Crunchyroll Breach and Interactive Social Engineering Trends [Prime Cyber Insights]
[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Aaron Cole: Welcome to Prime Cyber Insights. I'm Aaron Cole.
[00:15] Aaron Cole: We're tracking a significant breakdown in third-party trust as Crunchyroll confirms a multi-million user data breach.
[00:23] Lauren Mitchell: I'm Lauren Mitchell.
[00:24] Lauren Mitchell: TechRadar reports this breach stemmed from a malware infection on a support agent's workstation at Telus Digital, leading to the compromise of an Okta SSO account.
[00:37] Aaron Cole: Lauren, the scale is concerning.
[00:39] Aaron Cole: We are looking at roughly 8 million support tickets and 6.8 million unique email addresses
[00:45] Aaron Cole: exfiltrated from Zendesk.
[00:48] Aaron Cole: The adversary allegedly maintained access for 24 hours and demanded a $5 million ransom.
[00:55] Lauren Mitchell: It is a classic supply chain failure, Aaron.
[00:58] Lauren Mitchell: Beyond email addresses, the data includes IP addresses, geographic locations, and internal Slack communications.
[01:06] Lauren Mitchell: This aligns with findings in Google's latest M-Trends report.
[01:10] Aaron Cole: The report highlights that voice phishing, or vishing, is now the primary initial access method for cloud environments.
[01:18] Aaron Cole: Attackers are socially engineering IT helpdesks to reset MFA devices.
[01:24] Lauren Mitchell: Persistence is the other half of the story.
[01:27] Lauren Mitchell: Mandiant identifies a trend they call "living on the edge,"
[01:31] Lauren Mitchell: where groups like UNC6201 utilize backdoors
[01:35] Lauren Mitchell: like BRICKSTORM on firewalls and routers.
[01:38] Lauren Mitchell: In some instances, they have maintained access for nearly 400 days.
[01:43] Aaron Cole: That shift toward edge device exploitation makes the discovery of CVE-2026233 in Microsoft Authenticator even more critical.
[01:55] Aaron Cole: Malwarebytes recently interviewed researcher Khalid Muhammad, who discovered the vulnerability.
[02:01] Lauren Mitchell: The vulnerability allowed a malicious app on a mobile device to intercept QR code sign-in flows.
[02:08] Lauren Mitchell: If an agent scanned a legitimate code, the malicious app could hijack the deep link and take over the account, bypassing 2FA.
[02:17] Lauren Mitchell: Microsoft released a patch for this earlier this month.
[02:20] Aaron Cole: On the legal front, The Register reports that Russian initial access broker Alexei Volkov was sentenced to 81 months in prison yesterday, March 24th.
[02:30] Lauren Mitchell: Volkov was a key enabler for the Yanluowang ransomware group.
[02:35] Lauren Mitchell: His role in selling network access resulted in approximately $9 million in losses.
[02:41] Lauren Mitchell: It represents significant success for cross-border enforcement.
[02:45] Aaron Cole: It underscores that these specialists are as critical as the ransomware crews themselves.
[02:50] Aaron Cole: For practitioners, the priority remains: harden help desk protocols and monitor edge devices.
[02:57] Aaron Cole: I'm Aaron Cole.
[02:59] Lauren Mitchell: And I'm Lauren Mitchell.
[03:00] Lauren Mitchell: Thank you for joining us.
[03:02] Lauren Mitchell: For the full briefing and technical breakdown, visit pci.neuralnewscast.com.
[03:08] Lauren Mitchell: Stay resilient.
[03:09] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[03:13] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[03:17] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:21] Announcer: Intelligence for defenders, leaders, and decision makers.
