Google has confirmed that state-backed threat actors are operationally using Gemini across the intrusion lifecycle — not experimentally, but strategically. In this episode of Security Squawk, we break down how AI is being integrated into reconnaissance, phishing refinement, vulnerability research, and even dynamic malware generation. According to Google's Threat Intelligence Group, multiple clusters — including DPRK-linked actors — are using Gemini to synthesize OSINT, map organizational structures, refine recruiter impersonation campaigns, and research exploit paths. In one case, malware known as HONESTCUE leveraged Gemini's API to dynamically generate C# code for stage-two payload behavior, compile it in memory using legitimate .NET tooling, and execute filelessly. This isn't a zero-day story. It's a friction story. At the same time, two individuals in Connecticut were charged for allegedly using thousands of stolen identities to exploit FanDuel's onboarding and promotional systems. No exotic exploit. No advanced intrusion chain. Just automated workflow abuse at scale. The pattern is clear: AI is compressing attacker timelines, and identity-driven fraud is industrializing predictable processes. We examine: How AI-enhanced phishing eliminates traditional grammar-based red flags Why trusted SaaS domains (Gemini share links, Discord CDNs, Cloudflare fronting, Supabase backends) are weakening reputation-based defenses What model distillation attempts (100,000+ structured prompts) signal about API abuse and intellectual property risk How fileless malware compiled with legitimate developer tooling challenges signature-based detection Why onboarding workflows and recruiting processes are now primary attack surfaces For CEOs, this is about erosion of trust anchors and shifting insurability expectations. For IT Directors and SOC leaders, this means reevaluating fileless execution visibility, API anomaly detection, and the reliability of reputation filtering models. For MSPs and risk managers, breaches will increasingly originate from workflow exploitation rather than perimeter misconfiguration. AI didn't invent new attack types. It removed friction from existing ones. And when friction disappears, scale compounds. If your recruiting, onboarding, verification, or AI product interfaces can be scripted — they can be weaponized. This episode is about operational clarity in a rapidly compressing threat landscape. Keywords: Google Gemini, HONESTCUE malware, AI phishing, state-backed threat actors, DPRK cyber operations, model distillation attacks, API abuse detection, fileless malware, .NET in-memory compilation, identity fraud, FanDuel fraud case, workflow exploitation, SaaS infrastructure abuse, Cloudflare phishing, Discord CDN payloads, Supabase backend abuse. Support the show https://buymeacoffee.com/securitysquawk

In this episode of Security Squawk, Bryan Hornung, Reginald Ande, & Randy Bryan break down three stories that should change how executives think about cyber risk. This is not about tools, alerts, or vendor promises. It is about operational dependency, leadership accountability, and financial exposure when systems fail. Story one focuses on active exploitation of SolarWinds Web Help Desk vulnerabilities being used as an entry point for ransomware staging. Researchers are seeing attackers move fast after initial access, blending in by using legitimate remote management and incident response tools. That is the point. When attackers use normal looking admin utilities, many organizations do not detect the intrusion until the business impact is already locked in. If you run Web Help Desk or you have not verified your patch posture, this is a governance issue, not an IT debate. Patch timelines and exposure management are leadership decisions because they directly affect business interruption risk. Story two is a warning about the ransomware market adapting. As more organizations refuse to pay for data theft only extortion, threat actors are expected to pivot back toward encryption. Encryption creates urgency because it disrupts operations. The financial exposure shifts toward downtime, recovery labor, lost revenue, and customer churn. Executives should treat restore capability like a business continuity requirement. If your recovery plan has not been tested under pressure, it is not a plan. Story three covers the BridgePay ransomware incident and the downstream impact on merchants and local government services. Even when payment card data is not confirmed compromised, availability failures still create real harm. Customers do not care which vendor was hit. They only see that your business cannot process transactions. This is a clear reminder to revisit vendor criticality, SLAs, outage communications, and contingency processing options. Security Squawk is built for business owners, executives, board members, and IT leaders who want the real world impact without the fear marketing. Subscribe, share, and support the show at https://buymeacoffee.com/securitysquawk

Cyber risk is escalating fast, and most business leaders are still operating with outdated assumptions. This episode of Security Squawk confronts that reality head on. Ransomware is no longer limited to encrypted files and downtime calculations. Threat actors are escalating pressure tactics into the physical world, including intimidation and direct threats against employees and executives. That shift fundamentally changes the risk profile for organizations. Once physical safety enters the equation, cybersecurity stops being a technical issue and becomes a leadership, legal, and duty of care problem. Companies that are unprepared for this escalation expose themselves to serious liability, regulatory scrutiny, and reputational damage that insurance alone cannot fix. At the same time, businesses are quietly introducing new risks through personal AI agents and automation tools. These tools are often adopted without security review, legal oversight, or compliance consideration. Marketed as productivity enhancers, personal AI agents frequently operate with broad access to email, files, customer data, and internal systems. When these agents mishandle or leak data, responsibility does not fall on the software vendor or the employee experimenting with automation. It falls squarely on the business. Regulators, insurers, and courts do not accept ignorance or convenience as a defense. We also examine why extortion groups like ShinyHunters continue to succeed even as companies invest heavily in security controls. This is not about sophisticated hacking techniques. It is about business pressure. Attackers understand deadlines, brand risk, customer trust, and executive fear. They exploit supply chains, third party vendors, and disclosure obligations to force decisions under time constraints. Paying extortion may feel like resolution, but it often increases long term risk, invites repeat targeting, and complicates regulatory reporting. Throughout this episode, the focus is not on tools, vendors, or technical jargon. It is on decision making. Who owns cyber risk inside the organization? How prepared is leadership to respond when incidents move beyond IT into legal, HR, and physical security territory? And how does a board defend its actions when regulators or plaintiffs start asking questions after an incident? This conversation is designed for CEOs, business owners, board members, and senior leaders who understand that cybersecurity is inseparable from operational risk, financial exposure, and executive accountability. If your strategy relies on cyber insurance, compliance checklists, or the belief that serious incidents only happen to larger companies, this episode will challenge that thinking. Security Squawk cuts through vendor noise and fear driven messaging to focus on what actually matters to businesses making real decisions. Support the show at https://buymeacoffee.com/securitysquawk

This episode of Security Squawk breaks down a familiar and dangerous pattern in cybersecurity. Major brands are losing data. Attackers are moving fast. And companies are still relying on silence and delay as a response strategy. We cover hackers auctioning stolen source code from a major retailer, an unprotected database exposing millions of Gmail and Instagram records, ransomware claims involving Nike and Under Armour, and a gas station breach that exposed Social Security numbers. This is not about advanced hacking techniques or rare exploits. It is about basic security failures, weak response decisions, and the real business impact of hesitation after data exposure. If you are a business owner, executive, or IT leader, this episode explains why modern breaches cause damage long before confirmation and why waiting to respond often shifts risk onto customers and employees

Cybersecurity failures are no longer just IT problems. They are legal, financial, and leadership failures. In this episode of Security Squawk, we break down how a ransomware attack on Ireland's Office of the Ombudsman delayed justice for citizens and what that incident reveals about preparedness, accountability, and real-world consequences of cyber risk. We start with the Ireland cyberattack that forced a key public watchdog agency to halt case processing for months. This was not a minor disruption. Systems were taken offline, legal action was required to prevent potential data leaks, and people relying on the system became collateral damage. The story highlights a hard truth. When cybersecurity fails, mission failure follows. Government or private sector, the outcome is the same. From there, we zoom out to the private sector where the warning signs are flashing red. New survey data shows cybersecurity litigation risk is rising faster than any other legal exposure for U.S. businesses. Corporate legal teams expect cyber and data privacy disputes to intensify, yet fewer of them feel prepared compared to last year. That gap tells us everything we need to know. Companies understand the risk is growing, but they are not investing or aligning fast enough to reduce it. We also examine the dangerous confidence gap in middle market firms. Nearly one in five experienced a cyber incident, yet almost all executives still believe their security posture is strong. Confidence without controls is not resilience. It is exposure. This disconnect raises serious questions about leadership accountability and how security decisions are being made at the executive level. The episode also dives into research showing that many top U.S. companies still fail basic cybersecurity hygiene. Reused passwords, outdated software, poor configuration, and unpatched systems remain common in 2025. These are not advanced threats. These are fundamentals. When organizations cannot execute the basics, the issue is not technical skill. It is culture, discipline, and leadership priority. We discuss the ongoing wave of data breaches affecting insurance, healthcare, and business services organizations, exposing millions of records. These incidents are proof that many companies remain reactive instead of proactive. Third-party risk, weak internal controls, and poor governance continue to amplify the damage. Finally, we tackle a growing blind spot. AI security governance. As businesses rapidly adopt AI tools, many still lack formal rules, oversight, or risk frameworks. Without governance, innovation turns into liability. Attackers move faster than policy, and organizations are left exposed. This episode is a wake-up call for business leaders, MSPs, IT professionals, and security decision-makers. Cybersecurity is no longer about compliance checklists or technology spend. It is about reducing real risk, protecting trust, and leading responsibly. If you want to understand why cyberattacks now lead to lawsuits, why confidence is not the same as security, and why leadership decisions matter more than ever, this episode delivers the insight you need. Subscribe, follow, and share Security Squawk. And if you want to support the show, you can always buy me a coffee at buymeacoffee.com/securitysquawk.

Today on Security Squawk we are breaking down three different incidents that all point to the same underlying issue. Basic security failures with real consequences. An Oregon state agency exposes personal information tied to environmental complaints. Nissan suffers a ransomware incident that leaks nearly 900 gigabytes of internal data. And an Illinois government agency exposes sensitive information connected to more than 700,000 individuals. Randy Bryan, Reginald Andre, and Bryan Hornung walk through what actually happened, why these incidents keep repeating across industries, and what they mean for businesses that assume they are too small or too quiet to be targeted. If government agencies and global manufacturers are struggling with access control, monitoring, and accountability, the real question is what that means for your organization. Join us live to understand the risks and what to do next. Join Randy Bryan, Reginald Andre, and Bryan Hornung live and be part of the conversation.

University of Phoenix confirms a massive data breach affecting almost 3.5 million current and former students, staff, and partners after attackers exploited a zero-day in Oracle E-Business Suite. We break down the implications for identity theft risk and breach response. Next, Andre explains why most existing medical devices would fail the FDA's new cybersecurity standards and how healthcare organizations can manage legacy device risk in critical environments. Finally, Bryan breaks down a cloud breach spree that hit 50 global organizations because multi-factor authentication wasn't enforced. Learn why MFA is no longer optional and how basic security failures lead to major breaches. Tune in for expert insights, practical advice, and what every IT leader needs to know today.

In this annual Security Squawk tradition, we do two things most people avoid: accountability and predictions. First, we break down the top cyber-attacks of 2025 and translate them into what actually matters for business owners, IT pros, and MSPs. Then we grade our predictions from last year using real outcomes. No excuses. No hand waving. No “well technically.” Why does this episode matter? Because 2025 made one thing painfully clear. Most cyber damage does not come from genius hackers. It comes from predictable failures. Unpatched systems. Over-trusted third parties. Tokens and sessions that live too long. Help desks that can be socially engineered. And organizations that still treat cybersecurity like an IT issue instead of a business survival issue. We start with the Top 10 Cyber-Attacks of 2025 and pull out the patterns hiding behind the headlines. This year's list includes ransomware and extortion campaigns, software supply chain failures, identity and OAuth token abuse, and attacks that caused real operational disruption, not just data exposure. These stories show how attackers scale impact by targeting widely deployed platforms and trusted business tools, then turning that access into downtime, data theft, and brand damage. One of the biggest lessons of 2025 is simple: identity is the new perimeter. Many of the most important incidents were not break-in stories. They were log-in stories. Stolen sessions and OAuth tokens keep working because they let attackers bypass MFA, move quickly, and blend in as legitimate users. If your security strategy is focused only on blocking failed logins, you are watching the wrong signal. 2025 also reinforced how fragile third-party trust has become. Integrations are everywhere. They make businesses faster and more efficient, but they also expand the blast radius. When a third-party tool or service account is compromised, it can become a shortcut into systems that were never directly attacked. In this episode, we talk about practical steps like minimizing access scopes, eliminating unnecessary integrations, shortening token lifetimes, and having a real plan to revoke access when something looks off. We also dig into why on-prem enterprise tools continue to get hammered. Many organizations still run internet-facing platforms that are patched slowly and monitored poorly. Attackers love that combination. In 2025, we saw repeated exploitation of high-value enterprise software where a single weakness led to widespread compromise across industries. If your patching strategy is “we will get to it,” attackers already have. Another major theme this year was operational disruption. Some of the costliest incidents were not just about stolen data. They shut down production, halted sales, broke customer service systems, and created ripple effects across supply chains. That is where executives feel cyber risk the hardest. Data loss hurts. Downtime is a business emergency. Then we grade last year's predictions. Did AI take our jobs? Not even close. What it did do was raise the baseline for both attackers and defenders. AI improved phishing quality, accelerated scams, and forced organizations to confront the risks of adopting new tools without clear controls. We also review our call on token and session-based attacks. That prediction aged well. Identity-layer abuse dominated 2025. The issue was not a lack of MFA. The issue was that attackers did not need to defeat MFA if they could steal what comes after it. We also revisit regulation. It did not arrive all at once. It crept forward. Agencies and lawmakers continued tightening expectations, especially in sectors that keep getting hit. Businesses that wait for mandates before improving controls will pay more later, either through recovery costs, insurance pressure, or lost trust. Finally, we look ahead to 2026 with new predictions that are probable, not obvious. We discuss what is likely to change around identity, help desk security, SaaS governance, and how leaders measure cyber readiness. The short version is this: 2026 will reward companies that treat access as a living system and punish those that treat it like a one-time setup. If you like the show, help us grow it. Subscribe, leave a review, and share this episode with someone who still thinks cybersecurity is just antivirus and a firewall. And if you want to support the podcast directly, buy me a coffee at buymeacoffee.com/securitysquawk.