The Microsoft Threat Intelligence Podcast 3.6.25
Ep 39 | 3.6.25

Malvertising Campaign Leads to Info Stealers Hosted on Github

Transcript

Sherrod DeGrippo: Hey everyone. It's Sherrod. Before we get into the episode, I just wanted to let you know, I will be speaking at and attending the RSA Conference in San Francisco, at the end of April. And I really hope to see you there. Come on by and say hello. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cyber security. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome back to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft. And I am joined by senior security researcher, Kajhon Soyini. Kajhon, thank you for joining us.

Kajhon Soyini: Thank you for having me. Happy to be here.

Sherrod DeGrippo: So, I love having people from DEX, Defender Experts, on the podcast because you and your team are in the trenches, day in, day out, looking at actual threats hitting Microsoft customers. And I understand that one of those threats that you've seen recently is something called Lumma Stealer, which is doing malvertising. So, that looks like it started back in December of 2024. And went primarily through the month, the threat actor Storm-1000, which is a cybercrime actor. Tell me what this Lumma Stealer activity is, and what this campaign was doing.

Kajhon Soyini: Absolutely. So, for starters, like you've mentioned, this is something we discovered early December. A lot of the activity seemed to originate from a malvertising network of scam websites, pirating, stream websites. One of the first things we started to notice were the initial infection payloads. They were random-seeming payloads being downloaded from GitHub, and signed with a GitHub certificate upon download. And one of the things we started to recognize was this payload's execution behavior just kind of serves as a dropper, if you will. As soon as it gets down onto your machine, it ends up dropping another Windows executable. The first instance of anything looking anomalous was that second payload that gets dropped starts to exfiltrate certain information from your system. And one of the things that we see is the command prompt is invoked. And system discovery commands are run, such as echo, variables for the user's DNS, computer name, things about the user's GPU information, and so forth. And following that system discovery being run, we see the payload initiate network connections. And within those network connections, we observed the exfiltration of a set of information over HTTP, using a GET request. The exfiltration is encoded Base64. So, that's one of the things that stood out to us early on, the actual Base64 is inside of the URL parameters. And when you decode that, you can determine the actual information that's exfiltrated. Such as the user's temp folder, the user's name, GPU, CPU, operating system information. Like this is kind of like the first step to gaining information about the affected asset. So, that's very interesting early on.

Sherrod DeGrippo: I noticed too, looking at this attack chain, there's 7 different steps. There's two stages of payload. And it looks like it pulls in NetSupport RAT at some point in some infection chains too. NetSupport is like a remote access trojan from the good old days. It did have legitimate uses at some point. But now, it primarily is seen as part of attack chains with malware. So, it also looks like it does some registry modifications to maintain persistence. Which is in my opinion, an indicator of a more sophisticated piece of malware, especially in the crime space. A lot of times we don't see persistence past startup. So, that's a nice feature of this malware too. Kajhon, how much of this are we seeing? Is it pretty prevalent, or at the time I guess?

Kajhon Soyini: Very prevalent. We kicked into high gear once we started noticing it. Actually, the prevalence got a lot of us to look at this and give it more attention. We saw upwards of, close to a million devices worldwide getting impacted across various different industries, various different orgs, right. From your small and medium sized business, to more your multinational corporations. We've seen many different devices being compromised, and the activity sprawling, right. The thing about this threat actor, like you said, generalized cybercrime Storm-1000. It started off small, right. We identified at least 5 malicious GitHub repositories first, and 5 initial infection payloads. That number quickly grew as the days and weeks went on. 'Til eventually we got to numerous GitHub repositories, up to 30. And up to 30 initial infection payloads. Those repositories have since then been taken down, for obvious reasons. However, yes, the prevalence was massive. I haven't seen an info stealer campaign this large in the wild, actually.

Sherrod DeGrippo: Okay. Interesting. I want to talk about really quickly, about the GitHub angle on this. That's something that I think is really important to understand for Microsoft. You work with DEX, which is Defender Experts. They're these really, kind of like Swiss army knife threat hunters that hunt for cool threats in our products, for our customers. And because GitHub is a Microsoft property, we participate in the disruption of the threat actor as well. So, Kajhon, can you kind of tell me, how do we do that with GitHub? Do we have a friend? Do we have a process? What does that look like?

Kajhon Soyini: As you mentioned, GitHub is already part of the Microsoft family, ecosystem. So, when it comes to requesting takedowns of people abusing this sort of living off trusted sites, that's what we like to call it. We have a process that we go through that involves escalating this activity up to GitHub, and garnering their attention to let them know what is happening. And that process is very smooth. Within not only Defender Experts, but other teams as well within Microsoft. This process is very smooth. And it assists us with disrupting the threat actor's activity. But what we found with this threat actor, as soon as we took one down, two more pop up. And you know, they were able to replicate fairly quickly, and get spun up really fast. So, like I said, when we started off with at least 5 repos from the beginning, a few more kept popping up. So, the threat actor knew we were onto them.

Sherrod DeGrippo: And I think that's kind of the, that's just sort of the way of the world. That's the life, right? Is you disrupt a part of a threat actor's infrastructure, or some part of their ability to create and send campaigns, and they find a way around that. That's just sort of the you know, some people call it cat and mouse. But it almost doesn't even feel like cat and mouse. It just sort of feels like threat actor creativity. Just finding ways around things over and over again.

Kajhon Soyini: Absolutely, yeah. It's very interesting because we had to conduct some retroactive analysis on the traffic stream, right. Where did this traffic originate from? And in doing so, when we start from, the thing about having good Defender telemetry, is that often times once a file is downloaded, we are able to determine the origin of that file. And not just the origin of the URL, but if that user was also directed from a different URL, right. We also have Mark-of-the-Web referrals as well. Which allows us to see, hey, this user downloaded this payload from this GitHub repository. But this user was redirected to this GitHub repository from a different URL. And so, when we took the referral URLs, we were able to trace back and find that a lot of these sites were, the malicious sites were embedded into the iframes of streaming and pirating sites. So, that's how the redirection happened. So, you want to be fairly careful on the websites that you visit, especially websites dealing with possible tech support, possible streaming and pirating websites. Often times, those websites are known to have embedded malicious properties and links within like, iframes, or HREF references as well, inside the code of the website. And that's basically what we were able to uncover. That this was the case. That you know, the referral URLs were actually embedded inside those websites. And then the final landing page would be GitHub, once you go to those referral URLs.

Sherrod DeGrippo: And that's something I think that's been happening for such a long time is, malicious things being embedded into kind of sketch websites. Whether they're fraudulent tech support, or downloading media that you shouldn't be downloading, we've seen that kind of tactic for a long time. And it sounds like it's still tried and true and working very well for Lumma Stealer. Kajhon, anything else we need to know about this particular campaign, or this activity?

Kajhon Soyini: Yeah. So, early on, Lumma Stealer was definitely our first bet. That's because the initial payloads that we did have and did conduct analysis on, some of the signs did point to Lumma, based on the activity. However, we have since then conducted further analysis, and we see some relations to the Doenerium malware family.

Sherrod DeGrippo: Oh.

Kajhon Soyini: Doenerium is not as popular and prevalent as let's say, a Lumma Stealer. However, last time we've heard of Doenerium, they've had some initial changes since 2023, when they were very prevalent back then. What we were able to surmise is that, a lot of the infection payloads that were hosted on GitHub have relations to the Doenerium family, based on the binaries' properties, and so forth. And also, the files that those binaries contain. So, a lot of the times when a payload is executed, it drops a lot of files, DLLs, and so forth, right, additional files that can be leveraged. A lot of those DLLs, and HTML, and so forth files have similar relations to what we saw with Doenerium as well. So, that kind of side by side is very interesting. So, we not only have some instances of Lumma as well, and some known Lumma payloads, but also Doenerium seems to be the first infection vector, right, to get inside of an enterprise network or yeah. So, that's pretty interesting.

Sherrod DeGrippo: So, there's some potential either threat actor overlap or infrastructure and code overlap that might be some interesting indicators from a previous malware that's been out there.

Kajhon Soyini: That's correct, right. We're seeing Doenerium like payloads with Lumma, known Lumma infrastructure, right. So, that's very interesting. And when I say infrastructure, I mean particularly, the command and control infrastructure, right. We have a few domains and IPs, which have been known to be leveraged by a Lumma Stealer in the past. We've also seen that with Doenerium as well. These Doenerium payloads are also using that same infrastructure.

Sherrod DeGrippo: Got it. Okay. That's really interesting. And I imagine that we'll continue watching that infrastructure to see if it changes to something even different on the next iteration.

Kajhon Soyini: Absolutely. Yeah.

Sherrod DeGrippo: Okay. So, that was Lumma Stealer on a GitHub malvertising campaign. And I hear that we've got another one to talk about, which is crypto mining. Which you know, I don't understand crypto mining. Because I thought it wasn't so good anymore. But apparently, threat actors are still doing crypto mining. So, Kajhon, can you kind of tell us about this campaign that uses Netcat, for command and control and crypto mining?

Kajhon Soyini: Absolutely. So, this campaign was pretty interesting because we have a recurring theme. And that theme seems to be trusted site, such as GitHub and YouTube, right. This is another instance where the initial compromise results from users, right, attempting to download tools or software that has been advertised on GitHub and YouTube specifically. So, you know, YouTube, a lot of times you go to YouTube, you're watching a video, you know it has these links for advertisement. Hey, download this software. Download this now. And that's basically what happened. Is these files are masquerading as legitimate tools that users are looking for. And one of the things that we're noticing is that, a lot of these binaries are disguised as legitimate software. So, game cheats, or office programs, crypto trading bots, as well. So, the adversary has a way of getting their foot into the victim's environment. And the whole goal of once you get access to that, and you run those payloads, is to use the victim's resources for an effort of crypto mining. Things like their CPU, and so forth, their memory, to mine crypto. And that's basically one of the things that we saw, right. It hijacks the resources. It impacts performance of the victims. We've seen some instances of process injection, right. Injecting themselves into legitimate processes. So, yeah. It's basically, very interesting. One of the things I want to point out is the Netcat masquerade.

Sherrod DeGrippo: Yeah.

Kajhon Soyini: Now this was something, yeah, so this was something where the adversaries would masquerade as, there's actually a Netcat binary that's masquerading as a benign file. And the benign files, one of the things that we noticed is that, the files are specific to certain benign binaries. Specifically, like StartMenuExperienceHost.exe. That particular binary is known to be a LOLBin, if you will, right.

Sherrod DeGrippo: Which is what? That doesn't mean laughing out loud.

Kajhon Soyini: Right.

Sherrod DeGrippo: So, what does that mean? LOLBin.

Kajhon Soyini: Right. LOLBin, that's living off the land binary. And sometimes you may also hear LOLBas, which is living off the land binary script. Basically, what that means is, a lot of adversaries will take heed and leverage the native utilities already present on a machine, right. So, if you're in Windows, a lot of the popular LOLBins include things like PowerShell, and WMI, so forth. But they also will masquerade as those LOLBins, right. They may introduce a suspicious payload binary and rename the file as, [inaudible 00:15:34] LOLBin, to evade detection, right. Part of a http. So, when it came to this Netcat binary, one of the things we were able to see was, hey this StartMenuExperienceHost.exe binary is making a lot of connections, right. And this is something you don't see.

Sherrod DeGrippo: That's sus, as they say.

Kajhon Soyini: Yeah.

Sherrod DeGrippo: The kids say. They call that sus.

Kajhon Soyini: Exactly. Yeah. That's definitely suspect. These binaries, this particular binary is actually what's used to manage the Windows start menu, and the display, and the GUI of it. So, that binary making connections is very, very interesting. So, one of the things that we were able to do is determine, well how I was able to determine that it was Netcat, is named pipes. So, a lot of times, in order to initiate some type of network connection externally or internally, processes will create a named pipe event, right. And we saw Netcat, which is the original process name of that binary, was present within the named pipe names, this C2 activity was also encrypted over a non-standard port, 5252, right. So, if you see some SSL traffic, which is going over, you know, non-standard SSL ports, such as 443, that's something you want to you know, investigate as well, because it'll stand out.

Sherrod DeGrippo: This is fascinating. Because okay, what you've explained is a pretty complicated, essentially, ability to hide behind something like, all of these things that has command and control, all of this stuff, to mine crypto currency. That's the final payload?

Kajhon Soyini: Yes. So, the thing about this campaign, the whole goal is to evade and hide, right. Evade detection, hide.

Sherrod DeGrippo: Right.

Kajhon Soyini: Nefarious persistence mechanisms put in place. And the whole goal is to mine crypto currency. One of the things that's interesting, is that this particular campaign, it leveraged a couple bat scripts as well, right. Which you'll see with the .bat file extension. It's a Windows bat script. And also, it drops a couple archive files. And it uses WinRAR, right, archive files. And then it also delivers an unpacking utility, right. Which says UnRAR. UnRAR is used to unpack WinRAR archive files. Within that a lot of payloads are delivered as well, specifically DLLs. So, one of the things that we see is, you know, libcrypto DLLs, libssl DLLs. We see 7-Zip DLLs also dropped. Again, that's another masquerade as well. Because it has, in this case, that particular DLL has nothing to do with 7-Zip, the program. What we did see was that this 7-Zip DLL is actually responsible for process injection into explorer.exe. So, that's one of the things that stood out as well.

Sherrod DeGrippo: I just can't get over the quite complicated, relatively sophisticated attack chain and utilities that are being used. All of this to mine crypto currency. I feel like, Kajhon, I keep running into things about crypto currency that I don't understand. I think we've got to get, if you're a crypto currency expert, hit me up to be on the podcast. Because I need help understanding why people are still crypto mining in this day and age.

Kajhon Soyini: Yeah. It's certainly, you know, something that...

Sherrod DeGrippo: It's a twist. Yeah. I started to see, even within my career, you know, in 2020 crypto mining really became a thing that took off, especially during Covid. It since then, has taken, I don't want to say a back seat, but compared to a lot of you know, malware families and types out there, it hasn't been the loudest, right, within the threat landscape. However, it still happens. It certainly happens. Crypto itself, is not going anywhere. So, in this case, you know, we still see a lot of adversaries want to leverage that. And mine crypto, and use these sort of bots to mine crypto for them. Within this campaign, it's really interesting because it does a lot of process injection. It uses a, it uses two DLLs specifically. You have a deviceid.dll, which is actually, it has a malicious AutoIt script embedded inside, to execute the silo crypto miner payload. And then injects that code inside explorer.exe. Again, a known Windows binary. And then we have the 7zxa.dll, which is part of the 7-Zip archive. And that contains what's called a clipper malware. It's used to monitor data inside the clipboard. Yeah.

Kajhon Soyini: And that also injects code into explorer.exe. So, those two payloads are what actually deliver the crypto mining functionality. However, I want to move on to some persistence mechanisms as well.

Sherrod DeGrippo: Well, let me just ask really quickly about the clipboard piece. What I have seen in the past is, the malware will sort of take whatever is in the clipboard and evaluate that, looking for the potential of someone copy pasting their wallet addresses and passwords. So, is that the case in this particular situation? It's looking for valuable things like credentials or wallet information?

Kajhon Soyini: In this case, it's more so monitoring specific data, right.

Sherrod DeGrippo: Okay.

Kajhon Soyini: Yes. It does, it does look for data within the clipboard. So, yeah, that is the function. But within injecting its code into explorer.exe, it does it in another way, right. Now explorer.exe, which is you know, that's something, you can't necessarily remove that payload off your machines.

Sherrod DeGrippo: You can't live without that.

Kajhon Soyini: Right. So, it does it in a stealthier way, should I say.

Sherrod DeGrippo: Okay. So, this is really wild. This is very in-depth for something to mine crypto. Now tell me, you said there was something interesting about the persistence here, which I again, find fascinating. So, what are they doing for persistence? It looks like some registry modification?

Kajhon Soyini: That's right. Registry modifications. And we have some WMIC, which is the Windows Management Instrumentation Console. WMI has something called an event consumer. And this event consumer, think of it as kind of similar to what you might find in the startup registry. It's basically an event that once certain parameters are met, an event will initiate on the machine, right. So in this case, within the command line event consumer we see an event, WMI event consumer created. That executes the StartMenuExperienceHost.exe. Which is again, the trojan Netcat. To create an encrypted C2 tunnel, to the C2 domain. That's a level of persistence, right. And then we also have the same things. Those two DLLs I mentioned, that are also responsible for the crypto mining. WMI events are created for those as well. And the thing about these DLLs, is that they are actually executed by an AutoIt trojan. So, we have another binary which is called shellext.dll. And this binary is actually a WinRAR archive binary DLL. It's actually an AutoIt interpreter that's disguised as the WinRAR library. So, this AutoIt interpreter actually runs these two AutoIt scripts. So, both those DLLs I mentioned, they're actually scripts. They're not even DLLs. And the shellext.dll is an AutoIt interpreter. So, then we have a level of AutoIt being leveraged. You have the interpreter, and then you have the scripts to run. So in this case, you would see these DLLs being created or leveraged within the WMI event consumer. But they're not DLLs at all actually. They're, you have an AutoIt interpreter, which is supposed to execute the AutoIt scripts. So, that's one instance of persistence there. And then we have some more instances of persistence. So, we mentioned registry. So, we do have something which, this was something that I was first privy to as well.

Within the registry, you know, we're all familiar with the ASEP registry, which is the automated startup entry points for you know, your run Ts, right when you log on the machine. This adversary decided not to do that. They decided to do something a little bit different. So, they used something called the image file execution objects registry path. And basically, what this does is, it has a debugger function. And when a process is executed and ran, another process will run behind it, right, as a debugging function. So, in this case, microsoftedgeupdate.exe. So, every time you know, you log onto your machine and you know, your system is booting up, this is a binary that will you know, does what it sounds like it does. It actually initiates updates for Microsoft Edge. Well in this case, the debugger function was, hey every time microsoftedge.exe runs, I need you to run this AutoIt interpreter shellext.dll. And run the 7zxa.dll, which is an AutoIt script, which is the clipper malware. So, it runs that within that registry key. And that's very interesting. I've never seen image file execution objects be leveraged in that way. And for another level of persistence, we have what's called a silent process exit registry key. So basically, what this means is any time a process is exited, so you know, you have processes when they start and then you have processes when they end. So, when this process ends, for example, taskhost.exe, which basically is a binary that helps with certain tasks. Running like task manager, and so forth. When that binary exits those DLLs, right, masqueraded DLLs, subsequently run as well. So, there's multiple levels of persistence to ensure this malware is successful. If you were to find the WMI event consumer, and eradicate that from the machine, well now that adversary still has two more places, right. They have the image file execution objects. And they have the silent process exit registry path as well. So, these are very, very interesting.

Basically, you have certain binaries that you use all the time on your machine. That you may not know that's running. But in this case, the persistence mechanism says, hey, any time those binaries stop running, right, those processes stop running, I want you to run. I want you to execute. Very interesting. So, you have a debugger function there, then you have a monitor function. And these are registry values that kick off when those known benign processes stop running. We even see it with servicehost.exe. So, any time a servicehost.exe is done running, it exits its process chain, then it initiates an execution of the AutoIt interpreter and the AutoIt script.

Sherrod DeGrippo: I want to just point out again, that this is all in efforts to mine crypto. These are on like hosts. These are not on PCs. This is not even cloud compute. This is individual computers, right?

Kajhon Soyini: That's right. Yeah.

Sherrod DeGrippo: It's crazy. Anything else we need to know about this campaign?

Kajhon Soyini: It's a very straightforward campaign, should I say. I mean, it's not a lot going on the machine. What you will find though, you have a bunch of DLLs, and they have various different functions. So, the evasion part is understanding, okay what, which DLL is responsible for which. And which one is actually a trojan and not really a DLL. Just a DLL in name, which is responsible for mining crypto and using up my system resources. So, I did mention there was a command and control factor to it as well. So, we did see some TLS connections over port 5252. So, the C2 server. But at the same time, in some cases, we also saw some connections over ports 50, 5050 and 3333. So, this campaign is using some high ports, right. Still less than the ephemeral ports but high ports to carry out the C2 operations, which is pretty interesting.

Sherrod DeGrippo: And you think that's a function of again, obfuscation by using those...

Kajhon Soyini: Absolutely, yeah.

Sherrod DeGrippo: Non standard port numbers?

Kajhon Soyini: This is a reverse shell, right, interactive shell, because they're using Netcat, right. They're using Netcat as that driving force to open up those TCP tunnels.

Sherrod DeGrippo: I learned Netcat from Ed Skoudis at SANS, 20 years ago.

Kajhon Soyini: Oh, yeah, Skoudis, he's good.

Sherrod DeGrippo: He's really, he's like for real about that.

Kajhon Soyini: Yeah.

Sherrod DeGrippo: And I see also, that this campaign was, it started in September of 2024 and went through November of 2024. Did it just drop off or keep trickling in, or that's the end of it? That's the latest, right.

Sherrod DeGrippo: Okay.

Kajhon Soyini: In terms of our telemetry, of the earliest, we identified one host with the earliest known activity of this type in September. And then the latest, and the thing about the latest is that, that speaks to the command and control aspect. Because like I said, if you don't identify those persistence mechanisms and take those hosts through the proper eradication and remediation process, then that adversary may still be inside your environment, and continue in those connections. So, a lot of the times what I saw was, hey even until November, these connections are still here active. Or the persistence mechanisms are taking hold, and those C2 tunnels are still being created.

Sherrod DeGrippo: That's fascinating. And Kajhon tell me, when you discover this in a customer's environment, what is the response there?

Kajhon Soyini: Well, one of the good things is that you know, there was ample Defender coverage, right.

Sherrod DeGrippo: Okay, good.

Kajhon Soyini: You know, across, specifically during the persistence and the defense evasion stages, right. Being that these payloads, the initial vector first had to do with the MSI archive, right. MSI archive file is responsible, that's what that person would download from a GitHub website or a YouTube, right. They'll download that archive file. And that archive file, once it installed, it drops another WinRAR archive file. And it drops a bat script. The bat script kicks it off, right. During that phase, it's very interesting. Because the bat script, it's just a randomly named bat script. And it's something that, it can change every time. So, the function will remain the same, but the files can change every time. So, that's very interesting. But I would say, you know, one of the first things of the response was okay, what do we see here, and what did Defender see, right. So, one of the things that we determined caught a lot of the activity, right. And made sure that there was enough alerts here for these customers to be aware of this activity. Especially when you get to the registry portions as well. Some of our response with this campaign involved first, the problem with this is that it was difficult to track, in terms of the origination of these MSI files, the dropper files. Because the activity is spread between two platforms, right. One being GitHub and one being YouTube.

Sherrod DeGrippo: Oh.

Kajhon Soyini: So, no telling how many URLs serve these files to begin with. So, this was an instance where we weren't necessarily able to track down and disrupt exactly where it came from. This, a lot of the times these files, they had no origination, in terms of you know, original URL download or referral. So, we just caught the activity and we responded accordingly. But a lot of the OSINT out there suggests a lot of these files were originating from GitHub and YouTube.

Sherrod DeGrippo: Okay. Well, this is a fascinating one. And I also think, Kajhon, all of our listeners out there who are malware analysts and reverse engineers are, this is like an episode for them specifically. 'Cause I feel like this is really what they love to know about. And I've met some of the best reverse engineers and malware analysts in the world. And you guys just all talk exactly like this, and love to talk about what the malware does. Which I love to hear about but obviously, I'm not as deep in this as, as all of you are. So, Kajhon, thank you so much for joining me. This has been absolutely fascinating. I hope you will come back again. Everyone, this was Microsoft's Senior Security Researcher, Kajhon Soyini from Defender Experts. Kajhon, thanks for joining me.

Kajhon Soyini: Thank you for having me. I appreciate it. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.