The Department of Know: cybercriminals join forces, “SleepyDuck” exploits Ethereum, passwords still awful

This week’s Department of Know is hosted by Rich Stroffolino with guests Jacob Coombs, CISO, Tandem Diabetes Care, and Ross Young, Co-host, CISO Tradecraft, and author of courses, templates, and soon, a book!

Missed the live show? Check it out on YouTube

CISO Series The Department of Know is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com

“Know” or “No”?

Jacob and Ross will discuss whether they think these stories are worth bringing to a team standup. Do you agree? Tell them what you think:

Organized crime cybercrooks steal cargo

Researchers from Proofpoint say cybercriminals are teaming up with organized crime groups to hijack cargo shipments through hacked logistics systems. Attackers gain access to U.S. freight broker load boards, post fake jobs, and infect logistics firms with remote monitoring tools like ScreenConnect or N-able, then intercept delivery information and redirect goods to their own addresses. Stolen goods range from electronics to energy drinks. CargoNet says theft losses hit $112 million in Q3 2025, with hotspots in California, Illinois, Florida, Texas, and Washington. (The Register)

GDI flaws could enable Windows remote code execution

Check Point Research revealed three newly patched Windows GDI flaws, found by fuzzing EMF/EMF+ files, that could allow remote code execution and information disclosure. They involve out-of-bounds memory access affecting text rendering, thumbnail generation, and print-job initialization, and exploitation could let attackers read or write memory without user interaction. Microsoft fixed the issues over the summer with validation checks, boundary trimming, and pointer corrections. The flaws also affected Microsoft Office for Mac and Android. (Infosecurity Magazine)

Scattered Spider, LAPSUS$, and ShinyHunters join forces

Trustwave SpiderLabs said in a report shared with The Hacker News that three major cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, have merged into a new collective called Scattered LAPSUS$ Hunters (SLH). The group has operated at least 16 Telegram channels since August, runs an “extortion-as-a-service” model, and may be developing its own ransomware, Sh1nySp1d3r. Trustwave describes the group as blending profit-driven crime with hacktivist theatrics, using Telegram for coordination and reputation-building. (The Hacker News)

Cybersecurity program ‘not effective’ after staff cuts

The Federal Reserve’s Office of Inspector General found the Consumer Financial Protection Bureau cybersecurity program “ineffective” after staff cuts and reduced contractor support. The audit noted the agency is not keeping up with system authorizations, relying on undocumented risk acceptance, and using outdated software. The program dropped to level-2 maturity in 2025 from level-4. Remaining staff have been implementing some mitigations, including ransomware response processes and weekly risk meetings, while legacy IT modernization continues. (FedScoop)

The Louvre’s video security password was reportedly ‘Louvre’

Analysis of one of the most brazen museum robberies in history, the theft of the French Crown Jewels from the Galerie d’Apollon at the Louvre Museum in Paris, shows that the museum has endured lax security measures going back many years. The password for the video surveillance system, for example, was “Louvre,” according to a security audit performed in 2014. Key parts of its security software were more than two decades old and no longer supported by their developer. These specific weaknesses may not have been directly involved in last month’s jewel heist, but they represent significant delays in updating and expanding the museum’s security. The director of the Louvre, Laurence des Cars, had struggled for years to obtain the necessary upgrades. She tendered her resignation following the theft, but culture minister Rachida Dati refused it. (PC World) (The Guardian)

Huge thanks to our sponsor, Vanta

What’s your 2 AM security worry?
 
Is it “Do I have the right controls in place?”
 
Or “Are my vendors secure?”
 
…or the really scary one: “How do I get out from under these old tools and manual processes?”
 
Enter Vanta.
 
Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME. With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.
 
Get started at vanta.com/headlines

Deep Dives

Here we will spend some time talking in more depth about some of these stories. Join in the conversation on YouTube Live:

“SleepyDuck” uses Ethereum to keep command server alive

Threat intelligence firm Secure Annex found a malicious Visual Studio Code extension called “SleepyDuck” that can install a remote access trojan. The extension was initially benign and was updated with malicious code only after it had accumulated roughly 14,000 downloads. Once a user opens a Solidity file, the extension collects system details and connects to a command-and-control server every 30 seconds. Secure Annex says the attackers used an Ethereum contract to dynamically update the C2 address to evade blocking, and traced the group behind SleepyDuck to other rogue VS Code extensions that mine Monero through PowerShell scripts. (The Hacker News)
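Because the C2 address is rotated through an Ethereum contract, blocking a single domain or IP is unreliable, while the fixed 30-second cadence is a more durable signal. The following is an added example, not Secure Annex's tooling or code from the original story, that flags near-constant request spacing in constructed proxy-log lines; the log format and the hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log, not real SleepyDuck traffic: "<ISO timestamp> <source host> <destination>".
# The first flow beacons every 30 seconds like the extension described above; the second is browsing.
SAMPLE_LOG = """\
2025-11-03T09:00:00 dev-laptop-07 c2.example.invalid
2025-11-03T09:00:30 dev-laptop-07 c2.example.invalid
2025-11-03T09:01:00 dev-laptop-07 c2.example.invalid
2025-11-03T09:01:30 dev-laptop-07 c2.example.invalid
2025-11-03T09:02:00 dev-laptop-07 c2.example.invalid
2025-11-03T09:00:07 dev-laptop-07 docs.example.invalid
2025-11-03T09:00:41 dev-laptop-07 docs.example.invalid
2025-11-03T09:03:12 dev-laptop-07 docs.example.invalid
2025-11-03T09:05:58 dev-laptop-07 docs.example.invalid
2025-11-03T09:09:03 dev-laptop-07 docs.example.invalid
"""

def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (source, destination) pair."""
    flows: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_stats(times: List[datetime]) -> Tuple[float, float]:
    """Mean and population standard deviation of the gaps between consecutive requests."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return mean(gaps), pstdev(gaps)

def find_beacons(text: str, min_events: int = 5, max_cv: float = 0.1) -> List[Tuple[str, str, int]]:
    """Return (source, destination, mean gap in seconds) for flows with near-constant spacing.
    The coefficient of variation (stdev / mean) is ~0 for a fixed timer; malware that
    randomises its sleep raises it, so tune max_cv and min_events to your environment."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) >= min_events:
            avg, sd = interval_stats(times)
            if avg > 0 and sd / avg <= max_cv:
                hits.append((src, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: beacon-like, ~{gap}s cadence")
```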

The most common passwords are still the ones you and everyone else knows they are

A new report from research company Comparitech shows that among the top 100 most used passwords of 2025, eight of the top ten are variations of 123456, with the other two being “password” and “admin.” In fact, variations of these three together fill almost the entire list, with just three standouts: gin, a row of 10 asterisks, root, India123 and minecraft. Comparitech consumer privacy advocate Paul Bischoff told The Register in an email interview that companies failing to enforce good password practice are the most pressing problem. (The Register)
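A deny-list check of the kind NIST SP 800-63B recommends is the enforcement Bischoff is asking for. The code below is an added example, not part of the original story or Comparitech's method: it rejects the three pattern families the report names, using its own assumed rules for what counts as a variation, and does not flag standouts such as India123 or minecraft, which a fuller deny list would also need to cover.

```python
import re
from typing import Optional

# The three families the Comparitech report above says dominate the top 100: variations of
# "123456", "password" and "admin". What counts as a "variation" here (the leet table, the
# ascending-digit rule, stripping a trailing year or symbol) is this example's own assumption.
BLOCKED_BASES = frozenset({"password", "admin"})
MIN_RUN = 5  # an ascending run of this many digits (12345, 123456, ...) is a 123456 variant

# Common substitutions undone before comparison, e.g. "P@ssw0rd" -> "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "$": "s", "3": "e"})


def has_ascending_digit_run(candidate: str, min_run: int = MIN_RUN) -> bool:
    """True if the candidate contains min_run or more consecutive ascending digits."""
    run = 1
    for prev, cur in zip(candidate, candidate[1:]):
        if prev.isdigit() and cur.isdigit() and int(cur) == int(prev) + 1:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def normalize(candidate: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols ("2025", "!"), then undo leet spellings."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return stripped.translate(LEET)


def weak_reason(candidate: str) -> Optional[str]:
    """Name the top-100 pattern the candidate is a variant of, or None if it matches none."""
    if has_ascending_digit_run(candidate):
        return "123456 variant"
    base = normalize(candidate)
    if base in BLOCKED_BASES:
        return f"{base} variant"
    return None


if __name__ == "__main__":
    # Constructed candidates; the standouts named in the report pass this particular check.
    for pw in ["123456", "P@ssw0rd!", "Admin@2025", "India123", "minecraft", "**********"]:
        print(f"{pw!r}: {weak_reason(pw) or 'not a top-100 variant'}")
```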

Operational technology security poses manufacturing risks

Despite rising awareness, manufacturers continue to face major operational technology (OT) security challenges, according to Dark Reading. Legacy systems, sprawling access points, and human error are leaving factories vulnerable, while the integration of cloud and AI-driven tools is expanding attack surfaces. Recent incidents, including a ransomware attack on Asahi, have highlighted both financial and supply chain impacts. Security experts say identity-focused strategies, governance, and full visibility across OT assets are essential to reduce risks and improve resiliency. (Dark Reading)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.