🎙 With guest co-hosts Thomas Schwab and Scott Kisser

For most people, healthcare feels immediate.

A doctor.

A prescription.

A moment of care.

What they don’t see…

is everything that has to happen before any of that is allowed to move.

Claims must be approved.

Payments must clear.

Authorizations must pass through systems no patient has ever heard of.

At the center of that system sat Change Healthcare.

When it worked, no one noticed.

In February 2024, it stopped.

No zero-day.

No advanced exploit.

Just stolen credentials…

and a remote access portal without multi-factor authentication.

Attackers linked to ALPHV/BlackCat logged in.

And from there, everything followed.

They moved laterally.

Exfiltrated sensitive data.

And deployed ransomware inside one of the most critical financial pipelines in American healthcare.

Pharmacies could not process prescriptions.

Providers could not submit claims.

Payments froze.

Care was not denied.

But it was delayed.

And delay, in healthcare, carries weight.

What followed was not just a breach.

It was a system-wide disruption that exposed a hard truth:

Modern healthcare does not just depend on technology.

It depends on a small number of systems working exactly as expected.

In this episode of The CISO Signal | True Cybercrime Podcast, host Jeremy Ladner is joined by Thomas Schwab of 1st Cyber Operations Group and Scott Kisser to examine how dependency becomes a weapon, why identity failures now carry systemic risk, and what leaders are forced to decide when every option comes with consequence.

Because in cybersecurity, the most dangerous attacks don’t break systems.

They use them exactly as designed.

🎙 Guest CISO Co-Host

Scott Kisser:

Chief Information Security Office @ SmithRx

https://www.smithrx.com

🤝 Sponsor Expert

Thomas Schwab:

Managing Director, 1st Cyber Operations Group

https://www.1stCyberOpsGroup.com

1st Cyber Operations Group helps organizations strengthen cyber resilience and incident response readiness, ensuring leaders can make confident decisions under pressure and recover quickly when disruption occurs.

🔎 Episode Topics

• How a lack of MFA enabled one of the largest healthcare breaches in history

• Why attackers target dependency and not endpoints

• Identity as the true perimeter in modern enterprise environments

• The operational consequences of ransomware in critical infrastructure

• How leaders make decisions when every option carries risk

🧩 About The CISO Signal

True cybercrime storytelling with real CISO lessons.

▶️ https://www.youtube.com/@TheCISOSignal

💼 https://www.linkedin.com/company/the-ciso-signal

🌐 https://www.thecisosignal.com

👥 Join the Conversation

The CISO Signal Cybersecurity Leadership Forum

https://www.linkedin.com/groups/17974008

#CISOSignal #ChangeHealthcare #CyberSecurity

#Ransomware #HealthcareSecurity #CyberResilience

#CISO #TrueCybercrime

🎙 With Jeremy Ladner and guest co-hosts Kavitha Mariappan and Mark Dorsi

For months, the warning was sitting in plain sight.

A critical vulnerability.

Publicly disclosed.

Actively exploited.

A patch was available.

Inside one of the largest credit reporting agencies in the world, the system remained exposed.

No zero-day.

No advanced exploit chain.

Just a missed update.

In May 2017, attackers began exploiting a known flaw in the Apache Struts framework.

The vulnerability allowed remote code execution.

Unauthenticated.

Unrestricted.

From the outside, it looked like routine traffic.

Inside the network, it was something else.

They accessed databases.

Queried records.

And began extracting one of the most sensitive datasets imaginable.

Names.

Social Security numbers.

Birth dates.

Addresses.

The identity layer of nearly half the United States population.

For 76 days, the activity continued.

No alarms.

No interruption.

Until it was too late.

By the time Equifax disclosed the breach in September 2017, approximately 147 million individuals had been affected.

Executives resigned.

Investigations launched.

Congress intervened.

But the breach itself had already unfolded.

Because this was not a story about attackers breaking through hardened defenses. It was a story about what happens when a known vulnerability remains unpatched inside a system that holds national-scale data.

In this episode of The CISO Signal | True Cybercrime Podcast, host Jeremy Ladner is joined by Kavitha Mariappan of Rubrik and Mark Dorsi, CISO at Netlify, to examine how a single missed control can cascade into systemic failure, why patch management must be operationalized not assumed, and what resilience actually means when prevention fails.

Because in cybersecurity, the most dangerous vulnerabilities are often the ones already documented. And already waiting.

🎙 Guest CISO Co-Host

Mark Dorsi

Chief Information Security Officer

Netlify

https://www.netlify.com

🤝 Sponsor Expert

Kavitha Mariappan

Chief Transformation Officer, Rubrik

https://www.rubrik.com

Rubrik delivers cyber resilience by securing data across enterprise, cloud, and SaaS environments, enabling organizations to recover quickly from cyber incidents and maintain operational continuity.

🔎 Episode Topics

• The Apache Struts vulnerability (CVE-2017-5638) and how it was exploited

• Why patch management failures still drive catastrophic breaches

• How attackers operated undetected inside Equifax systems for over two months

• The difference between prevention failure and resilience failure

• What security leaders must operationalize to avoid systemic exposure

🧩 About The CISO Signal

True cybercrime storytelling with real CISO lessons.

▶️    / @thecisosignal  

💼   / the-ciso-signal  

🌐 https://www.thecisosignal.com

👥 Join the Conversation

The CISO Signal Cybersecurity Leadership Forum

  / 17974008  

#CISOSignal #EquifaxBreach #CyberSecurity

#DataBreach #PatchManagement #CyberResilience

#CISO #TrueCybercrime

🎙 With guest co-hosts Ev Kontsevoy, CEO and Co-founder of Teleport, and Marius Poskus Global VP of Cyber Security at Glow Financial Services

For years, attackers have used artificial intelligence.

It helped them write malware faster.
Scan networks more efficiently.
Refine phishing campaigns.
Automate reconnaissance.

But the humans were still in charge.

They chose the targets.
They wrote the scripts.
They decided what happened next.

That era has ended.

The GTG-1002 campaign revealed something new on the cybersecurity battlefield:

Agentic attackers.

Not tools.
Not assistants.

Autonomous attackers capable of planning, testing, refining, and executing operational steps with minimal human direction.

Armies of them.

Once deployed, these systems do not pause.
They iterate.

And they move at a speed no human operator can match.

In September 2025, security teams at Anthropic began noticing unusual activity inside Claude Code, the company’s powerful AI coding system designed to help engineers write software and automate development tasks.

At first glance, the activity looked legitimate.

Infrastructure validation.
Authentication testing.
Compliance reviews.

But the sessions ran deeper than expected.

Prompts chained together in recursive loops.
Scripts generated, executed, refined, and redeployed in rapid succession.
Reconnaissance disguised as routine engineering workflows.

The system was not simply answering questions.

It was executing operational sequences.

Investigators eventually linked the activity to a threat cluster designated GTG-1002, touching organizations across technology, finance, manufacturing, and government environments.

Human operators were still present.

But they were no longer directing every move.

Instead, the system generated scripts, mapped environments, refined exploit logic, and iterated through operational pathways at machine speed.

Tasks that once required weeks compressed into cycles measured in minutes.

Anthropic detected abnormal behavior patterns and suspended the accounts. On November 13, 2025, the company publicly disclosed what it described as the first known large-scale AI-orchestrated cyber espionage campaign.

Attribution remains assessed rather than proven. Some analysts noted characteristics consistent with Chinese state-aligned operations. Chinese officials denied involvement.

But the geopolitical debate may not be the most important part of this story.

Because the real significance of GTG-1002 is not simply that attackers used AI.

It is that agentic systems began managing parts of the operation themselves.

In this episode of The CISO Signal | True Cybercrime Podcast, host Jeremy Ladner is joined by Ev Kontsevoy, Co-founder and CEO of Teleport, and Marius Poskus, Global VP of Cyber Security and CISO at Glow Financial Services, to examine how agentic AI systems can be manipulated into operational roles, why identity and infrastructure controls become critical in an agentic world, and what security leaders must understand when trusted automation begins directing attack workflows.

Because once cyber operations move at machine speed, the rules change.

And the age of agentic attacks has already begun.

🎙 Guest CISO Co-Hosts

Marius Poskus
Global Vice President of Cyber Security | CISO
Glow Financial Services Limited
https://www.glowservices.com

🤝 Sponsor Expert

Ev Kontsevoy
Co-founder & CEO, Teleport
https://goteleport.com

Teleport is the AI Infrastructure Identity company, providing a unified identity layer that orchestrates identities for humans, machines, workloads, and AI agents while eliminating static credentials from infrastructure.

🔎 Episode Topics

• The GTG-1002 AI-orchestrated espionage campaign
• Claude Code and the rise of agentic attack workflows
• How prompt manipulation can redirect autonomous AI systems
• The difference between AI-assisted and AI-directed attacks
• Why agentic systems compress attack timelines dramatically

🧩 About The CISO Signal

True cybercrime storytelling with real CISO lessons.

▶️   / @thecisosignal 
💼   / the-ciso-signal 
🌐

With guest co-host John Carse, Field CISO at SquareX

In 2024, attackers did not steal call recordings.
They did not intercept encrypted text messages.
They went after something quieter.
Call detail records.
The outlines of conversations.
Phone numbers.
Timestamps.
Durations.
Cell tower connections.
Metadata that, on its own, seems technical. Harmless. Operational.
But at telecom scale, metadata becomes something else.
Between April and early June 2024, attackers accessed systems containing call and text metadata tied to approximately 86 million AT&T customers. The intrusion was traced to a third-party cloud environment associated with AT&T’s data operations. Investigators later pointed to compromised credentials discovered in a Snowflake environment after a phishing attack and infostealer infection inside a vendor ecosystem.
No ransomware encryption.
No service outage.
No dramatic system shutdown.
Instead, approximately $370,000 in cryptocurrency was reportedly paid in an effort to prevent public exposure of the dataset.
Some analysts linked the activity to a cluster labeled UNC5537. 

Other reporting mentioned data brokerage ecosystems such as ShinyHunters. Researchers, including those at Mandiant, urged caution on attribution, noting behavior consistent with criminal monetization rather than confirmed state-sponsored espionage.

There is no public evidence that this dataset was used for intelligence operations.
There is also no way to prove that it was not.

Because telecom metadata does not just describe calls.
It describes relationships.
Who speaks to whom.
How often.
From where.
Which towers were touched along the way.

For criminals, that information enables SIM swapping, fraud, and targeted phishing.
For nation states, it can illuminate social graphs, travel patterns, and networks of influence.

In this episode of The CISO Signal | True Cybercrime Podcast, we examine how third-party access became the breach path, why metadata is often more strategically valuable than content, and what happens when operational data quietly becomes intelligence-grade material.
This is not a story about encryption failing.
It is a story about accumulation.

🎙 Guest Co-Host
John Carse
Field CISO, SquareX
Three-time CISO and host of Be Fearless: The CISO Perspective

🔍 Episode Topics
• What telecom metadata actually reveals beyond call content
• Why large telecom providers are high-value intelligence targets
• How third-party access and credential reuse created the breach path
• Snowflake, vendor risk, and the anatomy of cloud miscalculation
• The criminal data brokerage ecosystem and resale supply chains
• Why metadata can be more operationally useful than call recordings
• Inside the first 24 hours of executive response and board escalation
• How security debt surfaces after a third-party breach
• Why threat models must evolve when operational systems become intelligence repositories

🧊 The Aftershock
On July 12, 2024, AT&T publicly acknowledged the breach, confirming that call and text content were not accessed.
But the exposure shifted the conversation.
Privacy experts noted that metadata can reveal business relationships, political activity, religious observance, romantic connections, and movement patterns, without ever recording a single word.
Later reporting connected the broader Snowflake-related campaign to individuals including John Erin Binns and Connor Moucka, though attribution questions remain complex and evolving.
What makes the AT&T breach different is not technical spectacle.
It is the quiet reality that behavioral data, once accumulated at scale, becomes strategic.
Every organization that logs user behavior now holds a map.
And every map attracts attention.

🧩 About The CISO Signal
True cybercrime storytelling with real CISO lessons.
Subscribe so you never miss an investigation.
👉 @thecisosignal
👉 www.linkedin.com/company/the-ciso-signal
👉 www.theCISOsignal.com

#CISOSignal #ATTBreach #Metadata #Snowflake
#CyberEspionage #ThirdPartyRisk #TelecomSecurity #CISO #TrueCybercrime

With guest co-hosts Christopher Russell, CISO at tZERO Group
and Benjamin Lipczynski, Director of Cyber Security & Regulatory Services at Origina

In late 2020, attackers did not target the cloud.
They did not exploit a modern SaaS platform.
They went after a quiet, aging file transfer appliance that had been sitting in enterprise environments for nearly two decades.
The Accellion File Transfer Appliance (FTA) was still moving contracts, legal documents, financial records, and sensitive data across governments, universities, and global enterprises. Long past its intended design horizon, it remained trusted. And largely unseen.
Then a cluster of zero-day vulnerabilities was exploited.
Attackers linked to FIN11 used the flaws for large-scale data exfiltration. The stolen data was then handed off to the Clop, which launched a public leak-site extortion campaign.
No ransomware encryption.
Just stolen files and pressure.
Victims included Shell, Kroger, the Reserve Bank of New Zealand, multiple universities, and public-sector agencies worldwide.

In this episode of The CISO Signal | True Cybercrime Podcast, we break down how legacy systems quietly become high-consequence risk, why patching alone could not fix the underlying problem, and what happens when attackers specialize across exploitation and extortion.

This is not a story about ignoring upgrades.
It is a story about systems that outlive their assumptions.

🎙 Guest Co-Hosts

Christopher Russell:
Chief Information Security Officer, tZERO Group
👉  www.tzero.com
👉    / tzero 

Benjamin Lipczynski:
Director, Cyber Security & Regulatory Services,
🤝 Episode Sponsor: Origina
👉  www.origina.com
👉    / origina 

This episode is sponsored by Origina, an independent provider of third-party software support and lifecycle governance for mission-critical enterprise systems.

Origina works with security, IT, and risk leaders to safely operate, harden, and govern systems that may be aging, end-of-life, or under vendor upgrade pressure, without forcing rushed or unnecessary migrations. Their approach focuses on control, stability, and evidence-based decision making, especially in environments where downtime or disruption is not an option.

🔍 Episode Topics

• Why legacy file transfer tools stayed in production for decades
• How multiple zero-days were exploited in rapid succession
• The handoff between initial access groups and extortion operators
• Why many victims learned of the breach through leak sites
• Patching vs architectural limits in aging systems
• How security leaders can manage legacy risk without panic-driven upgrades

🧊 The aftershock

By early 2021, global CERT teams urged organizations to migrate off Accellion FTA immediately, citing its end-of-life status and ongoing risk. Multiple lawsuits followed, along with increased regulatory scrutiny of legacy tools embedded in sensitive workflows.

The Accellion breach became a reference point for a broader industry reckoning around technical debt, governance, and the hidden risk of systems that are still working right up until the moment they fail.

🧩 About The CISO Signal

True cybercrime storytelling with real CISO lessons.
Subscribe so you never miss an investigation.
👉 @thecisosignal 
👉  www.linkedin.com/company/the-ciso-signal
👉  www.theCISOsignal.com 

#CISOSignal #AccellionBreach #Clop #FIN11
#LegacySystems #DataExtortion

With guest CISO Co-Host Alyssa Robinson, CISO at HubSpot

In late 2023, a Russian state-sponsored threat actor known as Midnight Blizzard (also called NOBELIUM and widely associated with APT29) began probing Microsoft the old-fashioned way: password spraying.

No zero-day. No smash-and-grab.

Just patience, repetition, and one legacy gap.

Microsoft says the actor compromised a legacy, non-production test tenant account and used that foothold to access a very small percentage of Microsoft corporate email accounts, including members of senior leadership and employees in cybersecurity and legal, then exfiltrated some emails and attached documents. Microsoft detected the attack on January 12, 2024, and disclosed it publicly on January 19, 2024.
Microsoft

This was espionage, not extortion: Microsoft assessed the actor was initially seeking information related to Midnight Blizzard itself, essentially trying to learn what Microsoft knew about their operations.
Microsoft
+1

In this episode of The CISO Signal | True Cybercrime Podcast, we break down how a nation-state operation targets the most valuable asset in modern security: identity. We explore why executive inboxes are intelligence gold, why slow intrusions are so hard to see in real time, and what incident response looks like when the adversary is collecting insight, not detonating ransomware.

🎙 Guest CISO Co-Host

Alyssa Robinson
Chief Information Security Officer, HubSpot

🔍 Episode Topics

• How password spraying still works at massive scale
• Why legacy test tenants and exceptions become the entry point
• Executive identity risk and the “convenience gap”
• What changes when the attacker is a nation state
• The trust question: what downstream organizations must assume

🧊 The aftershock

Microsoft later reported evidence that the actor was using exfiltrated information to pursue additional unauthorized access, including some source code repositories and internal systems, while stating it found no evidence that Microsoft-hosted customer-facing systems were compromised.
Microsoft

CISA also issued guidance on SVR / APT29 tradecraft for initial cloud access (AA24-057A) and an Emergency Directive tied to this compromise (ED 24-02).
CISA
+1

🧩 About The CISO Signal
True cybercrime storytelling with real CISO lessons. Subscribe so you never miss an investigation.
👉 / @thecisosignal
www.linkedin.com/company/the-ciso-signal

#CISOSignal #MicrosoftBreach #MidnightBlizzard #APT29 #NOBELIUM
#CyberEspionage #IdentitySecurity #CloudSecurity #CISO #TrueCybercrime

They were after the customers of its customers.

Crypto firms like Trezor, BlockFi, and Swan Bitcoin suddenly saw their users targeted by near-perfect phishing emails designed to steal recovery seeds and drain wallets. And just weeks later, another SaaS provider, Klaviyo, was hit the same way. The message was clear:

You can defend your castle…
but attackers will go after the people guarding your gates.

This week on The CISO Signal | True Cybercrime Podcast, we dissect the SaaS-supply-chain breach that shook the crypto world and the coordinated response that stopped it from becoming a full-scale disaster.

🎙 Guest CISO Co-Host: Scott Kisser
Chief Information Security Officer – Swan Bitcoin
Former security leader at Salesforce, DocuSign, Amazon, and F5.

Scott takes us inside the incident response:
• How a single phished employee put the SaaS ecosystem at risk
• Why crypto companies were the downstream target
• The race to warn customers before attackers drained wallets
• How CISOs must rethink vendor access and trust assumptions
• Why no major funds were stolen — and why that victory matters

This wasn’t a tale of ransomware, it was a breach of trust.
And a reminder that SaaS is now part of every organization’s attack surface.

🔍 Episode Topics

• Vendor compromise → internal tool access → crypto user phishing

• The human element behind SaaS security

• What leadership communication looks like when trust is shaken

• The new rules of defending against third-party attack vectors

🏴‍☠️ Key Players
• HubSpot — initial breach vector
• Klaviyo — second SaaS compromise
• Trezor & Swan Bitcoin — downstream targets
• Crypto customers — the true victims
• CISOs — left to restore confidence & reshape strategy

💡 Takeaway for CISOs
“You’re only as strong as the SaaS identities you can’t see.”

🧩 About The CISO Signal
Hollywood-style storytelling meets real cybersecurity lessons.
Every episode, CISOs break down the world’s most notorious cyberattacks — what happened, what broke, and what must change.

Subscribe & ring the bell so you never miss an investigation. 🛎️
👉   / @thecisosignal 

📣 Connect with Us
🌐 Website: thecisosignal.transistor.fm
🔗 LinkedIn: linkedin.com/company/the-ciso-signal
Subscribe & share to stay ahead of the world’s most sophisticated cyber threats.

🔥 Hashtags
#CISOSignal #HubSpotBreach #Klaviyo #SaaSSecurity #CryptoSecurity #SupplyChainAttack #SocialEngineering #Phishing #SecurityPodcast #TrueCybercrime #ScottKisser #SwanBitcoin #Trezor

For two full weeks, the intruders operated in silence. No alerts. No red flags. No detection.

When the truth came out, it wasn't just a security incident, it was a crisis of trust in the infrastructure that underpins modern authentication.
How did a company synonymous with identity become a cautionary tale? What does this breach reveal about session tokens as the new crown jewels, third-party risk, and the blind spots that even top-tier security teams can miss? And what lessons does every CISO need to take from the Okta compromise before history repeats itself?

In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Oren Zenescu, CISO at Plarium, to break down every layer of the Okta breach, from the silent entry and token theft to the fallout across the cybersecurity community and what it means for the future of identity security.

💡 In this episode, we discuss:
🔹 How attackers harvested HAR files and hijacked live session tokens
🔹 Why session tokens are becoming the primary target for modern attackers
🔹 The two-week detection delay and what it says about support system security
🔹 What the Okta breach means for zero trust, vendor reliance, and third-party risk
🔹 Lessons CISOs must take from Okta’s incident history Lapsus$, source code theft, and beyond

🎙 Featured Guest
Oren Zenescu | Global CISO at Plarium
Member of Team8 CISO Village, with 15+ years of enterprise security leadership across finance, gaming, and global tech.

Follow The CISO Signal
🌐 Website: thecisosignal.transistor.fm
🔗 LinkedIn: linkedin.com/company/the-ciso-signal
Subscribe & share to stay ahead of the world’s most sophisticated cyber threats.

#CyberSecurity #OktaBreach #IdentitySecurity #TokenHijacking #ZeroTrust #CISO #IncidentResponse #SupplyChainSecurity #CyberCrime #TheCisoSignal

In one of the most shocking moments in crypto history, a lone hacker exploited a vulnerability in Poly Network’s cross-chain protocol—draining over $610 million in digital assets across Ethereum, Binance Smart Chain, and Polygon.

Then, in a twist no one saw coming… they gave it all back.

Was it a white-hat test gone wrong? A hacker with a conscience? Or a sophisticated cover-up by an insider? To this day, the attacker’s true identity remains a mystery—and the world is still searching for answers.

In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Christopher Russell, CISO at tZERO Group, to dissect the technical brilliance, psychological intrigue, and geopolitical implications of what might be the largest digital heist in history—and the most bizarre ending cybersecurity has ever seen.

💡 In this episode, we discuss:
🔹 How a flaw in Poly Network’s cross-chain manager enabled the $610M exploit
🔹 Why the hacker chose to return every stolen token
🔹 The role of decentralized finance (DeFi) in enabling modern cybercrime
🔹 What CISOs can learn from the blockchain’s weakest link
🔹 Why attribution in crypto attacks remains nearly impossible

Follow The CISO Signal:
🌐 Website: www.thecisosignal.transistor.fm

🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

Don’t forget to like, subscribe, and share — to stay ahead of the world’s most sophisticated cyberattacks.

#CyberSecurity #CryptoHack #PolyNetwork #DeFi #BlockchainSecurity #CISO #TheCisoSignal #CyberCrime #CryptoHeist

In a world where AI can mimic voices and faces perfectly, even the most secure companies can fall victim. The Arup Deepfake Hack shocked the corporate world when attackers used AI-generated video of the company’s CFO to trick an employee into wiring $25 million to a fraudulent account.

This was not just another phishing attempt, it was a sophisticated manipulation that blurred the line between reality and digital deception. The incident highlights how AI-driven attacks are evolving and why every cybersecurity leader must rethink traditional defense strategies.

In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Mark Dorsi, CISO at Netlify, to break down one of the most alarming corporate scams of our time. Mark brings decades of experience building security programs for high-growth technology organizations, including HelloSign, Cloud Lending Solutions, and Qualys, and now leads security at Netlify. Together, they unpack how the deepfake attack happened, why traditional security controls failed, and what actionable steps leaders can take to protect their organizations from AI-powered social engineering.

💡 In this episode, we discuss:
🔹 How attackers used AI and a video conference to impersonate the CFO
🔹 The psychological tactics behind the $25 million wire transfer
🔹 Why traditional security measures were not enough to prevent the attack
🔹 Emerging strategies to defend against deepfake and AI-driven threats
🔹 Key lessons every CISO can use to strengthen their security posture

Follow The CISO Signal:
🌐 Website: www.thecisosignal.transistor.fm

🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

Don’t forget to like, subscribe, and share to stay ahead of the world’s most sophisticated cyberattacks.

#Cybersecurity #DeepfakeHack #ArupHack #CISO #TheCisoSignal #AIThreats #CyberCrime

What started as a movie scandal quickly escalated into an international incident and a turning point for every CISO and cybersecurity leader. The Sony Hack showed the world how geopolitics, culture, and cyber warfare could collide in ways that devastate private companies.

In this episode of THE CISO SIGNAL: TRUE CYBERCRIME PODCAST, host Jeremy Ladner takes you inside the breach that changed corporate security forever. We unpack how Sony responded under pressure, why their crisis management is still debated a decade later, and what today’s security leaders must learn to defend against state-sponsored threats.

💡 IN THIS EPISODE, WE DISCUSS:
👉 How The Interview triggered a nation-state cyberattack
🔹 The impact of leaked emails and unreleased Sony films
⚠️ Why Sony’s response became a leadership case study
🛡️ How the Sony Hack reshaped global cybersecurity strategy
📈 Actionable CISO lessons for preparing against nation-state adversaries

🎙️ ABOUT OUR GUEST:
Dror Hevlin — VP Security & CISO at Cynomi. With 20+ years in defense, critical infrastructure, and enterprise security, Dror brings unique insight into nation-state threats. Learn more 👉 https://www.cynomi.com

FOLLOW "THE CISO SIGNAL" ON:
🌐 Website: www.thecisosignal.transistor.fm
🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

👍 Don’t forget to LIKE, SUBSCRIBE & SHARE to stay ahead of the world’s most dangerous cyberattacks!

#Cybersecurity #SonyHack #TheInterview #NorthKorea #NationStateAttack #CISO #TheCisoSignal

In September 2023, Las Vegas turned into ground zero for one of the most disruptive cyberattacks in U.S. history. MGM Resorts, owner of iconic casinos on the Strip, saw slot machines go dark, hotel check-ins grind to a halt, and operations paralyzed for days. At the same time, Caesars Entertainment quietly faced its own breach, but unlike MGM, Caesars chose to pay the ransom.

In this episode of THE CISO SIGNAL: TRUE CYBERCRIME PODCAST, we take you inside the MGM Casino $100M ransomware hack and contrast it with the Caesars breach. We break down how attackers from the Scattered Spider/ALPHV ransomware group gained access, why MGM refused to pay, and what every CISO can learn from the two very different incident response strategies.

Our special guest co-host is PAZ SHWARTZ, CISO and CEO at Persist Security, who joins us to analyze the attacks, share real-world insights, and outline how leaders should prepare for ransomware scenarios that strike at the heart of critical business operations.

IN THIS EPISODE, WE DISCUSS:

👉 How the Scattered Spider group used social engineering to breach MGM and Caesars

🔹 Why MGM Resorts refused to pay ransom and Caesars paid up

⚠️ The operational and financial fallout for both casino giants

🛡️ Actionable strategies CISOs can deploy to prepare for high-stakes ransomware incidents

📈 Key leadership lessons for crisis response under public and shareholder pressure

ABOUT OUR GUEST:

Paz Shwartz is the CEO and CISO of Persist Security, with deep expertise in cybersecurity strategy, risk management, and incident response for global enterprises.

FOLLOW "THE CISO SIGNAL" ON:

🌐 Website: www.thecisosignal.transistor.fm

🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

DON'T FORGET TO LIKE, SUBSCRIBE, AND SHARE TO STAY AHEAD OF THE LATEST CYBERCRIME THREATS!

#Cybersecurity #MGM #Caesars #CasinoHack #Ransomware #CISO #TheCisoSignal

In this episode of The CISO Signal, we go deep inside the cyberattack that shook the financial world.

Join us as we unravel the haunting details of the 2021 ransomware attack on CNA Financial, which resulted in a record-breaking $40 million ransom payment in Bitcoin.

This wasn't just another breach. This was a black swan event cloaked in silence, executed by a mysterious threat actor known as Phoenix. They slid past defenses, encrypted over 15,000 devices, and vanished with a payday big enough to fund a small nation-state.

How did one of the largest U.S. insurers, an industry built on managing risk become the ultimate risk?

🧠 GUEST CISO CO-HOST: Matan Eli Matalon

We’re joined by Matan Eli Matalon, CISO of OP Innovate. With a battlefield-hardened perspective from years in offensive and defensive cybersecurity, Matan brings a rare blend of red team psychology and blue team pragmatism to decode the dark mechanics behind this quiet catastrophe.

From ransomware tactics and insurance industry blind spots to negotiating with digital extortionists, Matan provides unparalleled insights.

📌 In This Episode:

ATTACK ANATOMY: How the CNA ransomware attackers gained access and detonated their payload.

ROOT CAUSE: The critical role of stolen credentials, Active Directory, and legacy systems.

THE RANSOM DECISION: Why a $40M ransom was paid and what it signals for future attacks.

THE AFTERMATH: The eerie silence that followed and the legal/PR playbook that unfolded.

KEY TAKEAWAYS: What security leaders can learn from CNA’s nightmare to prevent the next one.

🔐 FOR CISOs, BY CISOs.
The CISO Signal is a cinematic, story-driven podcast for security leaders, SOC professionals, and infosec veterans. Each week, we dissect high-stakes breaches with the insight of top CISOs and the pace of a true crime thriller.

SUBSCRIBE NOW! for weekly episodes that go beyond the headlines and deep into the shadows of today’s cyber underworld.

👍 LIKE, COMMENT, and SHARE this episode with your security team.
🌐 Visit thecisosignal.transistor.fm for full episodes, bios, and more.

#CNAFinancial #RansomwareAttack #Cybersecurity #CISOPodcast #TrueCybercrime #Infosec #Ransomware #CyberInsurance #SecurityLeadership #BreachAnalysis #IncidentResponse #SOC #CyberRisk #CIO #CTO #Hacking #DigitalExtortion #Cyberthreats #CybersecurityNews #Datasecurity #MatanMatalon

A 17-year-old hacker. A simple social engineering tactic. A taunting message posted to Uber’s internal Slack channel. In one of the most audacious breaches in recent memory, a teenager allegedly affiliated with the Lapsus$ group compromised a Fortune 500 company, exposing critical vulnerabilities in even the most sophisticated security frameworks.

In this episode of THE CISO SIGNAL: TRUE CYBERCRIME, we go behind the scenes of the Uber breach to tell the full story of how this attack unfolded. We investigate the chain of events that led to the compromise and shine a light on the human element—the weakest link in cybersecurity.

Our special guest co-host is ORI STEIN, CISO at TrustNet Security, part of the Tama Group. Ori breaks down the anatomy of the attack and shares actionable intelligence on how to protect your organization from similar social engineering threats.

IN THIS EPISODE, WE DISCUSS:
👉 How a simple text message and MFA fatigue became the keys to the kingdom
🔹 The role of the Lapsus$ threat group and their unusual tactics
⚠️ Why even a strong security team can be vulnerable to human factors
🛡️ Actionable strategies to bolster your MFA and incident response protocols
📈 The leadership lessons CISOs can take away from this high-profile breach

ABOUT OUR GUEST:
Ori Stein is a seasoned CISO with extensive experience in security strategy and incident response. He serves as CISO at TrustNet Security, part of the Tama Group.

FOLLOW "THE CISO SIGNAL" ON:
🌐 Website: www.thecisosignal.transistor.fm
🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

DON'T FORGET TO LIKE, SUBSCRIBE, AND SHARE TO STAY AHEAD OF THE LATEST CYBERCRIME THREATS!

#Cybersecurity #UberBreach #SocialEngineering #CISO

One trusted software update. Thousands of victims. A breach that changed the cybersecurity landscape forever.

In this episode, we investigate the SolarWinds supply chain attack, a nation-state cyber operation that exposed the deep fragility of the modern software ecosystem. What made this breach so dangerous wasn’t just how many organizations were compromised; it was how long the attackers went undetected and how deeply they infiltrated the systems we rely on most.

🧠 Jeremy Ladner with Guest Co-Host: Alberto Deto Hassan
Veteran CISO and former head of Israel’s National CERT, Alberto, joins Jeremy Ladner to analyze the SolarWinds hack from both strategic and technical perspectives with lessons every CISO and security leader needs to hear.

🔍 In This Episode:

• How Russian APT actors compromised 18,000+ organizations using a poisoned software update
• Why perimeter-based security models failed
• How this attack ignited the Zero Trust movement
• What today’s CISOs must do to secure their software supply chain
• Real-world advice from one of the world’s leading cybersecurity experts

👂 Who Should Listen:

• CISOs, security architects, and incident responders
• Cyber threat intelligence and red team professionals
• Fans of true cybercrime and nation-state breach stories
• Anyone who wants to understand how trust was exploited and how to defend against it

The CISO Signal is a cinematic, story-driven podcast that turns major breaches into case studies for security leaders — blending narrative storytelling with expert CISO insight.

🔐 For CISOs. By CISOs. But, made to thrill fans of true crime, cyber warfare, and the breach stories that shaped our world.

🔗 Subscribe, Review & Share:

Follow us for weekly episodes exploring the breaches that define cybersecurity today.
 💬 Leave a review if you enjoy the show — it helps us reach more security pros and true cybercrime fans.

In this premiere episode of The CISO Signal, we uncover the chilling true cybercrime story of the NotPetya attack — a weaponized piece of malware launched by the Russian state-backed hacking group Sandworm, which brought Maersk, the world’s largest shipping company, to its knees.

What began as an attack on Ukraine’s infrastructure cascaded across the globe, infecting critical systems, halting operations, and costing the logistics giant over $10 billion in damage.

But this isn’t just a story about malware — it’s a case study in lateral movement, trusted access abuse, and what happens when even the most mature enterprises are blindsided by nation-state warfare masquerading as ransomware.

🎧 With Guest Co-Host: Shlomi Avivi
We’re joined by Shlomi Avivi, a veteran cybersecurity executive and former CISO of several hyper-growth companies. With 20+ years in the trenches of risk management and enterprise security, Shlomi brings a sharp, modern lens to what went wrong, and what CISOs everywhere need to understand today.

Shlomi is a strong believer in forward-thinking security strategies that evolve with the threat landscape, and in this episode, he helps unpack how legacy vulnerabilities met modern warfare… and lost.🎧 In this episode:

- How a single compromised update triggered global chaos
- What Maersk lost — and how close they came to losing everything
- The technical and emotional toll on security teams
- What CISOs can learn from one of history’s most destructive cyberattacks

🧠 Guest Commentary from Top CISOs
We bring in real-world CISOs to analyze the breach, not as victims, but as expert investigators. Together, we examine the breach’s timeline, the security failures, and the haunting “what ifs” that still echo through the infosec world.

🔐 For CISOs, by CISOs.
The CISO Signal is a cinematic true cybercrime podcast designed for cybersecurity leaders, red teamers, and infosec pros. Each episode dissects a real breach with the tone of True Detective, the rhythm of The Twilight Zone, and the insight only seasoned CISOs can provide.

🧭 Subscribe now for weekly episodes that turn infamous cyberattacks into case studies every security team should hear.
👉 Don’t forget to like, comment, and share with your security team.

#Cybercrime #NotPetya #MaerskHack #Sandworm #TheCISOSignal #CISOPodcast #CybersecurityPodcast #TrueCybercrime #IncidentResponse #NationStateAttack #InfoSec #BreachAnalysis #SOC #RedTeam #SecurityLeadership #SupplyChainSecurity