Power Plays, Deepfakes, and Ransom Negotiation gets Shadier

Military funding, cloned voices, and the negotiator who switched sides

The average AI-generated phishing site stays online for just 3.5 hours—but that’s more than enough time to do damage.

📬 This Week’s Clickables

  • 📌 Big News – Military cyber funding & UK retail cybercrime arrests

  • 🚨 Can’t Miss – Email bombs, Scattered Spider’s TTPs, and Iranian ICS threats

  • 🤖 AI in Cyber – AI pentesters, deepfake impersonation, global AI summit, and org-level gaps

  • 🧪 Strange Cyber Story – A ransomware negotiator... turned threat actor?

🚨 Big Stories

🤑 U.S. Military Cyber Funding Surges in Domestic Policy Bill

Intro: Cybersecurity isn’t just a tech budget line anymore—it’s part of national power projection. Lawmakers are treating cyber capability as a strategic pillar alongside air, sea, land, and space.
What Happened: A sweeping domestic policy bill passed the House with over $100 million earmarked for military cyber operations, including upgrades to defense systems and offensive cyber development. The funding is tied to broader infrastructure, but cyber saw the largest relative year-over-year increase.
Why It’s Important: This marks one of the most significant peacetime investments in U.S. cyber posture. It also reflects how modern deterrence strategies are shifting away from kinetic weapons and toward persistent digital readiness.
The Other Side: Critics have flagged the lack of transparency in how these cyber budgets will be allocated—especially for offensive operations, which often sit in a legal and ethical gray zone. There’s also concern about accountability when contractors are involved. Not to mention the lack of funding for CISA, which provides services to small businesses that might not otherwise be able to afford them.
The Takeaway: If you're in defense, aerospace, or high-trust infrastructure, expect new opportunities—and new scrutiny. Government funding is expanding, but so are expectations for resilience and reporting.
TL;DR: The U.S. isn’t just defending networks—it’s funding digital dominance.

Further Reading:

👮 UK Arrests Four in £440M Retail Cyberattacks Linked to Scattered Spider

Intro: Law enforcement just made one of the largest cybercrime busts in UK history—connecting a series of retail breaches to a familiar adversary. The impact spans millions of customers, disrupted supply chains, and eroded trust in luxury retail.
What Happened: British authorities arrested four suspects tied to cyberattacks against Marks & Spencer, Co-op, and Harrods, which leveraged phishing and social engineering to breach internal systems. The attacks caused an estimated £300–440 million in losses and are attributed to a group using Scattered Spider’s known tactics.
Why It’s Important: This shows how retail—especially with centralized payment systems and CRM databases—is an ongoing target for sophisticated, persistent attackers. Scattered Spider has evolved from a nuisance to a sustained, vertical-specific threat actor.
The Other Side: Authorities say this is a meaningful takedown, but investigators believe the broader group remains active across multiple countries. With modular tactics and decentralized membership, Scattered Spider is proving hard to root out entirely.
The Takeaway: If you’re in retail or e-commerce, this is your third and final warning: zero-trust, least privilege, and endpoint monitoring must move beyond theory. Social engineering is now industrialized.
TL;DR: Retail chains got wrecked—and Scattered Spider’s web just got partially snipped.
Further Reading:

🔥 Can’t Miss This Week

  • 📨 Microsoft Blocks Email Bombs in Office 365 – Defender now automatically mitigates email-bomb floods intended to bury critical alerts or cause account lockout.
    Takeaway: Enable email-bomb protection and consider limiting forwarding rules for sensitive roles.

  • 🕵️‍♂️ Breaking Down Scattered Spider’s Playbook – Detailed insights into MFA bypasses, SIM swapping, and lateral movement in real-world breaches.
    Takeaway: Review your helpdesk, identity workflows, and SOC triage assumptions—before Scattered Spider does.

  • ⚙️ Iran-Linked APTs Target U.S. Industrial & Transportation Sectors – Federal agencies reported Iranian threat actors are probing and compromising ICS networks in logistics and manufacturing.
    Takeaway: If you run OT, review segmentation now. The geopolitical threat surface just expanded.

🤖 AI in Cyber

  • 🧠 AI-Powered Pentesters Uncover 17 Zero-Days
    AI agents scanned 188 open-source projects and found 17 new vulnerabilities—automated code review has officially gone offensive.
    Takeaway: Integrate autonomous scanners into your security pipelines before attackers do.

  • 🎙️ Deepfake Voice Impersonation Targets Secretary Rubio
    Cloned audio was used in a spoofed call targeting government staff, raising alarms about voice-based trust models.
    Takeaway: Drop voice-verification for high-risk actions—biometric fraud is now a script away.

  • ⚠️ 90% of Orgs Not Ready for AI-Augmented Threats
    Accenture reports show 9 in 10 enterprises have no AI-specific IR plans—despite widespread Copilot use.
    Takeaway: Audit AI inputs, outputs, and accountability frameworks before attackers test them for you.

🧟‍♂️ Strange Cyber

🎤 The Negotiator Who Switched Sides

Intro: What if the ransomware negotiator on your side... wasn’t?
What Happened: Bloomberg uncovered that a former U.S.-based ransomware negotiator is under federal investigation for allegedly colluding with criminal hackers. He reportedly advised companies to pay while directing ransom flows to groups he was covertly affiliated with.
Why It’s Important: This case blurs the line between insider threat and cybercrime. It’s not about malware—it’s about manipulating trust under the guise of crisis response.
The Other Side: The accused denies wrongdoing and hasn’t been charged, but the Department of Justice confirmed the investigation is active and international.
The Takeaway: Incident response vendors now require the same due diligence as CISOs and CFOs. Access to ransomware negotiations is too powerful to blindly trust.
TL;DR: He wasn’t just negotiating for the victim—he may have been brokering both ends.
Further Reading:

Thanks for reading this week’s edition. Like what you see? Forward it!

Hate everything you see or have other feedback? Reply back to this email!