#NSBCS.073 - Fear Doesn’t Fix Cyber
Source: NSB Cyber
Fear doesn’t fix cyber
I recently saw a post on LinkedIn that really got me thinking. A photo of a person sitting on a train with their laptop, catching up on some work. Stuck to their laptop is a bright pink post-it note that appears to show passwords. The post gets the engagement, of course—likes, reposts, and a few 'this is why we can’t have nice things' comments.
I get that it’s meant to be funny, but every time I see one of these posts, I wonder, what if that person saw this post? Would they feel safer, smarter, more engaged with cyber? Or would they feel humiliated and less likely to actually ask for help? I feel like as an industry we shouldn’t be trying to catch people out. We shouldn’t be here to shame, we should be here to support, because fear and shame rarely drive actual change. Think of anything in life—fear creates paralysis, silence, and a culture where people are too afraid to speak up when something goes wrong. It’s so easy to mock user error, but these behaviours that we mock come from a place of trying to get things done. Passwords get written down because people are juggling 12 systems and can't remember them all. MFA often isn’t used because it wasn’t rolled out properly. Workarounds appear because someone needed to move faster than the process allowed.
When we respond with empathy instead of ego, we actually get the information we need to fix the root cause. And when people know they won’t be blamed, they’re far more likely to report, to ask questions, and to help strengthen the system. And that’s the point: cyber is of course a technical problem, but it’s also a people one. No one wakes up and decides to put their business at risk—but people do operate within systems that set them up to fail. Our job is to create environments and processes where secure behaviours are the easiest and most natural option.
I like to think that we are deliberate about the tone we bring into every room. We’re not interested in scaring clients into compliance or mocking their gaps. We care about building momentum (not perfection) and helping people feel supported enough to actually engage. No ‘gotcha’ moments, no public shame, no ‘you should’ve known better’. Just clear advice, honest conversations and respectful partnership.
Cyber is complex, it’s stressful, but it doesn’t have to be alienating. Stop treating users like the enemy. Stop relying on fear as a sales tactic. Start building secure businesses in ways that actually respect the people inside them.
If you’ve read any of my other posts you’ll know I’m big on people and culture, so I strongly believe that security will improve when people feel safe within the risk culture of their organisation. Empathy is a far more effective driver of behaviour than shame will ever be.
What we read this week
Venom Spider Targets HR Teams With Polymorphic More_eggs Malware - Arctic Wolf Labs has identified a spear-phishing campaign by threat actor Venom Spider, targeting HR staff with malicious résumés delivering the More_eggs backdoor. Victims receive ZIP files containing a decoy image and a Windows shortcut (.LNK) that downloads obfuscated scripts. These trigger a multi-stage payload, including More_eggs_Dropper, which uses legitimate Windows tools like ie4uinit.exe and msxsl.exe to evade detection and execute JavaScript code. The final payload, More_eggs, enables system data collection and remote code execution. Arctic Wolf urges organisations to train HR teams to scrutinise attachments and avoid opening suspicious file types like LNK, ISO, and VBS.
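Training HR staff to scrutinise attachments is only half of the mitigation; the other half is triaging the ZIP before it ever reaches a mailbox. The following is an added example, not code from Arctic Wolf or the newsletter, showing a small in-memory ZIP triage routine that flags the pattern described above (a decoy image alongside a .LNK), risky extensions such as LNK, ISO and VBS, double extensions like resume.pdf.vbs, and nested archives. The extension lists are my own assumption, and the sample archives are constructed placeholders, not real samples.

```python
import io
import zipfile

# Assumption: extension sets chosen for this example, not taken from the advisory.
RISKY_EXTENSIONS = {".lnk", ".iso", ".img", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
ARCHIVE_EXTENSIONS = {".zip"}
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


def _ext(name: str) -> str:
    """Lower-cased final extension of the entry's base name, '' if none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def triage_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> dict:
    """Inspect a ZIP held in memory and return findings; nothing is written to disk."""
    findings = {"risky": [], "double_ext": [], "decoy_pattern": False, "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
        exts = [_ext(n) for n in names]
        for name, ext in zip(names, exts):
            if ext in RISKY_EXTENSIONS:
                findings["risky"].append(name)
            # "resume.pdf.vbs": a document-looking name hiding a script extension
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) >= 3 and "." + parts[-1] in RISKY_EXTENSIONS:
                findings["double_ext"].append(name)
            # Recurse into archives-inside-archives, bounded to avoid zip bombs
            if ext in ARCHIVE_EXTENSIONS and depth < max_depth:
                findings["nested"].append((name, triage_zip(zf.read(name), depth + 1, max_depth)))
        # The lure shape from the advisory: an image to look harmless, a shortcut to run
        findings["decoy_pattern"] = any(e in IMAGE_EXTENSIONS for e in exts) and ".lnk" in exts
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings (including nested archives) into allow / quarantine / block."""
    level = "allow"
    if findings["risky"]:
        level = "quarantine"
    if findings["decoy_pattern"] or findings["double_ext"]:
        level = "block"
    for _, inner in findings["nested"]:
        inner_level = verdict(inner)
        if SEVERITY[inner_level] > SEVERITY[level]:
            level = inner_level
    return level


def build_zip(entries: dict) -> bytes:
    """Helper to construct sample archives in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: placeholder bytes only, no real documents or shortcuts.
BENIGN = build_zip({"jane_doe_resume.pdf": b"%PDF-1.4 placeholder", "cover_letter.docx": b"placeholder"})
DECOY = build_zip({"photo.jpg": b"\xff\xd8\xff placeholder", "resume.lnk": b"placeholder"})
NESTED = build_zip({"application.zip": build_zip({"resume.pdf.vbs": b"' placeholder"})})

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("decoy+lnk", DECOY), ("nested", NESTED)):
        print(f"{label:10s} -> {verdict(triage_zip(sample))}")
```

In a mail gateway the "quarantine" tier would hold the message for analyst review while "block" rejects it outright; the decoy-plus-LNK combination is treated as block because that exact shape is the lure the advisory describes, whereas a lone risky extension may still have a legitimate business reason.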
LockBit Dark Web Panel Breached, Affiliate Data and Chats Leaked - The LockBit ransomware gang has suffered a significant breach after its dark web affiliate panels were defaced with a message linking to a leaked MySQL database dump. The defacement, reading “Don’t do crime CRIME IS BAD xoxo from Prague,” revealed affiliate chat logs, bitcoin addresses, and plaintext passwords for 75 users. The dump includes 4,442 negotiation messages and attack configurations but no private keys. The breach appears to have occurred on April 29, 2025. Analysts suspect exploitation of CVE-2024-4577 in PHP 8.1.2. This breach follows LockBit’s 2024 takedown by Operation Cronos and gives potential further information on the rebranding of certain affiliates.
New “Bring Your Own Installer” Attack Bypasses Misconfigured SentinelOne EDR - Researchers at Aon’s Stroz Friedberg have discovered a new attack technique, dubbed “Bring Your Own Installer,” which exploits misconfigured SentinelOne EDR agents. The flaw allows attackers with local admin access to downgrade the EDR version, creating a 55-second gap with no protection—enabling malware deployment. In tests, researchers interrupted the upgrade process, leaving the endpoint fully unprotected. SentinelOne responded with a new Local Upgrade Authorization toggle, now enabled by default, that blocks local upgrades/downgrades. The vendor confirmed properly configured systems are unaffected and shared guidance with customers and other EDR vendors to prevent exploitation of similar techniques.
CISA, FBI Warn of Basic Cyberattacks Targeting US Oil and Gas ICS Systems - American agencies have issued a joint alert warning of unsophisticated but potentially disruptive cyberattacks targeting internet-connected industrial control systems (ICS) within the US oil and gas sector. Likely conducted by hacktivist groups exploiting default credentials and misconfigured systems, these intrusions could lead to operational disruptions or physical damage. Organisations are urged to disconnect ICS from public networks, implement strong authentication, rotate default passwords, and enforce network segmentation. The agencies also recommend working closely with system integrators and vendors to resolve configuration weaknesses and to adopt CISA's published ICS security guidance.
Europol and Partners Dismantle Global DDoS-for-Hire Network in Operation PowerOFF - Europol has announced the takedown of six DDoS-for-hire services—cfxapi, cfxsecurity, neostress, jetstress, quickdown, and zapcut—as part of Operation PowerOFF. Four suspects aged 19–22 were arrested in Poland, and nine domains were seized by the U.S. The services allowed paying users to launch powerful DDoS attacks for as little as €10, disrupting schools, government bodies, businesses, and gaming platforms. Platforms like QuickDown offered hybrid botnet/server attack options with pricing up to $379/month. The crackdown, coordinated with Dutch and German authorities, follows a December 2024 action that removed 27 similar platforms from operation.
References
https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/
https://www.darkreading.com/vulnerabilities-threats/bring-your-own-installer-attack-sentinelone-edr
https://www.securityweek.com/us-warns-of-hackers-targeting-ics-scada-at-oil-and-gas-organizations/
https://thehackernews.com/2025/05/europol-shuts-down-six-ddos-for-hire.html