Good Morning Security Gang
What a week it’s been. I officially announced my new role as CISO at Artera, and I want to thank everyone who sent love, messages, and notes on LinkedIn. Y’all blew up my phone — and it means the world. As I said yesterday, I love the critical infrastructure space — it’s blue collar, mission-driven, and foundational to what we do as cybersecurity practitioners.
Now, let’s dive into today’s episode. From a $120 million DeFi heist, to AI tools being abused as covert command channels, to cyberattacks hitting water utilities and global shipping systems, the week is shaping up to remind us why cyber never sleeps.
So let’s power up with a double espresso and get into it — coffee cup cheers, y’all.
$120 Million DeFi Heist Hits Balancer Protocol
The DeFi world took another hit as Balancer confirmed a $120 million theft after attackers exploited precision rounding math to manipulate transactions. Unlike traditional key thefts, this was a protocol logic attack, allowing adversaries to drain liquidity pools using DeFi’s composable mechanics.
This isn’t just another crypto theft — it’s a case study in smart contract abuse and systemic risk. Because Balancer connects to multiple decentralized pools, the contagion effect could ripple across other DeFi ecosystems.
For practitioners in crypto or fintech:
Pause withdrawals from affected pools.
Raise slippage protection thresholds.
Review DeFi treasury policies for maximum exposure limits per protocol.
As someone who’s been in the crypto space since 2013, I can say this: the technology keeps evolving, but so do the attackers — and they’re learning faster than most of the market.
“Folks, if you’re in the crypto space, you have to understand you’re not dealing with thieves, you’re dealing with nation-states, and that requires industry collaboration. That’s the only way you’re going to win.” James Azar
UK Drinking Water Systems Face Record Cyber Incidents
Britain’s Drinking Water Inspectorate reported a record 15 cyber incidents in less than two years, highlighting increasing attacks on operational technology (OT). While no water quality issues occurred, the rise exposes a critical weakness — underfunded, understaffed, and unsegmented infrastructure.
I’ve said it before: safety is the fourth pillar of the CIA triad — and in OT, it comes first. Segmentation, restricted port access, and single ingress-egress network models are key defenses. Every operator must prioritize IT/OT isolation and eliminate unnecessary remote access.
This isn’t just a UK problem. The U.S. and other Western utilities face the same vulnerabilities — and adversaries know it.
Freight and Shipping Firms Targeted via RMM Abuse
Proofpoint reports over two dozen campaigns since August abusing remote monitoring and management (RMM) tools such as ScreenConnect, PDQ Connect, and NetSupport to hijack freight logistics. Attackers impersonated dispatchers, rerouted cargo, and deleted bookings to mask fraudulent deliveries.
This is the Fast & Furious era of cybercrime — digital hijackings instead of highway ones. Logistics firms face direct losses and potential insurance denial if incidents are classified as “cyber-related” instead of physical theft.
Mitigation steps:
Block unapproved RMM installations.
Require dual verification on shipment changes.
Implement the old-school but still unbeatable control — pick up the phone.
South Korean Telecom Loses 90% of Profits After Massive Breach
A major South Korean telecom reported a 90% collapse in operating profits after a 2024 data breach affecting 27 million customers. The malware persisted undetected for nearly two years, leading to regulatory fines, compensation costs, and mass customer churn.
The company’s Q3 profit dropped from ₩493 billion to ₩48 billion ($34M), proving that cybersecurity failures are no longer IT problems — they’re board-level financial crises.
Boards everywhere need to understand this: cybersecurity is a P&L variable, not a compliance checkbox.
AI APIs Abused for Data Exfiltration and C2 Channels
Researchers discovered that cloud AI APIs — including Claude (Anthropic) and OpenAI Assistants — are being abused for data exfiltration and covert C2 communications. Attackers are embedding malicious prompts into legitimate API calls, using the AI model itself as a tunnel for stolen data or commands.
There’s no vulnerability in these platforms — just misuse of open capabilities. Shadow AI integrations, if unmonitored, create invisible exfiltration channels that bypass traditional detection.
Mitigation essentials:
Enforce egress policies for AI endpoints.
Allowlist vendor tenants and monitor API usage anomalies.
Disable unsanctioned keys and deploy prompt guardrails in LLM workflows.
“AI isn’t just an innovation tool anymore — it’s a new attack surface with infinite imagination.” James Azar
OpenAI API Misused in New “SesameOp” Backdoor
Microsoft’s DART team found a sophisticated .NET loader using the OpenAI Assistants API for encrypted command retrieval — dubbed SesameOp. The system isn’t exploiting OpenAI itself but leveraging its trusted communications channel for stealthy C2 operations.
OpenAI and Microsoft have revoked the abused keys, but the campaign demonstrates how adversaries weaponize legitimate services to evade detection. AI is now both a defensive tool and an offensive asset — and defenders need to keep pace.
Apple Patches Actively Exploited Zero-Day
Apple has released emergency patches for CVE-2025-43300, an ImageIO flaw exploited in the wild across iOS, iPadOS, and macOS. The vulnerability allows malicious image files to trigger remote code execution.
If you manage Apple devices — force this update immediately. Delayed patching leaves an open door for threat actors, especially as exploit kits are already circulating online.
Belarus Military Targeted via SSH + Tor Backdoor
A new espionage campaign, attributed to Sandworm (Russia), is deploying a fake Belarus military PDF lure to deliver an SSH/Tor backdoor. The operation uses encrypted tunnels for covert C2 communication and appears to be part of broader regional espionage.
This attack continues the trend of APT weaponization trickling down to criminal groups, creating crossover techniques between espionage and financial cybercrime.
Cybersecurity Professionals Indicted for Aiding Ransomware
In an unprecedented case, three U.S.-based cybersecurity professionals have been indicted for operating as BlackCat/ALPHV affiliates. The defendants allegedly used their insider knowledge of incident response to breach networks, deploy ransomware, and demand ransoms from $300K to $10M.
One defendant — a former IR manager — used his legitimate credentials to stage attacks, receiving $1.2 million from a victim medical firm.
It’s a sobering reminder that ethics are the final line of defense in our field. The line between white hat and black hat is thinner than we’d like to admit.
“I’m not saying it represents all of us, but it just shows you the thin line between white hat and black hat is extremely, extremely thin.” James Azar
Jabber Zeus Developer Extradited to the U.S.
In a long-awaited move, Ukrainian cybercriminal Yuri Rybatsov, known as “Mr. ICQ”, was extradited from Italy to the U.S. for developing the Jabber Zeus banking trojan. First indicted in 2012, Rybatsov’s case highlights ongoing international cooperation in dismantling old but still active malware networks.
Persistence pays off — both for investigators and criminals who underestimate it.
Action List
🧱 Segment and isolate OT systems — one gateway in, one out.
💸 Review DeFi exposure — apply loss caps and pause risky pools.
🧩 Restrict RMM tools and require manual shipment verification.
📊 Use cyber risk as a financial KPI — not an IT metric.
🤖 Monitor AI endpoint traffic — treat APIs like sensitive assets.
🍎 Patch Apple devices immediately for CVE-2025-43300.
⚖️ Reinforce ethical oversight — insider risk programs matter more than ever.
James Azar’s CISO’s Take
Today’s episode brings together three converging realities: financial, operational, and ethical. From DeFi math exploits to insider-fueled ransomware, it’s clear that our adversaries are adapting faster than policy or regulation ever could. In crypto and AI especially, the innovation curve is outrunning the guardrails.
As CISOs, our mission isn’t just defense — it’s foresight. We must anticipate how technology will be misused and build detection into the unknown. The indictment of fellow practitioners hits hard, but it’s also a reminder: trust and integrity are our industry’s currency. Lose that, and no amount of encryption can protect what really matters — credibility.
So as always, keep your patches tight, your APIs clean, and your moral compass calibrated.
Until tomorrow, stay sharp, stay resilient, and stay cyber safe.
