Good Morning Security Gang!
Happy Monday and welcome back to the CyberHub Podcast, episode 996. We are about to hit quadruple digits next week. Yeah, 1,000 episodes is around the corner, and I couldn’t do it without y’all tuning in every morning.
As we head into Q4 — the most chaotic, high-stakes time in cybersecurity — today’s stories set the tone for what’s coming: relentless attacks, vendor vulnerabilities, and a few long-overdue takedowns. We’ve got American Airlines’ Envoy Air tangled in the Oracle EBS campaign, Volkswagen targeted by ransomware, Prosper Marketplace suffering a 17.6 million-account breach, ConnectWise vulnerabilities enabling fake updates, Microsoft patching a record .NET flaw, and NSO Group fined (sort of) in the latest spyware showdown.
Espresso in hand, let’s get into it. ☕
🖼 Sotheby’s Confirms Data Breach — VIP Clients Exposed
We start with Sotheby’s, the iconic auction house, confirming a July 24th intrusion that compromised the names, Social Security numbers, and financial account details of high-value clients. While the total number of victims is small, the risk is high — these are ultra-wealthy buyers and sellers. The stolen data could be used for VIP-targeted fraud, wire scams, or executive social engineering. I advised, “If your executives do business with Sotheby’s, lock down any wire transfer and purchase verification protocols.” This breach reminds us: prestige targets carry premium risk.
✈ American Airlines’ Envoy Air Caught in Oracle EBS Campaign
American Airlines subsidiary Envoy Air confirmed exposure in the ongoing Oracle E-Business Suite campaign tied to Clop/FIN11. While American Airlines itself wasn’t breached, Envoy’s Oracle EBS instance was exploited via a mix of patched bugs and the recent zero-day CVE-2025-61882, along with CVE-2025-61884. The attackers accessed limited business data and commercial contact details.
I said on the show, “If you’re running Oracle EBS — stop treating it like a business app and start treating it like a Tier 1 asset. Remove it from the internet, patch it, and throw a WAF in front of it.”
Expect follow-on phishing and supply-chain extortion targeting partners connected to Envoy and Oracle.
🚗 Volkswagen Targeted by 8Base Ransomware
Volkswagen Group is investigating claims by 8Base ransomware operators that they’ve stolen sensitive data, including internal reports and customer files. The carmaker hasn’t confirmed a full breach, but attackers are leveraging VW’s name for visibility — a common extortion tactic. As we’ve seen with Jaguar Land Rover, automakers’ complex dealer networks and supply chains make them ripe for disruption.
“If it’s even partially true,” I said, “this could ripple through Audi, Porsche, and Bentley manufacturing systems like we saw in the UK last month.” VW’s investigation is ongoing, but CISOs in the auto sector should be auditing OT segmentation immediately.
💸 Prosper Marketplace Breach Hits 17.6 Million Accounts
Peer-to-peer lender Prosper confirmed a massive breach impacting 17.6 million users. Stolen data includes names, birthdates, addresses, emails, government IDs, and Social Security numbers tied to both borrowers and investors.
This breach is a goldmine for identity fraud and synthetic identity creation, and it will likely spark class-action lawsuits. I warned, “MFA and password managers are the bare minimum here — identity fraud monitoring and strong account recovery protocols are what’ll matter most.”
Users should assume personal data is circulating on dark markets and act accordingly.
⚙ ConnectWise Automate Flaws Allow Fake Update Attacks
A newly disclosed set of ConnectWise Automate vulnerabilities enables man-in-the-middle (MitM) attacks where adversaries can push fake updates to managed endpoints. This flaw, already patched, could have allowed attackers to mass-deploy malware or ransomware across MSP and MSSP customer fleets.
“If you’re an MSP and haven’t patched Automate yet,” I said, “you’re not managing risk — you’re handing out keys to the kingdom.”
Immediate actions: update Automate, enforce signed update verification, rotate credentials and certs, and hunt for unsigned payloads or anomalous agent behavior.
🧱 Microsoft Fixes Critical .NET Flaw and Revokes 200 Certificates
Microsoft shipped emergency patches for the most severe ASP.NET Core flaw to date, impacting both .NET Core and Visual Studio. Attackers could exploit it for remote takeover and data theft via public APIs. Redmond also revoked over 200 compromised code-signing certificates used by the Rhysida ransomware gang to distribute fake Teams installers containing the Oyster backdoor.
“If you’re running public APIs, patch .NET now and rebuild your containers,” I said. “And for the love of cyber sanity, stop trusting unsigned installers.”
📱 TikTok Lures Push Infostealers
Even under new U.S. ownership, TikTok is still being abused to push credential-stealing malware through clickbait video ads promising “free activations.” The campaigns deliver Vidar and StealC variants once users pass fake verification pages.
Recommendation: block TikTok on work devices, monitor for unusual credential use, and strengthen MFA coverage across all social-linked accounts.
🕵 China Accuses U.S. of Hacking Time Center
In a tit-for-tat propaganda move, China accused the U.S. of hacking its National Time Center, claiming it was part of a long-term espionage campaign. While attribution is unverified, Beijing’s timing aligns with rising trade and tariff tensions.
Expect this narrative to fuel phishing and disinformation targeting Western firms with China-based operations.
My advice: refresh your geo-risk playbooks, brief staff on potential spear-phishing tied to news cycles, and monitor for compliance shifts or export-control scrutiny involving China.
🤖 AI Supercharges Phishing, Says Microsoft
Microsoft warned that state-backed groups are using AI to scale phishing and disinformation — not to write malware, but to industrialize operations. The company says AI is increasing campaign volume and realism, making it harder for users to spot fake content.
I noted, “This is AI in the wrong hands — 500 phishing attacks a week instead of five.” Organizations need faster detection, better response automation, and deeper behavioral analytics to combat AI-enhanced deception.
“Instead of doing five attacks a week, I’m giving that as an example, they’re doing 500 attacks a week with AI. Our speed, our mitigation, our time to respond is all really, really significant here, folks. Extremely.” James Azar
📡 Europol Dismantles SIM Farm Operation
Europol and Latvian authorities dismantled a massive SIM-swapping and OTP interception network, dubbed Operation SIM Cartel. The crackdown resulted in seven arrests, seizure of 1,200 SIM boxes with 40,000 active cards, five servers, and nearly €700,000 in cash and crypto.
The group was tied to phishing and investment scams across Europe — another reminder of how telecom infrastructure continues to underpin financial crime.
🧰 NSO Group Fined $4M, Barred from WhatsApp
In a long-running case, a U.S. judge barred NSO Group — maker of Pegasus spyware — from using WhatsApp after the company exploited the app in targeted surveillance campaigns. The court cut punitive damages from $167 million down to $4 million, but upheld the injunction.
As I said, “Four million is couch change for a company like NSO — but the precedent matters. Spyware’s finally on legal notice.”
🧠 James Azar’s CISO Take
Today’s episode underscores one key reality: speed is everything. From Oracle zero-days to ConnectWise update hijacks, our adversaries are weaponizing our tools faster than most teams can patch them. If you’re still relying on quarterly patch cycles, you’re already behind. CISOs need to think in terms of continuous vulnerability management and supply-chain resilience — not compliance checkboxes.
The second takeaway is the evolution of cyber accountability. The NSO ruling, Europol’s SIM bust, and even Capita’s fine show that governments and regulators are finally applying real pressure. But it’s up to us, practitioners, to close the loop. Governance, speed, and operational readiness — that’s the 2025 triad.
✅ Action Items
🖼 Audit exposure from Sotheby’s breach — executives are prime social targets.
✈ Patch Oracle EBS (CVE-2025-61882/61884) and remove it from direct internet access.
🚗 Prepare for ransomware ripple effects across auto and manufacturing supply chains.
💸 Rotate credentials and enable MFA for Prosper users.
⚙ Update ConnectWise Automate; verify update signing and credentials.
🧱 Patch ASP.NET Core immediately; block unsigned installers.
📱 Block TikTok on enterprise devices; monitor for infostealers.
🇨🇳 Track geopolitical phishing tied to U.S.–China tensions.
🤖 Review your AI-risk mitigation and phishing training programs.
🧰 Update OT and SIM infrastructure security — don’t ignore telecom links in fraud.
And that’s a wrap for today’s show, Security Gang — patch fast, stay resilient, and as always, stay cyber safe! ☕👊