CISO Talk by James Azar
CyberHub Podcast
Auto Parts Giant LKQ Confirms Oracle EBS Breach, FBI Takes Down Massive Money Laundering Op, and Cisco AsyncOS Zero-Day Exploited by China

LKQ Joins Oracle EBS Extortion Wave as Ransomware Leverages React2Shell for Sub-Minute Access and China-Linked APT Exploits Cisco Email Gateway Zero-Day

Good Morning Security Gang

On today’s episode, we’re breaking down auto parts giant LKQ confirming it’s part of the Oracle EBS breach, a China-linked zero-day exploitation in Cisco’s secure email products, SonicWall shipping a live-fire patch, React2Shell being chained into sub-one-minute ransomware execution, and AWS cloud accounts turning into crypto mines.

Add to that a major FBI–Europol money laundering takedown, cyber-enabled cargo theft spiking to $111 million, and arrests tied to the France Interior Ministry email hack and a Ukrainian call-center fraud ring, and yeah — this is one wild Thursday.

Grab that espresso — I’m on a Lavazza double today, rich crema and all — and coffee cup cheers, y’all! Let’s roll.

LKQ Confirms It’s a Victim of the Oracle EBS Breach

U.S.-based auto parts giant LKQ Corporation has confirmed it was impacted by the Oracle E-Business Suite (EBS) data breach that’s affected multiple enterprises this year. Attackers tied to the Oracle EBS extortion wave accessed enterprise resource planning (ERP) systems via abused service accounts, overprivileged APIs, and SFTP integrations, exfiltrating sensitive internal data.

LKQ says thousands of individuals may be affected, with exposure tied to procurement records, invoices, and supplier communications. Attackers reportedly leveraged bulk reporting jobs to extract data in compressed files — a tactic seen in similar campaigns.

If you’re running EBS, patch now and rotate all SFTP, API, and integration credentials. Also, monitor for mass report generation, new admin account creation, and unusual export tasks.
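The three monitoring items above (mass report generation, new admin accounts, unusual export tasks) are straightforward to turn into detection logic. The script below is an added example, not code from this post or from Oracle: it runs a sliding-window counter for report executions per user and flags account creation and privileged-responsibility grants over a constructed ERP audit feed. The field names, the action labels, the "svc_sftp_integ" account and the privileged-responsibility list are all assumptions; a real EBS estate would feed this from its own concurrent-request and user audit tables.

```python
"""Added example for the Oracle EBS section (not code from the CISO Talk post
or from Oracle): sliding-window detection of mass report generation plus
flagging of new accounts and privileged-role grants in an ERP audit feed.

Every field name and every event below is constructed for illustration. A real
EBS estate would source these from its own concurrent-request and user audit
tables, whose schema this example does not assume.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: (ISO timestamp, acting user, action, detail).
# "svc_sftp_integ" mimics an abused integration service account pulling a
# burst of invoice exports at 02:00, then creating a backdoor admin user.
SAMPLE_EVENTS = [
    (f"2025-12-04T02:{i // 2:02d}:{(i % 2) * 30:02d}", "svc_sftp_integ",
     "RUN_REPORT", f"AP_INVOICE_REGISTER_{i}")
    for i in range(12)
] + [
    ("2025-12-04T02:07:00", "svc_sftp_integ", "CREATE_USER", "sysmaint2"),
    ("2025-12-04T02:07:30", "svc_sftp_integ", "ASSIGN_RESPONSIBILITY",
     "sysmaint2:System Administrator"),
    ("2025-12-04T09:15:00", "jdoe", "RUN_REPORT", "PO_PRINT"),
    ("2025-12-04T09:40:00", "jdoe", "RUN_REPORT", "PO_PRINT"),
    ("2025-12-04T10:05:00", "jdoe", "ASSIGN_RESPONSIBILITY", "jdoe:Purchasing Inquiry"),
]

# Assumed list of responsibilities whose grant should always page someone.
PRIVILEGED_RESPONSIBILITIES = {"System Administrator", "Application Developer"}


def detect_report_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Alert once per user when >= threshold RUN_REPORT events fall inside any
    sliding window of the given length."""
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    alerted, alerts = set(), []
    for ts, user, action, _detail in sorted(events):
        if action != "RUN_REPORT":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while now - q[0] > window:     # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"rule": "mass_report_generation", "user": user,
                           "count": len(q), "first": q[0].isoformat(),
                           "last": now.isoformat()})
    return alerts


def detect_admin_changes(events):
    """Flag account creation and grants of privileged responsibilities."""
    alerts = []
    for ts, actor, action, detail in events:
        if action == "CREATE_USER":
            alerts.append({"rule": "new_user_created", "actor": actor,
                           "target": detail, "at": ts})
        elif action == "ASSIGN_RESPONSIBILITY":
            target, _, responsibility = detail.partition(":")
            if responsibility in PRIVILEGED_RESPONSIBILITIES:
                alerts.append({"rule": "privileged_responsibility_granted",
                               "actor": actor, "target": target,
                               "responsibility": responsibility, "at": ts})
    return alerts


def run(events=SAMPLE_EVENTS):
    """Run both detectors and return the combined alert list."""
    return detect_report_bursts(events) + detect_admin_changes(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The burst threshold and window are the knobs to tune: an integration account that legitimately runs a nightly batch will have a stable baseline, so set the threshold just above it and let the admin-change rule fire unconditionally, since a service account creating users is never normal.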

As I said on the show: “If you’re still unpatched on Oracle EBS at this point, you’re not behind — you’re negligent.”

FBI and Europol Dismantle Global Money Laundering Network

In a major joint operation, the FBI, Europol, and European partners have taken down a massive cyber laundering ring operating out of Germany and Finland, seizing servers, infrastructure, and millions in crypto.

The ring funneled money for ransomware, carding, and fraud syndicates, running an underground financial service that moved cash through crypto tumblers, prepaid networks, and even “ghost accounts” at small banks.

This operation won’t end cybercrime overnight — as I noted, these networks “go dark for a few weeks, then respawn with new branding” — but it dents their global cashout capabilities and gives law enforcement intelligence leads on future cases.

Cisco Zero-Day Under Active Exploitation by China-Linked Group

Cisco Talos has confirmed an active zero-day exploitation of its Secure Email Gateway and Secure Email and Web Manager products, tracked as CVE-2025-20393, with root-level command execution potential.

The campaign is attributed to UAT-9686, a China-linked APT, and aligns with tactics seen in telecom espionage operations from earlier this year. The exploit lets attackers inject payloads, harvest credentials, and pivot internally through trusted email flows.

Cisco has issued temporary mitigations, urging customers to:

  • Restrict management interfaces behind VPN and IP allowlists.

  • Watch for new admin users or policy drift.

  • Review ESA/WSA authentication attempts from unknown sources.

This is a major escalation — and another reminder that email gateways are now prime nation-state targets.

SonicWall Ships Live Patch for Exploited SMA Bug

SonicWall has shipped an emergency patch for CVE-2025-40602, a privilege escalation bug affecting SMA-100 series appliances. The flaw, already exploited in the wild, enables attackers to gain full control of appliances, opening the door to lateral movement and traffic tampering.

Admins should immediately upgrade to version 12.4.3-03245 or 12.5.0-02283, restrict management to VPN and IP allowlists, and rotate device tokens and credentials.

As I said: “Edge device control equals network control. If you own the gateway, you own the kingdom.”

React2Shell Drives Ultra-Fast Ransomware Campaigns

Attackers are chaining the React2Shell RCE vulnerability (CVE-2025-55182) with automated web shell deployment to launch ransomware in under one minute after initial access.

This is the latest evolution of ultra-speed ransomware, where data theft and encryption happen simultaneously. Once an internet-facing React app is compromised, attackers immediately drop payloads, exfiltrate data, and trigger encryption — often before SOC alerts fire.

“I think I was at an event a few weeks ago, and Kevin Mandia said that we’re entering the next three to five years a place where humans cannot keep up with how threat actors are going to use AI in these environments... Everything is going to have to be AI versus AI versus AI versus other AI in order to mitigate and work at scale and at speed because humans can’t keep up with it. They just can’t.”

Defenders should:

  • Patch React/Next.js dependencies now.

  • Harden admin interfaces with private networks or VPN.

  • Hunt for web shell indicators and rare outbound connections.

As I noted, “human response speed simply can’t match automated kill chains — it’s going to be AI versus AI from here on out.”

North Korean Kimsuky Expands Mobile Espionage Campaign

The Kimsuky APT, linked to North Korea’s Reconnaissance General Bureau, has expanded its mobile phishing and spyware operations. The campaign uses delivery-style QR codes, malicious Android apps, and accessibility abuse to capture credentials and mailbox sessions from BYOD devices.

The malware’s persistence mechanism enables rule-based email forwarding, a tactic seen in APT43 and TA406 campaigns.

Organizations should block APK sideloading via MDM, enforce Google Play Protect, and apply phishing-resistant MFA for executives and admins.

AWS Accounts Hijacked for Crypto Mining

Amazon Web Services reports a surge in crypto mining abuse, with attackers hijacking leaked IAM keys to spin up EC2 and ECS instances. Many incidents trace back to compromised CI/CD tokens, public GitHub repos, or Docker Hub images with embedded secrets.

Victims face surprise cloud bills in the tens of thousands as attackers deploy miners across regions.

Recommended actions:

  • Eliminate long-lived IAM keys.

  • Use service control policies to block mining AMIs.

  • Alert on GPU utilization spikes and unexpected EC2 instance creation.
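To make the last two items concrete, here is an added example (not AWS's code and not from this post) that triages constructed CloudTrail records for EC2 launches matching the mining pattern, namely launches outside approved regions or on GPU instance families, and reads a constructed IAM credential report to find access keys older than a rotation limit. The approved-region set, the p*/g* family watchlist, the 90-day limit, the account ID and the access key IDs are all assumptions made for the example; the record shapes follow the CloudTrail and credential-report formats but include only the fields the code uses.

```python
"""Added example for the AWS section (not AWS's code and not from the CISO
Talk post): triage constructed CloudTrail records for EC2 launches that fit
the mining pattern, and flag long-lived access keys from an IAM credential
report. The approved-region set, the instance-family watchlist and the 90-day
key age limit are assumptions chosen for the example.
"""
import csv
import io
import json
from datetime import datetime, timezone

ALLOWED_REGIONS = {"us-east-1", "us-west-2"}   # assumption: org-approved regions
GPU_FAMILIES = ("p", "g")                       # assumption: p*/g* = GPU instance families
MAX_KEY_AGE_DAYS = 90
NOW = datetime(2025, 12, 4, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output


def _record(event_time, name, region, key, user, params=None):
    """Build a constructed CloudTrail-shaped record (only the fields used here)."""
    return json.dumps({
        "eventTime": event_time, "eventName": name, "awsRegion": region,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
        "requestParameters": params or {},
    })


# Constructed sample: a leaked CI key mints a fresh key, then launches GPU
# fleets in two regions the org never uses; an admin's t3 launch is normal.
SAMPLE_CLOUDTRAIL = [
    _record("2025-12-04T03:11:02Z", "CreateAccessKey", "us-east-1",
            "AKIACONSTRUCTED00001", "ci-deploy"),
    _record("2025-12-04T03:12:09Z", "RunInstances", "ap-southeast-1",
            "AKIACONSTRUCTED00001", "ci-deploy",
            {"instanceType": "p3.8xlarge",
             "instancesSet": {"items": [{"minCount": 8, "maxCount": 8}]}}),
    _record("2025-12-04T03:12:40Z", "RunInstances", "eu-central-1",
            "AKIACONSTRUCTED00001", "ci-deploy",
            {"instanceType": "g5.12xlarge",
             "instancesSet": {"items": [{"minCount": 4, "maxCount": 4}]}}),
    _record("2025-12-04T09:00:00Z", "RunInstances", "us-east-1",
            "AKIACONSTRUCTED00002", "platform-admin",
            {"instanceType": "t3.medium",
             "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}),
]

# Constructed IAM credential report (a subset of the real report's columns).
SAMPLE_CREDENTIAL_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2024-01-15T10:00:00+00:00,2025-12-04T03:12:09+00:00
platform-admin,arn:aws:iam::123456789012:user/platform-admin,true,2025-11-01T08:30:00+00:00,2025-12-04T09:00:00+00:00
retired-svc,arn:aws:iam::123456789012:user/retired-svc,false,N/A,N/A
"""


def triage_cloudtrail(lines, allowed_regions=ALLOWED_REGIONS):
    """Return findings for RunInstances outside approved regions or on GPU
    families, and for every CreateAccessKey (a new key always deserves a look)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        name, region = ev["eventName"], ev["awsRegion"]
        ident = ev.get("userIdentity", {})
        base = {"time": ev["eventTime"], "user": ident.get("userName"),
                "access_key": ident.get("accessKeyId"), "region": region}
        if name == "RunInstances":
            params = ev.get("requestParameters") or {}
            itype = params.get("instanceType", "")
            items = params.get("instancesSet", {}).get("items", [])
            reasons = []
            if region not in allowed_regions:
                reasons.append("region not approved")
            if itype[:1] in GPU_FAMILIES:
                reasons.append(f"GPU family {itype}")
            if reasons:
                findings.append({**base, "rule": "suspicious_run_instances",
                                 "instance_type": itype,
                                 "count": sum(i.get("maxCount", 1) for i in items),
                                 "reasons": reasons})
        elif name == "CreateAccessKey":
            findings.append({**base, "rule": "new_access_key"})
    return findings


def stale_access_keys(report_csv, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Return active access keys older than max_age_days from a credential report."""
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue                       # inactive keys carry "N/A" dates
        rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
        age_days = (now - rotated).days
        if age_days > max_age_days:
            stale.append({"user": row["user"], "key_age_days": age_days})
    return stale


if __name__ == "__main__":
    for finding in triage_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(finding)
    print(stale_access_keys(SAMPLE_CREDENTIAL_REPORT))
```

The two checks are deliberately independent: the stale-key report tells you which credentials should not exist in the first place, while the CloudTrail triage tells you when one of them is already being used. Correlating the `access_key` field of a finding with the stale-key list is the first thing to do during incident scoping.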

Crypto mining remains a preferred funding mechanism for North Korean and Iranian groups, exploiting cloud elasticity for financial gain.

Cyber-Enabled Cargo Theft Surges to $111 Million

The American Trucking Association reports over 700 cargo theft incidents in Q3 2025, totaling $111 million in losses. Threat actors are leveraging dispatch system intrusions, account takeovers, and GPS spoofing to steal goods in transit.

Social engineering is a key factor — attackers impersonate carriers, hijack email threads, and manipulate tender documents to redirect shipments.

Trucking and logistics firms should:

  • Transition away from BYOD and issue secured company devices.

  • Implement geofencing and identity-verified workflows.

  • Conduct fraud awareness training for dispatchers and drivers.

“This is significant for the trucking industry, which is the backbone of the US and Canada, folks. Those truckers, they’re the reason we have groceries, merchandise on the shelves of our stores, restaurants are able to supply us.”

France’s Interior Ministry Hacker Arrested

French police have arrested a 22-year-old suspect behind the Interior Ministry email breach earlier this month. The hacker accessed dozens of files tied to state personnel, leading to a swift investigation by France’s cybercrime unit.

The arrest highlights how rapid attribution and action can deter opportunistic cybercrime. Quick law enforcement follow-up sends a clear message: Europe is stepping up its cyber policing game.

Ukraine Dismantles $11.7M Scam Call Center Network

A joint police operation in Ukraine and the EU has dismantled multiple fake banking call centers that scammed victims out of $11.7 million.

The network recruited workers from across Eastern Europe, posing as law enforcement and bank officials. Over 100 people were detained.

Officials say such “vishing” operations are now moving closer to front-line zones, where law enforcement struggles to operate during wartime.

Action List

  • 🧱 Patch Oracle EBS and rotate all service and API credentials.

  • 🔐 Apply Cisco mitigations and monitor for unauthorized admin drift.

  • 🚨 Update SonicWall SMA to fixed versions immediately.

  • ⚙️ Patch React and Node.js to close RCE exploit paths.

  • ☁️ Eliminate long-lived IAM keys and monitor for crypto mining activity.

  • 🚚 Deploy geofencing and identity validation for logistics operations.

  • 📱 Block sideloaded apps and enforce MDM controls on BYOD devices.

  • 🕵️ Watch for APT indicators across Chinese, North Korean, and hybrid ransomware ops.


James Azar’s CISO’s Take

Today’s stories are a perfect reflection of where cybersecurity stands heading into 2026: the battlefield is layered, and the attackers are faster than ever. From Oracle ERP breaches to React2Shell automation and AI-driven ransomware, our defenses can’t rely on human response alone.

My biggest takeaway? Speed, visibility, and discipline will define survival. The best CISOs aren’t just buying more tools — they’re orchestrating faster, smarter response frameworks. When one unpatched edge device or overprivileged API can trigger a global breach, the difference between chaos and control is how fast you can detect, contain, and communicate.

Stay vigilant, stay caffeinated, and as always — stay cyber safe.
