CISO Talk by James Azar
CyberHub Podcast
Belgian Hospital Cyberattack Shuts Down Servers, Microsoft Patch Tuesday Fixes 3 Zero-Days, and 40+ Countries Hit by North Korean IT Worker Schemes

Belgian Hospital Forces Server Shutdown Transferring ICU Patients as Microsoft Patches 159 Vulnerabilities Including 3 Zero-Days While UN Reports North Korea's $2B IT Worker Scheme Across 40 Nations

Good Morning Security Gang

The first Patch Tuesday of the year did not disappoint. I’m traveling this week broadcasting from a Midwestern hotel room that’s far from glamorous — but the show must go on!

Today’s lineup is stacked: a Belgian hospital goes dark after a cyberattack, the U.N. exposes North Korean IT fraud in 40 countries, Betterment confirms a breach tied to crypto scams, and we’ll dig into Microsoft’s first Patch Tuesday of 2026 — fixing three zero-days and 114 total flaws. Plus, critical fixes from Adobe, SAP, ServiceNow, Broadcom, and Fortinet, a leadership shakeup in Ukraine’s Security Service, and CrowdStrike’s first acquisition of the year.

Coffee cup cheers, Security Gang — even if you’ve got a Starbucks in hand instead of a Lavazza. Let’s jump in.

Belgian Hospital Shuts Down After Devastating Cyberattack

The AZ Monica Hospital in Belgium has been forced to shut down core servers and divert patients after a ransomware incident crippled critical systems.

The hospital halted imaging, lab, scheduling, and e-prescribing operations, leaving staff to revert to paper workflows. Seven ICU patients were transferred to other facilities with Red Cross assistance, and emergency departments are running at reduced capacity.

As I said on the show:

“It takes the lowest kind of scum to hit a hospital — the bottom of the barrel of humanity. Karma will find them.”

AZ Monica operates major campuses in Antwerp and Deurne, both affected by the 6:30 a.m. attack. The hospital is now facing GDPR scrutiny and operational paralysis.

Healthcare cyberattacks aren’t just IT incidents — they’re humanitarian crises in disguise.

UN: North Korean IT Fraud Network Hits 40+ Countries

The United Nations revealed that North Korean IT operatives are posing as remote developers and contractors to infiltrate Western companies, launder money, and install backdoors.

The report lists China, Russia, Cambodia, Laos, Ecuador, Guinea, Nigeria, and Tanzania as countries enabling these schemes — either by hosting North Korean workers or providing banking channels.

U.S. officials estimate that these operations laundered over $2 billion in 2025, with $1.5 billion from crypto theft and $500 million from fraudulent “IT work.”

I didn’t hold back on air:

“If you’re still outsourcing unvetted dev work overseas, you might as well be inviting Pyongyang to your build pipeline.”

CISOs need to start auditing vendor code, performing supply-chain background checks, and verifying remote developer identities.

Betterment Confirms Breach After Crypto Scam Emails

Fintech giant Betterment confirmed a third-party data breach after customers received fake crypto reward emails. Attackers compromised a marketing vendor to send fraudulent messages using a legitimate subdomain (support@e.betterment.com) — tricking customers into depositing funds into fake wallets.

Data exposed includes names, emails, phone numbers, addresses, and birthdates. The firm manages over $65 billion in assets and serves 1 million clients.

While no direct account takeovers were confirmed, this breach could enable SIM swapping and targeted phishing.

My advice on air: “If your vendors send email on your behalf, they’re part of your attack surface — start auditing them like you audit your own SOC.”
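One concrete way to run that vendor audit is to walk a domain's SPF chain and list every third party it authorizes to send mail as it. The script below is an added example written for these notes, not code from the show, from Betterment, or from any vendor; it runs over constructed DNS TXT records (all domain names are placeholders) in place of live lookups, with e.example.com standing in for a delegated marketing subdomain like the one in the story.

```python
from typing import Dict, List, Set, Tuple

# Constructed DNS TXT records standing in for live lookups (all names are placeholders).
# e.example.com plays the delegated marketing subdomain from the Betterment story.
RECORDS: Dict[str, str] = {
    "example.com": "v=spf1 mx include:_spf.mailhost.invalid -all",
    "e.example.com": "v=spf1 include:spf.marketing-vendor.invalid ~all",
    "spf.marketing-vendor.invalid": "v=spf1 ip4:203.0.113.0/24 include:relay.vendor-partner.invalid ~all",
    "relay.vendor-partner.invalid": "v=spf1 ip4:198.51.100.0/24 +all",
    "_spf.mailhost.invalid": "v=spf1 ip4:192.0.2.0/24 -all",
}

def spf_audit(domain: str, records: Dict[str, str]) -> Dict[str, object]:
    # Walk the SPF include/redirect chain and report every third party that may
    # send as `domain`, the networks it covers, weak 'all' qualifiers, and the
    # DNS-lookup count (RFC 7208 allows at most 10 before receivers return permerror).
    includes: Set[str] = set()
    networks: List[Tuple[str, str]] = []  # (network, record that authorised it)
    findings: List[str] = []
    seen: Set[str] = set()
    lookups = 0

    def walk(name: str) -> None:
        nonlocal lookups
        if name in seen:  # guard against include loops
            return
        seen.add(name)
        rec = records.get(name)
        if rec is None or not rec.startswith("v=spf1"):
            findings.append(f"{name}: no SPF record, include resolves to nothing")
            return
        for term in rec.split()[1:]:
            qual = term[0] if term[0] in "+-~?" else "+"
            body = term.lstrip("+-~?")
            if body.startswith("include:") or body.startswith("redirect="):
                target = body[8:] if body.startswith("include:") else body[9:]
                includes.add(target)
                lookups += 1
                walk(target)
            elif body.startswith(("ip4:", "ip6:")):
                networks.append((body.split(":", 1)[1], name))
            elif body in ("a", "mx") or body.startswith(("a:", "mx:", "exists:")):
                lookups += 1  # these mechanisms also cost a DNS lookup
            elif body == "all" and qual in "+?":
                findings.append(f"{name}: '{qual}all' lets any host send as this domain")
    walk(domain)
    if lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups exceeds the SPF limit of 10")
    return {"third_parties": sorted(includes), "networks": networks, "findings": findings, "lookups": lookups}
```

Run against the marketing subdomain, the audit surfaces a vendor's downstream relay that publishes `+all`, which is exactly the kind of inherited permission a delegated sender can hide.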

Microsoft Patch Tuesday: 114 Fixes, 3 Zero-Days

The first Microsoft Patch Tuesday of 2026 includes 114 vulnerabilities, with three zero-days — one actively exploited.

Here’s the breakdown:

  • 68 critical vulnerabilities

  • 57 privilege escalation

  • 22 RCE (remote code execution)

  • 5 spoofing

  • 3 security bypass

  • and a partridge in a pear tree

The actively exploited flaw, CVE-2026-20805, is a Windows Desktop Manager information disclosure bug that allows attackers to read memory addresses tied to ALPC ports.

Two other zero-days include a Secure Boot certificate expiration bypass (CVE-2026-21265) and a Windows AgriSoft modem driver elevation of privilege vulnerability (CVE-2023-31096).

Patch fast — attackers are already moving.

Adobe, SAP, and ServiceNow Push Emergency Fixes

Adobe patched a critical Apache Tika flaw in ColdFusion, alongside updates for Substance Designer, Illustrator, and Bridge.

SAP released fixes for four critical vulnerabilities, including a SQL injection (CVE-2026-0501) and remote code execution bug (CVE-2026-0500) in NetWeaver and HANA, both scoring 9.6+ CVSS.

ServiceNow patched CVE-2025-12420, a critical AI platform flaw (CVSS 9.3) allowing unauthenticated user impersonation. Rotate credentials, audit integrations, and restrict high-permission scoped apps immediately.

Broadcom Wi-Fi and Fortinet Edge Flaws Under Active Attack

Broadcom warned of a Wi-Fi chipset flaw enabling network disruption and neighbor pivoting, potentially allowing DoS or lateral movement across guest networks.

Update all drivers and segment guest Wi-Fi from enterprise networks — especially for high-risk traveling users.

Fortinet disclosed a heap-based buffer overflow (FortiOS/FortiSwitch) that attackers can exploit via CWACD daemons to compromise edge infrastructure.

Fortinet’s mantra is the same: patch fast, restrict admin access, enforce MFA, and never expose management planes to the internet.

Ukraine Security Service Chief Resigns

Ukraine’s parliament accepted the resignation of its Security Service (SBU) chief, signaling potential intel and cyber policy shifts during wartime.

Leadership churn in Kyiv’s security apparatus can change cyber doctrine — especially as Ukraine balances domestic espionage prevention and offensive cyber coordination with Western allies.

This move might mark a realignment of intelligence priorities heading into another volatile year of hybrid conflict.

CrowdStrike Acquires Seraphic Security for $420 Million

CrowdStrike announced its first acquisition of 2026, buying Seraphic Security for $420 million.

Seraphic provides browser-level protection against zero-days, phishing, and malicious extensions — no secure browser or rerouting required.

This comes just months after CrowdStrike’s $740 million acquisition of Signal, signaling a continued push into identity and browser security.

As I said: “CrowdStrike isn’t playing checkers — they’re building an empire one browser at a time.”

The cybersecurity M&A wave that hit $32 billion in 2025 is rolling strong into 2026.

Action List

  • 🏥 Segment healthcare systems and ensure offline, immutable backups.

  • 🌍 Vet foreign contractors and verify developer credentials.

  • 💰 Audit third-party marketing vendors and revoke unneeded API access.

  • 🧱 Patch Microsoft’s January updates and prioritize zero-days.

  • 🧩 Update ColdFusion, SAP, and ServiceNow — monitor for new accounts.

  • 📡 Segment guest Wi-Fi and patch Broadcom chipsets.

  • 🔐 Restrict Fortinet edge management to VPN-only access.

  • 🇺🇦 Watch for Ukraine cyber strategy shifts impacting threat activity.

  • 💼 Track CrowdStrike’s consolidation strategy for industry alignment.

James Azar’s CISO’s Take

Today’s stories reflect one brutal truth — we’re fighting a cyber war where ethics, operations, and economics collide daily. Hospitals shutting down, AI impersonation flaws, and espionage operations dressed as IT contracts — this is no longer theory.

My biggest takeaway? 2026 is the year cybersecurity becomes survival. CISOs aren’t just technologists — we’re business lifelines, regulators, diplomats, and crisis managers rolled into one. The only constant is speed: the faster we patch, the faster we respond, the more lives we protect.

Stay alert, stay caffeinated, and as always — stay cyber safe.
