Good Morning Security Gang
Welcome back to the CyberHub Podcast!
What a start to the year it’s already been.
We’re just six days in, and the cybersecurity news cycle hasn’t taken a breath. Today’s show is loaded — we’re talking a fresh U.S. telecom incident, two major third-party breaches, China’s cyber pressure on Taiwan, Russia-linked operations spreading across Europe, Fortinet’s latest exploit campaign, and why prompt injection continues to haunt AI security models. Plus, there’s a lighthearted twist at the end involving a pink Power Ranger, a hack, and white supremacists looking for love.
So grab your espresso mine’s a double Lavazza this morning and coffee cup cheers, y’all! Let’s get right into it.
Brightspeed Investigating Cyberattack
U.S. telecom provider Brightspeed confirmed it is investigating a cyber incident impacting its internal systems. Details are still limited, but the Crimson Collective hacking group has claimed responsibility, saying they stole customer and billing data, payment details, and service records.
If that’s accurate, attackers may have gained ERP or Oracle EBS system access, exposing metadata, architecture diagrams, and subscriber information. Brightspeed’s IT and infosec teams are working around the clock to contain and remediate.
This case highlights the increasing targeting of telecom infrastructure as a supply-chain vector for espionage and credential harvesting.
Ledger Customers Impacted by Global-E Vendor Breach
Ledger, the crypto hardware wallet company, confirmed some customer data was exposed following a breach at e-commerce partner Global-E.
While wallet hardware and keys remain secure, threat actors now have access to accurate contact details, shipping addresses, and transaction histories — the perfect recipe for phishing and BEC (business email compromise).
Companies should:
Block scam domains targeting vendor customer portals.
Enforce banking info changes through secure portals, not via email.
Launch proactive takedown campaigns to preempt fraud attempts.
As I said bluntly: “If you’re changing vendor banking info over email in 2026, you’re already behind the eight ball.”
This is a textbook supply chain privacy breach with massive social engineering potential.
NordVPN Denies Breach Claims
Threat actors claimed to have exfiltrated NordVPN’s user data, but the company quickly denied the claims, saying the leaked information was dummy data from a non-production environment.
This story is intriguing because Resecurity recently reported a similar incident — attackers accessing a honeypot environment designed to capture adversary telemetry. NordVPN may have experienced something similar.
In my view: “I’m not quick to believe hackers. In 2026, fake data is bait — and companies are finally smart enough to use it.”
While skepticism is healthy, this story underscores how development environments remain underprotected. Many lack endpoint controls or telemetry, making them an easy target for both real and deceptive breaches.
"Our job as security practitioners is to find the risk to the business, identify the risk for the business, explain the risk to the business, and then accept whatever result the business wants to take on said risk... the company's job is to make revenue. And in every business, in every point, period of time, businesses try to find the shortest path to revenue, not the right path to revenue, because the right path to revenue never exists. A lot of ideas died on the idea of perfect."
China’s Cyber Pressure on Taiwan Escalates
Taiwan’s National Security Bureau reported a staggering 2.63 million daily cyberattacks in 2025 — a 113% increase over 2023 — most of them linked to China’s People’s Liberation Army (PLA).
Targets included energy, emergency services, and hospitals, reflecting China’s hybrid warfare model that synchronizes military intimidation with sustained digital harassment.
This cyber barrage aims to destabilize Taiwan ahead of key elections and test U.S. response readiness. As I said on air:
“This isn’t random. It’s the long game — death by disruption.”
Even organizations outside the region with Taiwanese vendors or dependencies should prepare for incident comms elevation and third-party monitoring.
Russia-Linked Malware Hits European Hospitality Sector
Russia-linked threat group Fancy Bear (APT28) has been deploying malicious drivers that trigger Blue Screen of Death restarts across European hospitality networks.
This isn’t a destructive attack — it’s stealth. The forced reboots allow malware to establish persistence at a low-noise level.
If you operate in travel, retail, or hotel IT, assume thin-client exposure. You need Device Guard, allowlisting, and signed driver enforcement enabled across your fleet.
As I noted: “Russia’s not targeting guests — they’re targeting confidence. If Europe’s tourism engine stutters, its economy follows.”
Russia Abuses Viber Messaging Platform in Ukraine
Russia-aligned actors are also exploiting the Viber messaging platform in the Russia–Ukraine conflict to distribute info-stealers and misinformation campaigns.
The method involves phishing ZIP files disguised as Office documents. Once opened, LNK loaders fetch payloads using PowerShell and connect to C2 servers.
While Viber isn’t popular in the U.S., this tactic shows how trusted consumer platforms are being weaponized for espionage and disruption — a trend every enterprise should monitor for cross-border communications risk.
FortiWeb Exploited to Drop Silver C2 Framework
Researchers uncovered multiple FortiWeb edge devices being exploited to deploy Silver C2 beacons using outdated firmware versions.
Attackers also paired this with React2Shell vulnerabilities, combining RCE (remote code execution) with stealthy lateral movement.
If you’re running FortiWeb:
Patch immediately to 6.1.62+
Audit for Silver C2 artifacts and FRP binaries
Rotate TLS keys and admin credentials post-incident
This reinforces a core truth: edge devices aren’t “fire and forget” — they’re persistent targets.
AI Prompt Injection: The Long-Term Threat
OpenAI reaffirmed that prompt injection — malicious content that manipulates model behavior — remains a long-term, unsolved problem in AI systems.
The company advised enterprises piloting AI integrations to:
Treat model inputs like untrusted user data
Implement context firewalls and retrieval limits
Require human-in-the-loop approval for sensitive actions
As I said: “AI isn’t hacking us — people are hacking the inputs. That’s the problem we’re not ready for.”
AI adoption without security guardrails will create more chaos than efficiency.
CISA KEV Catalog Grows by 20%
CISA’s Known Exploited Vulnerabilities (KEV) Catalog expanded by 20% in 2025, now including 1,480 CVEs — a stark reminder that exploited CVEs should drive your patching priorities.
Top exploit types include:
Command injection (18)
Deserialization (14)
Path traversal (13)
Use-after-free (11)
As I said: “If you’re still patching by CVSS score instead of active exploitation — you’re doing it wrong.”
White Supremacist Dating Site Hacked - “okstupid.lol”
To close the show, a German hacker known as Martha Root — dressed as a pink Power Ranger — breached a white supremacist dating site and dumped the data online under okstupid.lol.
It’s both absurd and oddly poetic: a Power Ranger exposing hate groups looking for love. Root’s hack revealed thousands of extremist profiles across Europe and the U.S.
Action List
📡 Investigate telecom dependencies and ensure ERP segmentation.
💳 Enforce vendor banking updates via portals only.
🔐 Secure dev environments — no unmonitored test data.
🇨🇳 Monitor suppliers with exposure to Taiwan or East Asia.
💻 Enforce driver signing policies to prevent low-level persistence.
🌐 Patch FortiWeb and React-based systems immediately.
🤖 Deploy AI context isolation and user intent validation.
🧩 Prioritize KEV CVEs — patch what’s actually being exploited.
James Azar’s CISO’s Take
Today’s stories sum up the modern CISO’s battlefield: telecoms under siege, supply chains compromised, AI ungoverned, and nation-states weaponizing everything from messaging apps to hospitality servers. It’s a world where trust itself is the new attack surface.
My biggest takeaway? Cyber resilience in 2026 will hinge on visibility and velocity — knowing what’s real, patching what’s active, and responding faster than the narrative spreads. As practitioners, our role isn’t just to defend networks — it’s to protect business credibility. Because in the end, it’s not the breach that defines you — it’s how you respond.
Stay sharp, stay caffeinated, and as always — stay cyber safe.
