Good Morning Security Gang
It’s a chilly Monday morning here in Georgia. We got a dusting of snow over the weekend, and when I say snow, I mean an inch that shut the entire state down. So while the roads were iced, I spent the weekend diving into research and family time, and honestly, it was a nice reminder that the things that matter most aren’t screens, social media, or work; it’s the people we love.
Now, with that reflection out of the way, let’s dig into today’s packed show. We’ve got major data breaches impacting Bumble and Match, a SonicWall cloud backup compromise blamed for the Marquis Software breach, new details in Poland’s power grid cyberattack that left ICS devices bricked, and a record-setting $158 billion in illicit crypto flows. Plus, MongoDB’s extortion woes, a critical Johnson Controls vulnerability, Ivanti zero-day exploitation, and the conviction of a Google engineer for smuggling AI secrets to China.
Coffee cup cheers, y’all — double espresso on deck. Let’s roll.
Bumble and Match Confirm Data Breaches Impacting Millions
Bumble and Match Group, whose platforms include Tinder, OkCupid, and Hinge, have both reported data breaches potentially impacting tens of millions of users worldwide. Leaked data includes profile information, contact details, and metadata from private messages.
The breach introduces serious risks of targeted harassment, extortion, and credential reuse, especially for corporate employees who reuse personal passwords on work systems.
As I said on the show:
“When personal and professional overlap, breaches like this become business risk — not gossip fodder.”
My advice to CISOs: coordinate with HR to issue company-wide credential hygiene resets, require password refreshes for anyone reusing personal logins, and deploy credential-stuffing detection in your corporate SSO.
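The credential-stuffing detection recommended above, as an added example that is not part of the original post or any SSO vendor's tooling: it scans authentication events for a source IP that cycles through many distinct usernames with a high failure rate inside a short window, and reports any account that succeeded inside that run, since those are the accounts whose reused password the attacker already has. The JSON-lines log shape, field names, and thresholds are assumptions for the example; real SSO exports need their own field mapping.

```python
"""Credential-stuffing detector over SSO authentication logs (added example).

Signature: one source IP, many distinct usernames, mostly failures, inside a
short window. A SUCCESS inside such a run marks an account to force-reset.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one IP spraying six accounts (one hit),
# and one ordinary user who mistyped a password once from another IP.
SAMPLE_LOG = """
{"ts": "2026-01-26T08:00:01Z", "ip": "203.0.113.10", "user": "alice", "result": "FAILURE"}
{"ts": "2026-01-26T08:00:02Z", "ip": "203.0.113.10", "user": "bob", "result": "FAILURE"}
{"ts": "2026-01-26T08:00:03Z", "ip": "203.0.113.10", "user": "carol", "result": "FAILURE"}
{"ts": "2026-01-26T08:00:04Z", "ip": "203.0.113.10", "user": "dave", "result": "SUCCESS"}
{"ts": "2026-01-26T08:00:05Z", "ip": "203.0.113.10", "user": "erin", "result": "FAILURE"}
{"ts": "2026-01-26T08:00:06Z", "ip": "203.0.113.10", "user": "frank", "result": "FAILURE"}
{"ts": "2026-01-26T08:05:00Z", "ip": "198.51.100.7", "user": "alice", "result": "FAILURE"}
{"ts": "2026-01-26T08:05:20Z", "ip": "198.51.100.7", "user": "alice", "result": "SUCCESS"}
"""


def parse_events(text):
    """Parse JSON-lines auth events (assumed format) into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: finding} for source IPs whose activity looks like stuffing.

    For each IP a sliding window walks its events; the window with the most
    distinct usernames that also meets the failure-ratio bar is reported.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if e["result"] == "FAILURE")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                cand = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # successes inside a spraying run are the accounts to reset
                    "likely_compromised": sorted(
                        e["user"] for e in win if e["result"] == "SUCCESS"),
                }
                if best is None or cand["distinct_users"] > best["distinct_users"]:
                    best = cand
        if best is not None:
            findings[ip] = best
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_stuffing(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The failure-ratio condition is what keeps a large office NAT address, where many legitimate users share one IP, from tripping the rule; in a real deployment you would also key on ASN, user agent, or TLS fingerprint rather than IP alone, and feed `likely_compromised` straight into the forced-reset workflow.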
Marquis Software Breach Traced to SonicWall Cloud Backup
Marquis Software, a key provider for financial institutions and public sector clients, says its network intrusion originated from a compromised SonicWall cloud backup. Attackers used the vendor’s trusted management channel to reach internal assets, a stark reminder of how fragile the supply chain is in modern cybersecurity.
Whether this claim is fully accurate or part of post-breach deflection, it highlights one truth: security vendors are still attack surfaces.
I said it bluntly:
“When your security vendor becomes your attack vector, you’re not in defense — you’re in denial.”
To mitigate, place all vendor admin and backup access behind just-in-time privileged accounts, zero-standing API keys, and device posture validation.
Poland Grid Attack Bricked ICS Devices at 30 Energy Sites
New findings show that Russia-linked actors behind the December Poland grid attack intentionally bricked field ICS devices, disrupting telemetry and control functions across 30 distributed energy sites.
This attack was not about data theft; it was operational warfare, echoing Sandworm-style tradecraft aimed at destruction and chaos rather than espionage.
CISOs in energy and manufacturing should deploy unidirectional gateways or data diodes at remote sites so telemetry can flow out while inbound commands are physically blocked, and isolate RTUs and gateways from central SCADA systems.
“Wiper attacks aren’t about ransom — they’re about inflicting operational pain that lingers long after the logs go cold.”
Illicit Crypto Flows Soar to $158 Billion
A new report from TRM Labs shows illicit crypto flows surged 145% year-over-year, reaching a staggering $158 billion across mixers, high-risk exchanges, and scam wallets.
This includes funds from ransomware, pig-butchering scams, and BEC operations. Though illicit activity only represents 1.3% of total blockchain volume, its sheer scale poses serious compliance risks.
Businesses dealing with crypto or digital payments must restrict payouts to pre-approved wallets, apply real-time chain risk analysis, and maintain off-chain audit logs for compliance.
As I said: “Crypto risk isn’t just regulatory anymore — it’s reputational and existential.”
Ivanti Zero-Day Under Active Exploitation
Ivanti Endpoint Manager Mobile (EPMM) is under active attack via two flaws enabling remote code execution and authentication bypass. Attackers are leveraging these weaknesses to deploy payloads to entire device fleets.
Patch immediately, then geofence admin portals, rotate credentials, and enforce SSO backed by hardware security keys until the environment is verified clean.
“Attackers love MDM because it’s a distribution hub for compromise — patch like your reputation depends on it, because it does.”
MongoDB Extortion Campaign Expands
Attackers continue to target internet-exposed MongoDB instances without authentication, scraping data and demanding ransom under the “pay or we leak” model.
Even with backups, reputational damage and regulatory scrutiny make recovery costly.
Mitigation steps:
Enforce IP allowlists and mandatory authentication.
Require TLS for all MongoDB connections.
Auto-quarantine non-compliant cloud instances.
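The compliance check behind the "auto-quarantine" step, as an added example that is not MongoDB's or any cloud provider's own tooling: it audits a parsed mongod.conf against the controls listed above (no wide-open bind address without authentication, authorization enabled, TLS required) and returns a quarantine decision. mongod.conf is YAML and would normally be loaded with `yaml.safe_load()`; here a weak and a hardened configuration are embedded as constructed Python dicts so the check runs offline. The key paths (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `net.tls.mode`) are the documented mongod.conf options; the severity labels and the quarantine rule are assumptions for the example.

```python
"""Audit mongod.conf settings and decide whether to quarantine (added example)."""

# Constructed: the classic exposed instance, listening on every interface
# with authorization and TLS left at their defaults (disabled).
WEAK_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed: bound to a private interface, auth and TLS enforced.
HARDENED_CONF = {
    "net": {
        "port": 27017,
        "bindIp": "10.0.3.15",
        "tls": {"mode": "requireTLS",
                "certificateKeyFile": "/etc/ssl/mongod.pem"},
    },
    "security": {"authorization": "enabled"},
}


def _get(conf, *path, default=None):
    """Walk nested dict keys, returning default when any level is missing."""
    cur = conf
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_publicly_bound(conf):
    """True if mongod listens on all interfaces (bindIpAll or a wildcard bindIp)."""
    if _get(conf, "net", "bindIpAll") is True:
        return True
    # mongod has defaulted to localhost-only binding since 3.6.
    bind = _get(conf, "net", "bindIp", default="localhost")
    addrs = {a.strip() for a in str(bind).split(",")}
    return bool(addrs & {"0.0.0.0", "::"})


def audit(conf):
    """Return a list of (severity, message) findings for one parsed config."""
    findings = []
    public = is_publicly_bound(conf)
    auth = _get(conf, "security", "authorization", default="disabled")
    tls = _get(conf, "net", "tls", "mode", default="disabled")

    if auth != "enabled":
        # No auth on an internet-facing listener is exactly the extortion setup.
        severity = "critical" if public else "high"
        findings.append((severity, "security.authorization is not 'enabled'"))
    if public:
        findings.append(("high", "net.bindIp exposes mongod on all interfaces"))
    if tls != "requireTLS":
        findings.append(("medium",
                         f"net.tls.mode is '{tls}', expected 'requireTLS'"))
    return findings


def should_quarantine(conf):
    """Quarantine (detach the security group, block the port) on any critical finding."""
    return any(severity == "critical" for severity, _ in audit(conf))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf), "quarantine:", should_quarantine(conf))
```

Run this from a cloud config-scanner or a CI gate on the instance's configuration; the IP allowlist itself lives in the security group or firewall rather than in mongod.conf, so pair this check with one on the network rules for the instance.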
Johnson Controls Vulnerability Puts Smart Buildings at Risk
A newly disclosed SQL injection vulnerability (CVE-2025-26385) in Johnson Controls building management software carries a maximum CVSS score of 10.0, allowing unauthenticated remote access to critical infrastructure.
This could enable attackers to manipulate HVAC systems, access control, and even building automation networks, which in turn can serve as lateral gateways into corporate IT environments.
Recommendation: disable remote cloud access until patches are validated, and lab-test new firmware before deployment.
Google Engineer Convicted of Selling AI Tech to China
A U.S. court convicted former Google engineer Linwei Ding on seven counts of trade secret theft and economic espionage for exfiltrating over 2,000 pages of confidential AI material and uploading it to his personal Google Cloud Drive before attempting to sell it to Chinese tech companies.
He now faces up to 150 years in prison.
This case underscores the insider threat risk in intellectual property environments. Implement repo-level DLP, require just-in-time approvals for bulk code exports, and maintain watchlists for high-value AI assets.
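The bulk-export control described above, as an added example that is not part of the original post or of any real DLP product: constructed repository audit events are checked for a user pulling more than a threshold of files from watchlisted, high-value repositories inside a window, and an alert is raised only when no just-in-time approval covers that user and repository. The event fields, the watchlist, the approval record shape, and the threshold are all assumptions for the example.

```python
"""Bulk-export detector with watchlist and JIT-approval check (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watchlist of high-value repositories.
WATCHLIST = {"ml-platform/training-infra", "ml-platform/model-serving"}

# Constructed just-in-time approvals: (user, repo, expires_at).
JIT_APPROVALS = [
    ("priya", "ml-platform/training-infra", datetime(2026, 1, 26, 23, 59)),
]

# Constructed audit events: (timestamp, user, repo, files_exported).
EVENTS = [
    ("2026-01-26T09:00:00", "priya", "ml-platform/training-infra", 900),
    ("2026-01-26T09:03:00", "priya", "ml-platform/training-infra", 700),
    ("2026-01-26T10:00:00", "lee", "ml-platform/model-serving", 600),
    ("2026-01-26T10:20:00", "lee", "ml-platform/model-serving", 800),
    ("2026-01-26T10:25:00", "lee", "web/marketing-site", 2000),
]


def is_approved(user, repo, at, approvals=JIT_APPROVALS):
    """True if an unexpired JIT approval covers this user and repo at time `at`."""
    return any(u == user and r == repo and at <= expires
               for u, r, expires in approvals)


def detect_bulk_exports(events, window=timedelta(hours=1), threshold=1000,
                        watchlist=WATCHLIST, approvals=JIT_APPROVALS):
    """Return [(user, repo, files_in_window)] for unapproved bulk pulls.

    Only watchlisted repos count; a sliding window per (user, repo) sums the
    files exported, and the first window crossing the threshold without a
    covering approval produces one alert for that pair.
    """
    per_pair = defaultdict(list)
    for ts, user, repo, files in events:
        if repo in watchlist:
            per_pair[(user, repo)].append((datetime.fromisoformat(ts), files))

    alerts = []
    for (user, repo), items in per_pair.items():
        items.sort()
        start, total = 0, 0
        for ts, files in items:
            total += files
            while ts - items[start][0] > window:  # drop events outside the window
                total -= items[start][1]
                start += 1
            if total >= threshold and not is_approved(user, repo, ts, approvals):
                alerts.append((user, repo, total))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(EVENTS):
        print("ALERT unapproved bulk export:", alert)
```

In the constructed data, priya's 1,600-file pull is covered by an approval and stays silent, lee's 1,400 files from a watchlisted repo with no approval raise the alert, and the large pull from the unlisted marketing repo is ignored by design; in production the alert should block the export or page the insider-threat team rather than only log.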
As I said: “The biggest breach risk isn’t outside your firewall — it’s the person who already has the keys.”
Action List
🧩 Rotate credentials for any Bumble/Match users using personal reuse patterns.
🔐 Restrict vendor admin access with just-in-time privileged accounts.
⚡ Add data diodes at remote industrial sites for unidirectional telemetry.
💰 Allowlist crypto wallets and apply chain analysis before payouts.
🧱 Patch Ivanti EPMM immediately and lock down portals.
☁️ Quarantine unauthenticated MongoDB instances.
🏢 Patch Johnson Controls software and disable remote features.
🧠 Apply repo DLP and JIT approvals for AI-related exports.
James Azar’s CISO’s Take
Today’s episode was a reminder that cybersecurity isn’t just about firewalls and forensics; it’s about trust and dependency. From dating apps leaking user data to a national grid being bricked, every breach tells the same story: we’ve built systems too dependent on others to fail safely.
My biggest takeaway? We’re only as resilient as our weakest integration. Whether it’s a SonicWall backup, an MDM agent, or a MongoDB cluster, attackers are weaponizing our trust in convenience. It’s time to double down on segmentation, verification, and least privilege, because the next compromise won’t come from the outside. It’ll come from the tools we trust most.
Stay alert, stay caffeinated, and as always, stay cyber safe.