Good Morning Security Gang!
Broadcasting from Tel Aviv, Israel, we've got an absolutely packed show for you this Wednesday morning. Grab your coffee and join me for a coffee cup cheers as we dive into what might be one of the most significant cybersecurity stories of the year.
We're talking about Chinese state-sponsored actors exploiting Microsoft SharePoint zero-days for weeks before discovery, a massive healthcare breach affecting over 100 facilities, and the UK's bold move to ban ransomware payments for public sector organizations.
🐉 Chinese APTs Exploiting ToolShell Zero-Days
We’ve been talking about the SharePoint ToolShell vulnerabilities for a while now — but today, things escalated. Microsoft’s being dragged into political and national security hot water as evidence mounts that China-backed threat actors (Linen Typhoon, Violet Typhoon, and Storm-2603) exploited the zero-days weeks before Microsoft even detected them. That’s weeks — plural.
This comes amid new outrage that Microsoft code used in federal systems is allegedly being written in China. That’s not a conspiracy theory — it’s under investigation by Senator Tom Cotton and backed by whistleblowers. Even worse, Chinese regulations require companies operating there to report newly discovered vulnerabilities to the government within two days of finding them, which in practice is before any patch can ship. If that doesn’t scream "conflict of interest," I don’t know what does.
"At some point we have to admit that there's a conflict, a direct conflict in the fact that we cannot on one hand say that China is a direct adversary to the United States and to the West... but Microsoft hasn't learned anything from what Rockwell Automation is going through." James Azar
🔥 Sophos Firewall: Five Vulnerabilities Patched
Sophos patched five vulnerabilities in Sophos Firewall, two of them critical. The worst, CVE-2025-6704, scores 9.8 on CVSS: a pre-authentication arbitrary file write in the Secure PDF eXchange (SPX) feature that can lead to remote code execution. The risk is partly mitigated because it only applies when a specific SPX configuration is enabled and the firewall is running in High Availability (HA) mode. The other critical flaw, CVE-2025-7624, is a SQL injection in the legacy transparent SMTP proxy. If you're running Sophos in a complex deployment, check whether the hotfix has already landed and patch immediately if it hasn't.
Over the past month, Sophos released hotfixes to address these issues in Firewall versions 19.0 MR2 (19.0.2.472), 20.0 MR2 (20.0.2.378), 20.0 MR3 (20.0.3.427), 21.0 GA (21.0.0.169), 21.0 MR1 (21.0.1.237), 21.0 MR1-1 (21.0.1.272), 21.0 MR1-2 (21.0.1.277), and 21.5 GA (21.5.0.171).
🏥 AMEOS Healthcare Breach
German-Swiss healthcare giant AMEOS has confirmed a breach affecting over 100 hospitals, clinics, and care centers. Employee, patient, and partner data may have been accessed — though there’s no confirmed leak yet. The organization has issued warnings about phishing attempts and is still investigating. This breach hits Europe hard — especially in the DACH region — and underscores why healthcare remains ransomware group catnip.
🌐 Chrome & Firefox Zero-Days Fixed
Both Google and Mozilla pushed out emergency patches. Chrome 138 updates fixed two actively exploited zero-days (CVE-2025-6554 in the V8 JavaScript engine and CVE-2025-6558 in the ANGLE graphics layer), and Firefox 141 shipped 17 security fixes, many of them in the JavaScript engine. The Chrome bugs are under active exploitation; Mozilla did not report in-the-wild exploitation of the Firefox flaws, but the fixes include high-severity memory safety bugs. If your auto-updates haven’t kicked in yet, now’s the time to force them.
💉 Interlock Ransomware Targets Healthcare and Beyond
CISA, FBI, HHS, and MS-ISAC issued a joint advisory on Interlock — a ransomware group breaking the mold by not sticking to a single vertical. They’ve hit everything from healthcare to manufacturing and airlines. Notably, they use double extortion tactics, and the advisory shares IOCs and recommends DNS filtering, WAFs, and security awareness training. The group’s initial access also leans on the “ClickFix” and “FileFix” social engineering techniques we’ve discussed previously, where the victim is talked into running the malicious command themselves.
🧟♂️ Lumma Stealer Resurfaces
Thought Lumma Stealer was gone after its takedown in May? Think again. Trend Micro reports that the malware is back with new infrastructure and hundreds of fresh C2 domains. It’s spreading via cracked software, fake keygens, and malicious websites. Lumma Stealer’s TTPs haven’t changed much — and unfortunately, neither have our habits of clicking on shady downloads.
💰 UK to Ban Ransomware Payments for Public Sector
The UK is proposing legislation to ban public sector and critical infrastructure entities — like NHS, schools, and local councils — from paying ransom. The goal: make these targets less attractive. The risk? Threat actors may double down, or shift to pure destructive attacks. The law isn’t in force yet, but it's expected to pass — and it’s going to test the theory that banning ransom reduces targeting.
🏛️ U.S. Gov’t Decentralizes Cybersecurity for Critical Infrastructure
No, the federal government isn’t abandoning cybersecurity. But it is scaling back federal agency involvement and shifting responsibility to the states. Agencies like CISA aren’t going anywhere, but local ownership is being encouraged. This shift could empower states like Georgia, which are better positioned to deliver nimble, responsive support than an overburdened federal agency with 24-month sales cycles.
🤖 Replit’s AI Agent Deletes Code... Then Lies About It
Replit, a browser-based AI coding platform, faced significant criticism after its AI tool deleted an entire codebase and production database without authorization, then essentially "lied" about it. The controversy began when prominent VC Jason Lemkin reported that during his 12-day experiment using natural language prompts to build commercial-grade apps, the AI ignored code freezes, failed to seek permission before making changes despite explicit instructions, and then admitted to ignoring user directives.
"In today's age, you can't just trust these models blindly. AI has a mind of its own, and we're quickly finding out just how good it is." James Azar
CEO Amjad Masad apologized publicly on X and committed to fixing the issues, but this incident highlights the dangers of giving an AI agent unsupervised write access to production environments.
✅ Action List:
🔧 Patch SharePoint ToolShell vulnerabilities, rotate ASP.NET machine keys afterwards, and watch for state-backed TTPs.
🛡️ Confirm Sophos firewalls have the hotfixes for the new CVEs, especially SPX deployments in HA mode.
🏥 If you’re in EU healthcare, review exposure to AMEOS systems.
🌍 Update to Chrome 138 and Firefox 141 now; the Chrome zero-days are live.
🧩 Review IOCs from Interlock ransomware advisory; update detection rules.
👁️ Monitor for Lumma Stealer indicators and C2 domain activity.
🚫 Watch the UK’s ransomware law — prepare alternate recovery plans.
🗺️ Align with your state-level cyber teams if you're in U.S. critical infrastructure.
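The IOC review and domain monitoring items above are where the detection work actually starts. The following is an added example, not code from the advisory, from Trend Micro, or from the show, of matching DNS query logs against a domain indicator list. It normalizes case and trailing dots, matches parent domains only on label boundaries (so a look-alike such as notc2-example-one.test is not flagged by an indicator for c2-example-one.test), and leaves a listed subdomain's parent alone. Every domain and log line here is constructed for illustration; substitute the indicators from the Interlock advisory or the Lumma Stealer report and your own resolver's log format.

```python
"""Match DNS query logs against a domain IOC list (constructed sample data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed IOC list for illustration only; these are not real indicators
# from any advisory or vendor report.
SAMPLE_IOCS = [
    "c2-example-one.test",
    "updates.c2-example-two.test",
    "LOADER-EXAMPLE.test.",  # mixed case and trailing dot on purpose
]

# Constructed dnsmasq-style log lines; not captured from a real host.
SAMPLE_LOG = """\
Jul 23 09:01:02 gw dnsmasq[412]: query[A] www.example.org from 10.0.0.5
Jul 23 09:01:09 gw dnsmasq[412]: query[A] api.c2-example-one.test from 10.0.0.17
Jul 23 09:01:10 gw dnsmasq[412]: query[A] c2-example-two.test from 10.0.0.17
Jul 23 09:02:44 gw dnsmasq[412]: query[AAAA] updates.c2-example-two.test. from 10.0.0.23
Jul 23 09:03:00 gw dnsmasq[412]: query[A] loader-example.test from 10.0.0.8
Jul 23 09:03:05 gw dnsmasq[412]: query[A] notc2-example-one.test from 10.0.0.9
"""

# Pulls query type, queried name and source address out of a dnsmasq query line.
LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'Foo.test.' == 'foo.test'."""
    return name.rstrip(".").lower()


def build_ioc_set(iocs) -> set[str]:
    return {normalize(d) for d in iocs}


def matched_ioc(name: str, ioc_set: set[str]) -> str | None:
    """Return the indicator covering `name`, or None.

    A name matches if it equals an indicator or if one of its parent domains,
    cut on a label boundary, equals an indicator. Walking the labels rather
    than using endswith() is what keeps 'notc2-example-one.test' from matching
    the indicator 'c2-example-one.test'.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_set:
            return candidate
    return None


@dataclass(frozen=True)
class Hit:
    src: str
    qtype: str
    name: str
    ioc: str


def scan_log(log_text: str, iocs) -> list[Hit]:
    """Scan every parseable query line and return the indicator matches in order."""
    ioc_set = build_ioc_set(iocs)
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line (or a format this parser does not know)
        ioc = matched_ioc(m["name"], ioc_set)
        if ioc:
            hits.append(Hit(src=m["src"], qtype=m["qtype"], name=normalize(m["name"]), ioc=ioc))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, SAMPLE_IOCS):
        print(f"{h.src} queried {h.name} ({h.qtype}) -> matches IOC {h.ioc}")
```

On the sample data this reports three hits: the api. subdomain of the first indicator, the AAAA lookup of the listed subdomain (trailing dot stripped), and the mixed-case loader domain. The bare parent c2-example-two.test is deliberately not reported, because the indicator names only its updates. subdomain; whether you want parent-domain hits for such indicators is a tuning decision, not something the matcher should decide for you.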
🧠 James Azar’s CISO Take:
This episode felt like a digital minefield. The SharePoint ToolShell fallout is more than just another zero-day — it's about trust. When the same country responsible for exploiting these vulnerabilities is also writing code for federal systems, it’s not just risky — it’s negligent. Microsoft’s got a storm coming, and the rest of us need to think long and hard about software provenance.
At the same time, the UK’s ransomware payment ban is a bold move that could backfire if it isn’t paired with stronger defenses. And while Replit’s faceplant makes us laugh, it should also terrify every engineering team testing AI copilots. We are moving fast into a world of semi-autonomous agents — and unless we wrap them in policy and process, they’ll wreck more than just code.
Until next time, patch those networks and…
Stay cyber safe.
✅ Story Links:
https://www.securityweek.com/critical-vulnerabilities-patched-in-sophos-firewall/
https://www.securityweek.com/high-severity-flaws-patched-in-chrome-firefox/
https://www.securityweek.com/lumma-stealer-malware-returns-after-takedown-attempt/
https://thecyberexpress.com/replit-ai-agent-incident/
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.