Good Morning Security Gang,
Today’s show was loaded: state-backed espionage, long-running zero-days, AI misuse at scale, vendor accountability lawsuits, IoT surveillance risks, and a cybersecurity M&A machine that just won’t slow down.
If there’s a single takeaway from today, it’s this: attack surface is expanding faster than governance, and adversaries are exploiting every layer of it: telecom, SD-WAN, AI workflows, IoT devices, and even backup infrastructure.
Let’s get into it.
Google Disrupts Chinese Cyber Espionage Campaign
Google announced it disrupted a Chinese cyber espionage operation targeting telecom providers and government entities across 42 countries.
The campaign, attributed to UNC2814, wasn’t about smash-and-grab disruption. It was about persistent access. Attackers used credential phishing and infrastructure compromise to gain long-term footholds inside telecom networks. Some backdoors even leveraged Google Sheets as a command-and-control mechanism, using spreadsheets as covert communication channels that blend in with ordinary traffic to a trusted SaaS domain.
Telecom providers are crown jewels. Compromise grants access to metadata, lawful intercept capabilities, and potentially political communications. This was intelligence harvesting at scale.
The strategic risk? Long-term espionage embedded inside global communications infrastructure.
Cisco SD-WAN Zero-Day Exploited Since 2023
Cisco confirmed that a critical SD-WAN vulnerability (CVE-2026-21217) had been exploited as a zero-day since 2023. Let that sink in: exploitation potentially spanning years.
SD-WAN sits at the network perimeter. Compromise means lateral movement into distributed branch networks, government systems, and enterprise infrastructure. CISA issued emergency directives requiring federal agencies to inventory systems, apply patches, and conduct forensic investigations.
The alarming part isn’t just the vulnerability; it’s the timeline. Extended exposure windows mean adversaries may have established deep persistence, and a patch applied today does nothing about accounts, tunnels, or policy changes that were planted last year.
If you’re running SD-WAN, you should be auditing management-plane logs back to the start of the exposure window and conducting retroactive threat hunts: admin logins from addresses outside your management network, configuration changes nobody can account for, and new local accounts or policy edits that follow those logins.
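As an added example of what such a retroactive hunt looks like in practice (this is not code from the page, from Cisco, or from CISA), the block below runs over a handful of constructed, hypothetical syslog-style management-plane lines. The log format, hostnames, addresses and the 10.10.0.0/16 management network are all assumptions; the regex is the part you adapt to your vendor’s format, while the allowlist check, the exposure-window cutoff and the change-after-login correlation carry over as they are.

```python
"""Retroactive threat hunt over SD-WAN management-plane logs.

Added example; not code from the page, Cisco, or CISA. The log format is
a constructed, hypothetical syslog-style format; real vendor logs differ,
so LINE_RE is the part you adapt. The allowlist check, the window since
first exposure, and the change-after-login correlation carry over.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample lines (hypothetical format). 10.10.0.0/16 is the
# assumed management network; 203.0.113.45 and 198.51.100.9 are not in it.
SAMPLE_LOGS = """\
2023-11-02T03:14:07Z sdwan-edge-07 mgmt: login success user=admin src=203.0.113.45 method=https
2023-11-02T03:14:40Z sdwan-edge-07 mgmt: config change user=admin item=tunnel-policy
2024-01-15T09:00:12Z sdwan-edge-07 mgmt: login success user=netops src=10.10.5.20 method=https
2024-06-21T22:47:51Z sdwan-edge-03 mgmt: login failure user=admin src=198.51.100.9 method=ssh
2024-06-21T22:48:03Z sdwan-edge-03 mgmt: login success user=admin src=198.51.100.9 method=ssh
2024-06-21T22:49:30Z sdwan-edge-03 mgmt: config change user=admin item=user-account
2025-03-10T11:05:00Z sdwan-edge-07 mgmt: login success user=netops src=10.10.5.21 method=https
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) mgmt: "
    r"(?P<event>login success|login failure|config change) (?P<kv>.*)$"
)


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(line):
    """Return one event dict, or None for lines the regex does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m.group("kv").split())
    return {"ts": _ts(m.group("ts")), "host": m.group("host"),
            "event": m.group("event"), **kv}


def hunt(log_text, exposure_start, mgmt_networks, follow_window_s=900):
    """Flag management logins from outside the allowlist since the start of
    the exposure window, and config changes that follow such a login on the
    same device by the same user within follow_window_s seconds."""
    start = _ts(exposure_start)
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    failures = {}    # (host, user, src) -> failed attempts seen so far
    suspicious = {}  # (host, user) -> time of the last flagged login
    findings = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or e["ts"] < start:
            continue  # unparsable, or before the exposure window
        key = (e["host"], e["user"])
        if e["event"] == "login failure":
            fkey = key + (e["src"],)
            failures[fkey] = failures.get(fkey, 0) + 1
        elif e["event"] == "login success":
            src = ipaddress.ip_address(e["src"])
            if not any(src in n for n in nets):
                findings.append({"kind": "external-admin-login", "host": e["host"],
                                 "user": e["user"], "src": e["src"],
                                 "ts": e["ts"].isoformat(),
                                 "prior_failures": failures.get(key + (e["src"],), 0)})
                suspicious[key] = e["ts"]
        elif e["event"] == "config change":
            last = suspicious.get(key)
            if last is not None and (e["ts"] - last).total_seconds() <= follow_window_s:
                findings.append({"kind": "config-change-after-suspicious-login",
                                 "host": e["host"], "user": e["user"],
                                 "item": e["item"], "ts": e["ts"].isoformat()})
    return findings


def run_sample():
    """Hunt the constructed sample back to the start of 2023."""
    return hunt(SAMPLE_LOGS, "2023-01-01T00:00:00Z", ["10.10.0.0/16"])


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Set `exposure_start` to the earliest date the vendor says exploitation began, not the date you patched; on the sample above, cutting the window at 2024-01-01 silently drops the 2023 login and the tunnel-policy change that followed it, which is exactly the persistence you are hunting for.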
Medical Device Manufacturer Data Stolen
UFP Technologies, a supplier in the medical device ecosystem, disclosed that attackers accessed internal systems and exfiltrated sensitive data.
While operational disruption was reportedly limited, this is a highly regulated and interconnected supply chain environment. Compromised intellectual property or production data can ripple into healthcare systems downstream.
Medical device ecosystems are part of critical infrastructure. Exfiltration here isn’t just corporate loss; it’s supply chain risk.
SonicWall Backup Flaw Tied to Ransomware Lawsuit
Marquis filed a lawsuit alleging that a breach of SonicWall’s cloud backup solution enabled the ransomware fallout that followed. This story matters because it signals a shift: vendor security failures are increasingly leading to legal accountability.
Backup infrastructure is supposed to be resilience insurance. When backup systems themselves become attack vectors, blast radius increases dramatically.
This echoes broader legal trends: security vendors are no longer immune from downstream liability scrutiny.
The risk here is cascading ransomware impact through managed backup platforms.
SolarWinds Serv-U Critical Vulnerabilities
SolarWinds patched four critical vulnerabilities in its Serv-U managed file transfer software.
These flaws could allow remote code execution and privilege escalation, especially dangerous in externally exposed file transfer systems handling sensitive business data.
Managed file transfer and FTP systems are often overlooked but remain high-value targets: they sit on the internet by design and hold exactly the data an attacker wants. External exposure plus RCE equals immediate enterprise risk.
Claude AI Exploited in Mexican Government Campaign
Researchers uncovered a case in which Claude was abused inside an automated workflow: persistent prompting bypassed its safety guardrails, and the attacker used the resulting outputs to find and exploit vulnerabilities across Mexican federal and state systems.
The attacker reportedly identified over 20 vulnerabilities across government systems this way.
This isn’t an AI breach. It’s AI misuse.
When AI-generated outputs are executed without human review, the model becomes an indirect attack surface: whoever can steer the prompts can steer the actions.
AI governance without execution control is theater.
China’s Domestic IP Crackdown — Strategic Posturing?
China announced a domestic intellectual property theft crackdown.
On the surface, it appears to be internal reform. Strategically, it aligns with geopolitical positioning amid global criticism of Chinese cyber espionage.
Multinational organizations operating in China must maintain strict data segregation and governance separation between domestic and international systems. Trust nothing by default. Validate everything by design.
Robot Vacuum Army: IoT Exposure via API Flaw
An engineer reverse-engineered a robot vacuum ecosystem and discovered an unauthenticated API that exposed control over nearly 7,000 devices across 24 countries.
Live camera feeds, microphone audio, and mapping data were all accessible because of weak backend access controls: the backend never checked who was calling or whether the caller owned the device being addressed. The engineer just wanted to control his vacuum with a PS5 controller. Instead, he uncovered a surveillance nightmare.
IoT devices are no longer novelty gadgets. They are distributed sensors embedded in homes and offices globally, and a single missing authorization check on the vendor’s cloud turns the whole fleet into one attacker’s sensor network.
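To make the failure concrete, here is an added example, not code from the page or from any vacuum vendor, showing a device-control handler with the missing-authorization pattern described above beside a hardened version. The device registry, session tokens, command names and the owner-controlled "remote sensors" switch are all constructed for illustration; the point is that the fix is per-object authorization (is this caller the owner of this device?) on top of authentication, with unknown and not-owned ids answered identically so the id space cannot be enumerated.

```python
"""Broken object-level authorization in a device-control backend, beside a
hardened handler. Added example; it is not code from the page or from any
vacuum vendor. The device registry, session tokens, command names and the
owner-enabled remote_sensors rule are all constructed for illustration.
"""
import hmac

# Constructed backend state. remote_sensors is a switch the owner flips on
# the device itself; it gates camera, microphone and map access.
DEVICES = {
    "vac-0001": {"owner": "alice", "remote_sensors": False},
    "vac-0002": {"owner": "bob", "remote_sensors": True},
}
# Constructed bearer tokens. Real ones are issued by a login flow.
SESSIONS = {"tok-alice-8f3a": "alice", "tok-bob-21c9": "bob"}
CONTROL_COMMANDS = {"start_clean", "stop", "dock"}
SENSOR_COMMANDS = {"camera_stream", "mic_stream", "get_map"}


def control_device_vulnerable(device_id, command):
    """The pattern the write-up describes: no caller identity, no ownership
    check. Anyone who knows or enumerates a device id can send any command."""
    device = DEVICES[device_id]
    return {"device": device_id, "command": command, "owner": device["owner"]}


def _user_for_token(token):
    """Resolve a bearer token, comparing in constant time against every
    stored token so timing does not reveal which one is close."""
    user = None
    for stored, owner in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            user = owner
    return user


def control_device_hardened(token, device_id, command):
    """Authenticate the caller, then authorize per object and per command."""
    user = _user_for_token(token or "")
    if user is None:
        raise PermissionError("missing or invalid bearer token")
    device = DEVICES.get(device_id)
    # Unknown id and not-owned id yield the same error: callers must not be
    # able to tell which ids exist.
    if device is None or device["owner"] != user:
        raise PermissionError("device not found")
    if command in SENSOR_COMMANDS:
        if not device["remote_sensors"]:
            raise PermissionError("remote sensors disabled on device")
    elif command not in CONTROL_COMMANDS:
        raise PermissionError("unknown command")
    return {"device": device_id, "command": command, "owner": user}


def attempt(token, device_id, command):
    """Wrap the hardened handler so callers get ('ok', result) or
    ('denied', reason) instead of an exception."""
    try:
        return ("ok", control_device_hardened(token, device_id, command))
    except PermissionError as exc:
        return ("denied", str(exc))


def sweep(ids, token=None):
    """Simulate an id sweep: which devices each handler lets the caller
    reach with a map request."""
    vulnerable_hits = [i for i in ids if i in DEVICES
                       and control_device_vulnerable(i, "get_map")]
    hardened_hits = [i for i in ids if attempt(token, i, "get_map")[0] == "ok"]
    return {"vulnerable": vulnerable_hits, "hardened": hardened_hits}


if __name__ == "__main__":
    ids = [f"vac-{n:04d}" for n in range(1, 6)]
    print(sweep(ids))                  # anonymous caller
    print(sweep(ids, "tok-bob-21c9"))  # bob, whose device has sensors enabled
```

Note the two separate decisions in the hardened handler: authentication answers "who is calling", and the ownership check answers "may this identity touch this object". An API that does only the first still lets every legitimate customer reach every other customer’s camera.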
Cybersecurity M&A Continues at Record Pace
SecurityWeek reported 426 cybersecurity M&A deals in 2025, totaling nearly $92.5 billion in disclosed value.
Consolidation is accelerating. Vendors are racing to become platforms rather than point solutions. The market is consolidating around identity, cloud security, and integrated ecosystems.
The takeaway? Know whether you’re buying a feature, product, or platform — because the market is deciding for you.
Chicago Public Schools Data Breach Settlement
Chicago Public Schools reached a proposed $17 million settlement tied to breach litigation. The education sector continues facing legal and financial fallout from student and staff data exposure.
Breach impact doesn’t end at remediation; it extends into courts, settlements, and long-term institutional trust erosion.
Key Action Items
Conduct retrospective forensic audits on Cisco SD-WAN deployments
Implement continuous credential anomaly detection in telecom environments
Deploy DLP monitoring on R&D and regulated production repositories
Validate backup integrity independently from vendor assurance
Restrict AI-generated outputs from automated execution without human review
Segment IoT devices from enterprise networks
Patch externally exposed file transfer systems immediately
Separate China-based operational data governance from global systems
James Azar’s CISO’s Take
When I step back from today’s stories, I see layered exposure. Telecom espionage, perimeter zero-days, AI workflow manipulation, IoT surveillance gaps, and vendor backup failures — all converging.
The perimeter isn’t gone. It’s multiplied.
Every management interface, every AI prompt workflow, every SD-WAN edge device, every cloud backup — they’re all perimeter now.
As a CISO, my focus remains simple: relentless visibility, aggressive segmentation, retroactive forensic validation, and governance that matches the speed of automation.
Cyber today isn’t about reacting to breaches. It’s about designing resilience before adversaries discover the next control gap.
Stay cyber safe.