Good Morning Security Gang!
It’s Wednesday, September 3rd, 2025, and if it feels like the news cycle picked up right after Labor Day, you’re right. Today’s CyberHub Podcast is loaded: Cloudflare joins the list of victims in the SalesLoft Drift supply chain attack, Jaguar Land Rover is dealing with production outages after a cyberattack, Brazil stopped a $130M bank heist, Disney pays a fine over children’s data, Cloudflare blocks the largest DDoS attack ever recorded, and more. Grab your espresso, foam and all, and let’s dive in.
☁ Cloudflare Breached via SalesLoft Drift Supply Chain Attack
Cloudflare confirmed it was impacted by the SalesLoft Drift/Salesforce supply chain compromise, joining Palo Alto Networks, Zscaler, Google, and others. The attackers exfiltrated Salesforce support case data, which included customer names, emails, phone numbers, domains, the text of support tickets and, in some cases, secrets that customers had pasted into those tickets. Cloudflare found 104 of its own API tokens in the stolen data, rotated all of them, and warned that the breach is part of a wider campaign to harvest credentials for follow-on attacks. The practical takeaway for every Salesforce customer: anything ever pasted into a support case, whether an API key, a password or a private key, should now be treated as exposed and rotated.
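The hardest part of a breach like this is finding out which secrets were sitting in ticket text in the first place. The script below is an added example for this post, not Cloudflare's, Salesforce's or SalesLoft's own tooling: it walks an exported set of support cases, flags credentials with vendor-specific patterns (the AWS, GitHub and Slack prefixes are those vendors' published formats), falls back to a length-plus-entropy rule for opaque API tokens, and emits a redacted rotation list. The `CASES` records are constructed, `AKIAIOSFODNN7EXAMPLE` is AWS's documented placeholder key, and the `MIN_LEN` and `MIN_ENTROPY` thresholds are assumptions to tune on your own export.

```python
"""Find secrets pasted into exported support cases so they can be rotated.

Added example for this post, not Cloudflare's, Salesforce's or SalesLoft's
tooling. CASES is a constructed export; AWS/GitHub/Slack patterns follow the
vendors' published prefixes; MIN_LEN and MIN_ENTROPY are assumed thresholds.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (what a CRM CSV/JSON dump of cases looks like).
# AKIAIOSFODNN7EXAMPLE is AWS's own documented placeholder, not a live key.
CASES = [
    {"id": "00001001", "subject": "S3 uploads failing",
     "body": "Our uploader gets 403. Creds: AKIAIOSFODNN7EXAMPLE / "
             "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "00001002", "subject": "API returns 401",
     "body": "I send Authorization: Bearer k8Jq2xP9vL4mN7rT1wY6zA3bC5dE8fG0hH2iJ4kK"
             " and still get 401."},
    {"id": "00001003", "subject": "Rotate deploy key",
     "body": "Can you rotate this key?\n-----BEGIN OPENSSH PRIVATE KEY-----\n"
             "(key material omitted in this sample)\n-----END OPENSSH PRIVATE KEY-----"},
    {"id": "00001004", "subject": "Zone not updating",
     "body": "My API key is 5f4dcc3b5aa765d61d8327deb882cf99a1b2c3d4 and the zone "
             "is example.com."},
    {"id": "00001005", "subject": "CI cannot clone",
     "body": "The runner uses ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij. Is it blocked?"},
    {"id": "00001006", "subject": "Timezone bug",
     "body": "Dashboard shows the wrong timezone for account acme-corp-example. "
             "The docs use placeholder " + "x" * 36 + "."},
]

# Vendor-specific detectors keyed on the prefix each provider documents.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# For bearer tokens the credential is the capture group, not the word "Bearer".
BEARER = re.compile(r"\bBearer\s+([A-Za-z0-9._\-]{20,})")
# Generic fallback for opaque API tokens: a long run of token characters whose
# Shannon entropy looks random rather than like a placeholder or an English word.
MIN_LEN = 32          # assumption: Cloudflare-style tokens are 40 chars
MIN_ENTROPY = 3.5     # assumption: bits per character
GENERIC = re.compile(r"[A-Za-z0-9_\-]{%d,}" % MIN_LEN)


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a repeated single character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[tuple[str, int, int]]:
    """Return (kind, start, end) hits; generic hits never overlap specific ones."""
    hits = []
    for kind, pat in SPECIFIC_PATTERNS.items():
        hits.extend((kind, m.start(), m.end()) for m in pat.finditer(text))
    hits.extend(("bearer_token", m.start(1), m.end(1)) for m in BEARER.finditer(text))
    for m in GENERIC.finditer(text):
        if any(s < m.end() and m.start() < e for _, s, e in hits):
            continue  # already attributed to a specific detector
        if shannon_entropy(m.group()) >= MIN_ENTROPY:
            hits.append(("high_entropy_string", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    preview: str  # redacted, so the rotation report itself does not leak the secret


def redact(value: str) -> str:
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "*" * len(value)


def scan_cases(cases: list[dict]) -> list[Finding]:
    findings = []
    for case in cases:
        text = f"{case['subject']}\n{case['body']}"
        for kind, start, end in scan_text(text):
            findings.append(Finding(case["id"], kind, redact(text[start:end])))
    return findings


def rotation_report(findings: list[Finding]) -> dict[str, list[str]]:
    """Group secret kinds by case so each case becomes one rotation ticket."""
    report: dict[str, list[str]] = {}
    for f in findings:
        report.setdefault(f.case_id, []).append(f.kind)
    return report


if __name__ == "__main__":
    for f in scan_cases(CASES):
        print(f"case {f.case_id}: {f.kind:<20} {f.preview}")
```

Note what the generic rule does and does not catch: the placeholder of repeated `x`s in case 00001006 has zero entropy and is ignored, while the hex API key in case 00001004 is flagged with no vendor pattern at all. The AWS secret key in case 00001001 slips past the generic rule because `/` breaks the character run; widening the charset to base64 (`+` and `/`) raises recall at the cost of matching URL paths, which is why a maintained list of vendor prefixes should sit in front of the entropy fallback rather than replace it.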
⚖ Pennsylvania AG Ransomware Attack – 3 Weeks Offline
The Pennsylvania Attorney General’s Office admitted that ransomware caused its three-week outage in August. The attack took down the office’s phones, email, and public website statewide. Services were gradually restored, but the length of the outage showed how little resiliency had been built in.
As I said on the show: “Resiliency isn’t a magic word—it’s everything.”
Without segmentation to contain the attack or a tested recovery plan, the office was left rebuilding its network from zero.
🚗 Jaguar Land Rover Cyberattack Halts Production
Jaguar Land Rover disconnected its global IT systems after a cyberattack severely disrupted manufacturing and retail operations, and parent company Tata Motors confirmed the incident had a global impact. Manufacturing is especially exposed because IT and OT systems are usually interconnected, so ransomware in an ERP or supply chain system can force a full production shutdown even if the plant-floor controllers themselves are never touched.
“In cyber, we have to bat a thousand. And if we bat point nine, nine, nine, nine, nine, guess what? We’re SOL.” – James Azar
💰 $130M Bank Heist Attempt in Brazil Foiled
Brazil’s instant payment system PIX, run by the central bank, was the target of an attempted $130M heist through fintech Sinqia (owned by Evertec). Attackers gained access to Sinqia’s PIX connection but the transfers were blocked before funds left customer accounts. Media reports tied HSBC to the attempt, and the bank stressed that customer funds were not affected. This is the latest example of attackers going after instant payment rails like PIX, FedNow, and UPI, where settlement is final within seconds and there is no clearing window in which to claw a fraudulent transfer back.
🧒 Disney Pays $10M Fine Over Children’s Privacy
Disney agreed to pay $10M to settle FTC allegations that it violated the Children’s Online Privacy Protection Act (COPPA). By mislabeling YouTube videos aimed at children as not made for kids, Disney allowed data to be collected from viewers under 13 without parental consent. A small fine for a company of Disney’s size, but a big reminder: cutting compliance corners costs more in the long run.
🌐 Cloudflare Blocks Largest-Ever DDoS Attack
Cloudflare blocked the largest DDoS attack on record: an 11.5 Tbps UDP flood that lasted about 35 seconds and was sourced from multiple cloud and IoT providers, including Google Cloud. Cloudflare says it has absorbed hundreds of hyper-volumetric attacks in recent weeks, some reaching 5.1 billion packets per second. At these rates the attack is over before a human can react, so mitigation has to be automated and already in the traffic path.
☎ FreePBX Zero-Day Exploited in the Wild
Sangoma released emergency patches for FreePBX after CVE-2025-57819, a CVSS 10.0 flaw in the administrator control panel, was exploited in the wild starting around August 21. The bug lets an unauthenticated attacker reach admin functionality, manipulate the database and ultimately execute code on the PBX. Admins running FreePBX 15, 16, or 17 should patch immediately and, as Sangoma advised, keep the admin panel off the public internet. Any system that was exposed before the patch should be treated as potentially compromised and checked for unexpected admin users, modified files, and unusual outbound connections.
🏛 CISA Names New Executive Assistant Director
Nick Andersen was appointed CISA’s Executive Assistant Director for Cybersecurity. He previously led cyber programs at the Department of Energy and fills the role once held by Eric Goldstein. Andersen worked closely at DOE with Sean Plankey, the nominee for CISA director whose confirmation remains stalled in the Senate.
📰 Google Fake Breach Rumor Debunked
Multiple outlets reported that Google was warning all users to reset their passwords because of a breach. Google called the story “fake,” confirming that no such breach occurred and no such advisory was issued.
🧠 James Azar’s CISO Take
Today’s stories highlight two major truths: supply chain risk and resiliency failures. Cloudflare joins the growing list of Salesforce customers hit through the SalesLoft Drift compromise. This isn’t about Salesforce itself; it’s about integration governance. Every SaaS integration holds a standing credential with broad access to your data, and it must be inventoried, scoped, and monitored like any other privileged account. On the other side, the Pennsylvania AG and Jaguar Land Rover incidents show what happens when resiliency planning is neglected: if you can’t segment or recover quickly, a single ransomware event can knock you offline for weeks.
The second theme is the scale of attacks. From a foiled $130M bank heist to an 11.5 Tbps DDoS, adversaries are swinging for the fences. Disney’s compliance fine and the FreePBX zero-day remind us that small oversights carry big costs. As CISOs, we don’t need to boil the ocean; we need to get the basics right: patch, segment, govern integrations, and plan for recovery. That’s what turns a crisis into just another Tuesday.
✅ Action Items
🔐 Revoke and reissue Salesforce/Drift OAuth tokens, audit every other connected app for scope and last use, and rotate any secret that ever appeared in a support case.
🛡 Patch FreePBX CVE-2025-57819 immediately and keep the admin panel off the public internet.
☎ Ensure state/local agencies maintain landline or backup comms for VoIP outages.
🚗 Segment IT/OT in manufacturing to limit ransomware blast radius.
💰 Harden instant-payment platforms with velocity limits and anomaly detection; real-time settlement leaves no window to reverse fraud after the fact.
📊 Reassess compliance staffing—fines cost more than good governance.
🌐 Monitor volumetric DDoS trends and confirm mitigation is always-on and automated; a 35-second attack is finished before an on-demand scrubbing service can be engaged.
📰 Verify breach rumors before reacting; misinformation spreads fast.
That's it for our show this morning. We'll be back tomorrow at 9 AM Eastern with all the latest. Have a great rest of your day, y'all, and most importantly, stay cyber safe.