CISO Talk by James Azar
CyberHub Podcast
ColdFusion CVSS 10 Exploited Within Hours, Canada's Cyber Command Takes Down Ransomware Infrastructure, and Iran's New Cavern C2 Targets Critical Infrastructure
0:00
-16:51

ColdFusion CVSS 10 Exploited Within Hours, Canada's Cyber Command Takes Down Ransomware Infrastructure, and Iran's New Cavern C2 Targets Critical Infrastructure

Why the fastest attackers aren't inventing new techniques, they're perfecting the old ones faster than defenders can respond.

☕ Good Morning Security Gang,

Today’s episode reinforced something we’ve been saying for months: attackers don’t need revolutionary techniques—they simply need defenders who leave the basics undone.

Today’s headlines ranged from Adobe ColdFusion vulnerabilities being exploited less than 48 hours after patches were released, to a rapidly evolving ransomware family capable of propagating across an enterprise using more than twenty different remote execution techniques. We also examined active probing of a critical Gitea Docker vulnerability just days after disclosure, a sophisticated new espionage campaign targeting government and electric utilities, Microsoft’s device code authentication being abused for account hijacking, and Canada’s intelligence agency publicly revealing offensive cyber operations that dismantled ransomware infrastructure.

The common thread throughout today’s show wasn’t sophisticated zero-days or groundbreaking malware.

It was operational discipline or the lack of it. Double espresso in hand.

Coffee cup cheers, gang.

🧭 Executive Summary

Today’s cybersecurity landscape demonstrated how quickly attackers capitalize on opportunity.

Critical vulnerabilities are now being weaponized within days or sometimes hours of public disclosure. At the same time, ransomware operators continue improving lateral movement, software supply chain attacks are expanding into everyday developer tools, and advanced persistent threat groups remain focused on critical infrastructure using surprisingly familiar phishing techniques.

Meanwhile, governments are becoming increasingly aggressive in offensive cyber operations, while organizations continue struggling with the same fundamentals: patch management, identity protection, network segmentation, and security awareness.

The technology changes.

The fundamentals don’t.

📰 Top Stories & Deep Dive Analysis

“The entry point is boring. What’s waiting behind it is what should keep you up at night.” James Azar

🚨 Adobe ColdFusion CVSS 10 Vulnerability Already Under Active Exploitation

The most urgent story today involves CVE-2026-48282, a maximum severity vulnerability affecting Adobe ColdFusion 2025, ColdFusion 2023, and earlier releases. Adobe released patches only days ago, urging customers to deploy them within 72 hours. Less than two days later, Canada’s Centre for Cyber Security confirmed active exploitation in the wild.

The vulnerability allows an unauthenticated attacker to achieve full remote code execution against exposed ColdFusion servers, placing business-critical web applications directly at risk. Shadowserver continues tracking nearly 800 internet-facing ColdFusion instances, although it remains unclear how many have already been patched.

ColdFusion may not dominate headlines the way VPN appliances or identity platforms do, but it continues powering numerous legacy enterprise applications across healthcare, financial services, government, and manufacturing.

This isn’t an isolated event either.

Just last week Adobe addressed six additional critical ColdFusion vulnerabilities, underscoring that organizations still relying on the platform need to treat ColdFusion updates as an ongoing operational priority rather than an annual maintenance exercise.

If ColdFusion remains internet-facing inside your environment, today’s recommendation is straightforward: patch immediately or place it behind a VPN or web application firewall until updates can be completed.

💣 “The Gentleman” Ransomware Evolves Into Self-Spreading Enterprise Malware

Researchers at Picus Security detailed significant new capabilities within The Gentleman ransomware family, showing how it has evolved beyond simple encryption into a highly automated enterprise propagation platform.

Unlike traditional ransomware that depends primarily on manual operator movement, The Gentleman attempts 21 different remote execution techniques after compromising its initial victim. It leverages PsExec, scheduled tasks, Windows services, PowerShell, SMB shares, and numerous additional execution paths to spread throughout an enterprise network.

Before encryption even begins, the malware disables Microsoft Defender, clears forensic artifacts, deletes Windows Shadow Copies multiple times, erases command history, and then encrypts files using modern Curve25519 and XChaCha20 cryptography.

The targeting has already expanded across education, healthcare, transportation, financial services, and other industries on multiple continents.

The most important takeaway isn’t simply stronger encryption.

It’s that ransomware operators increasingly assume defenders have endpoint protection and design malware specifically to disable those controls before beginning encryption.

Organizations should validate network segmentation, restrict administrative tools such as PsExec, maintain offline backups, and specifically test detections against the malware’s lateral movement techniques instead of relying solely on generic ransomware signatures.

🐳 Attackers Begin Probing Critical Gitea Docker Vulnerability

Threat intelligence researchers observed the first active reconnaissance targeting CVE-2026-20896, a critical vulnerability affecting official Gitea Docker images less than two weeks after disclosure.

The issue stems from a dangerous default configuration where trusted reverse proxy settings accept requests from any source instead of limiting authentication to localhost.

For organizations using reverse proxy authentication, attackers can simply forge an HTTP authentication header and immediately authenticate as any user including administrators without needing passwords or authentication tokens.

Current estimates suggest approximately 6,200 internet-facing Gitea instances remain exposed worldwide.

Although observed activity currently appears limited to reconnaissance, history suggests exploitation frequently follows shortly afterward.

Organizations should immediately upgrade to Gitea version 1.26.3 or later, verify trusted proxy configurations, and ensure container access remains restricted only to authorized reverse proxies.

⚡ New Armored Likho Campaign Targets Government and Electric Utilities

Kaspersky disclosed a newly documented campaign conducted by the threat actor Armored Likho, targeting government organizations and electric power operators across Russia, Kazakhstan, and Brazil.

What makes this campaign notable isn’t a sophisticated zero-day.

It begins with something security professionals have battled for years: phishing emails containing shortcut files and malicious archives disguised as legitimate documents.

Once executed, however, victims receive an advanced Python-based information stealer known as BusySnake, capable of dynamically encrypting and decrypting its own code, harvesting browser credentials, collecting one-time password secrets, stealing cryptocurrency wallets, extracting Telegram sessions, logging keystrokes, capturing screenshots, and establishing reverse SSH tunnels for persistent remote access.

The campaign serves as another reminder that initial access remains remarkably consistent.

Sophisticated malware often enters through remarkably ordinary phishing emails.

Organizations protecting critical infrastructure should continue emphasizing phishing resilience while expanding endpoint detection capabilities to identify reverse tunneling, credential theft, and process injection techniques.

⚡ Need to Know

“Attackers keep finding ways to make the boring stuff work better—and that’s exactly why the basics still matter.” James Azar

🎭 Microsoft Teams Voice Calls Used to Deploy Malware

Palo Alto Networks Unit 42 identified attackers impersonating IT support personnel over Microsoft Teams voice calls. Victims are convinced to install legitimate remote administration tools before receiving malware that communicates through Ethereum smart contracts for command and control. Organizations should review Teams policies governing external calls and screen sharing.

🔑 Microsoft Device Code Authentication Being Abused

Researchers documented attackers abusing Microsoft’s legitimate device code authentication process to obtain access tokens through genuine Microsoft login pages. Victims never visit fake websites, making traditional phishing detection significantly more difficult. Organizations not requiring device code authentication should disable it through Conditional Access.

🇮🇷 Iranian Cavern Framework Targets IT Providers

Researchers documented a modular command-and-control framework known as Cavern, deployed by an Iranian threat actor against Israeli government organizations and managed service providers. Attackers frequently compromise an IT provider before pivoting into downstream customer environments, reinforcing the importance of securing third-party relationships.

🇨🇦 Canada Reveals Offensive Cyber Operations

Canada’s Communications Security Establishment announced that it conducted three offensive cyber operations last year, including one that disrupted ransomware infrastructure and deleted portions of stolen victim data after attacks targeting Canadian healthcare, transportation, and businesses.

🧒 Fifteen-Year-Old Arrested After Using AI to Exploit Streaming Service

Tokyo police arrested a 15-year-old student accused of using AI-generated exploit code against Bandai Channel, allegedly disrupting more than 46,000 subscriptions. The incident illustrates how generative AI continues lowering technical barriers for inexperienced attackers.

💰 DAO Governance Attack Drains $20 Million

Attackers reportedly spent approximately $4 million acquiring governance tokens before using their voting power to approve a malicious proposal that drained nearly $20 million from a decentralized autonomous organization’s treasury. Organizations participating in DAO governance should review timelocks and multi-signature protections.

📄 VeilDrop Malware Uses Google Blogspot Infrastructure

Researchers identified a fileless malware campaign known as VeilDrop that leverages legitimate Google Blogspot pages to deliver payloads through reflective .NET loading. Because traffic blends into normal Google infrastructure, organizations should focus on behavioral detections rather than static URL blocklists.

Share

🎯 Key Takeaway

Today’s show wasn’t really about Adobe.

It wasn’t about ransomware.

And it wasn’t about phishing.

It was about execution.

The vulnerabilities were known.

The patches existed.

The phishing techniques were familiar.

The defensive controls were available.

Attackers continue succeeding not because they’re inventing entirely new techniques but because they’re executing the basics faster and more consistently than many defenders.

🧠 James Azar’s CISOs Take

What stood out to me today is that almost every major story started with something we’ve been fighting for years. A phishing email. A vulnerable web application. A default configuration. A trusted authentication flow. None of those are new. What has changed is the speed and sophistication that follows initial compromise. Attackers are chaining together automation, credential theft, remote execution, and lateral movement faster than many organizations can detect or respond. If you’re still treating phishing awareness, patching, and endpoint monitoring as annual exercises instead of daily operational priorities, you’re giving attackers exactly the advantage they want.

The second lesson is that cybersecurity continues to reward organizations that execute the fundamentals exceptionally well. Whether it’s ColdFusion, Gitea, Microsoft Teams, or critical infrastructure, the strongest defenses remain disciplined vulnerability management, identity protection, network segmentation, application hardening, and continuous monitoring. New technologies including AI will continue changing the attack landscape, but they don’t replace the basics. They simply make getting the basics wrong far more expensive.

🛠️ Action Items

  • Patch Adobe ColdFusion immediately and remove unnecessary internet exposure.

  • Upgrade Gitea Docker deployments to version 1.26.3 or later.

  • Validate reverse proxy authentication settings for Gitea instances.

  • Test ransomware detection against The Gentleman’s lateral movement techniques.

  • Restrict administrative tools including PsExec where operationally possible.

  • Strengthen phishing awareness training for shortcut files and archive-based attacks.

  • Monitor for reverse SSH tunnels and credential theft activity.

  • Review Microsoft Teams policies governing external calls and screen sharing.

  • Disable Microsoft Device Code authentication if not required.

  • Audit managed service provider and third-party access relationships.

  • Review behavioral detections for fileless malware leveraging trusted cloud infrastructure.

🔥 Stay Cyber Safe.

Discussion about this episode

User's avatar

Ready for more?