CISO Talk by James Azar
CyberHub Podcast
Coordinated Infrastructure Attacks, Oracle Zero-Days, and Major Law Enforcement Wins


From Texas Municipal Hits to Chinese-Linked VPN Campaigns: Your Monday Morning Cyber Security Briefing with Actionable Intel

Good Morning Security Gang!

Welcome back to the CyberHub Podcast. I’m James Azar, your host and CISO, coming to you with gratitude, a cup of espresso, and a reminder that even amidst chaos, there are things worth celebrating — like my son’s 4th birthday today (happy birthday, buddy!), and the incredible news that twenty hostages kidnapped on October 7th, 2023, have finally been reunited with their families.

As President Trump visits Israel, meets with Prime Minister Netanyahu, and prepares for a regional summit in Egypt, I can’t help but feel a little hope creeping into what’s often a dark global landscape. But as always, optimism doesn’t mean letting our guard down — because the cyber world never sleeps.

From a cyberattack on a Houston suburb to coordinated strikes on Cisco, Palo Alto, and Fortinet devices, and the FBI’s major BreachForums takedown, today’s episode has it all. So let’s dig in.

🏙 Houston Suburb Hit by Cyberattack

The city of Sugar Land, Texas, a suburb of Houston, is investigating a cyber incident that disrupted online services including utility billing, permit applications, and 311 requests. Thankfully, the 911 system remains operational due to complete segmentation from the main network. State and federal agencies are assisting in the response, but the city has yet to disclose the attack’s origin or scope.

This is just the latest in a series of Texas municipal cyber incidents, following recent attacks on Dallas, Matagorda County, Lubbock, Mission, and Abilene.

I reminded listeners, “If you’re a municipal CISO or MSP, micro-segmentation is your lifeline. You can’t stop every attack, but you can stop one from taking down your whole city.”

🔥 Coordinated Campaign Targets Cisco, Palo Alto, and Fortinet

A massive, coordinated cyber campaign is hammering Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet SSL VPN appliances in what experts call a multi-wave Chinese-linked offensive.

  • GreyNoise reported three overlapping exploitation waves, including the Cisco ASA/FTD zero-days tied to ArcaneDoor.

  • A 500% surge in GlobalProtect login brute-forcing (1.3 million unique attempts).

  • Simultaneous Fortinet SSL VPN brute-force attacks — all from the same subnet infrastructure.

With these three vendors controlling 80% of the global firewall market, this is a high-stakes event. My advice on the show was simple:

  • Patch Cisco CVE-2025-20333 and CVE-2025-20362 immediately.

  • Geofence and throttle GlobalProtect portals.

  • Enforce FIDO2 MFA.

  • Block brute-force IPs automatically.

“Find me a network that doesn’t run Cisco, Palo Alto, or Fortinet,” I said, “and I’ll find you a unicorn.”
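One way to implement the last point, blocking brute-force sources automatically, as an added example that is not from the show or from any vendor: it groups failed portal logins by /24, since the campaign above came from the same subnet infrastructure, and flags blocks that hit many distinct usernames inside a short window. The log line layout, the sample events and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
# Constructed sample events; the field layout (timestamp, result, user, src) is an
# assumption for this example, not PAN-OS's real GlobalProtect log format.
SAMPLE_LOG = """\
2025-10-13T06:00:01Z auth-fail user=alice src=203.0.113.10
2025-10-13T06:00:02Z auth-fail user=bob src=203.0.113.11
2025-10-13T06:00:03Z auth-fail user=carol src=203.0.113.12
2025-10-13T06:00:04Z auth-fail user=dave src=203.0.113.13
2025-10-13T06:00:05Z auth-fail user=erin src=203.0.113.14
2025-10-13T06:30:00Z auth-fail user=alice src=198.51.100.7
2025-10-13T06:31:00Z auth-ok user=alice src=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>auth-\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(text):
    """Parse matching lines into dicts with a timezone-aware datetime; skip the rest."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def brute_force_subnets(events, prefix=24, window=timedelta(minutes=10),
                        min_failures=5, min_users=3):
    """Group auth failures per /prefix and flag subnets that hit many distinct
    usernames inside `window`: one block of infrastructure spraying the portal,
    not one user mistyping a password. Returns {subnet: {"failures", "users"}}."""
    by_subnet = defaultdict(list)
    for ev in events:
        if ev["result"] == "auth-fail":
            by_subnet[ip_network(f"{ev['src']}/{prefix}", strict=False)].append(ev)
    flagged = {}
    for net, evs in by_subnet.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):  # sliding window over time-ordered failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "users": len(users)}
        if best:  # a single noisy host or one user's retries never gets here
            flagged[str(net)] = best
    return flagged
```

The returned subnets are what you would feed to a dynamic block list or a geofencing rule; the single failure from 198.51.100.7 followed by a success is left alone.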

⚙ Oracle E-Business Suite Hit with New Flaw (Separate from Zero-Day)

Oracle issued an alert for a new E-Business Suite (EBS) vulnerability — CVE-2025-61884, distinct from the earlier zero-day exploited in August. This flaw allows unauthenticated remote data access via the EBS configurator in versions 12.2.3–12.2.14. Oracle’s Chief Security Officer Rob Duhart confirmed the issue could expose sensitive data if left unpatched.
Mitigation steps:

  • Patch immediately.

  • Remove EBS from direct internet exposure.

  • Apply WAF rules for traffic anomalies.

  • Monitor for HTTP spikes to configurator endpoints.

This comes as researchers also uncovered GoldVein.java, a downloader payload tied to the July Oracle zero-day campaign, showing how layered and persistent the attack ecosystem has become.

💰 Adversary-in-the-Middle Attacks Hit University Payrolls

Microsoft identified Storm-2657, a financially motivated group targeting U.S. universities through adversary-in-the-middle (AiTM) tactics. Attackers compromise Exchange and SSO, modify Workday HR payroll info, and redirect direct deposits to attacker-controlled accounts — while hiding activity via inbox rules and MFA manipulation.
At least 11 accounts across 3 universities were compromised, leading to 6,000+ phishing attempts.
Recommended mitigations include:

  • Phishing-resistant MFA (FIDO2).

  • Conditional access rules for HR/payroll changes.

  • Alerts on MFA device modifications.

  • Manual verification for payroll bank changes.

I shared a simple real-world policy that works: “At every org I’ve led, we baseline payroll changes. Anything over normal gets a phone call. It’s old-school, but it stops new-school fraud.”
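The baseline-and-phone-call policy above, as an added detection example that is not the show's or Microsoft's code: it queues a direct-deposit change for manual verification when its destination account is shared by other employees, when an MFA device or inbox rule was changed for that user shortly before it, or when the day's change volume exceeds the baseline. The event schema, the sample events and the baseline value are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (not Workday's or Exchange's real
# audit formats); they stand in for identity-provider, mailbox and HR audit logs.
EVENTS = [
    {"ts": "2025-10-10T09:00:00", "user": "prof.a", "type": "mfa_device_added"},
    {"ts": "2025-10-10T09:05:00", "user": "prof.a", "type": "inbox_rule_created"},
    {"ts": "2025-10-10T09:20:00", "user": "prof.a", "type": "deposit_changed", "dest": "ACCT-X"},
    {"ts": "2025-10-10T11:40:00", "user": "prof.b", "type": "deposit_changed", "dest": "ACCT-X"},
    {"ts": "2025-10-11T14:00:00", "user": "staff.c", "type": "deposit_changed", "dest": "ACCT-C"},
]
BASELINE_DAILY_CHANGES = 1  # assumed "normal" volume learned from earlier pay periods
PRECURSORS = ("mfa_device_added", "inbox_rule_created")

def review_queue(events, lookback=timedelta(hours=24), daily_max=BASELINE_DAILY_CHANGES):
    """Return {user: [reasons]} for direct-deposit changes that need a phone call."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["ts"])
    changes = [e for e in parsed if e["type"] == "deposit_changed"]
    dest_users = defaultdict(set)  # destination account -> employees pointing at it
    for c in changes:
        dest_users[c["dest"]].add(c["user"])
    per_day = Counter(c["ts"].date() for c in changes)
    reasons = defaultdict(set)
    for c in changes:
        # 1. One destination account shared by several employees: a mule account.
        if len(dest_users[c["dest"]]) > 1:
            reasons[c["user"]].add("shared destination account")
        # 2. MFA device or inbox-rule change shortly before the payroll edit (AiTM pattern).
        for e in parsed:
            if (e["user"] == c["user"] and e["type"] in PRECURSORS
                    and timedelta(0) <= c["ts"] - e["ts"] <= lookback):
                reasons[c["user"]].add(f"preceded by {e['type']}")
        # 3. Daily change volume above the baseline: everything that day gets verified.
        if per_day[c["ts"].date()] > daily_max:
            reasons[c["user"]].add("daily change volume above baseline")
    return {u: sorted(r) for u, r in reasons.items()}
```

staff.c's lone change on a quiet day to an account nobody else uses never reaches the queue, which is what keeps the phone-call rule affordable.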

🔧 Juniper Ships 220 Fixes — 9 Critical

Juniper Networks released over 220 patches for vulnerabilities across JunOS Space and SD-Management systems, including 9 critical CVEs (CVSS up to 8.8) enabling cross-site scripting and remote command execution.
Admins should:

  • Upgrade to Space 24.1R4+ Patch V1.

  • Restrict admin access to management VLANs.

  • Enable change alerts.

  • Log configuration modifications.

With no known exploitation yet, this is a patch-priority case before threat actors weaponize it.

🚨 Ivanti: The Gift That Keeps on Giving

Researchers disclosed 13 new vulnerabilities in Ivanti Endpoint Manager, including a privilege escalation flaw and multiple RCEs. Trend Micro’s Zero Day Initiative reported that Ivanti delayed disclosure, prompting partial public release.

I couldn’t resist saying: “Find yourself someone who loves you the way China loves Ivanti — and the way Ivanti loves vulnerabilities.”

For mitigation:

  • Rip and replace if possible.

  • Restrict access to internal VLANs only.

  • Enforce MFA.

  • Monitor export actions.

🕵 FBI Seizes BreachForums Ahead of Salesforce Data Dump

In a major operation, the FBI, DOJ, and Europol seized BreachForums, hours before the group planned to leak Salesforce ecosystem data stolen through the Salesloft/Drift OAuth token compromise. The site’s domain now displays a seizure notice, though the Tor mirrors remain active. Salesforce reiterated its stance: no ransom payments.
If you’re part of the Salesforce ecosystem:

  • Rotate API and OAuth keys.

  • Review app permissions and connected scopes.

  • Draft customer communications in advance.

  • Watch for phishing campaigns exploiting this takedown news.

🇪🇸 Spanish Police Arrest Phishing Gang Leader

Spain’s Civil Guard, with support from Brazilian and U.S. authorities, arrested the leader of the GXC Team, responsible for massive credential theft and financial fraud operations across Europe and Latin America. The takedown also seized servers and malware infrastructure. While the disruption is temporary, it’s a rare win against organized cybercrime — at least for now.

🧠 James Azar’s CISO Take

The big takeaway today: cyber defense is getting harder because attackers are getting smarter — and faster. The coordinated strikes on Cisco, Fortinet, and Palo Alto show how nation-state tactics now target the infrastructure of the internet itself. Eighty percent of the market depends on these vendors, and when China decides to move, the ripple effects are global.

The second lesson is about resilience versus reaction. From Sugar Land’s city response to Salesforce’s “no ransom” stance, organizations that prepare and communicate recover faster. This is what I keep saying: resilience isn’t built in the middle of chaos; it’s built long before it. For CISOs, the call to action is clear — segment, patch, and prepare. If your strategy depends on luck, it’s already too late.


✅ Action Items

  • 🏙 Micro-segment municipal and critical infrastructure networks.

  • 🔥 Patch Cisco (CVE-2025-20333/20362), Fortinet SSL VPN, and Palo Alto portals.

  • ⚙ Apply Oracle EBS updates (CVE-2025-61884); remove from internet exposure.

  • 💰 Monitor payroll and HR system access; verify changes manually.

  • 🔧 Patch Juniper Space & restrict management access.

  • 🚨 Replace or isolate Ivanti EPM; limit to management VLANs.

  • 🕵 Review Salesforce OAuth and connected app scopes post-BreachForums takedown.

  • 🇪🇸 Update IOC blocklists with GXC-related domains and hashes.

And that’s a wrap for today’s show, Security Gang — stay alert, stay resilient, and as always, stay cyber safe! ☕👊
