CISO Talk by James Azar
CyberHub Podcast
Crunchbase Data Breach Confirmed, Nike Probes Hack, and Fortinet FortiCloud Authentication Bypass Not Fully Patched

Shiny Hunters Claims Crunchbase Breach and SSO Account Theft While Nike Investigates Extortion Threat as Sandworm Blamed for Poland Grid Attack and Fortinet Admits Incomplete FortiCloud Patch

Good Morning Security Gang

If you’re tuning in from the South, you already know it’s a cold one. Georgia roads are iced over, coffee is hot, and I’m thankful we still have power after the storm warnings. For those of you braving it, stay warm and safe, and for the lucky ones in Florida, well, good for you.

We’ve got a loaded show this morning: Crunchbase confirms a data breach, Nike investigates a potential leak under extortion threats, Fortinet’s FortiCloud patch didn’t fully close the gap, and a VMware zero-day is being exploited in the wild. On the nation-state front, we’re covering Sandworm’s strike on Poland’s power grid, a major military purge in China, and North Korea’s Lazarus Group targeting European drone manufacturers with AI-driven campaigns.

So coffee cup cheers, Security Gang, let’s dive in.

Crunchbase Confirms Data Breach Following ShinyHunters Claims

Crunchbase confirmed a data breach after the ShinyHunters group claimed responsibility, leaking what they say is a large dataset of user emails, hashed passwords, and API tokens.

At first glance, this looks like an account information exposure, not a product compromise, but the downstream impact could be severe. Founder and investor email addresses are ready-made target lists for spear phishing, and any leaked API tokens that are still valid can be replayed against the CRMs and deal-management platforms they were issued for.

As I said on the show:

“If you’re using Crunchbase integrations, rotate your tokens and invalidate every long-lived session — don’t wait to see your brand in a breach thread.”

CISOs should enforce API key rotation, force password resets (hashed passwords are only as safe as the hashing, and weak hashes crack offline), and monitor for credential reuse across shared tools.

Nike Probes Security Incident Amid Extortion Threats

Nike has launched an internal investigation after a threat group claimed to have stolen sensitive data and began threatening public leaks unless the company pays.

Attackers released partial data samples as proof, including internal communications and financial statements, which points to another theft-and-extortion play with no encryption at all, a model that is quickly displacing classic ransomware.

Nike told reporters they take “consumer privacy and data security seriously,” but details remain scarce.

My take: “We’ve entered an era where ransomware isn’t the risk — exposure is. Attackers don’t need encryption when embarrassment pays better.”

CISOs should treat extortion leaks as PR crises, not just security incidents — that means rapid public transparency, segmented backups, and pre-approved press response plans.

Fortinet’s FortiCloud Authentication Bypass Still Not Fully Patched

Fortinet admitted its recent patch for the FortiCloud authentication bypass vulnerability left certain conditions still exploitable, allowing attackers to access cloud control planes and enroll rogue devices.

The incomplete patch exposes logging, policy, and API control layers — meaning that even after updating, threat actors may retain persistent administrative access.

As I warned:

“A patched system isn’t a clean system — especially when the bad guys got in before the fix.”

Run post-patch integrity sweeps, rotate all admin credentials, audit API keys, and isolate FortiCloud tenants until you verify clean configurations.
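Here is what that post-patch rebaseline sweep looks like in practice, as an added example of my own rather than Fortinet tooling or anything from the advisory: it diffs a trusted pre-incident export against the current one and flags what an attacker who held admin access before the fix would leave behind. The export layout, account names, key names and dates are all made up for the illustration and are not the FortiOS or FortiCloud configuration format.

```python
"""Post-patch configuration rebaseline check.

Added example, not Fortinet tooling: it compares a trusted pre-incident export of a
management tenant against the current export and flags what an attacker who held admin
access before the fix would leave behind. The export layout below is a constructed,
simplified dict, not the FortiOS or FortiCloud configuration format.
"""
from datetime import date

# Constructed sample exports. Names, profiles and dates are made up for the example.
BASELINE = {
    "admins": {
        "admin": {"trusthost": ["10.0.0.0/8"], "profile": "super_admin"},
        "netops": {"trusthost": ["10.0.10.0/24"], "profile": "prof_admin"},
    },
    "api_keys": {
        "ak-monitoring": {"created": "2025-09-01", "profile": "read_only"},
    },
    "logging": {"syslog_forward": True, "log_level": "information"},
}

CURRENT_EXPORT = {
    "admins": {
        "admin": {"trusthost": ["0.0.0.0/0"], "profile": "super_admin"},       # trusted hosts widened
        "netops": {"trusthost": ["10.0.10.0/24"], "profile": "prof_admin"},
        "svc_backup": {"trusthost": ["0.0.0.0/0"], "profile": "super_admin"},  # not in baseline
    },
    "api_keys": {
        "ak-monitoring": {"created": "2025-09-01", "profile": "read_only"},
        "ak-sync": {"created": "2025-11-20", "profile": "super_admin"},         # not in baseline
    },
    "logging": {"syslog_forward": False, "log_level": "information"},         # forwarding switched off
}

MAX_KEY_AGE_DAYS = 90        # rotation window; assumed policy value
ANY_SOURCE = "0.0.0.0/0"


def config_drift(baseline, current, today="2025-12-01"):
    """Return human-readable findings; an empty list means no drift worth a look."""
    now = date.fromisoformat(today)
    findings = []

    # Admin accounts: anything new, anything changed, anything reachable from anywhere.
    for name, cfg in current["admins"].items():
        base = baseline["admins"].get(name)
        if base is None:
            findings.append(f"admin {name}: not in baseline (profile {cfg['profile']})")
        elif cfg != base:
            findings.append(f"admin {name}: settings differ from baseline "
                            f"(trusthost {base['trusthost']} -> {cfg['trusthost']})")
        if ANY_SOURCE in cfg["trusthost"]:
            findings.append(f"admin {name}: trusted hosts allow any source address")

    # API keys: unknown keys are a persistence path; old keys are overdue for rotation.
    for key_id, meta in current["api_keys"].items():
        if key_id not in baseline["api_keys"]:
            findings.append(f"api key {key_id}: not in baseline (profile {meta['profile']})")
        age = (now - date.fromisoformat(meta["created"])).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append(f"api key {key_id}: {age} days old, exceeds "
                            f"{MAX_KEY_AGE_DAYS}-day rotation window")

    # Logging: an intruder with admin rights turns off the thing that records the intrusion.
    if baseline["logging"]["syslog_forward"] and not current["logging"]["syslog_forward"]:
        findings.append("logging: syslog_forward disabled since baseline")

    return findings


if __name__ == "__main__":
    for line in config_drift(BASELINE, CURRENT_EXPORT):
        print(line)
```

The point of the baseline comparison is that "looks fine" is not a standard: every finding here is a concrete diff against a state you trusted, and the key-age check fires on a key that was legitimate at baseline time but is now past its rotation window.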

VMware Zero-Day Exploited in the Wild

A VMware remote code execution (RCE) flaw, tracked as CVE-2025-3079, is now being actively exploited in the wild.

The exploit targets vCenter and ESXi components, allowing attackers to gain hypervisor-level access — a nightmare for virtualized environments. Attackers are using this to pivot laterally across enterprise networks and exfiltrate snapshots of sensitive virtual machines.

Immediate actions:

  • Patch ESXi and vCenter.

  • Isolate management interfaces behind VPN or jump boxes.

  • Review all snapshot and backup activity for anomalies.

As I said: “Virtualization isn’t security by obscurity — it’s a high-value target with a front-row seat to everything you own.”
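To make the "review snapshot activity" step concrete, here is an added example of my own (not VMware code) that runs the review over management-plane events. The event names, the line format, the approved-account list and the management subnet are all assumptions for the illustration and not the vCenter event schema; the sample lines are constructed, not from any real environment.

```python
"""Review of snapshot and export activity on the hypervisor management plane.

Added example, not VMware code: it runs the review the text calls for over constructed,
simplified event lines (timestamp principal event vm source_ip). The event names and the
line format are assumptions for the example, not the vCenter event schema, and the
approved-principal list and management subnet are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

APPROVED_SNAPSHOT_PRINCIPALS = {"vc-admin", "svc-backup"}   # assumed allowlist
MGMT_NET = ip_network("10.20.0.0/24")                        # assumed jump-box / VPN range
BURST_COUNT, BURST_WINDOW = 4, timedelta(minutes=10)         # assumed burst threshold

# Constructed sample events; not taken from any real environment.
SAMPLE_EVENTS = """\
2025-12-01T14:02:11Z vc-admin VmSnapshotCreated fin-db-01 10.20.0.5
2025-12-01T15:30:44Z jdoe VmSnapshotCreated dev-test-07 10.20.0.41
2025-12-01T03:11:40Z svc-backup VmSnapshotCreated fin-db-01 10.20.0.9
2025-12-01T03:12:02Z svc-backup VmSnapshotCreated hr-app-02 10.20.0.9
2025-12-01T03:12:30Z svc-backup VmSnapshotCreated ad-dc-01 10.20.0.9
2025-12-01T03:13:05Z svc-backup VmSnapshotCreated vault-01 10.20.0.9
2025-12-01T03:20:17Z svc-backup VmExported vault-01 198.51.100.23
"""


def parse_events(text):
    """Parse the constructed line format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, kind, vm, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "principal": principal, "kind": kind, "vm": vm, "src": ip_address(src),
        })
    return sorted(events, key=lambda e: e["ts"])


def review_snapshot_activity(events):
    """Return findings for the patterns worth a human look, in time order."""
    findings = []
    recent = defaultdict(list)      # principal -> snapshot timestamps inside the burst window
    burst_reported = set()
    for e in events:
        when = f"{e['ts']:%Y-%m-%d %H:%M}"
        # Management actions must come from the management subnet (jump box or VPN range).
        if e["src"] not in MGMT_NET:
            findings.append(f"{when} {e['principal']}: {e['kind']} on {e['vm']} "
                            f"from non-management source {e['src']}")
        # An export is how snapshot contents leave the environment; always review it.
        if e["kind"] == "VmExported":
            findings.append(f"{when} {e['principal']}: exported {e['vm']}")
        if e["kind"] == "VmSnapshotCreated":
            if e["principal"] not in APPROVED_SNAPSHOT_PRINCIPALS:
                findings.append(f"{when} {e['principal']}: snapshot of {e['vm']} by unapproved account")
            window = [t for t in recent[e["principal"]] if e["ts"] - t <= BURST_WINDOW]
            window.append(e["ts"])
            recent[e["principal"]] = window
            # A burst of snapshots across VMs is the staging step before bulk exfiltration,
            # even when the account is one that is normally allowed to snapshot.
            if len(window) >= BURST_COUNT and e["principal"] not in burst_reported:
                burst_reported.add(e["principal"])
                findings.append(f"{when} {e['principal']}: {len(window)} snapshots within "
                                f"{BURST_WINDOW.seconds // 60} minutes")
    return findings


if __name__ == "__main__":
    for finding in review_snapshot_activity(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Note that the backup service account trips two of the checks even though it is on the allowlist: the allowlist tells you who may take snapshots, not whether four of them in two minutes followed by an export to an address outside the management subnet is normal.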

Sandworm Blamed for Attack on Polish Power Grid

Polish officials confirmed that the Russian Sandworm group was behind the recent power grid attack, which targeted telemetry and control systems rather than generation plants.

The attack aimed to cause grid instability through distributed substation manipulation, a technique reminiscent of the Industroyer2 playbook from the Ukraine incidents.

If Poland had gone dark, NATO could have considered invoking Article 5 — making this not just a cyber event, but a geopolitical flashpoint.

As I put it:

“You don’t need to blow up a power plant to start a war — you just have to flick the wrong digital switch.”

Energy sector operators should implement mass-disconnect thresholds (alert when more than a handful of breakers open across substations inside a short window) and setpoint anomaly detection (flag writes that land outside engineering limits or jump by an implausible step) across distributed OT systems.
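Here is an added example of my own, not a vendor product or anything Polish operators run, showing both of those checks over substation telemetry. The point names, the engineering band, the step limit and the disconnect threshold are assumptions for the illustration, and the telemetry records are constructed.

```python
"""Mass-disconnect and setpoint anomaly detection over substation telemetry.

Added example, not a vendor product: it consumes constructed point records
(timestamp, substation, point, value) and raises on two patterns: many breakers opening
across distributed substations inside a short window, and setpoint writes that land
outside the engineering band or jump by more than a plausible step. Point names,
limits and thresholds are assumptions for the example.
"""
from datetime import datetime, timedelta

MASS_OPEN_COUNT = 3                              # this many breakers opening ...
MASS_OPEN_WINDOW = timedelta(seconds=30)         # ... inside this window is a mass disconnect
SETPOINT_BAND = {"VOLT_SP_KV": (105.0, 115.0)}   # assumed engineering limits per setpoint
MAX_SETPOINT_STEP = {"VOLT_SP_KV": 2.0}          # assumed largest plausible single change

# Constructed telemetry; for breaker points 1 = closed, 0 = open.
SAMPLE_TELEMETRY = [
    ("2025-12-01T02:00:00Z", "SUB-A", "BRK-1", 1),
    ("2025-12-01T02:00:00Z", "SUB-B", "BRK-1", 1),
    ("2025-12-01T02:00:00Z", "SUB-C", "BRK-1", 1),
    ("2025-12-01T02:00:00Z", "SUB-D", "BRK-1", 1),
    ("2025-12-01T02:00:05Z", "SUB-A", "VOLT_SP_KV", 110.0),
    ("2025-12-01T02:05:00Z", "SUB-A", "VOLT_SP_KV", 111.0),  # 1 kV step, in band: normal
    ("2025-12-01T02:09:55Z", "SUB-B", "BRK-1", 0),           # single open: maintenance-like
    ("2025-12-01T02:30:00Z", "SUB-A", "BRK-1", 0),
    ("2025-12-01T02:30:04Z", "SUB-C", "BRK-1", 0),
    ("2025-12-01T02:30:09Z", "SUB-D", "BRK-1", 0),           # third open in 9 s
    ("2025-12-01T02:31:00Z", "SUB-A", "VOLT_SP_KV", 121.0),  # 10 kV jump, out of band
]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_grid_anomalies(records):
    """Return alert strings in time order; an empty list means nothing tripped."""
    alerts = []
    last = {}      # (substation, point) -> previous value, so transitions can be detected
    opens = []     # timestamps of recent closed->open transitions, fleet-wide
    for ts_s, sub, point, value in sorted(records, key=lambda r: r[0]):
        ts = _ts(ts_s)
        prev = last.get((sub, point))
        last[(sub, point)] = value
        if point.startswith("BRK-"):
            # Only a closed->open transition counts; a breaker reporting open twice is not two trips.
            if prev == 1 and value == 0:
                opens = [t for t in opens if ts - t <= MASS_OPEN_WINDOW] + [ts]
                if len(opens) >= MASS_OPEN_COUNT:
                    alerts.append(f"{ts:%H:%M:%S} mass disconnect: {len(opens)} breakers opened "
                                  f"within {MASS_OPEN_WINDOW.seconds}s (latest {sub}/{point})")
                    opens = []   # one alert per burst, not one per additional breaker
        elif point in SETPOINT_BAND:
            lo, hi = SETPOINT_BAND[point]
            if not lo <= value <= hi:
                alerts.append(f"{ts:%H:%M:%S} setpoint {sub}/{point}={value} outside band {lo}-{hi}")
            elif prev is not None and abs(value - prev) > MAX_SETPOINT_STEP[point]:
                alerts.append(f"{ts:%H:%M:%S} setpoint {sub}/{point} stepped {prev}->{value}, "
                              f"more than {MAX_SETPOINT_STEP[point]} per write")
    return alerts


if __name__ == "__main__":
    for alert in detect_grid_anomalies(SAMPLE_TELEMETRY):
        print(alert)
```

The fleet-wide window is the part that matters: each substation on its own sees one breaker open, which is routine, and only the correlation across sites turns three ordinary events into the signature of coordinated manipulation.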

China’s Military Purge Raises Cyber Red Flags

China’s top general, a key Xi Jinping ally, has been arrested and accused of spying for the U.S., sparking a massive leadership purge inside the PLA’s cyber and nuclear divisions.

This upheaval could cause erratic shifts in targeting, rules of engagement, and operational tempo, especially for companies operating in telecom, aerospace, and critical infrastructure.

I said it clearly: “When Beijing gets paranoid, the world’s attack surface shifts.”

CISOs should re-evaluate their China risk tiers, enhance geo-blocking on login attempts, and monitor for tenant access from Chinese infrastructure. The shake-up may embolden lower-level operators to act independently — making the next few months unpredictable.

North Korea’s Lazarus Targets European Drone Manufacturers

The Lazarus Group is actively targeting European drone and aerospace firms, aiming to steal firmware and flight control IP to backfill disrupted Iranian and Russian supply chains.

Following Venezuela’s regime collapse and the resulting disruption in Iran’s drone production, North Korea is moving in to fill the gap and resell designs to Russia and dark markets.

Mitigation steps:

  • Enforce hardware-backed firmware signing.

  • Restrict build signing keys to isolated hosts.

  • Require multi-person code review for all flight control updates.

As I explained: “When rogue states start stealing drones, it’s not espionage — it’s procurement.”

North Korea’s Kimsuky Group Deploys AI-Generated Phishing Campaign

The Kimsuky threat group is deploying AI-generated phishing emails and documents to target crypto miners, NGOs, and government contractors in Japan, Australia, and India.

These lures are written with LLM-quality grammar and context awareness, making them more convincing than traditional phishing.

Defenders should lock down PowerShell execution policy and enable script block logging, look for indicators of AI-generated content in inbound mail, and apply behavioral analytics to email attachments. One caveat: AI-text detectors are unreliable on short, polished emails, so the practical change is that fluent grammar and plausible context are no longer a trust signal, not that a scanner will reliably catch the lure.

Action List

  • 🔑 Reset Crunchbase tokens and passwords across all linked accounts.

  • 👟 Treat Nike’s situation as a blueprint for extortion leak response.

  • 🧱 Fortinet admins: verify patch integrity, rotate API keys, and rebaseline configs.

  • 💻 VMware teams: isolate management and review snapshot activity immediately.

  • Energy operators: deploy anomaly detection for telemetry and substation traffic.

  • 🇨🇳 Reassess China risk exposure — limit inbound logins from unverified IPs.

  • 🚁 Drone and defense firms: enforce code signing and build isolation.

  • 🤖 Train teams against AI-crafted phishing using simulated campaigns.


James Azar’s CISO’s Take

Today’s episode proves one thing — the pace of cyber conflict mirrors geopolitics. Whether it’s China’s internal purge, Russia’s sabotage in Poland, or North Korea’s industrial theft, the battlefield is global and continuous. Breaches like Crunchbase and Nike show that corporate data has become a proxy in this digital cold war.

My biggest takeaway? Resilience is now a geopolitical necessity. Patching, rotation, and segmentation aren’t just hygiene — they’re diplomacy by other means. As defenders, we’re not just protecting data; we’re stabilizing markets and national trust. So stay sharp, stay adaptable, and remember: you can’t control the threat landscape — but you can control how fast you recover.

Stay alert, stay caffeinated, and as always — stay cyber safe.
