Good Morning Security Gang
The Middle East is on fire, and cyberspace is mirroring every missile with malware, every strike with digital retaliation.
Today’s episode focused heavily on the U.S.–Israel campaign against Iran and the cyber consequences unfolding in real time. We also covered DHS warnings of retaliation, ransomware hammering universities and entertainment giants, fresh zero-days tied to APT28 and Chrome’s Gemini AI assistant, and the evolution of phishing kits designed to bypass MFA entirely.
Cyber isn’t the second front anymore. It’s the simultaneous one.
Coffee Cup Cheers, Gang,
U.S., Israel, and Iran Trading Cyber Blows
We opened the show discussing how kinetic strikes in Iran were immediately followed by cyber retaliation and disruption campaigns. This is modern warfare. Missiles fly; networks light up.
Pro-Western actors reportedly disrupted Iranian digital infrastructure, while Iranian-linked groups began probing Western networks. We’ve seen this pattern before in Russia–Ukraine: cyber becomes the deniable yet strategic escalation layer.
The risk here isn’t just symbolic defacement. It’s destructive targeting. As geopolitical tension rises, so does the probability of opportunistic targeting of Western infrastructure — especially financial systems, utilities, and telecom.
As practitioners, this is when we elevate SOC thresholds, expand anomaly detection baselines, and prepare for spillover.
UK and DHS Warn of Retaliatory Risk
The UK government issued warnings to organizations about heightened Iranian cyber risks amid the escalating conflict.
Iranian cyber units have historically targeted critical infrastructure, government agencies, and financial institutions during flashpoints. This isn’t theoretical — it’s patterned behavior.
"You cannot coexist with people who hate the place they come to and want to transform it to the place they came from. If you want to live under Sharia law, plenty of Muslim countries—go do that there. The United States has the Constitution. That's what we follow. You either conform and adapt, or you get out."
Simultaneously, DHS elevated its warning posture in the United States, citing credible threat intelligence regarding potential cyber or even physical attacks.
That’s the uncomfortable part. Many of us in cybersecurity also carry physical security responsibilities. Increased situational awareness, monitoring gatherings and infrastructure sites, and reinforcing access controls isn’t paranoia — it’s preparation.
Geopolitics is no longer separate from enterprise risk.
Iranian Claims Against U.S. Cyber Command
Iranian sources claimed a cyberattack against U.S. Cyber Command.
Whether exaggerated or symbolic, the messaging matters. Psychological operations amplify perception. Cyber capability becomes leverage.
When adversaries are losing kinetically, they amplify digitally. Information warfare, narrative shaping, and technical probing blend together.
The takeaway? Expect distortion campaigns alongside technical attempts.
CISA Leadership Transition During Escalation
Amid this turbulence, Nick Anderson was appointed acting director of CISA, replacing prior leadership during a period of Senate gridlock.
Continuity in federal cyber defense posture during geopolitical spikes is critical. Leadership vacuums invite probing. Adversaries test seams.
National cyber resilience requires steady command during escalation windows.
University of Hawaii Cancer Center Ransomware
The University of Hawaii Cancer Center confirmed ransomware activity and associated data breach.
Universities remain prime targets due to open research networks and insufficient segmentation. In this case, exposed data included Social Security numbers, driver’s license numbers, and voter registration records — impacting over one million individuals.
Higher education environments often lack robust network segmentation, making lateral movement easier for ransomware operators.
The lesson here isn’t new, but it’s urgent. Flat networks fuel ransomware velocity.
Madison Square Garden Data Breach
Madison Square Garden confirmed a data breach months after the original incident.
Entertainment venues hold valuable ticketing data, CRM information, and employee records. Detection lag continues to amplify regulatory and reputational risk. The problem isn’t just compromise; it’s delayed discovery.
Continuous threat hunting within ticketing and CRM ecosystems is no longer optional in consumer-facing enterprises.
APT28 Exploits New Microsoft Zero-Day
APT28, linked to Russian intelligence, has exploited a new MSHTML zero-day vulnerability (CVE-2026-21513).
The flaw enables remote code execution via crafted HTML content in documents. Document-based exploitation remains one of the most effective initial access vectors in government and defense environments.
This isn’t random. It aligns with current geopolitical volatility.
Mitigation requires strict attachment sandboxing, rapid patch deployment, and strong email filtering policies.
Chrome Gemini AI Assistant Vulnerability
A vulnerability in Chrome’s Gemini AI assistant allowed potential abuse of integrated AI workflows. AI embedded in browsers creates new attack surfaces. Prompt injection and privilege mismanagement can expand the blast radius dramatically.
AI isn’t inherently insecure. Poor governance is.
Applying least privilege to AI integrations and monitoring AI-assisted workflows is becoming a necessary security control.
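One concrete shape the "least privilege for AI integrations" control can take is a broker that sits between the assistant and its tools. The example below is added here and is not code from the original episode, from Chrome, or from Gemini; the workflow names, tool names, hosts and policy are constructed. The point it demonstrates: a tool call is authorized against the policy for the workflow the user actually started, and side-effecting tools need an explicit user confirmation that model output can never supply, so an instruction planted in untrusted page content cannot widen the blast radius beyond what the workflow was granted.

```python
"""Least-privilege tool broker for an assistant embedded in a browser (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Grants per user-initiated workflow. Anything not listed is denied by default.
# "hosts": URL argument must point at an allowlisted host.
# "confirm": the user must approve this specific call through the UI.
POLICY = {
    "summarize_page": {
        "read_page": {},
        "fetch_url": {"hosts": {"docs.example.com"}},          # constructed host
    },
    "draft_reply": {
        "read_page": {},
        "compose_draft": {},
        "send_email": {"confirm": True},
    },
}


@dataclass
class ToolCall:
    name: str
    args: dict
    # Set only by an explicit user action in the UI, never from model output.
    user_confirmed: bool = False


@dataclass
class Broker:
    workflow: str
    audit: list = field(default_factory=list)

    def authorize(self, call: ToolCall) -> tuple:
        """Return (allowed, reason) and record the decision for monitoring."""
        rule = POLICY.get(self.workflow, {}).get(call.name)
        if rule is None:
            verdict = (False, f"{call.name}: not granted to workflow {self.workflow}")
        elif "hosts" in rule and urlparse(call.args.get("url", "")).hostname not in rule["hosts"]:
            verdict = (False, f"{call.name}: host not in allowlist")
        elif rule.get("confirm") and not call.user_confirmed:
            verdict = (False, f"{call.name}: requires explicit user confirmation")
        else:
            verdict = (True, f"{call.name}: allowed")
        self.audit.append({"workflow": self.workflow, "tool": call.name,
                           "allowed": verdict[0], "reason": verdict[1]})
        return verdict


def run_demo():
    """Feed proposed calls for two workflows through the broker; return decisions and audit."""
    summarize = Broker("summarize_page")
    reply = Broker("draft_reply")
    email = {"to": "user@example.com"}   # constructed argument
    results = {
        "read_page": summarize.authorize(ToolCall("read_page", {}))[0],
        "fetch_allowed": summarize.authorize(
            ToolCall("fetch_url", {"url": "https://docs.example.com/policy.html"}))[0],
        # The next two are the kind of call that text embedded in an untrusted page
        # might steer the model into proposing; the workflow never granted them.
        "fetch_other_host": summarize.authorize(
            ToolCall("fetch_url", {"url": "https://other-site.invalid/x"}))[0],
        "send_in_summary": summarize.authorize(ToolCall("send_email", email))[0],
        # In the reply workflow, sending is granted but gated on a real user confirmation.
        "send_unconfirmed": reply.authorize(ToolCall("send_email", email))[0],
        "send_confirmed": reply.authorize(ToolCall("send_email", email, user_confirmed=True))[0],
    }
    return results, summarize.audit + reply.audit


if __name__ == "__main__":
    decisions, log = run_demo()
    for entry in log:
        print(entry)
```

The audit list is what "monitoring AI-assisted workflows" consumes: every denied call is a signal worth alerting on, because a run of denials in a benign workflow is exactly what an injection attempt looks like from the defender's side.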
Fake Google Security Page MFA Bypass
Attackers created a fake Google security page delivered through a progressive web app, enabling credential and MFA code theft.
These phishing kits persist like installed apps, bypassing suspicion and capturing live MFA tokens. This represents the continued evolution of MFA bypass campaigns.
Phish-resistant MFA (FIDO2 hardware keys or passwordless device-bound authentication) is now the gold standard.
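Why a FIDO2 credential survives the relay that defeats an MFA code is worth seeing in code. The script below is an added illustration, not code from the original episode or from any phishing kit; it runs the same relay pattern against a TOTP code and against a simulated WebAuthn assertion. Signatures are simulated with HMAC over a key shared between the authenticator and the relying party so that it runs offline (a real authenticator signs with a per-credential private key), and the relying party name, origins and secrets are constructed.

```python
"""Relay the same second factor through a lure page: TOTP vs. origin-bound WebAuthn (added example)."""
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "example.com"                                     # constructed relying party
LEGIT_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://example-security-check.invalid"   # constructed lure origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- TOTP: a shared secret; nothing ties the code to the site that received it ----
def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp_service_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    return hmac.compare_digest(submitted, totp_code(secret, unix_time))


# ---- WebAuthn/FIDO2 (simulated): the assertion names the origin the user was on ----
class Authenticator:
    """One credential, scoped to the RP ID it was registered under."""

    def __init__(self, rp_id: str, key: bytes):
        self.credentials = {rp_id: key}   # HMAC key stands in for the private key

    def get_assertion(self, rp_id: str, challenge: bytes, origin: str):
        key = self.credentials.get(rp_id)
        if key is None:                    # no credential for this RP: nothing to sign
            return None
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True)
        rp_id_hash = sha256(rp_id.encode())
        sig = hmac.new(key, rp_id_hash + sha256(client_data.encode()), hashlib.sha256).digest()
        return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id: str, expected_origin: str, credential_key: bytes):
        self.rp_id, self.expected_origin, self.key = rp_id, expected_origin, credential_key

    def verify(self, assertion, challenge: bytes) -> bool:
        if assertion is None:
            return False
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get" or client.get("challenge") != challenge.hex():
            return False
        if client.get("origin") != self.expected_origin:   # the phishing-resistance check
            return False
        if assertion["rp_id_hash"] != sha256(self.rp_id.encode()):
            return False
        expected = hmac.new(self.key, assertion["rp_id_hash"] + sha256(assertion["client_data"].encode()),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> dict:
    """Same relay pattern against both factors; returns what each service accepted."""
    now = int(time.time())
    totp_secret = secrets.token_bytes(20)
    # 1. TOTP: the lure page collects the code and forwards it unchanged; it verifies.
    code_typed_into_lure = totp_code(totp_secret, now)
    totp_relayed = totp_service_accepts(totp_secret, code_typed_into_lure, now)

    cred_key = secrets.token_bytes(32)
    auth = Authenticator(RP_ID, cred_key)
    rp = RelyingParty(RP_ID, LEGIT_ORIGIN, cred_key)
    challenge = secrets.token_bytes(32)
    # 2. Genuine login from the real origin.
    legit = rp.verify(auth.get_assertion(RP_ID, challenge, LEGIT_ORIGIN), challenge)
    # 3. Via the lure: the browser derives the RP ID from the lure's own host,
    #    so the authenticator holds no matching credential and produces nothing.
    lure_host = PHISH_ORIGIN.split("://", 1)[1]
    relayed = rp.verify(auth.get_assertion(lure_host, challenge, PHISH_ORIGIN), challenge)
    # 4. Even if a client were coerced into using the real RP ID, the signed
    #    client data still records the lure origin and the RP rejects it.
    wrong_origin = rp.verify(auth.get_assertion(RP_ID, challenge, PHISH_ORIGIN), challenge)

    return {"totp_relayed_accepted": totp_relayed, "webauthn_legit": legit,
            "webauthn_relayed": relayed, "webauthn_wrong_origin": wrong_origin}


if __name__ == "__main__":
    print(run_scenarios())
```

The two WebAuthn rejections are the whole argument for the control: the relying party checks that the origin recorded inside the signed client data is its own, so a token produced while the user sits on a lure page is worthless to whoever relays it, whereas the TOTP service has no way to tell where the code was typed.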
Key Action Items
Elevate SOC monitoring thresholds during geopolitical escalation windows
Conduct external attack surface reviews for internet-facing services
Monitor Iranian and Russian TTPs and known IOCs
Rebuild and validate exposed systems during zero-day exploitation cycles
Implement strict network segmentation in academic and research environments
Deploy attachment sandbox detonation before email delivery
Enforce phish-resistant MFA (FIDO2 or device-bound authentication)
Apply least privilege governance to AI-integrated workflows
Increase physical security vigilance during threat intelligence advisories
James Azar’s CISO’s Take
As I look at today’s landscape, I see convergence — not chaos. Geopolitical escalation, ransomware targeting universities, AI vulnerabilities, phishing innovation, and leadership shifts at federal agencies are all occurring simultaneously. This isn’t coincidence. It’s layered pressure.
Cyber pressure increases when kinetic tensions rise. Adversaries probe when leadership transitions occur. AI tools expand attack surfaces faster than governance frameworks mature. And detection lag still costs organizations months of exposure.
As a CISO, my posture during these windows is simple: elevate monitoring, patch aggressively, segment intelligently, and assume adversaries are testing boundaries. Cyber risk is no longer isolated from geopolitics. It is shaped by it.
Stay cyber safe.