CISO Talk by James Azar
CyberHub Podcast
Cyber Incidents Hit Hospitals in TX, TN & IN, Iran-Linked MuddyWater Targets Over 100 Organizations Worldwide, Hackers Exploiting SessionReaper Flaw in Adobe Magento, PhantomCaptcha Targets Ukraine

Hospital Cyberattacks Disrupt Care, Iran’s MuddyWater Expands Global Targets, Adobe SessionReaper Exploited, and AI Servers Exposed

Good Morning Security Gang!
Welcome back to the CyberHub Podcast — I’m your host and CISO, James Azar. It’s a big day here in the bunker as we close out our 999th episode — one shy of the big 1,000! As we look ahead to Monday’s milestone celebration, today’s show reminds us why this work matters.

From hospital cyberattacks disrupting care in Texas, Tennessee, and Indiana, to Iran’s MuddyWater APT hitting over 100 global targets, to Adobe Magento’s SessionReaper exploit being actively abused, we’ve got a lot to unpack. Plus, AI security exposure in MCP servers, new persistence tactics through OAuth tokens, and fresh campaigns leveraging Rust and SharePoint vulnerabilities.

It’s been a wild week — so grab your double espresso, I’ve got mine, and let’s get into it. ☕

🏥 Hospitals in TX, TN, and IN Suffer Cyberattacks — Disrupting Patient Care

Healthcare took another beating this week. Haywood and Ethel Hospitals in Massachusetts and multiple healthcare facilities in Texas, Tennessee, and Indiana were hit by coordinated cyber incidents that disrupted care delivery. Ambulances were diverted, labs were delayed, and hospitals had to activate code black procedures, meaning they could no longer accept new patients.

In some cases, even radiology and communications systems were knocked offline. I reminded listeners:

“When you take down a hospital network, you’re not just stealing data — you’re gambling with human lives.”

The root cause appears to be poor network segmentation and flat architectures that let ransomware move laterally from IT systems to IoT-connected medical equipment. Hospitals are working with DHS and CISA to recover, but HIPAA penalties and insurer scrutiny are almost certain to follow.

🏛 Multiple U.S. Municipalities Targeted — TX, TN, IN, and PA Governments Affected

Municipalities remain soft targets. Kaufman County, Texas (pop. 200K) was hit by a cyber incident disrupting public portals and administrative services. Similar outages were confirmed in La Vergne, Tennessee; DeKalb County, Indiana; and the Chester County Library System in Pennsylvania.

These attacks — likely ransomware — have halted government operations, delayed fee collection, and disrupted public-facing services. As I said:

“City networks run on shoestring budgets and blind trust. It’s not a lack of effort — it’s a lack of resources and accountability.”

State-level intervention and standardized cyber readiness audits are urgently needed, as local governments remain ripe for exploitation.

🇬🇧 UK Intelligence Chief Warns of “Most Contested Threat in Decades”

Britain’s signals intelligence agency, GCHQ, raised the alarm about escalating global cyber threats. Director Anne Keast-Butler said the UK is facing four times as many significant incidents compared to last year, calling this the most contested digital era in her 30-year career.

GCHQ is now prioritizing AI for defensive operations, focusing on:

  • boosting analyst productivity,

  • securing AI by design, and

  • tracking adversary use of AI.

The agency plans to embed AI model governance across the private sector — meaning compliance controls may soon require transparency on AI training data and model integrity.

☠ Iran’s MuddyWater Targets 100+ Organizations Worldwide

Iranian-backed threat group MuddyWater is conducting an ongoing campaign against energy, logistics, and government entities across the Middle East, Europe, and the U.S.
The attacks involve spear phishing, SharePoint credential theft, and long-dwell persistence using native Windows tools (living off the land).

I emphasized, “The Iranians play the long game — they’ll sit in your environment for months waiting for the right door to open.”
To defend, enterprises should:

  • Enforce phishing-resistant MFA,

  • Disable legacy authentication,

  • Hunt for remote WMI execution, PsExec service installs, and SMB connections to admin shares (ADMIN$, C$) from hosts that have no business making them.

MuddyWater’s persistence methods have already been observed across multiple energy-sector vendors, underscoring supply-chain exposure.
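The three hunts above, written out as an added example (not tooling from the podcast or from any MuddyWater report) that runs over a handful of constructed Windows event records. The field names follow the Windows event data names (ServiceName, ImagePath, ParentProcessName, NewProcessName, ShareName, IpAddress); the hosts, timestamps and the ALLOWED_ADMIN_HOSTS allow-list are made up for the demo. The beacon check generalises the "SMB beaconing" point: repeated admin-share connections from one source at a near-constant interval are flagged, which is what a scheduled implant looks like and an interactive admin session does not.

```python
"""Hunt logic for the living-off-the-land tradecraft described above,
run over CONSTRUCTED Windows event records (plain dicts, not real telemetry)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts expected to touch ADMIN$/C$ (patch/EDR servers). Assumption for the demo.
ALLOWED_ADMIN_HOSTS = {"10.0.0.10"}

SAMPLE_EVENTS = [  # constructed for this example
    {"EventID": 7045, "Computer": "FS01", "TimeCreated": "2025-10-24T08:00:00+00:00",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FS01", "TimeCreated": "2025-10-24T08:01:00+00:00",
     "ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    {"EventID": 4688, "Computer": "WS07", "TimeCreated": "2025-10-24T08:02:00+00:00",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all > \\\\FS01\\ADMIN$\\w.txt"},
    {"EventID": 4688, "Computer": "WS07", "TimeCreated": "2025-10-24T08:02:30+00:00",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 5140, "Computer": "DC01", "TimeCreated": "2025-10-24T08:03:00+00:00",
     "IpAddress": "10.0.0.10", "ShareName": "\\\\*\\ADMIN$"},
] + [
    {"EventID": 5140, "Computer": "DC01", "TimeCreated": t,
     "IpAddress": "10.0.0.57", "ShareName": "\\\\*\\C$"}
    for t in ("2025-10-24T08:05:00+00:00", "2025-10-24T08:06:01+00:00",
              "2025-10-24T08:06:59+00:00", "2025-10-24T08:08:00+00:00")
]


def find_psexec_installs(events):
    """System 7045: a new service whose name or binary is PsExec's PSEXESVC."""
    hits = []
    for e in events:
        if e["EventID"] == 7045:
            if "PSEXESVC" in (e.get("ServiceName", "") + e.get("ImagePath", "")).upper():
                hits.append((e["Computer"], e.get("ImagePath")))
    return hits


def find_wmi_exec(events):
    """Security 4688: WmiPrvSE.exe spawning a shell = remote WMI process creation."""
    shells = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
    hits = []
    for e in events:
        if e["EventID"] == 4688:
            parent = e.get("ParentProcessName", "").lower()
            child = e.get("NewProcessName", "").lower()
            if parent.endswith("\\wmiprvse.exe") and child.endswith(shells):
                hits.append((e["Computer"], e.get("CommandLine")))
    return hits


def find_admin_share_access(events):
    """Security 5140: ADMIN$ or C$ opened from a host not on the allow list."""
    hits = []
    for e in events:
        if e["EventID"] == 5140:
            share = e.get("ShareName", "").upper()
            src = e.get("IpAddress")
            if share.endswith(("\\ADMIN$", "\\C$")) and src not in ALLOWED_ADMIN_HOSTS:
                hits.append((src, e["Computer"], e.get("ShareName")))
    return hits


def find_smb_beacons(events, min_hits=4, max_jitter_s=5.0):
    """Admin-share connections from one source at a near-constant interval
    (low standard deviation of the gaps) look like a beacon, not an admin."""
    series = defaultdict(list)
    for e in events:
        if e["EventID"] == 5140:
            key = (e.get("IpAddress"), e["Computer"])
            series[key].append(datetime.fromisoformat(e["TimeCreated"]))
    beacons = []
    for (src, host), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((src, host, round(mean(gaps), 1)))
    return beacons


def run_hunt(events):
    return {
        "psexec_installs": find_psexec_installs(events),
        "wmi_exec": find_wmi_exec(events),
        "admin_share_access": find_admin_share_access(events),
        "smb_beacons": find_smb_beacons(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the constructed data the hunt returns one PsExec service install on FS01, one WMI-spawned shell on WS07, four C$ connections from 10.0.0.57, and flags that source as a 60-second beacon; the allow-listed patch server's ADMIN$ hit is ignored. Against real telemetry, feed the same functions the JSON export of your SIEM's 7045/4688/5140 events and tune ALLOWED_ADMIN_HOSTS and max_jitter_s to your environment.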

🧠 3,000+ AI Servers Exposed via Model Context Protocol (MCP) Bug

A major flaw in the Smithery.ai MCP server registry exposed over 3,000 AI servers and API keys. This could’ve allowed attackers to harvest secrets, manipulate LLM behavior, or even poison data pipelines.

Had it not been patched, the business impact could’ve been catastrophic — silent access to AI-assisted workflows, compromised source integrity, and total loss of trust in model outputs.

Mitigations include:

  • Rotating all MCP keys and tokens,

  • Pinning registry entries (server images and manifests) by hash,

  • Requiring signed manifests, and

  • Locking down prompt and tool-call telemetry, which routinely captures secrets.

I noted, “If you think patching Windows is hard, wait until you have to patch your AI.”

🇨🇳 China Exploits SharePoint Vulnerabilities in New Espionage Campaign

Chinese threat actors are again exploiting the SharePoint ToolShell vulnerabilities, chaining the flaws Microsoft patched in July to escalate from a single on-prem server to domain-level access in telecom and enterprise environments.
Despite the patches, attackers are still hitting unpatched on-prem servers and moving laterally into otherwise segmented zones, using collaboration apps as pivots.

Admins should:

  • Patch all on-prem SharePoint servers,

  • Disable legacy authentication,

  • Isolate SharePoint from Tier 0 assets,

  • Align patching to CISA KEV deadlines.

🦀 Rust “Tarmageddon” Vulnerability Enables RCE

A newly disclosed bug in the Rust async-tar library (and its forks), nicknamed “Tarmageddon” (CVE-2025-62518), could allow remote code execution during archive extraction. With 5M+ downloads, the library is used in countless projects.

The flaw is a desync between the size in the ustar header and the size declared in a PAX extended header: the parser advances by the wrong amount, so bytes an attacker placed inside one file’s body are read as additional archive entries (archive smuggling), letting a crafted archive drop files the extractor was never meant to write.
Developers should:

  • Update to fixed versions,

  • Disable automatic unpacking in pipelines,

  • Add size and content-type validation before extracting files.

This could have ripple effects in supply chain tooling, CI/CD systems, and cloud storage processors.
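A toy model of that desync, added here as an illustration and not taken from async-tar or its fix: it hand-builds a tar archive whose ustar header says benign.txt is 0 bytes while the PAX extended header says it is 1024 bytes, then walks it with two parsers. The one that advances by the ustar size lands inside the file body and surfaces a smuggled evil.sh entry; the one that honours the PAX size override (as GNU tar and CPython's tarfile do) sees only benign.txt. The header layout is the standard ustar format; PAYLOAD and the entry names are constructed.

```python
"""PAX/ustar size desync (archive smuggling), simplified. Added example."""
import io
import tarfile

BLOCK = 512
PAYLOAD = b"#!/bin/sh\necho smuggled\n"   # constructed content of the hidden file


def _octal(n, width):
    """Octal ASCII field, width-1 digits plus a NUL terminator."""
    return f"{n:0{width - 1}o}".encode() + b"\0"


def make_header(name, size, typeflag):
    """Minimal ustar header block with a valid checksum."""
    hdr = b"".join([
        name.encode().ljust(100, b"\0"),
        _octal(0o644, 8), _octal(0, 8), _octal(0, 8),
        _octal(size, 12), _octal(0, 12),
        b" " * 8,                       # checksum is computed with spaces here
        typeflag, b"\0" * 100, b"ustar\0", b"00",
        b"\0" * 32, b"\0" * 32, _octal(0, 8), _octal(0, 8), b"\0" * 155,
    ]).ljust(BLOCK, b"\0")
    chk = f"{sum(hdr):06o}".encode() + b"\0 "
    return hdr[:148] + chk + hdr[156:]


def _padded(n):
    return (n + BLOCK - 1) // BLOCK * BLOCK


def pax_record(key, value):
    """'N key=value\\n' where N is the record length including the digits."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) != n:
        n += 1
    return f"{n}{body}".encode()


def build_smuggling_archive():
    """benign.txt: ustar size 0, PAX size = len(hidden). 'hidden' is a
    complete tar entry (evil.sh) sitting where the file body should be."""
    hidden = make_header("evil.sh", len(PAYLOAD), b"0") + \
        PAYLOAD.ljust(_padded(len(PAYLOAD)), b"\0")
    pax = pax_record("size", str(len(hidden)))
    return (make_header("./PaxHeaders/benign.txt", len(pax), b"x")
            + pax.ljust(_padded(len(pax)), b"\0")
            + make_header("benign.txt", 0, b"0")
            + hidden
            + b"\0" * (2 * BLOCK))


def _parse_pax(body):
    out = {}
    while body:
        n = int(body.split(b" ", 1)[0])
        k, v = body[len(str(n)) + 1:n - 1].split(b"=", 1)
        out[k.decode()] = v.decode()
        body = body[n:]
    return out


def list_entries(archive, honor_pax):
    """Walk the archive. honor_pax=False models the vulnerable behaviour:
    the skip distance comes from the ustar size field only."""
    names, pos, pending = [], 0, {}
    while pos + BLOCK <= len(archive):
        blk = archive[pos:pos + BLOCK]
        pos += BLOCK
        if blk == b"\0" * BLOCK:
            break
        name = blk[:100].rstrip(b"\0").decode()
        size = int(blk[124:136].rstrip(b"\0 ").decode() or "0", 8)
        if blk[156:157] == b"x":                 # PAX extended header
            pending = _parse_pax(archive[pos:pos + size])
            pos += _padded(size)
            continue
        if honor_pax and "size" in pending:
            size = int(pending["size"])          # the fix: trust the override
        pending = {}
        names.append(name)
        pos += _padded(size)
    return names


def stdlib_view(archive):
    """Cross-check: CPython's tarfile applies the PAX size override."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tf:
        return tf.getnames()


if __name__ == "__main__":
    a = build_smuggling_archive()
    print("vulnerable parser:", list_entries(a, honor_pax=False))
    print("fixed parser:     ", list_entries(a, honor_pax=True))
    print("tarfile:          ", stdlib_view(a))
```

The vulnerable walk lists ['benign.txt', 'evil.sh']; the fixed walk and tarfile list ['benign.txt']. The same archive is therefore "one harmless file" to the tool that checked it and "two files" to the tool that extracted it, which is why the advice above to validate before unpacking only helps if the validator and the extractor agree on the format.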

🔑 OAuth Tokens Maintain Persistence After Password Resets

New research shows attackers are exploiting OAuth tokens to maintain cloud persistence even after password resets.
By abusing refresh and access tokens, attackers can silently maintain session control over Salesforce, Microsoft 365, and other SaaS environments.

To mitigate:

  • Enumerate and block unapproved OAuth apps,

  • Rotate secrets and keys,

  • Enforce token invalidation upon password changes,

  • Restrict high-risk grant scopes.

This attack highlights a recurring problem — password hygiene alone is not enough.
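A triage pass over consent grants, added here as an example of the "enumerate and restrict" step (not the research's tooling). The records mimic the shape of Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects (field names clientId, consentType, scope, verifiedPublisher are real); the app names, IDs, APPROVED_APP_IDS allow-list and HIGH_RISK_SCOPES set are constructed and should be tuned per tenant. offline_access is called out separately because it is the scope that yields a refresh token, the artefact that keeps working after a password reset until it is revoked.

```python
"""Rank OAuth consent grants by persistence risk. Added example."""

# Delegated scopes that give broad data access or long-lived tokens (assumption).
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Sites.ReadWrite.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
}
APPROVED_APP_IDS = {"3e1f2a40-0000-4000-8000-00000000c0de"}  # constructed allow-list

SAMPLE_SERVICE_PRINCIPALS = [  # constructed; shape of Graph servicePrincipal
    {"id": "sp-crm", "appId": "3e1f2a40-0000-4000-8000-00000000c0de",
     "displayName": "Approved CRM Connector",
     "verifiedPublisher": {"displayName": "CRM Vendor", "verifiedPublisherId": "1234567"}},
    {"id": "sp-bot", "appId": "9b7c1d2e-0000-4000-8000-0000000bad01",
     "displayName": "Contoso Expense Bot",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None}},
]
SAMPLE_GRANTS = [  # constructed; shape of Graph oauth2PermissionGrant
    {"id": "g1", "clientId": "sp-bot", "consentType": "Principal", "principalId": "user-17",
     "resourceId": "graph", "scope": "User.Read offline_access Mail.ReadWrite"},
    {"id": "g2", "clientId": "sp-crm", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-bot", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "Directory.ReadWrite.All offline_access"},
]

UNAPPROVED = "not on the approved-app list"


def triage_grants(grants, service_principals, approved_app_ids, min_score=3):
    """One finding per client app. Score: +3 unapproved, +2 per high-risk
    scope, +1 unverified publisher, +1 tenant-wide (admin) consent."""
    sps = {sp["id"]: sp for sp in service_principals}
    per_app = {}
    for g in grants:
        sp = sps.get(g["clientId"]) or {          # grant outlived its client SP
            "id": g["clientId"], "appId": "<missing>",
            "displayName": "<deleted service principal>", "verifiedPublisher": {}}
        f = per_app.setdefault(sp["id"], {
            "app": sp["displayName"], "appId": sp["appId"], "grant_ids": [],
            "risky_scopes": set(), "reasons": set()})
        f["grant_ids"].append(g["id"])
        f["risky_scopes"] |= set(g.get("scope", "").split()) & HIGH_RISK_SCOPES
        if sp["appId"] not in approved_app_ids:
            f["reasons"].add(UNAPPROVED)
        if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
            f["reasons"].add("publisher not verified")
        if g.get("consentType") == "AllPrincipals":
            f["reasons"].add("tenant-wide admin consent")

    findings = []
    for f in per_app.values():
        score = 2 * len(f["risky_scopes"])
        score += 3 if UNAPPROVED in f["reasons"] else 0
        score += len(f["reasons"] - {UNAPPROVED})
        if "offline_access" in f["risky_scopes"]:
            f["reasons"].add("holds refresh tokens: survives a password reset until revoked")
        if score >= min_score:
            findings.append({**f, "score": score,
                             "risky_scopes": sorted(f["risky_scopes"]),
                             "reasons": sorted(f["reasons"])})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, APPROVED_APP_IDS):
        print(f"[{f['score']}] {f['app']} grants={f['grant_ids']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample data only the Expense Bot is reported (score 11, grants g1 and g3): unapproved, unverified, tenant-wide consent, and three high-risk scopes including offline_access. The approved CRM connector's tenant-wide User.Read consent scores 1 and stays below the threshold. Each finding is the input to the remediation steps above: delete the grant, and revoke the user's sessions rather than only resetting the password, since that is what actually invalidates the refresh token.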

🧬 Vidar Stealer 2.0 Rewritten for Speed and Stealth

The Vidar information stealer is back with a complete rewrite, featuring in-memory injection, faster credential theft, and browser wallet targeting.
The updated version uses anti-analysis features to evade sandboxes, making it particularly dangerous for developers and finance users.
CISOs should restrict unsigned browser extensions, block executable downloads that arrive via referral links, and watch for anomalous access to credential vaults.

🛒 Adobe Magento SessionReaper Exploited in Active Attacks

Adobe Magento sites are under siege. Threat actors are exploiting CVE-2025-54236, dubbed SessionReaper, to hijack customer sessions via the web APIs, leading to account takeovers, fraudulent orders, and cart skimming.

Affected versions are 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier. Apply Adobe’s fix for your branch, enable WAF protection in front of the API endpoints, and rotate admin tokens.
Just today, Sansec blocked more than 250 SessionReaper exploitation attempts targeting multiple stores, most of them originating from five IP addresses (also listed at CyberHubPodcast.com):

  • 34.227.25.4

  • 44.212.43.34

  • 54.205.171.35

  • 155.117.84.134

  • 159.89.12.166
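A small version-triage helper for the affected list above, added as an example rather than anything from Adobe or Sansec. It parses Magento's x.y.z-pN / x.y.z-alphaN version strings and answers "vulnerable / patched / unknown" per branch; the ordering assumption is alpha < GA < -pN within a branch, and anything older than 2.4.4 is covered by "and earlier". One caveat a practitioner needs: Adobe also ships the fix as an isolated hotfix that does not bump the version, so a "vulnerable" result means "go and check", not "confirmed exposed". The composer.lock fragment is constructed; the package name magento/product-community-edition is the real one.

```python
"""Triage Magento versions against the SessionReaper affected list. Added example."""
import json
import re

# Highest affected release per branch, from the list in the text above.
AFFECTED_MAX = {(2, 4, 9): ("alpha", 2), (2, 4, 8): ("p", 2), (2, 4, 7): ("p", 7),
                (2, 4, 6): ("p", 12), (2, 4, 5): ("p", 14), (2, 4, 4): ("p", 15)}
_RANK = {"alpha": 0, "beta": 1, "": 2, "p": 3}   # ordering assumption within a branch
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")


def parse_version(v):
    """'2.4.7-p7' -> ((2, 4, 7), (3, 7)); '2.4.9-alpha2' -> ((2, 4, 9), (0, 2))."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {v!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, (_RANK[m.group(4) or ""], int(m.group(5) or 0))


def sessionreaper_status(v):
    """'vulnerable' if at or below the affected maximum for the branch (or
    on an older, unlisted branch), 'patched' if above it, 'unknown' otherwise."""
    branch, suffix = parse_version(v)
    if branch in AFFECTED_MAX:
        tag, n = AFFECTED_MAX[branch]
        return "vulnerable" if suffix <= (_RANK[tag], n) else "patched"
    if branch < min(AFFECTED_MAX):
        return "vulnerable"            # "and earlier"
    return "unknown"                   # newer branch than the advisory lists


def version_from_composer_lock(lock_text):
    """Pull the installed Commerce/Open Source metapackage version from composer.lock."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in ("magento/product-community-edition",
                               "magento/product-enterprise-edition"):
            return pkg.get("version")
    return None


SAMPLE_COMPOSER_LOCK = json.dumps({"packages": [   # constructed fragment
    {"name": "psr/log", "version": "3.0.0"},
    {"name": "magento/product-community-edition", "version": "2.4.7-p7"},
]})


if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_COMPOSER_LOCK)
    print(installed, "->", sessionreaper_status(installed))
    for v in ("2.4.7-p8", "2.4.9-alpha2", "2.4.9", "2.4.3-p3", "2.4.10"):
        print(v, "->", sessionreaper_status(v))
```

Run it against each store's composer.lock (or the version reported by bin/magento) to get a first cut of which stores need the hotfix or upgrade; then confirm on the "vulnerable" ones whether the isolated patch is already applied before treating them as exposed.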

🎯 Phantom CAPTCHA Campaign Targets Ukraine NGOs

A Russian-linked campaign targeted Ukrainian relief organizations, including UNICEF and the Red Cross, with fake Zoom meeting invites and malicious PDF attachments. Victims were funneled through fake CAPTCHA pages to deploy malware or connect attackers to live sessions.

The attackers even impersonated the Ukrainian president’s office. This operation shows continued hybrid warfare tactics merging social engineering, malware, and political deception.

🧠 James Azar’s CISO Take

Today’s show is a sobering reminder that cybersecurity isn’t abstract — it’s human. When hospitals go dark or AI systems are exposed, the consequences extend far beyond code. We’re no longer defending servers; we’re defending trust — in medicine, governance, and innovation itself.

The second takeaway is that AI and cloud persistence are redefining our attack surface. Between OAuth abuse, MCP key leaks, and adversarial AI use, we’re moving into a world where identity and integrity are the new perimeters. As CISOs, our job isn’t just to detect threats — it’s to anticipate the next intersection of technology and risk before it hits production.

✅ Action Items

  • 🏥 Audit hospital and critical OT network segmentation.

  • 🏛 Review local municipality cyber readiness and patching cadence.

  • 🇬🇧 Implement AI governance controls and model validation.

  • ☠ Enforce phishing-resistant MFA and disable legacy auth.

  • 🧠 Rotate MCP keys and require signed manifests.

  • 🦀 Update Rust async-tar libraries; disable auto unpacking.

  • 🔑 Enumerate and restrict OAuth applications.

  • 🧬 Deploy anti-stealer defenses for finance and dev teams.

  • 🛒 Patch Adobe Magento and apply WAF rules for API endpoints.

  • 🎯 Train staff to recognize hybrid phishing campaigns.

And that’s a wrap for today’s show, Security Gang — patch fast, think human-first, and as always, stay cyber safe! ☕👊
