Good Morning Security Gang!
Welcome to today’s pre-recorded episode of the CyberHub Podcast for Tuesday, July 29, 2025. I may not have my espresso in hand (it’s nearly 1 a.m. here in Israel as I record this), but that doesn’t mean we’re skipping a beat.
We've got a high-voltage episode for all y’all—from airline chaos in Russia and one of the biggest data breaches in French defense history to new AI security flaws, fresh exploit chains, and attackers hammering Cisco and Apple systems. So grab your coffee, Red Bull, or Coke Zero (trust me, it tastes better in Israel), and let’s roll into today’s top stories.
✈ Aeroflot Cyberattack Grounds Russian Flights
Russia’s largest airline, Aeroflot, confirmed a cyberattack that disrupted over 50 flights on Monday. This national carrier—already isolated by global sanctions—suffered severe system outages, long airport lines, and flight cancellations. Pro-Ukrainian hacker group Silent Crow, alongside Belarusian CyberPartisans, claimed responsibility, alleging full infrastructure compromise, surveillance data theft, and access persistence for over a year. While the claim may be inflated, the impact is real—Aeroflot’s shares dropped 4% and the Kremlin acknowledged the breach. In wartime, cyberattacks like these can trigger real-world retaliation. Keep an eye on the skies.
🚢 1TB Breach at French Naval Defense Giant
French state-owned defense contractor Naval Group suffered a major cyberattack that allegedly resulted in the theft of 1 terabyte of sensitive data. Although the company downplayed operational impact and denied visible system compromise, portions of the stolen data have already surfaced on hacker forums. Naval Group supplies warships to nations like France, India, Brazil, and Egypt. Their reaction? Filing a complaint. But here’s the truth—exfiltration without ransomware is still a breach. Silence doesn’t mean security.
🌐 Thai Media Hit with 200M+ Cyberattacks Amid Regional Tensions
Thailand’s Nation Group media network reported over 200 million cyberattacks in three days, amid rising tensions with Cambodia. The attackers deployed a multi-pronged DDoS, spam, and fake content assault targeting websites and social media. This is another clear example of information warfare as a standard playbook during geopolitical conflicts, echoing similar tactics seen in Israel-Iran, Russia-Ukraine, and now Southeast Asia. The message to CISOs: Update your IR plans now.
🤖 Google Gemini CLI Exploit Enables Silent Malicious Commands
Tracebit researchers uncovered a severe vulnerability in Google’s new Gemini CLI tool that lets attackers silently execute malicious commands and exfiltrate data. Exploiting weak UX and command trust mechanisms, the exploit used a poisoned README.md to trigger hidden data transfers. Although Google patched the flaw in version 0.1.14, this incident exposes how early-stage AI tools can be manipulated if trust models aren’t hardened.
🍎 Apple macOS Exploit Bypasses Privacy Controls
Microsoft discovered that threat actors could use Spotlight plugin access to bypass Apple’s Transparency, Consent, and Control (TCC) security system and harvest sensitive user data—including Apple Intelligence cache files. Although this CVE was patched in March, it illustrates how attackers are finding gaps in trusted OS-level privacy mechanisms and why endpoint monitoring still matters—even on Macs.
🕷 Scattered Spider Now Targeting VMware vSphere Environments
Scattered Spider, the threat group behind attacks on MGM, Harrods, and others, has shifted tactics. According to Google’s Threat Intelligence Group, they’re now compromising vSphere environments to gain hypervisor-level access. This five-stage attack moves from initial AD compromise to hypervisor control, allowing ransomware deployment without detection by standard tools. The key TTP? Social engineering your help desk into resetting admin accounts. Harden that front line.
"The only way to deal with these threat actors isn't another tool - it's putting in the right controls, understanding their TTPs and IOCs, locking down your help desk, and making sure when one of these indicators pops, you lock it down, investigate, contain, and rebuild if necessary." James Azar
🧱 Cisco ISE Exploit Chain Fully Weaponized
A full exploit chain for CVE-2024-22881 targeting Cisco’s Identity Services Engine (ISE) is now public. Attackers can execute arbitrary code as root inside Docker containers. Cisco has urged all users to apply updates for versions 3.3 Patch 7 and 3.4 Patch 2. With active exploitation confirmed, delay here means exposure.
🖨 PaperCut NG/MF Exploits Persist in the Wild
A lingering 2023 vulnerability (CVE-2023-2533) in PaperCut print management software is still being exploited, despite being patched over a year ago. More than 1,100 instances remain online, some still vulnerable. CISA has added the flaw to its KEV catalog and ordered federal agencies to patch by August 18. Organizations not updating risk ransomware payloads being deployed.
🧠 James Azar’s CISO Take
This episode reflects the increasing convergence of geopolitical warfare and enterprise cybersecurity. From Aeroflot to the French Naval Group to the Thai media barrage, organizations are now pawns and proxies in modern conflict. If your business touches infrastructure, media, or supply chains, you are already in the crosshairs—even if you don’t know it. Build IR playbooks with geopolitical conflict in mind. Know your nation's allies and adversaries and prepare accordingly.
Equally important is how AI and core platforms like VMware and Cisco are introducing new exploit surfaces. Google Gemini, Apple TCC, and Cisco ISE all have security expectations tied to trust—and attackers know that. We’re shifting to a world where exploiting admin tools and machine interfaces offers better ROI than phishing. That means practitioners must build controls around system behaviors—not just human ones.
✅ Action Items
🛫 Monitor aviation and transportation sectors for retaliatory cyber activity
🧑💻 Apply Cisco ISE patches immediately (3.3 Patch 7 / 3.4 Patch 2)
🖨 Patch PaperCut MF/NG servers before August 18 per CISA directive
🐞 Update Google Gemini CLI to version 0.1.14 or later
🍎 Confirm all macOS endpoints have March security updates
🔐 Restrict help desk access to password resets; enforce MFA
📃 Review business continuity plans for DDoS and information warfare scenarios
🧠 Use this moment to audit AI-assisted development tools for trust boundary violations
Stay cyber safe.
✅ Story Links:
https://therecord.media/cyberattack-aeroflot-russia-delays
https://thecyberexpress.com/nation-group-cyberattacks/
https://www.securityweek.com/scattered-spider-targeting-vmware-vsphere-environments/
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Website:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
Share this post