CISO Talk by James Azar
CyberHub Podcast
CyberHub Episode 1000: When Trust Becomes the Target – WSUS Weaponized, Chrome Zero-Day Exploited, and Toys R Us Breached

Milestone Episode 1000: Toys R Us Canada Data Breach Exposes Customer Records, Windows WSUS Infrastructure Weaponized by Attackers, and Chrome Zero-Day Powers Commercial Spyware Campaign

Good Morning Security Gang

Good morning, Security Gang — and welcome to a milestone. Today we are celebrating Episode 1000 of the CyberHub Podcast! What started back in 2018 as CyberHub Engage, and evolved through pandemic pivots and side projects like CISO Talk and Tech Town Square, has now grown into a daily staple for practitioners worldwide. I couldn’t have reached this without all of you — the listeners, the LinkedIn Gang, the peers who text me each morning. As I sip my double espresso (yes, still a pie-not-cake guy), let’s dive into today’s cyber headlines. Because attackers didn’t take the weekend off.

Toys“R”Us Canada Customer Leak

Toys“R”Us Canada confirmed a data leak after a threat actor published customer records online. The breach traces back to July 30th and includes contact and order information. While no payment data has been confirmed, phishing, smishing, refund fraud, and account takeovers are all probable downstream risks. Customers are urged to watch for loyalty-program scams. For the company, DMARC rotation and domain monitoring are critical next steps to protect customer trust and brand reputation.

Russia’s Food-Safety Agency DDoS Attack

Russia’s Rosselkhoznadzor, its food-safety regulator, suffered another major DDoS attack — the second in just a few months. Systems that track agricultural chemicals and food logistics were disrupted, delaying customs operations. Beyond technical fallout, such attacks aim to sow domestic unrest by undermining public trust in the government’s ability to ensure safe food supplies during wartime pressures. A reminder: even “non-critical” agencies can become flashpoints for national morale and supply-chain disruption.

RedTiger-Based Infostealer Loots Discord Accounts

A re-weaponized variant of the RedTiger stealer is targeting Discord, harvesting tokens, MFA data, and payment info. Attackers are hijacking corporate support and development communities — damaging reputations and causing operational chaos. Recommended mitigations: rotate all tokens, require re-authentication on device profile changes, and monitor webhook edits. Discord’s widespread use for developer communication makes this a stealthy yet high-impact supply-chain risk.

Ransomware Economics: Attacks Up, Payments Down

Coveware’s Q3 2025 report shows an interesting paradox — attacks up 50 percent year-to-date, but average payments sharply down. Large enterprises are refusing to pay; mid-market payouts are shrinking. IR costs rise, but resilience improves as organizations practice restoration instead of capitulation. My message to practitioners: run restore exercises quarterly, make extortion-resilience part of your continuity testing, and remember that paper and pens still matter when everything digital goes dark.

Windows Server WSUS Exploited in the Wild

A critical WSUS vulnerability (CVE-2025-59287) is now under active exploitation. Unhardened WSUS servers allow attackers to push malicious updates directly to endpoints. If you manage Windows Server 2012–2025, patch immediately, enforce HTTPS with valid certificates, restrict update approvals, and review logs going back to early October. This flaw underscores how patching infrastructure itself can become an attack vector.

“The systems and tools we build to protect ourselves inevitably become targets themselves. The WSUS compromise exemplifies this paradox – we implement patch management infrastructure to keep systems secure, but adversaries recognize that controlling the patch distribution mechanism gives them privileged access to every endpoint in our environment.” James Azar

Chrome Zero-Day Linked to Spyware Campaign

Kaspersky has tied a recent Chrome zero-day to the same toolkit used in the Dante spyware campaigns. Dubbed Operation Forum Toll, it targets education, finance, media, and government organizations — mainly in Russia — via phishing emails masquerading as forum invites. The exploit delivers short-lived, personalized links hosting the payload. Security teams should force browser updates, audit for sandbox escapes, and investigate any suspicious new Chrome extensions.

HashiCorp Vault Vulnerabilities

Two fresh CVEs (CVE-2025-12044 and CVE-2025-11621) expose potential secret leakage and authentication bypass in HashiCorp Vault. Despite earlier advisories, many environments remain unpatched, leaving regulated data at risk. Immediate actions: upgrade to fixed releases, rotate tokens and leases, and restrict the Vault UI/API behind SSO and strict network policies. Silent key leakage could cascade into full cloud compromise — don’t delay patching.

Qilin Ransomware’s Hybrid Resurgence

The Qilin crew (formerly “Kalin”) has surged back with new Linux-on-Windows payloads that leverage virtual-drive injection to disable EDR and wipe backups. Cisco Talos attributes 84 victims in August–September, mainly across manufacturing, scientific services, and wholesale sectors in the U.S., Canada, U.K., France, and Germany. Recommended: block vulnerable drivers, require per-session RMM approval, isolate backup networks, and test bare-metal restores to cut recovery times.

Breach Forums Returns (Again)

Despite repeated FBI takedowns, Breach Forums is back on the clearnet under new administration. This reappearance highlights the decentralized, hydra-like nature of cybercrime: take one site down, ten more appear. While the legal framework limits law enforcement speed, collaboration among the FBI, CISA, Europol, and Interpol continues to tighten. Their growing agility this year is notable — a bright spot amid endless threat replication.

Action List

  • 🔒 Customers: Monitor for Toys“R”Us-themed phishing and update credentials.

  • 🧩 Admins: Patch WSUS (CVE-2025-59287) and enforce HTTPS on all update servers.

  • 🌐 Browser Security: Force-update Chrome/Chromium, review unknown extensions.

  • 💾 Backup Readiness: Run a full restore exercise quarterly — pen and paper included.

  • 🔑 Vault Users: Patch HashiCorp Vault and rotate secrets immediately.

  • 🧠 Awareness: Train teams on Discord token hygiene and webhook monitoring.

  • 🚔 Law Enforcement Cooperation: Share IoCs with ISACs and sector CERTs.

James Azar’s CISO’s Take

Hitting one thousand episodes feels surreal, but the mission remains the same: bringing practitioners real-world intelligence, not hype. What stood out this morning is the growing divergence between attacker volume and victim compliance — proof that when organizations practice recovery and hold the line, the economics of ransomware start to shift. At the same time, infrastructure-layer exploits like WSUS and Vault show how the supply chain of trust continues to evolve — attackers now aim for our patching pipelines and key stores, not just endpoints.

My takeaway? The tools will keep changing, but the fundamentals don’t. Defense-in-depth means knowing how every layer behaves when compromised. Restoration drills, secret rotation, and disciplined patching beat any shiny new acronym.

“After 1000 episodes covering breaches, vulnerabilities, and attacks, I remain convinced that our industry’s greatest challenge isn’t technical – it’s organizational and cultural. We know how to secure systems, we understand the threats, we have the tools and frameworks. What we often lack is the executive commitment, resource allocation, and organizational discipline to implement security properly.” James Azar

To the Security Gang that’s been here for 1,000 shows — thank you for being part of this journey.

Here’s to the next thousand. Stay cyber safe.
