CISO Talk by James Azar
CyberHub Podcast
Cybersecurity Firms React to China Ban, Iranian State TV Hacked with Anti-Regime Messages, and Black Basta Police Raids

CrowdStrike and Industry Respond to China Blacklist as Starlink Faces Iran Resilience Test With 20K+ Killed in Uprising While US Officials Confirm Cyber Weapons Used in Maduro Caracas Blackout Op

Good Morning Security Gang

I’m still getting used to our new 15-second intro — feels like I barely have time to sip my espresso before we’re live. Coffee cup cheers, y’all.

We’ve got a packed lineup: China officially bans U.S. and Israeli cybersecurity firms, Starlink faces a real-time test in Iran, Iranian state TV gets hijacked on-air, and new revelations about U.S. cyber operations used in Maduro’s capture. We’ll also hit stories on Anchorage police servers pulled offline after a vendor breach, a Canadian regulator breach exposing 750,000 investors, Black Basta raids across Europe, a Sitecore zero-day exploited by China-linked actors, and five malicious Chrome extensions stealing data.

To close it out, we’ll talk about the NSA–Cyber Command leadership confirmation hearing and a Jordanian access broker pleading guilty. Buckle up, Security Gang, we’ve got a global battlefield today.

China’s Cybersecurity Ban Sparks Industry Backlash

China’s reported move to ban U.S. and Israeli cybersecurity companies has triggered strong reactions across the industry. The list includes major players like CrowdStrike, Palo Alto Networks, Check Point, SentinelOne, CyberArk, Rapid7, Mandiant, Claroty, and McAfee, among others.

CrowdStrike responded swiftly, noting:

“We’ve never sold to China — nor do we plan to. Unlike our competitors, we made that decision years ago.”

Others, like Check Point, said they continue to serve customers while they review the move, and analysts see this as an economic power play rather than an actual security measure. As I said on the show:

“This isn’t about risk — it’s about leverage. Beijing’s playing Wall Street chess, not cybersecurity checkers.”

The timing aligns with the upcoming Trump–Xi summit, suggesting this move aims to weaken investor confidence in Western security vendors ahead of trade negotiations.

Starlink Tested During Iran Crackdown

Starlink is facing its toughest resilience test yet amid Iran’s brutal crackdown, where reports suggest more than 20,000 people have been killed in the past week.

Iranian cyber units have been jamming, triangulating, and tracking Starlink terminals, aiming to silence communication among protestors and aid groups.

As I noted: “Starlink’s not a magic shield — it’s a spotlight. Every signal is a target, and Tehran knows it.”

Organizations using satellite internet in high-risk regions must treat every terminal as a locatable emitter and apply RF OPSEC procedures (short transmit windows, moving terminals between sessions, keeping people away from the antenna while it is up) so the link itself does not expose teams, locations, and communications.

Iranian State TV Hijacked Live On-Air

Hackers hijacked Iranian state television broadcasts, injecting anti-regime messages and calls for protests from exiled Crown Prince Reza Pahlavi.

Attackers reportedly compromised the broadcast control chain, leveraging weak segmentation and credential reuse between production and on-air systems.

The operation temporarily overrode Iran’s heavily censored media, urging security forces to “stand with the people.”

As I said: “When you can’t control the internet, TV becomes your last propaganda weapon — and the hackers just flipped it against the regime.”

U.S. Cyber Ops Aided Maduro Capture and Caracas Blackout

U.S. officials confirmed that cyber operations were integral to Nicolás Maduro’s capture on January 3rd, including disabling power grids and radar systems around Caracas.

The operation combined cyber and kinetic tactics, using malware to disrupt command centers and delay military response.

This is America flexing its muscles again:

“You don’t need bombs when you can pull the plug,” I said on air.

It also raises questions about grid fragility — as seen in Venezuela, a single cascading failure can paralyze an entire capital.

Anchorage Police Pull Servers Offline After Vendor Breach

The Anchorage Police Department took multiple systems offline after a third-party vendor compromise.

To prevent lateral movement, the department disconnected systems handling case management, witness data, and records.

For departments reliant on SaaS and cloud integrations, this is a painful but necessary reminder: vendor segmentation is survival.

I advised: “If you’ve got third-party integrations, build enclaves. One bad vendor shouldn’t take down your badge.”

Canada Regulator Breach Exposes 750,000 Investors

The Canadian Investment Regulatory Organization (CIRO) confirmed a breach exposing data from 750,000 investors.

The root cause? A compromised data exchange workflow used for inter-brokerage verification. Impacted data includes PII, investment profiles, and financial records.

The breach happened in August 2025, but it was only disclosed this week: a five-month window in which the exposed data could already have been used for phishing and synthetic identity fraud across the financial sector.

My advice: enforce passkeys instead of SMS for investor logins and limit data synchronization between partners to only essential fields.
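
The field-minimization half of that advice is easy to state and easy to get wrong in practice, because the partner feed usually starts as “send the whole record”. The script below is an added example written for this post, not code from CIRO or any brokerage: it projects a record down to a per-partner allowlist of dotted field paths and returns the list of what was withheld, so the audit trail shows exactly which fields never left. The record, the field names, and the partner name are all constructed placeholders, not a real CIRO schema.

```python
from copy import deepcopy

# Constructed investor record for the example (not CIRO data), as it might
# sit in the originating brokerage's system before an inter-brokerage check.
SAMPLE_RECORD = {
    "investor_id": "INV-0001",
    "name": {"first": "Ada", "last": "Example"},
    "sin": "000-000-000",
    "contact": {"email": "ada@example.invalid", "phone": "+1-555-0100"},
    "profile": {"risk_tolerance": "medium", "net_worth_band": "B"},
    "holdings": [{"symbol": "XYZ", "units": 10}],
}

# Per-partner allowlists of dotted field paths (assumed names, not a real
# schema). Anything not listed never leaves the source system.
PARTNER_FIELDS = {
    "broker-verification": [
        "investor_id", "name.first", "name.last", "profile.risk_tolerance",
    ],
}


def _project(node, path, allowed, dropped):
    """Copy only allowed paths out of a nested dict, recording what was cut."""
    out = {}
    for key, value in node.items():
        here = f"{path}.{key}" if path else key
        if here in allowed:
            out[key] = deepcopy(value)
        elif isinstance(value, dict) and any(p.startswith(here + ".") for p in allowed):
            out[key] = _project(value, here, allowed, dropped)
        else:
            dropped.append(here)
    return out


def minimise(record, allowed_paths):
    """Return (projected_record, dropped_paths). dropped_paths is what you log
    so the audit trail shows exactly which fields were withheld from the partner."""
    dropped = []
    projected = _project(record, "", set(allowed_paths), dropped)
    return projected, sorted(dropped)


def for_partner(record, partner):
    """Fail closed: an unknown partner gets nothing rather than everything."""
    if partner not in PARTNER_FIELDS:
        raise KeyError(f"no field allowlist defined for partner {partner!r}")
    return minimise(record, PARTNER_FIELDS[partner])


if __name__ == "__main__":
    sent, withheld = for_partner(SAMPLE_RECORD, "broker-verification")
    print("sent:", sent)
    print("withheld:", withheld)
```

Run it and the partner payload carries the ID, the name, and the risk tolerance; the SIN, contact details, net-worth band, and holdings show up only in the withheld list. The fail-closed lookup matters as much as the projection: a partner that is not in the table gets an error, not the full record.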

Police Raid Black Basta Operators in Ukraine and Germany

European law enforcement raided Black Basta affiliates in Ukraine and Germany, arresting several operators and seizing crypto wallets.

While the main leadership remains at large, the arrests targeted money-laundering and data-leak facilitators. Affiliates are expected to retaliate by reposting stolen data to maintain reputation.

Defenders should ingest the released IOCs and wallet addresses, block them automatically at proxies and screen them in payment systems, and search historical logs for earlier contact with any of them.
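
What “ingest and auto-block” looks like in practice, as an added example for this post rather than anything released by law enforcement: a small parser that takes a “type,value,note” feed, refangs defanged entries, validates each indicator by type, de-duplicates, quarantines malformed rows instead of dropping them silently, and exposes a single decision function a proxy or payment screen can call. Every indicator in the sample feed is constructed (RFC 5737 test ranges, .example names, made-up wallet strings); none comes from the Black Basta raids. The wallet checks are format-only and do not verify address checksums.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed feed in the usual "type,value,note" shape of a released IOC list.
# Every value below is invented; none is an indicator from the raids.
SAMPLE_FEED = """\
# type,value,note
ip,203.0.113.45,constructed C2 (TEST-NET-3)
ip,198.51.100.7,constructed staging host (TEST-NET-2)
domain,leak-portal[.]example,defanged on purpose
url,hxxps://drop[.]example/pay.php,defanged on purpose
btc,1TestWa11etAddressForDemoPurposes1,constructed legacy-format wallet
btc,bc1qdem0wa77etaddressx9x9x9x9x9x9x9,constructed bech32-format wallet
btc,NOT-A-WALLET,malformed on purpose
ip,203.0.113.45,duplicate on purpose
"""

# Format checks only: the wallet patterns do not verify checksums.
_BTC_LEGACY = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
_BTC_BECH32 = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(value: str) -> str:
    """Undo common defanging so feed entries compare equal to live traffic."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


@dataclass
class BlockSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    wallets: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # (line_no, raw_value, reason)


def normalise(kind: str, raw: str) -> str:
    """Canonical form of one indicator; raises ValueError if it is malformed."""
    v = refang(raw)
    if kind == "ip":
        return str(ipaddress.ip_address(v))
    if kind == "domain":
        v = v.lower().rstrip(".")
        if not _DOMAIN.match(v):
            raise ValueError("not a valid hostname")
        return v
    if kind == "url":
        parts = urlsplit(v)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("not an http(s) URL with a host")
        return v
    if kind == "btc":
        if not (_BTC_LEGACY.match(v) or _BTC_BECH32.match(v)):
            raise ValueError("not a recognised Bitcoin address format")
        return v
    raise ValueError(f"unknown indicator type {kind!r}")


def parse_feed(text: str) -> BlockSet:
    """Validate and de-duplicate a feed; bad rows go to .rejected, never silently in."""
    bs = BlockSet()
    for line_no, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = [c.strip() for c in line.split(",", 2)]
        if len(cols) < 2:
            bs.rejected.append((line_no, line, "too few columns"))
            continue
        kind, raw = cols[0].lower(), cols[1]
        try:
            value = normalise(kind, raw)
        except ValueError as exc:
            bs.rejected.append((line_no, raw, str(exc)))
            continue
        if kind == "ip":
            bs.ips.add(value)
        elif kind == "domain":
            bs.domains.add(value)
        elif kind == "url":
            bs.urls.add(value)
            bs.domains.add(urlsplit(value).hostname.lower())  # block the host too
        else:
            bs.wallets.add(value)
    return bs


def should_block(bs: BlockSet, kind: str, value: str) -> bool:
    """Decision hook for a proxy (ip/domain/url) or a payment screen (btc).
    Hostnames match the listed name or any subdomain of it."""
    try:
        v = normalise(kind, value)
    except ValueError:
        return False
    if kind == "ip":
        return v in bs.ips
    if kind == "btc":
        return v in bs.wallets
    if kind == "url" and v in bs.urls:
        return True
    host = v if kind == "domain" else urlsplit(v).hostname.lower()
    labels = host.split(".")
    return any(".".join(labels[i:]) in bs.domains for i in range(len(labels)))
```

Two design points: the `rejected` list is there so a typo in the feed produces a ticket rather than a silent gap in coverage, and a blocked domain blocks its subdomains, because leak sites rotate hostnames under the same zone far more often than they change registrations.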

As I said: “When you arrest the money guys, the coders scatter. That’s how you break ransomware.”

China-Linked Actors Exploit Sitecore Zero-Day

Researchers identified China-linked threat actors exploiting a Sitecore deserialization zero-day (CVE-2025-53690) for initial access and persistence.

Organizations running Sitecore should patch immediately, rotate the ASP.NET machine keys and any service credentials (the machine key signs and encrypts ViewState, so a key an attacker has obtained lets forged payloads pass validation until it is replaced on every node), and add WAF rules for the known payloads as a stopgap, not as the fix.
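
Rotating machine keys is the step most often done badly: keys get copied from a sample config, left at a short length, or regenerated on one node of a farm. The script below is an added example for this post (it is not Sitecore’s tooling or anything from the researchers): it audits the `<machineKey>` in a web.config for the patterns worth flagging and emits a fresh replacement element. The web.config fragment and the “known published keys” set are constructed placeholders; fill the set from your own inventory of keys that have ever appeared in docs, samples, backups, or old builds.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment showing the weak patterns the checker flags.
# The key values are deliberately recognisable placeholders, not real keys.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Keys you know to be published: vendor docs, sample configs, old builds, leaked
# backups. Assumed placeholder contents for the example; fill from your inventory.
KNOWN_PUBLISHED_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}

WEAK_VALIDATION = {"SHA1", "MD5", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}


def _is_hex(s: str) -> bool:
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)


def audit_machine_key(config_xml: str, published=frozenset(KNOWN_PUBLISHED_KEYS)) -> list:
    """Return findings (strings) for <system.web>; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(config_xml)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append('enableViewStateMac="false": explicit opt-out of ViewState MAC checks')
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("no explicit <machineKey>: keys are auto-generated per server, "
                        "so you cannot prove what is deployed or rotate on purpose")
        return findings
    published_uc = {k.upper() for k in published}
    for name, min_hex in (("validationKey", 128), ("decryptionKey", 64)):
        key = mk.get(name, "")
        if not key or key.startswith("AutoGenerate"):
            findings.append(f"{name} is auto-generated")
        elif not _is_hex(key):
            findings.append(f"{name} is not a hex string")
        elif key.upper() in published_uc:
            findings.append(f"{name} matches a known published/sample key")
        elif len(key) < min_hex:
            findings.append(f"{name} is {len(key)} hex chars; expected at least {min_hex}")
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(f"validation={mk.get('validation')}: use HMACSHA256 or stronger")
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(f"decryption={mk.get('decryption')}: use AES")
    return findings


def new_machine_key_element() -> str:
    """A replacement <machineKey> with fresh random keys (HMACSHA256 + AES-256).
    Deploy the identical element to every node in the farm, then invalidate
    sessions: anything signed or encrypted under the old key must stop validating."""
    validation_key = secrets.token_hex(64).upper()   # 64 bytes -> 128 hex chars
    decryption_key = secrets.token_hex(32).upper()   # 32 bytes -> 64 hex chars
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


if __name__ == "__main__":
    for finding in audit_machine_key(WEAK_CONFIG):
        print("FINDING:", finding)
    print(new_machine_key_element())
```

Against the constructed config this reports four findings (the MAC opt-out, a validation key that matches a published one, a 32-character decryption key, and SHA1 validation); a config carrying the freshly generated element reports none. The audit is only as good as the published-key set you feed it, so that set is the thing to maintain.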

This is part of a broader pattern of China targeting CMS platforms for lateral infiltration into corporate environments.

Five Malicious Chrome Extensions Stealing Data

Five malicious Chrome extensions have been discovered exfiltrating session tokens, chat content, and browser data.

The extensions — Data by Cloud Access, Tool Access 11, Data by Cloud One, Data by Cloud Two, and Software Access — masqueraded as productivity tools but were stealing credentials and cookies.

Admins should enforce an enterprise allowlist (block every extension by default and permit only reviewed IDs), remove the five, and revoke sessions and OAuth tokens for the users who had them installed: cookies and tokens already exfiltrated keep working after the extension is gone.
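
As an added example for this post (not Google’s tooling or anything from the researchers who found the extensions), here is the allowlist-plus-triage logic in one place: it builds the managed Chrome policy that blocks everything except reviewed extension IDs, and it walks an endpoint inventory to decide what gets removed and, separately, whose sessions and tokens need revoking. The extension IDs, the inventory, and the user identifiers are constructed; the names echo the ones in the story but the IDs are invented. The policy keys `ExtensionInstallBlocklist` and `ExtensionInstallAllowlist` are real Chrome enterprise policy names.

```python
import json
import re

# Chrome extension IDs are 32 lower-case letters in the range a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

# Reviewed, approved extensions. IDs here are constructed for the example;
# replace them with the IDs from your own review.
APPROVED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "corporate password manager (constructed id)",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "approved PDF annotator (constructed id)",
}

# Permissions that let an extension reach sessions, cookies or identity tokens.
HIGH_RISK = {"cookies", "<all_urls>", "webRequest", "webRequestBlocking",
             "identity", "debugger", "nativeMessaging", "clipboardRead"}

# Constructed endpoint inventory (what an MDM/EDR extension report might return).
# Names echo the ones in the story; the IDs and users are invented.
INVENTORY = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "name": "corporate password manager",
     "permissions": ["storage"], "users": ["u1", "u2"]},
    {"id": "cccccccccccccccccccccccccccccccc", "name": "Data by Cloud Access",
     "permissions": ["cookies", "<all_urls>", "webRequest"], "users": ["u2", "u3"]},
    {"id": "dddddddddddddddddddddddddddddddd", "name": "Tool Access 11",
     "permissions": ["identity", "<all_urls>"], "users": ["u4"]},
    {"id": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "name": "harmless tab counter",
     "permissions": ["tabs"], "users": ["u1"]},
    {"id": "not-a-valid-id", "name": "garbled record", "permissions": [], "users": []},
]


def build_policy(approved: dict) -> dict:
    """Managed-Chrome policy: block every extension, then allow only reviewed IDs.
    Ships as JSON in the managed policy directory on Linux; the same keys go
    into the registry on Windows and the plist on macOS."""
    bad = [i for i in approved if not EXT_ID.match(i)]
    if bad:
        raise ValueError(f"malformed extension ids in allowlist: {bad}")
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(approved),
    }


def triage(inventory: list, approved: dict) -> dict:
    """Decide, per installed extension, whether it stays and whose tokens to revoke."""
    allowed, remove, malformed, revoke_users = [], [], [], set()
    for ext in inventory:
        if not EXT_ID.match(ext["id"]):
            malformed.append(ext["id"])
            continue
        if ext["id"] in approved:
            allowed.append(ext["id"])
            continue
        risky = sorted(set(ext["permissions"]) & HIGH_RISK)
        remove.append({"id": ext["id"], "name": ext["name"], "risky_permissions": risky})
        if risky:
            # Stolen cookies/tokens outlive the uninstall: these users need
            # sessions and OAuth grants revoked, not just the extension removed.
            revoke_users.update(ext["users"])
    return {"allowed": allowed, "remove": remove, "malformed": malformed,
            "revoke_users": sorted(revoke_users)}


if __name__ == "__main__":
    print(json.dumps(build_policy(APPROVED), indent=2))
    print(json.dumps(triage(INVENTORY, APPROVED), indent=2))
```

On Linux the policy dict is written as a JSON file under /etc/opt/chrome/policies/managed/. The `revoke_users` list is deliberately separate from `remove`: a harmless unapproved extension is removed without touching anyone’s sessions, while the data-stealing ones trigger revocation for every user who had them, which is the hook to wire into your IdP.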

As I warned: “If your browser is your office, then every extension is a co-worker and some of them are thieves.”

NSA–Cyber Command Nominee Faces Confirmation Hearing

Lieutenant General Joshua Reed Rudd testified before the Senate as the nominee for NSA Director and Commander of U.S. Cyber Command, signaling continuity in forward defense and critical infrastructure resilience.

Rudd emphasized:

  • Faster patching of in-the-wild exploits

  • Deeper public-private collaboration

  • A live KEV burndown dashboard to track global vulnerability response

His confirmation is expected by week’s end.

Jordanian Access Broker Pleads Guilty

Faris Elbashiti, a Jordanian national and major initial access broker, pleaded guilty to selling VPN and RDP credentials for more than 50 organizations.

Elbashiti operated marketplaces that supplied access to ransomware affiliates, fueling multiple U.S. corporate breaches. He faces up to 10 years in prison and deportation after serving his sentence.

As I said: “Access is the new gold — and this guy was a banker for every ransomware crew in town.”


Action List

  • 🇨🇳 Review China exposure — relocate sensitive data and evaluate partner risk.

  • 🛰️ Deploy RF OPSEC procedures for satellite comms in hostile regions.

  • 📺 Segment broadcast networks from production environments.

  • Test grid recovery and isolate telemetry for critical infrastructure.

  • 🧱 Enforce vendor enclaves and log all third-party traffic.

  • 💰 Implement passkeys for investor logins and audit data exchange workflows.

  • 💻 Ingest IOCs and wallet data from Black Basta raids.

  • 🧩 Patch Sitecore CVE-2025-53690 and rotate all service credentials.

  • 🌐 Allowlist Chrome extensions and auto-revoke risky tokens.

  • 🛡️ Adopt forward-defense frameworks aligned with NSA-CyberCom direction.

James Azar’s CISO’s Take

Today’s show proves just how tightly intertwined geopolitics, cyber operations, and private enterprise have become. From China’s economic warfare to U.S. digital strikes and rogue states waging information chaos — cyber is no longer a supporting domain; it’s the main stage.

My biggest takeaway? Resilience now defines credibility. Whether it’s a government blackout, a corporate breach, or a browser exploit, every CISO’s job is about maintaining trust under siege. We can’t control the world stage — but we can make sure our organizations don’t collapse when it shifts beneath us.

Stay alert, stay caffeinated, and as always — stay cyber safe.
