CISO Talk by James Azar
CyberHub Podcast
Cybersecurity Policy Reform, Coinbase Target of Supply Chain Attack, Veeam RCE Bug Patch Now

Spotlight on Ransomware Tactics, Code-Signing Threats, and Emerging Supply Chain Risks

In this edition of the CyberHub Podcast, broadcasting from Israel during the CyberTech event, the host provides an in-depth look at the latest threats and vulnerabilities shaking up the cybersecurity landscape.

From critical backup service flaws to orchestrated supply chain breaches, ransomware driver misuse, and the ongoing concerns over short-term code-signing certificates, this episode details the evolving methods threat actors use to exploit critical systems. It also covers broader discussions on policy reforms in cybersecurity, along with a high-profile settlement involving facial recognition tech firm Clearview AI.

Veeam Remote Code Execution Vulnerability

A critical remote code execution vulnerability (CVE-2025-23120) was disclosed in Veeam Backup and Replication software. It allows attackers to exploit deserialization flaws in backup-related components. Since Veeam is often a core pillar in an organization’s cyber resiliency strategy—enabling quick recovery from incidents—the host emphasizes rapid patching. Threat actors commonly scan for such vulnerabilities within minutes of public disclosure, making timely remediation essential.

GitHub Supply Chain Attack

Researchers at Wiz and Palo Alto's Unit 42 exposed more details regarding a recent supply chain attack on GitHub Actions. The compromised action, "tj-actions/changed-files," is used by thousands of repositories and was tampered with to dump secrets and authentication tokens into continuous integration and delivery (CI/CD) logs. Attackers started by obtaining a GitHub personal access token, then used that foothold to insert malicious commits. The ultimate goal appeared to be targeting companies like Coinbase, indicating sophisticated planning and potential links to state-sponsored groups. The incident highlights the risks of open-source dependencies and the importance of scrutinizing all third-party code.
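As an added example, not code from the episode or from the projects it discusses, here is a small audit helper for the kind of GitHub Actions review the incident calls for: it reads a workflow file and reports every third-party action referenced by a mutable tag or branch rather than a full commit SHA, since tags and branches can be moved to a different commit while a 40-character SHA cannot. The sample workflow and the SHA value in it are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the original post); the SHA is a dummy value.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.20
      - uses: some-org/deploy-tool@main
"""

# Matches "uses:" entries in a workflow; quoting and trailing comments are tolerated.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
# A full 40-hex-digit commit SHA is the only immutable reference form.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str
    ref: str
    status: str  # "sha-pinned", "mutable-ref", "local", or "docker"


def classify_uses(value: str) -> Finding:
    """Classify one 'uses:' value by how its revision is pinned."""
    if value.startswith("./"):          # action stored in this repository
        return Finding(value, "", "local")
    if value.startswith("docker://"):   # container image reference, audited separately
        return Finding(value, "", "docker")
    action, _, ref = value.partition("@")
    if FULL_SHA_RE.match(ref):
        return Finding(action, ref, "sha-pinned")
    return Finding(action, ref, "mutable-ref")  # tag, branch, or no ref at all


def audit_workflow(text: str) -> list:
    """Return a Finding for every 'uses:' entry in a workflow file, in order."""
    return [classify_uses(m.group(1)) for m in USES_RE.finditer(text)]


def mutable_refs(text: str) -> list:
    """Only the third-party actions that are not pinned to a commit SHA."""
    return [f for f in audit_workflow(text) if f.status == "mutable-ref"]


if __name__ == "__main__":
    for f in mutable_refs(SAMPLE_WORKFLOW):
        print(f"not SHA-pinned: {f.action}@{f.ref}")
```

Run it over each file under .github/workflows to get a list of actions to re-pin; a SHA pin does not by itself vet the code, so the pinned commit still needs review.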

Medusa Ransomware Leveraging a Malicious Driver

Elastic Security Labs identified the Medusa ransomware gang using a malicious driver (“Abyss Worker”) to disable and delete endpoint detection and response (EDR) products. This driver impersonates a legitimate CrowdStrike Falcon driver and relies on stolen code-signing certificates, letting it operate at the kernel level. Because Windows systems tend to allow such drivers for compatibility reasons, revoking certificates does not always mitigate the threat. This underscores how adversaries use legitimate security and business processes to evade detection.

Short-Term Code-Signing Certificates Abuse

Threat actors increasingly abuse short-lived (three-day) Microsoft code-signing certificates to distribute malware, taking advantage of the trust automatically granted to signed executables. Although the certificates expire, many systems do not immediately block previously signed executables, letting them persist. These certificates are cheap to obtain (e.g., via monthly subscription platforms) and slip past security tools that rely on signature-based trust. Developers and security teams alike must carefully vet all code-signing processes and continuously monitor certificates for suspicious use.

Ukraine CERT Alerts on Dark Crystal RAT

Ukraine’s CERT warns of ongoing cyberattacks against defense industrial complex workers, using the Dark Crystal RAT to gain full control of victims’ devices. Attackers allegedly use the Signal messaging app as an infiltration vector, with the RAT enabling data theft, manipulation, and further payload deployment. The persistent nature of these campaigns highlights ongoing cyber-espionage threats in conflict zones.

Virginia Attorney General’s Office Breach

The Cloak ransomware gang has claimed responsibility for an attack on the Virginia Attorney General’s Office first disclosed in February. Having failed to extort payment, the gang leaked allegedly stolen data online. This underscores the dangers of public-facing leaks when ransom demands go unmet and the importance of rapid response and communication to minimize reputational and legal impacts.

Policy Discussion on Cybersecurity Reform

An article by Professor Scott Shackelford highlights perceived gaps in cybersecurity policy and urges more aggressive government action. Suggested reforms include improved federal agency coordination, universal data-breach reporting, standardized cybersecurity frameworks for critical infrastructure, clearer accountability for vendors, and expanded cybersecurity education. While the podcast host supports coordinated regulations and robust breach-reporting laws, he cautions that holding companies strictly liable for all security flaws may stifle innovation and ignores the complexity of constantly evolving vulnerabilities.

Clearview AI Lawsuit Settlement

Clearview AI, known for its facial-recognition database, is settling a class-action privacy lawsuit potentially valued at over USD 50 million. With the company unable to afford such a sum outright, plaintiffs may end up receiving partial payouts or other arrangements. This settlement reflects growing legal pressures around biometric data collection and privacy rights, signaling a possible precedent for similar technologies.

Action List

  • Patch Veeam Immediately: Update to the latest Veeam Backup and Replication version to address the remote code execution vulnerability.

  • Review GitHub Integrations: Audit all GitHub Actions and personal access tokens to detect any unusual commits or configurations.

  • Harden EDR Defenses: Check driver installations and certificate trust lists to guard against malicious driver campaigns like Medusa.

  • Evaluate Code-Signing Practices: Regularly verify the legitimacy of certificates used to sign internal and external software components.

  • Monitor Messaging Platforms: Especially in high-risk regions, scrutinize communication tools (e.g., Signal) for malicious RAT links.

  • Develop Incident Response Plans: Prepare legal and public communications strategies to handle extortion and data leak scenarios.

  • Advocate for Smart Regulations: Support well-coordinated, practical cybersecurity legislation that avoids overburdening legitimate innovation.

  • Stay Abreast of Privacy Lawsuits: Assess corporate liabilities regarding biometric data and update policies in line with emerging legal precedents.

✅ Story Links:

https://www.bleepingcomputer.com/news/security/veeam-rce-bug-lets-domain-users-hack-backup-servers-patch-now/

https://www.securityweek.com/impact-root-cause-of-github-actions-supply-chain-hack-revealed/

https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/

https://www.cybersecuritydive.com/news/medusa-ransomware-malicious-driver-edr-killer/743181/

https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/

https://thecyberexpress.com/cert-ua-warns-of-darkcrystal-rat/

https://www.securityweek.com/ransomware-group-claims-attack-on-virginia-attorney-generals-office/

https://www.wsj.com/tech/cybersecurity/america-cybersecurity-policy-need-reforms-56ada544?mod=cybersecurity_news_article_pos1

https://therecord.media/clearview-ai-illinois-class-action-lawsuit-settlement

Level Zero Conference Discount Code: L020RESPOND at www.levelzeroconference.com

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
