CISO Talk by James Azar
CyberHub Podcast
Daily Cyber News: WestJet Grounded by Hackers, 8.4M Zoomcar Users Exposed & 46,000 Grafana Sites at Risk, Israel & Iran at War, Russian Researcher Hacked

Global Cyber Warfare Escalates as Critical Infrastructure Faces Unprecedented Threats: From Canadian Airlines to Middle East Military Campaigns, Organizations Battle Sophisticated Attackers Exploiting

Good Morning Security Gang

Welcome to another episode of the Cyber Hub podcast with your host and Chief Information Security Officer, James Azar. Broadcasting from the Cyber Hub bunker and studio, this Monday's packed episode covers major international cyber incidents, from airline disruptions to escalating cyber warfare in the Middle East, alongside critical vulnerabilities affecting thousands of organizations worldwide.

This episode delivers critical cybersecurity intelligence covering a broad spectrum of threats facing organizations globally. From Canada's second-largest airline falling victim to cyber attackers to the dramatic 700% surge in cyber attacks against Israeli infrastructure, the security landscape continues to evolve rapidly. The show examines municipal government breaches, sophisticated impersonation campaigns, critical software vulnerabilities, and the ongoing weaponization of cyberspace in international conflicts.

WestJet Airlines Cyber Attack Disrupts Operations

Canada's second-largest airline, WestJet, fell victim to a sophisticated cyber attack that disrupted access to critical internal systems. The incident prevented customers from accessing both the website and mobile applications, though services were quickly restored following the company's response efforts. Unlike traditional ransomware attacks, this appears to have been an IT-focused application security breach, potentially involving backdoor access to the airline's development systems.

The attack highlights the vulnerability of transportation infrastructure, though aviation systems maintain crucial separation between IT networks and operational technology (OT) systems that control aircraft operations. This architectural design ensures that while IT systems can be compromised, the actual flight operations and avionics systems remain isolated and secure through one-way data communication protocols.

Municipal Government Systems Under Siege

Government offices across North Carolina and Georgia are experiencing widespread cyber attacks targeting municipal infrastructure. Thomasville, North Carolina, home to 30,000 residents, has been severely impacted, with most city systems remaining offline since Thursday of last week, though essential services continue to operate.

The attack has spread throughout the region, with Winston-Salem also experiencing similar disruptions to city systems. In Georgia, the Ogeechee judicial circuit district attorney's office is warning the four counties under its jurisdiction about extensive phone and internet outages affecting critical operations.

The office, which serves approximately 180,000 people across Effingham and Bulloch counties, has been forced to publish updates through local newspapers and social media due to the severity of the cyber attack that began the previous Tuesday. These incidents underscore the vulnerability of municipal governments, which often lack adequate cybersecurity governance due to budget constraints and insufficient cybersecurity education among staff.

Middle East Cyber Warfare Escalates Dramatically

The ongoing military conflict between Israel and Iran has triggered a massive escalation in cyber warfare activities. Radware security researchers report a staggering 700% increase in cyber attacks against Israeli infrastructure since the military campaign began on June 12th. This surge represents a significant escalation in malicious network activity, with Iranian state actors and pro-Iranian hacker groups launching coordinated cyber retaliation operations within just two days of the conflict's intensification.

The attacks encompass a wide range of malicious activities including distributed denial-of-service (DDoS) attacks, sophisticated infiltration attempts targeting critical infrastructure, extensive data theft operations, and widespread malware distribution campaigns. According to Ron Meyran, VP of Cyber Threat Intelligence at Radware, the primary targets include government websites, financial institutions, telecommunications companies, and critical infrastructure systems.

The cyber warfare component mirrors the kinetic military operations, with Israel launching coordinated cyber attacks against Iranian infrastructure at precisely 3 AM, the moment Israeli aircraft struck Iranian targets, effectively crippling communications systems and other critical infrastructure simultaneously with the physical military strikes.

Zoomcar Data Breach Exposes 8.4 Million Users

India-based car sharing marketplace Zoomcar has suffered a significant data breach affecting 8.4 million users across its operations in India, Indonesia, Egypt, and Vietnam. The company, which operates as a platform connecting vehicle owners with rental customers, discovered the breach on June 9th when employees received external communications from threat actors claiming unauthorized access to company systems.

This incident represents a data theft and attempted blackmail operation rather than traditional ransomware, with attackers exfiltrating personal information including names, phone numbers, car registration numbers, physical addresses, and email addresses. Zoomcar Holdings Inc. has filed appropriate notifications with the SEC regarding the incident. While initial investigations indicate no compromise of financial data, passwords, or other highly sensitive information, security experts warn that deeper investigation often reveals additional compromised data as attackers typically maintain persistence within compromised networks.

Sophisticated Account Takeover Targets Russian Expert

A sophisticated cyber attack campaign has successfully compromised multiple email accounts belonging to Keir Giles, a prominent British researcher specializing in Russian affairs and author of "Russia's War on Everybody." The attackers employed advanced social engineering techniques, impersonating U.S. State Department officials to gain unauthorized access to Giles' accounts. As a consulting fellow at the prestigious Chatham House Think Tank, Giles has issued warnings through LinkedIn advising contacts to treat any unexpected emails from his accounts with extreme caution.

The researcher noted that in previous sophisticated account takeover incidents, attackers often include previously acquired communications in future data dumps, potentially compromising ongoing research and diplomatic communications. This attack follows a pattern established last year when Russian intelligence services targeted Giles and other Western researchers, impersonating academic colleagues to gain access to broader academic and policy networks.

The incident demonstrates Russia's continued focus on targeting Western experts and researchers who study Russian activities, representing a strategic information warfare campaign.

Critical Nessus Agent Vulnerabilities Demand Immediate Patching

Tenable has released emergency patches addressing three high-severity vulnerabilities in the Nessus Agent for Windows that pose significant security risks. The vulnerabilities, designated CVE-2025-36631, CVE-2025-36632, and CVE-2025-36633, carry CVSS scores of 8.4, 7.8, and 8.8 respectively, indicating severe security implications. These flaws enable attackers to perform unauthorized file operations and execute malicious code with elevated system privileges.

The first vulnerability allows users with non-administrative accounts to overwrite arbitrary local system files with log content, using system-level privileges.

The second vulnerability permits non-administrative users to execute arbitrary code with full system privileges, while the third enables unauthorized deletion of critical local system files, also with system privileges.

These vulnerabilities affect all Nessus Agent versions 10.8.4 and earlier, with remediation available through the updated version 10.8.5. Organizations using Nessus agents must prioritize immediate patching to prevent potential system compromise.

SimpleHelp Ransomware Targets Retail Sector

CISA has issued warnings regarding the SimpleHelp ransomware group's recent targeting of retail organizations through a series of coordinated attacks. While specific technical details regarding the attack vectors remain undisclosed as investigations continue, the pattern suggests exploitation of common vulnerabilities in retail infrastructure. The warning indicates that CISA is still gathering intelligence on the specific CVEs being exploited and the attack methodologies employed by this ransomware group.

This cautious approach to information disclosure suggests ongoing active investigations where premature release of technical details could compromise response efforts or enable additional attacks. The retail sector's continued vulnerability to ransomware attacks reflects the industry's challenge in maintaining robust cybersecurity practices while managing complex, distributed infrastructure supporting both physical and digital commerce operations.

Malicious PyPI Package Targets Developer Credentials

Cybersecurity researchers have identified a sophisticated malicious package in the Python Package Index (PyPI) designed to harvest sensitive developer credentials and configuration data. The package, masquerading as "chimera-sandbox-extension," attracted 143 downloads before detection, demonstrating the ongoing threat to software supply chains. The malicious package impersonates a legitimate helper module for the Chimera Sandbox, a tool released by Singaporean technology company Grab for machine learning experimentation and development.

According to JFrog researcher Guy Korolevski, the malware operates by acquiring authentication tokens from a command-and-control domain, then retrieving a Python-based information stealer capable of harvesting extensive sensitive data. The stolen information includes Jamf receipts (records of software packages installed by Jamf Pro on managed devices), CI/CD environment variables, AWS tokens and account information, Zscaler host configurations, Git repository information, public IP addresses, and comprehensive platform, user, and host information.

This attack demonstrates the evolving sophistication of supply chain attacks targeting developer environments and infrastructure.

Massive Grafana Vulnerability Exposure Threatens 46,000 Instances

Security researchers have discovered that over 46,000 internet-facing Grafana instances remain vulnerable to a critical client-side open redirect vulnerability that enables malicious plugin execution and account takeover attacks. The flaw, designated CVE-2025-41230, affects multiple versions of the popular open-source monitoring and visualization platform used for infrastructure and application metrics. Originally discovered by bug bounty hunter Alvaro Balada and addressed in Grafana's latest release on May 21st, the vulnerability continues to affect approximately 36% of publicly accessible instances.

OX Security's comprehensive analysis identified 128,864 total instances exposed online, with 46,506 still running vulnerable versions susceptible to exploitation. The attack methodology combines client-side path traversal and open redirect mechanics, enabling attackers to craft malicious URLs that, when clicked by victims, load malicious Grafana plugins from attacker-controlled servers. This vulnerability represents a significant supply chain risk, as compromised monitoring infrastructure could provide attackers with extensive visibility into organizational operations and sensitive metrics data.
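As an added example (not from the show notes or from Grafana), a Python audit that reads the version each instance reports on its unauthenticated GET /api/health endpoint and flags it if it is older than the fixed release of its branch. The fixed version numbers in FIXED_BY_BRANCH are placeholders, since the episode names the May 21st release but not its version numbers; Grafana's "+security-NN" build suffix is ranked explicitly because plain semver would ignore it.

```python
"""Audit Grafana instances for an unpatched version via GET /api/health.
Added example; not code from the podcast or the Grafana project."""
import json
import re
import urllib.request

# Placeholder fixed versions per release branch: the page does not name them,
# so replace these constructed values with those from Grafana's May 21st advisory.
FIXED_BY_BRANCH = {
    "12.0": "12.0.0+security-01",
    "11.6": "11.6.1+security-01",
    "11.5": "11.5.4+security-01",
}

# major.minor.patch, optional -prerelease, optional +security-NN suffix
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(?:\+security-(\d+))?$")

def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_release, security) so that
    12.0.0-pre < 12.0.0 < 12.0.0+security-01 compare correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Grafana version: {text!r}")
    major, minor, patch, pre, sec = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, int(sec or 0))

def is_vulnerable(version: str) -> bool:
    """True when older than the branch's fixed release, or when the branch
    has no fix listed (unsupported branch: treat as unpatched)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return True
    return v < parse_version(fixed)

def version_from_health(body: str) -> str:
    """Extract the 'version' field from a /api/health JSON response."""
    return json.loads(body)["version"]

def audit(base_url: str, timeout: float = 5.0) -> tuple:
    """Query one live instance; returns (version, vulnerable)."""
    url = base_url.rstrip("/") + "/api/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        version = version_from_health(resp.read().decode())
    return version, is_vulnerable(version)

if __name__ == "__main__":
    # Constructed sample response instead of a live instance.
    sample = '{"commit":"abc123","database":"ok","version":"11.6.0"}'
    v = version_from_health(sample)
    print(v, "VULNERABLE" if is_vulnerable(v) else "patched")
```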

Action Items

  • Immediate Patching Required: Update Nessus Agent to version 10.8.5 immediately to address critical Windows vulnerabilities

  • Grafana Security Review: Audit and update all Grafana instances to latest version, prioritizing internet-facing deployments

  • Municipal Cybersecurity Assessment: Local governments should conduct immediate cybersecurity governance reviews and implement basic security packages

  • Developer Security Protocols: Implement enhanced vetting procedures for PyPI packages and review CI/CD environment security

  • Email Security Enhancement: Organizations should strengthen email authentication and employee training regarding sophisticated impersonation attacks

  • Transportation Sector Review: Airlines and transportation companies should review IT/OT network separation and application security protocols

  • Middle East Operations: Organizations with Middle East operations should heighten cybersecurity monitoring and incident response readiness

  • Account Takeover Prevention: Implement multi-factor authentication and anomaly detection for high-profile accounts and researchers

  • Retail Security Hardening: Retail organizations should review and strengthen ransomware prevention and response capabilities

  • Supply Chain Security: Establish comprehensive software supply chain security protocols and dependency monitoring systems


✅ Story Links:

https://www.bleepingcomputer.com/news/security/westjet-investigates-cyberattack-disrupting-internal-systems/

https://therecord.media/thomasville-nc-government-ogeechee-ga-district-cyberattacks

https://www.jpost.com/business-and-innovation/tech-and-start-ups/article-857790#google_vignette

https://www.securityweek.com/zoomcar-says-hackers-accessed-data-of-8-4-million-users/

https://therecord.media/keir-giles-russia-researcher-email-hacked

https://www.securityweek.com/high-severity-vulnerabilities-patched-in-tenable-nessus-agent/

https://therecord.media/cisa-warns-of-simplehelp-ransomware-compromises

https://thehackernews.com/2025/06/malicious-pypi-package-masquerades-as.html

https://www.bleepingcomputer.com/news/security/over-46-000-grafana-instances-exposed-to-account-takeover-bug/
