Good Morning Security Gang
Good morning, Security Gang — James Azar here, and welcome back to the CyberHub Podcast! From the bunker and studio, it’s Thanksgiving Eve, and yes — tomorrow is all about family, food, and gratitude. No show tomorrow, but I’ve got a packed episode for you today before we sign off for the long weekend.
Grab your double espresso, take that first sip, and coffee cup cheers, y’all.
Today we’re breaking down the Dartmouth College ransomware breach, a Georgia courts ransomware attack, Russia’s disruption of U.S. emergency alert systems, and a $262 million bank fraud operation that’s targeting Americans nationwide. We’ll also look at Russian hacking of U.S. engineering firms, new Windows ClickFix malware, and a Fluent Bit exploit that could threaten cloud telemetry everywhere. Let’s dive right in.
Dartmouth College Confirms Data Breach by Clop Ransomware Gang
Dartmouth College has joined the growing list of Ivy League universities targeted by the Clop ransomware and extortion group. Following attacks on Harvard and Princeton, Clop has now published exfiltrated data from Dartmouth’s alumni, employee, and student records.
The gang’s focus on alumni and donor data highlights a shift in extortion strategy — rather than just operational disruption, they’re going after endowments and high-value financial networks. These elite institutions collectively manage billions of dollars, and Clop’s goal is to weaponize stolen donor lists and email communications for fraud and social engineering.
“Universities aren’t just academic targets — they’re billion-dollar fundraising operations, and that’s what hackers are really after.” James Azar
Universities should treat donor databases as financial targets, enforce MFA across federated SSO environments, and prepare donor-specific phishing awareness campaigns. Dartmouth’s breach underscores that academic prestige doesn’t equal cybersecurity maturity — and higher ed remains soft infrastructure for organized cybercrime.
Georgia Court Filing Network Hit by Ransomware
A ransomware attack has crippled Georgia’s Superior Courts Cooperative Authority (GSCCCA), disrupting legal e-filing and document submission systems statewide. The GSCCCA handles filings for thousands of law firms, making it a single point of failure for judicial operations.
The Devman ransomware gang claimed responsibility, boasting it exfiltrated 500GB of sensitive case data and is demanding $400,000 in ransom. This incident highlights how attackers target judicial software-as-a-service (SaaS) providers, which are often run by thinly staffed IT teams operating critical systems with outdated defenses.
The outage has left lawyers unable to submit filings or respond to court orders, potentially leading to missed deadlines, malpractice exposure, and even evidence chain-of-custody risks. The GSCCCA confirmed the threat is ongoing, and restoration may take days.
For court systems, the takeaway is clear: centralization breeds fragility. SaaS platforms handling legal or public data must be treated like critical infrastructure, not convenience utilities.
Russia Disrupts U.S. National Emergency Alert Platform
In a concerning escalation, OnSolve’s CodeRED emergency alert system, used by over 2,000 local governments, was taken offline following a ransomware attack by the INC group, which has confirmed ties to Russian state operations.
The CodeRED system powers weather alerts, hazmat warnings, and active shooter notifications, often integrated with social media, SMS, and reverse-911 calls. The breach created “communication dead zones” where residents had no way of receiving alerts — a potentially life-threatening scenario.
Russia’s playbook here is clear: disrupt trust in emergency systems and expose U.S. dependency on single-vendor models. Worse, this kind of outage could be weaponized during crises — letting misinformation or fake alerts spread faster than the real ones.
Agencies relying on CodeRED should immediately implement redundant alerting systems, conduct tabletop exercises for outage scenarios, and rehearse manual emergency broadcast procedures.
FBI Reports $262 Million Lost to Bank Impersonation Fraud
The FBI released a new report revealing that $262 million has been stolen this year through bank support impersonation scams, a massive surge in phone-based social engineering attacks.
“Banks will never call you. They’ll text you, they’ll email you, they will not call you... Another tip: don’t use your debit cards online. Never ever use your debit cards online. Your debit cards are uninsured.” James Azar
The scheme works like this: criminals pose as bank representatives, convincing victims to “verify” transactions or “secure” their accounts by transferring money via Zelle, ACH, or cryptocurrency. Attackers increasingly use remote-access tools like AnyDesk and QuickSupport, and even coach victims through disabling their own bank’s fraud controls.
The FBI has logged over 5,100 complaints this year, with activity expected to spike during the holiday shopping season. Criminals are exploiting both consumer confusion and corporate payroll windows to maximize theft before clawbacks are possible.
As I said on the show: if someone calls you from the bank — hang up, and call your bank directly. No bank will ever ask you to transfer money to “secure” an account. And for everyone listening: never use debit cards online. Use credit cards or prepaid cards instead — debit transactions are uninsured, and banks can deny reimbursements on fraudulent withdrawals.
Russian Hackers Target U.S. Engineering Firm Over Ukraine Work
Arctic Wolf researchers have identified a Russian-linked cyber operation targeting a U.S. engineering firm involved in civic partnerships with Ukrainian cities. The campaign leveraged credential phishing and selective data theft to embarrass both the firm and its municipal partners.
This kind of “grievance-driven” targeting has become common — aimed not at military contractors, but at any organization showing public support for Ukraine or Taiwan. Attacks like these often culminate in hack-and-leak campaigns designed to influence local elections or public perception.
Companies with international civic or nonprofit engagements should integrate geo-risk conditional access, monitor mailbox search anomalies, and restrict external sharing domains within collaboration suites.
ClickFix Malware Masquerades as Windows Update
A dangerous new malware campaign dubbed ClickFix is using fake Windows update screens to trick users into executing payloads. When victims click to “update,” the malware executes a PowerShell script that installs remote access tools or data stealers.
Attackers are leveraging realistic system overlays, complete with Microsoft branding and progress bars. This level of sophistication targets managed corporate endpoints, bypassing casual detection.
Organizations should block unsigned installers, enforce non-admin privileges, and ensure PowerShell and WScript logging are active. Quick awareness training for helpdesk impersonation and update scams can go a long way toward mitigating this threat.
Fluent Bit Vulnerability Exposes Cloud Environments
Researchers uncovered a set of critical vulnerabilities in Fluent Bit, a popular cloud logging and observability tool, that allow memory corruption, authentication bypass, and even cross-tenant data exposure in certain deployments.
If exploited, attackers could poison telemetry, pivot laterally within Kubernetes clusters, or exfiltrate sensitive data from other tenants. The risk lies in shared observability infrastructure that’s often assumed secure.
Admins should upgrade to patched versions immediately, isolate collectors, and remove unnecessary plugins. Fluent Bit processes should always run as non-root users with minimal capabilities.
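The hardening described above, as an added Kubernetes example (not from the show or the Fluent Bit project): a collector Deployment that runs as non-root with every capability dropped, a read-only root filesystem and no service-account token, plus a NetworkPolicy that isolates it so only labelled agent pods can reach its forward port. The namespace, image tag, UID, port and labels are assumed placeholders; the manifest assumes a collector that receives from agents over the network rather than tailing root-owned host log files.

```yaml
# Added example, not the show's or the Fluent Bit project's own manifest; image tag,
# namespace, UID, port and labels are assumed placeholders.
apiVersion: apps/v1
kind: Deployment
metadata: {name: fluent-bit-collector, namespace: logging}
spec:
  replicas: 2
  selector:
    matchLabels: {app: fluent-bit-collector}
  template:
    metadata:
      labels: {app: fluent-bit-collector}
    spec:
      automountServiceAccountToken: false  # no API token unless a plugin needs one
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532                   # assumed non-root UID
        seccompProfile: {type: RuntimeDefault}
      containers:
        - name: fluent-bit
          image: fluent/fluent-bit:PATCHED_VERSION  # placeholder: use the fixed release
          ports:
            - {name: forward, containerPort: 24224}
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: {drop: ["ALL"]}  # binding port 24224 needs none
          volumeMounts:
            - {name: config, mountPath: /fluent-bit/etc, readOnly: true}  # ConfigMap supplies fluent-bit.conf and parsers.conf
            - {name: tmp, mountPath: /tmp}  # writable scratch for buffering
      volumes:
        - name: config
          configMap: {name: fluent-bit-collector-config}
        - name: tmp
          emptyDir: {}
---
# Isolate the collector: only agent pods in the same namespace may reach it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: fluent-bit-collector-ingress, namespace: logging}
spec:
  podSelector:
    matchLabels: {app: fluent-bit-collector}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {matchLabels: {role: log-agent}}
      ports:
        - {protocol: TCP, port: 24224}
```

Keep the ConfigMap limited to the inputs and outputs actually in use, which is how "remove unnecessary plugins" is enforced in practice; a collector that must read root-owned host paths needs a separate, narrowly scoped mount rather than a return to running as root.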
Spyware Attacks on Messaging Apps Increasing
CISA issued a new advisory warning of commercial spyware campaigns leveraging messaging app lures — including Signal, WhatsApp, and regional chat apps like TukTuk. These attacks often use zero-click or one-click exploits to install surveillance tools on mobile devices.
Threat actors are primarily nation-state groups targeting journalists, diplomats, and executives, though spillover risk remains for enterprises. Security teams should emphasize mobile security hygiene, enforce mobile threat defense (MTD), and ban side-loaded APKs on company-managed devices.
Russian Cybersecurity Founder Arrested for “Treason”
Russian authorities have detained Timur Kalin, a young cybersecurity founder accused of treason for criticizing a Kremlin-backed messaging app called Max. Kalin reportedly exposed vulnerabilities in the app and accused developers of using foreign software libraries that could leak Russian data — which, in true Kremlin fashion, landed him in prison.
“In Russia, that means that if we don’t like the way you do this, we’re going to send you to jail. So there’s that. Good luck to Timur, and hopefully you’re acquitted, although I’m not crossing my fingers for that one because we know how the Russian legal system works.” James Azar
His arrest sends a chilling message to researchers in Russia: even responsible disclosure can be treated as espionage. It’s another example of how authoritarian control and cybersecurity paranoia intertwine in Moscow’s digital doctrine.
Action List
🎓 Universities: Secure donor networks and audit alumni databases for phishing exposure.
⚖️ Courts and Law Firms: Treat legal SaaS as critical infrastructure; mandate data isolation.
🚨 Emergency Agencies: Build redundancy for CodeRED or single-vendor alert systems.
💳 Consumers: Avoid debit cards online; verify bank calls independently.
🧠 Corporations: Restrict PowerShell, monitor WScript execution, and patch Fluent Bit.
🌍 Global Firms: Enforce geo-risk access controls for international partnerships.
📱 Mobile Users: Enable mobile threat defense; disable third-party installs.
James Azar’s CISO’s Take
Today’s show highlights the evolution of cyber risk — from ransomware to reputational warfare. Threat actors aren’t just chasing ransom anymore; they’re weaponizing trust, exploiting the dependencies between technology, governance, and perception. Whether it’s Ivy League endowments, emergency systems, or civic partnerships, the pattern is the same: if it carries influence or visibility, it’s a target.
My biggest takeaway? The line between cybercrime and nation-state operations is blurring fast. From Russian hackers taking aim at U.S. infrastructure to fraudsters stealing hundreds of millions through call scams, the battlefield has moved beyond firewalls. The next phase of cybersecurity isn’t about tools — it’s about resilience, awareness, and trust discipline.
Enjoy the turkey, enjoy the family time, and as always — stay cyber safe.