Good Morning Security Gang
We’ve got a stacked lineup today. From Russia’s targeting of critical infrastructure to a Chrome zero-day and even 10,000 poisoned Docker images, this episode is a full-on security workout.
Before we jump in, I’ve got my double espresso here — the crema’s a bit subdued this morning, but the flavor’s perfect.
Coffee cup cheers, y’all! Let’s get into it.
DOJ and CISA Warn of Russia Targeting U.S. Critical Infrastructure
The U.S. Department of Justice and CISA have issued a joint advisory confirming that Russia-linked threat groups are actively targeting critical infrastructure sectors — including energy, water, transportation, and healthcare — using living-off-the-land techniques and valid account exploitation.
The alert attributes the activity to Cyber Army of Russia, NoName057(16), and affiliated APTs that have been quietly probing networks since 2022. In some cases, attacks resulted in physical damage at operational sites, primarily through minimally secured vendor VPNs and VNC connections.
“What scares me the most is what the Russians learned in cyber warfare against Ukraine over the last three years, and when that gun no longer points at Ukraine and points to the rest of the world.” – James Azar
CISA’s mitigation guidance includes:
Enforce MFA on all remote access, including vendor jump hosts.
Segregate IT and OT networks.
Deploy firewalls and data diodes between control and corporate networks.
Hunt for after-hours admin activity and unauthorized new accounts.
As I said on the show: “When you work in tech or banking, getting home safe is just taken for granted. When you’re doing these blue-collar jobs, anytime, the number one concern is always safety. Are my guys going home in the same shape they came into work for? It’s a bad day when they’re not.”
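The last two items on CISA’s list (hunting after-hours admin activity and unauthorized new accounts) are easy to turn into a first-pass detection rule. The following is an added example, not from the advisory or the show: it runs over a few constructed key=value log lines, flags admin events outside an assumed 06:00–18:00 business window, and flags account creations whose target is not on an assumed change-ticket allowlist.

```python
from datetime import datetime, time

# Constructed sample logs in a simple key=value format (not from any real product).
SAMPLE_LOGS = [
    "2025-11-20T09:15:02Z host=eng-ws-03 user=ot_admin event=admin_login",
    "2025-11-20T02:14:05Z host=hmi-01 user=vendor_svc event=admin_login",
    "2025-11-20T03:02:41Z host=dc-01 user=vendor_svc event=account_created target=backup2",
    "2025-11-20T14:30:00Z host=dc-01 user=ot_admin event=account_created target=plc_tech7",
    "2025-11-20T23:58:12Z host=hmi-02 user=ot_admin event=config_read",
]

BUSINESS_HOURS = (time(6, 0), time(18, 0))   # assumed site working hours (UTC)
APPROVED_NEW_ACCOUNTS = {"plc_tech7"}         # assumed allowlist from change tickets
ADMIN_EVENTS = {"admin_login", "account_created"}


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def hunt(lines, approved=APPROVED_NEW_ACCOUNTS):
    """Return (alert_type, actor, detail) tuples for the two CISA hunt cases."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["event"] not in ADMIN_EVENTS:
            continue  # only privileged actions are in scope for this rule
        t = rec["ts"].time()
        if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
            alerts.append(("after_hours_admin", rec["user"], rec["host"]))
        if rec["event"] == "account_created" and rec.get("target") not in approved:
            alerts.append(("unauthorized_new_account", rec["user"], rec["target"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOGS):
        print(alert)
```

In production the allowlist would be fed from the change-management system and the business window adjusted per site and time zone.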
Russia’s Flagship Airline Aeroflot Breached via Tiny Vendor
Russia’s flagship carrier Aeroflot was breached through a little-known Moscow-based vendor called Bakasoft, which developed its iOS app and quality systems.
The pro-Ukrainian hacktivist group Silent Crow, alongside Belarusian Cyber Partisans, claimed responsibility, reportedly grounding over 100 flights and stranding tens of thousands of passengers.
The incident highlights how small third-party vendors remain the Achilles’ heel of major enterprises. As James put it: “You’re never stronger than your weakest supplier — and most don’t even know they’re weak.”
This is a reminder for all organizations to double down on TPRM, continuously vet software vendors, and isolate high-privilege third-party integrations.
Chrome Zero-Day Under Active Exploitation
Google has rolled out an emergency update to patch a Chrome zero-day under active exploitation — CVE-2025-14372, a use-after-free flaw in Chrome’s password manager, and CVE-2025-14373, a toolbar implementation bug.
Both vulnerabilities can allow arbitrary code execution and memory corruption. Users should immediately upgrade to Chrome version 143.0.7499.109 or later across Windows, macOS, and Linux.
Admins should deploy updates through enterprise group policy and disable legacy password caching until systems are patched.
Intel & AMD PCIe Vulnerabilities Expose Memory Paths
Newly disclosed PCI Express (PCIe) DMA flaws affecting Intel and AMD chipsets could allow attackers with physical or firmware-level access to read or modify system memory, potentially breaching hypervisors and high-value servers.
These vulnerabilities — CVE-2025-90612, CVE-2025-90613, and CVE-2025-90614 — are particularly dangerous in build labs and developer environments.
Mitigation steps include:
Enable IOMMU/VT-d/SMMU in BIOS and OS settings.
Disable Thunderbolt or external PCIe ports in secure facilities.
Enforce kernel DMA protection and approved device lists.
These flaws highlight that hardware exploitation remains a blind spot in most enterprise risk models, especially when threat actors go beyond the operating system layer.
Google Fixes Gemini Enterprise Data Leak
Google patched a Gemini Enterprise vulnerability that leaked sensitive prompt and output data between tenants. Attackers could use indirect prompt injection to exfiltrate corporate documents by instructing Gemini to collect all files containing keywords like “confidential” or “API key.”
Admins should:
Disable sending PII in prompts.
Limit model access to approved groups.
Enforce short-lived tokens and monitor bulk AI export requests.
As I said during the episode: AI governance isn’t optional anymore — it’s the new endpoint management.
Siemens, Schneider, and Rockwell Issue OT Patches
In a critical OT update wave, Siemens, Schneider Electric, Rockwell Automation, and Phoenix Contact all released patches addressing authentication bypass, RCE, and DoS vulnerabilities across PLCs, HMIs, and engineering tools.
Siemens published 14 advisories, three rated critical.
Schneider fixed flaws affecting EcoStruxure Foxboro DCS products.
Rockwell addressed DoS flaws in GuardLink EtherNet/IP interfaces.
Organizations running industrial environments must patch immediately or isolate vulnerable devices behind segmented firewalls and disable internet-facing access.
Android “DroidLock” Ransomware Locks BYOD Devices
New Android ransomware dubbed DroidLock is spreading through SMS phishing and sideloaded APKs, locking devices and demanding ransom.
Once installed, it abuses accessibility and device-admin permissions to reset PINs and biometrics, then displays a ransom screen via WebView overlays. Victims are threatened with permanent data destruction within 24 hours if they refuse to pay.
Mobile device admins should:
Disable sideloading and enforce managed app stores.
Deploy mobile threat defense (MTD).
Mandate remote wipe policies for BYOD fleets.
BYOD just became a ransomware risk vector.
10,000 Poisoned Docker Images Found Containing Secrets
Researchers found over 10,000 Docker Hub images containing hardcoded secrets, including cloud keys, database passwords, and SSH credentials, many still active and regularly pulled by CI/CD pipelines.
About 41% had five or more keys, 25% had two to five, and 32% had at least one.
To mitigate:
Ban direct pulls from public registries.
Mirror and scan images internally before use.
Rotate and vault all discovered keys.
Adopt multi-stage builds to minimize spillage.
Developers need to treat secrets like radioactive waste — isolate, rotate, and minimize exposure.
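“Mirror and scan images internally before use” is the step most teams skip, so here is an added example of what that scan looks like at the layer level (my own illustration, not code from the researchers or Docker). It walks a constructed layer tarball built in memory, matches the three credential types named above (cloud access keys, database passwords in connection strings, SSH private keys), and returns an allow/block decision for an internal mirror’s admission step. The AKIA prefix pattern is the documented AWS access-key-id shape; the other two patterns are generic markers.

```python
import io
import re
import tarfile

# Patterns for the secret classes found in the study. The AKIA+16 shape is the
# documented AWS access key id format; the others are generic markers.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "db_url_password": re.compile(rb"\b\w+://[^:/\s]+:[^@\s]+@[^\s/]+"),
}


def scan_layer(layer_bytes: bytes, max_file_size: int = 1_000_000):
    """Walk every regular file in a layer tarball; return (path, pattern_name) hits."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_size:
                continue  # skip dirs, symlinks and oversized blobs
            data = tar.extractfile(member).read()
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(data):
                    findings.append((member.name, name))
    return findings


def admission_decision(findings) -> str:
    """Mirror policy: any embedded secret blocks the image from internal use."""
    return "block" if findings else "allow"


def build_sample_layer() -> bytes:
    """Constructed layer: one clean file plus two that leak credentials (fake values)."""
    files = {
        "app/config.py": b"DEBUG = False\n",
        "app/.env": (b"AWS_ACCESS_KEY_ID=AKIAEXAMPLE012345678\n"
                     b"DATABASE_URL=postgres://svc:S3cretPass@db.internal/app\n"),
        "root/.ssh/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n"
                             b"-----END OPENSSH PRIVATE KEY-----\n"),
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Pointing `scan_layer` at each layer of a pulled image (the tarballs under an OCI layout or `docker save` output) is all that is needed to gate the mirror; a hit should trigger key rotation, not just a rebuild.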
Israel’s Cyber VC Boom Hits $4.4B in 2025
Despite ongoing regional conflict, Israeli cybersecurity startups raised $4.4 billion in funding across 130 rounds this year, a 9% increase from 2024.
Key players like Armis, Cato Networks, and Island led major rounds, with 71 seed investments totaling $680 million. U.S. venture firms led 44 of those rounds — signaling sustained confidence in Israel’s cyber innovation ecosystem.
As I put it on the podcast: “While others talk cyber, Israel builds it — even under fire.”
Russia-Linked Hacker Extradited to the U.S.
The DOJ charged 33-year-old Viktoria Dubrovnik, a technical operator for NoName057(16) and Cyber Army of Russia, with providing infrastructure and coordination support for attacks on U.S. and European water systems.
She faces up to 32 years in prison after extradition from a European ally earlier this year. This case confirms what the advisory hinted at — that Russian hacktivism is state-managed, not freelance chaos.
Action List
🇷🇺 Review OT and IT segmentation to defend against Russia-aligned persistence.
✈️ Vet all vendors — especially small suppliers — for data handling and access scope.
🌐 Patch Chrome to version 143.0.7499.109+ immediately.
⚙️ Enable IOMMU/VT-d/SMMU for PCIe protection on Intel/AMD systems.
🤖 Harden AI platforms — disable sensitive prompt access and monitor logs.
🧱 Patch OT systems from Siemens, Schneider, and Rockwell.
📱 Enforce MDM and disable APK sideloading for all Android devices.
🐳 Scan Docker registries for embedded secrets and move to internal mirrors.
James Azar’s CISO’s Take
Today’s episode was a wake-up call about resilience at every layer — from OT to AI, from hardware to supply chain. What we’re seeing from Russia’s hybrid warfare playbook is the blueprint for how nation-state tactics bleed into enterprise risk. It’s no longer about shutting down networks — it’s about embedding quietly until the switch flips.
My biggest takeaway? Visibility and control win wars. Whether it’s a Chrome zero-day or a poisoned Docker image, our defenses fail when we can’t see the full stack. The job for CISOs in 2026 isn’t just cybersecurity — it’s attack surface governance across humans, code, and machines.
That’s it for our show this morning. We’ll be back on Monday at 9 a.m. Eastern live with all the latest. Tomorrow, we’ll have our summary of all the cyber news you missed this week in one beautiful email. On Saturday, part three of “The Subscription Model Squeeze: How Subscription Models Turned the Cybersecurity Budget Into a Nightmare for CISOs and CFOs” comes out, where we get to the conclusion: how should we fix it? Check that all out Saturday morning.
Stay alert, stay caffeinated, and as always — stay cyber safe.