CISO Talk by James Azar
CyberHub Podcast
DoorDash Data Theft, Pennsylvania AG Breach, Microsoft Azure Hit with Record 15.72 Tbps DDoS, and Chrome Zero-Day Under Active Exploit

From Consumer Data Breaches to State Government Ransomware: APT42 Targets Defense Sector While IBM Drops Perfect 10 CVSS and Botnet Armies Scale DDoS to Unprecedented Levels

Good Morning Security Gang!

I’ll be back in the studio tomorrow. We’ve got a packed show today. It’s a fast sprint through some real-world hits and must-patches.

“If you’re tired, so am I. But guess what? Traveling, no real – and where I’m at, like, it’s Dunkin or Starbucks. So with that being said, no double espresso this morning.” Traveling CISO with an Espresso Addiction

DoorDash: personal info stolen (no passwords or full card data).
DoorDash confirmed a data breach exposing customer details like names, emails, phone numbers, and the last four digits of payment cards. While full payment data wasn’t taken, this is perfect fuel for targeted phishing and account-recovery abuse. I called out the downstream risk to any business accounts that reuse emails across consumer services—expect credential-stuffing, social engineering around refunds, and OTP fatigue plays.

Princeton University: donor & alumni database exposure.
Princeton disclosed a breach affecting donor/alumni records. The combination of contact info + relationship context makes these lists potent for high-credibility fundraising and invoice lures. If your organization runs advancement or operates in the nonprofit/education ecosystem, assume tailored emails that reference real events and prior gifts will start landing.

Pennsylvania Attorney General’s Office: SSNs and some medical info compromised.
The AG’s Office confirmed theft of names, Social Security numbers, and limited medical information after an August ransomware incident. Even without ransom payment, the long tail—credit monitoring, legal notifications, and restoring justice workflows—drives cost and public scrutiny. I stressed hardening remote access, rotating justice/case-system creds, and validating backups for legal-ops continuity.

Eurofiber France: ticketing-system breach; attacker claims VPN configs & certs.
Eurofiber France warned customers after its support/ticket system was compromised. A threat actor advertised screenshots, possible VPN configurations, device certificates, and credentials tied to thousands of client organizations. Even as validation continues, the prudent move is to act as if attachments and configuration files are exposed and rotate anything referenced there.

Iran-nexus targeting of defense & government with long-con social engineering.
Researchers detail a sustained APT campaign using conference invites, WhatsApp outreach, and decoy docs to harvest credentials and deploy modular PowerShell backdoors that can talk over Telegram/Discord. The theme is patience and proximity—work the persona, then land the access. I covered concrete blocks on consumer C2 channels and instrumentation for script-based recon.

Microsoft: Aisuru botnet blasted Azure with ~15.7 Tbps using ~500,000 IPs.
Aisuru (a Turbo-Mirai variant) delivered a record volumetric attack against Azure public endpoints. Home routers/IoT and even abused router update channels are part of the herd. If your SaaS or APIs sit behind cloud scrubbing, assume the next wave will test your DNS, failover, and provider-tier assumptions at the worst possible time.

IBM AIX: multiple critical vulnerabilities (one rated CVSS 10).
IBM shipped fixes for several critical issues affecting AIX. Legacy UNIX still underpins crown-jewel workloads in many enterprises—these vulns are lateral-movement accelerants if segmentation and maintenance windows lag. Treat this like a platform risk, not “just another patch.”

Chrome: V8 type-confusion 0-day under active exploitation.
Google pushed Stable updates to close a high-severity V8 type-confusion bug that attackers are already using in the wild. Drive-by exploitation against exec and developer browsers is the likely path—MDM enforcement and Site Isolation make the difference between a blocked render crash and a beachhead.

RondoDox botnet now exploiting XWiki RCE (CVE-2025-24893).
Operators are abusing a Groovy-injection flaw in XWiki’s SolrSearch to drop webshells and miners. Older versions are particularly exposed. This one is noisy in logs if you look for it; the danger is how quickly compromised wikis get repurposed as footholds and C2 relays.

CISA workforce strategy: rebuilding technical ranks, ICS & state coordination focus.
CISA outlined hiring and talent initiatives to close key skill gaps, expand incident-assist capacity, and deepen state/critical-infrastructure coordination. For practitioners, expect more structured touchpoints, faster advisory cadence, and additional services you can tap—if you’re ready with the right information.

Action List

  • Targeted phishing & ATO: Notify impacted users; add rules for refund/“invoice” lures; tighten account-recovery and brute-force thresholds on any app using consumer emails.

  • Third-party ticket exposure: Assume attachments/configs may be out—rotate VPN/device certificates and any shared credentials referenced in support tickets.

  • Remote access & legal-ops continuity: Re-lock remote gateways; rotate case-system and justice-workflow creds; validate offline/immutable backups and restore SLAs.

  • Exec/VIP protection: Block Telegram/Discord egress on corp devices; enable AMSI + PowerShell transcript logging; provide execs/families with separate identities and travel devices.

  • DDoS readiness: Confirm cloud DDoS tier, warm a secondary region, lower DNS TTLs, and pre-approve UDP flood profiles with your provider.

  • AIX hardening: Patch now; segment AIX LPARs; use IPS/virtual patching where downtime is constrained; monitor East-West traffic from AIX zones.

  • Chrome 0-day: Force update via MDM; enable Site Isolation; review crash telemetry around the patch window.

  • XWiki CVE-2025-24893: Upgrade to fixed releases; hunt logs for Groovy injection strings/base64 payloads; quarantine any compromised wikis.

  • CISA engagement: Identify your regional coordinator; prep a “break-glass” bundle (asset maps, SBOMs, contacts under NDA) to accelerate assistance.
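For the XWiki item above, the log hunt can be scripted. The following is an added example (not from the show or the XWiki project): it scans a constructed access log for requests to the SolrSearch endpoint whose query parameters carry a Groovy wiki macro, and decodes any base64-looking tokens in those parameters so analysts can see the payload text at triage time. The log format, IPs and the sample request are all constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined format); it is not a real capture. The
# second line carries a URL-encoded {{groovy}} wiki macro in the SolrSearch "text" parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Nov/2025:08:01:12 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=kubernetes+upgrade HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Nov/2025:08:02:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7Dprintln%28%22ZWNobyB0ZXN0IHJ1bg%3D%3D%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 311 "-" "curl/8.4.0"
198.51.100.4 - - [19/Nov/2025:08:03:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
GROOVY_RE = re.compile(r"\{\{\s*/?groovy\b", re.IGNORECASE)  # opening or closing macro tag
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")             # base64-looking tokens

def decode_b64_blobs(text):
    """Return the printable plaintext of any base64-looking token in text."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid base64 (e.g. a plain path segment)
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            out.append(raw.decode("ascii"))
    return out

def hunt(log_text):
    """Flag SolrSearch requests whose query parameters carry a Groovy macro."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so a second layer of percent-encoding does not hide the macro.
        parts = urlsplit(unquote(unquote(m.group("url"))))
        if "SolrSearch" not in parts.path:
            continue
        values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
        if not any(GROOVY_RE.search(v) for v in values):
            continue
        # A 200 status only shows the request was served, not proof the macro executed.
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
                     "params": values,
                     "decoded_b64": [p for v in values for p in decode_b64_blobs(v)]})
    return hits
```

Point `hunt()` at your real access logs (reverse proxy or Tomcat) and treat every hit on an unpatched instance as a compromise lead, not a false positive to tune out.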

James Azar’s CISO’s Take

This episode is a reminder that our biggest failures aren’t exotic—they’re familiar. Identity, remote access, and third-party workflows keep showing up as the first domino. DoorDash and Princeton highlight how ordinary data becomes extraordinary leverage when criminals stitch context together. The Pennsylvania AG case proves “we didn’t pay” is not the same as “we didn’t pay a price.” Meanwhile, Eurofiber’s ticket breach reinforces that our vendors’ screenshots, configs, and PDFs can compromise our environments just as efficiently as our own.

Speed is the other theme. Aisuru DDoS waves evolve faster than many of our failovers; Chrome’s 0-day shows how quickly drive-bys appear; and botnets like RondoDox pivot to fresh RCEs before change windows open. The counter isn’t heroics—it’s discipline: KEV-first patching, ruthless segmentation around legacy platforms like AIX, and instrumentation on crown-jewel apps so mass exports, odd admin API calls, and unexpected egress get caught in minutes, not months.

Thank you so much for tuning in today. It’s great to have you with us. And most importantly, y’all stay cyber safe!
