Good Morning Security Gang!
Today I'm covering a lot, including the SEC and SolarWinds reaching a much-needed settlement (I'll get into the details), plus the Brazilian insider threat and just what it took to pull off a $140 million heist; that answer will surprise you. We'll also discuss catalog updates and much more. From a Chinese national arrested in Italy linked to Silk Typhoon to active CitrixBleed 2 exploits in the wild, I'm delivering the essential cybersecurity intelligence you need to protect your organizations this Tuesday morning.
SolarWinds and SEC Reach Settlement After Years of Legal Battle
The SEC and SolarWinds have reached a settlement after years of legal battles stemming from the December 2020 breach. The SEC took what I considered an outrageous position by suing CISO Tim Brown and the company for allegedly misleading investors. I did a whole episode on this lawsuit because it was so outrageous: the SEC was digging through Slack messages where engineers complained about security issues, without understanding that those engineers and analysts have no view of organizational decision-making or risk appetite, which is set by the board of directors, not the CISO.
"Tim Brown is a dear friend, and the toll this has taken on him is unbelievable, so seeing this reach settlement is great news... SolarWinds was a victim of a crime by nation-state threat actors - they had a mature security program with a qualified CISO who's still in position five years later, which tells you everything you need to know." - James Azar, on the SolarWinds SEC settlement
The proposed settlement must be reviewed by the full commission, which has shifted from Democratic to Republican control under President Trump; the Republican commissioners had objected to the original action. The lawsuit centered on allegations that SolarWinds misrepresented its cyber posture between 2018 and 2020, though most claims were dismissed except for allegedly misleading security statements made before the December 2020 disclosure.
Brazilian Employee Sold Bank Credentials for $2,770 in $140M Heist
Yesterday we discussed the Brazilian banking heist, and now we know the shocking details. The attacker stole nearly $140 million from six Brazilian banks using employee credentials from CNM, sold by employee João Nazareno Roque for roughly $920. I joked yesterday that I didn't think he understood what he was doing - this young man made just $2,770 total while attackers made $140 million, an unbelievable ROI.
Roque executed commands in CNM systems as instructed by attackers through the Notion collaboration platform, receiving another $1,850 for this work. He tried concealing his activity by changing mobile phones every fifteen days but was arrested July 3rd in São Paulo. The threat actors approached him when he was leaving a bar - the human insider threat in action.
"This highlights how you can have mature systems, defense in depth, and proper controls, but for $2,770, a key IT person leaving a bar can be lured into betraying his job... I joked yesterday that I didn't think he understood what he was doing - this young man made just $2,770 total while attackers made $140 million." - James Azar, on the Brazilian insider threat incident
Blockchain investigator ZachXBT reports attackers have already converted $30-40 million to crypto through various exchanges and Latin American over-the-counter markets.
Russian Drone Firmware System Disrupted by Cyber Attack
Russian developers behind custom firmware used to convert consumer drones for military use in Ukraine reported a cyber attack disrupting their software distribution system. The "Russian Hackers to the Front" Telegram channel reported that unidentified attackers breached servers responsible for delivering the "1001 firmware," displaying false messages on operator terminals and disabling the system.
Russia buys commercial drones, flashes them with new software through backdoors, then uses them as suicide drones against Ukraine. The developers claim over 200,000 drones have been updated with this firmware as of March, which removes manufacturer flight limits, adds GPS spoofing resistance, and enables high-capacity batteries for military missions.
Qantas Confirms Extortion Following 6 Million Customer Data Breach
Qantas confirmed it is being extorted by threat actors following the cyber attack that potentially exposed 6 million customers' data. The cybercriminals have made contact, and Qantas is working to validate that the contact is genuine. Since this is a criminal matter, the Australian Federal Police is engaged and the airline won't comment further.
We knew this was a ransomware attack, possibly linked to Scattered Spider who are targeting aviation. I think going after airlines might be where they overstepped the line - they could get away with retail for a while, but airlines put a target on your back because all federal agencies want to get you.
Nova Scotia Power Breach Affects 280,000 with Real Financial Impact
Nova Scotia Power, which we discussed extensively on the show, is notifying 280,000 people of their data breach that impacted billing systems (not OT-related). We covered a local story of a couple who had $30,000 stolen from their bank account immediately after the breach when their banking information was compromised.
The stolen information included social insurance numbers, bank account details, power consumption data, service requests, customer payments, billing and credit history, and customer correspondence - they essentially infiltrated the entire billing system. Nova Scotia Power manages $5 billion worth of power generation, transmission, and distribution, so this affects 280,000 victims with at least one couple losing $30,000.
CitrixBleed 2 Live Exploits Released
Security researchers released a live exploit for CitrixBleed 2, the recently patched Citrix NetScaler vulnerability. CVE-2025-57777 has a CVSS score of 9.3 due to insufficient input validation leading to out-of-bounds memory reads. About a week after the patch was released, ReliaQuest reported seeing evidence of active exploitation in the wild, and now we know there are public exploits available. If you haven't patched your Citrix NetScaler instances, you want to do that right now.
Chinese National Arrested in Italy Linked to Silk Typhoon
A Chinese national flying to vacation in Milan, Italy was arrested last week, allegedly linked to Silk Typhoon, the Chinese state-sponsored hacking group. The 30-year-old man, Zhu Ziwei, was arrested at Milan's Malpensa Airport on July 3rd after arriving from China, based on an international warrant from the U.S. government. He's accused of being linked to Silk Typhoon, responsible for wide-ranging cyber espionage attacks against the U.S. and other countries. Italian media reports link him to 2020 Silk Typhoon attacks on infectious disease researchers and healthcare organizations trying to steal anti-COVID vaccine data. He'll likely face extradition to the U.S., and China will probably put up a fight.
CISA Adds Four Old Vulnerabilities to KEV Catalog
CISA added four security flaws to its KEV catalog citing evidence of active exploitation, including some old ones. CVE-2014-39131 has a CVSS score of 9.8 - a buffer overflow vulnerability in Multi-Router Looking Glass allowing remote attackers to cause arbitrary memory writes and corruption. CVE-2021-40438 (CVSS 9.0) is an HTTP Request Smuggling vulnerability in Apache HTTP Server. CVE-2019-96221 is a server-side request forgery vulnerability in Zimbra Collaboration Suite that could result in unauthorized access to internal resources. All have been added to the CISA catalog and need immediate patching.
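The KEV catalog is published as a JSON feed, and the practical task behind "need immediate patching" is cross-referencing that feed against what you actually run and tracking the remediation due dates. The following is an added example, not code from the show notes or from CISA: it parses a constructed sample in the shape of CISA's known_exploited_vulnerabilities.json feed (the field names are the ones CISA publishes; the entries, dates and descriptions are illustrative, and the CVE identifiers are the ones given above), matches the entries against a constructed asset inventory, and reports which hosts need action and whether the due date has already passed. The placeholder CVE-2023-00001 in the inventory stands in for any scanner finding that is not in KEV.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's known_exploited_vulnerabilities.json feed.
# Field names follow the published feed; entries, dates and descriptions are
# illustrative, and the CVE identifiers are the ones quoted in the show notes.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2025-07-08T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2014-39131",
            "vendorProject": "Multi-Router Looking Glass",
            "product": "MRLG",
            "vulnerabilityName": "MRLG buffer overflow (sample entry)",
            "dateAdded": "2025-07-07",
            "shortDescription": "Buffer overflow allowing arbitrary memory writes.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
            "dueDate": "2025-07-28",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2021-40438",
            "vendorProject": "Apache",
            "product": "HTTP Server",
            "vulnerabilityName": "Apache HTTP Server request smuggling (sample entry)",
            "dateAdded": "2025-07-07",
            "shortDescription": "HTTP request smuggling in Apache HTTP Server.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-07-28",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            # Constructed with an earlier due date so the overdue path is exercised.
            "cveID": "CVE-2019-96221",
            "vendorProject": "Zimbra",
            "product": "Collaboration Suite",
            "vulnerabilityName": "Zimbra SSRF (sample entry)",
            "dateAdded": "2025-05-25",
            "shortDescription": "Server-side request forgery reaching internal resources.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2025-06-15",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory: host name -> CVE IDs a scanner reported on it.
# CVE-2023-00001 is a placeholder for a finding that is not in KEV.
SAMPLE_INVENTORY = {
    "web-proxy-01": ["CVE-2021-40438", "CVE-2023-00001"],
    "mail-01": ["cve-2019-96221"],          # lower case on purpose: IDs get normalised
    "lab-router": ["CVE-2014-39131"],
}


def load_kev(feed_text):
    """Index the feed's vulnerabilities by upper-cased, stripped CVE ID."""
    feed = json.loads(feed_text)
    return {v["cveID"].strip().upper(): v for v in feed["vulnerabilities"]}


def assess(inventory, kev, today):
    """One finding per (host, CVE) present in KEV, most urgent first.

    `today` may be a date or an ISO string; days_left < 0 means CISA's due date
    has already passed for that finding.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.strip().upper())
            if entry is None:
                continue  # not a known-exploited vuln; handled by normal patch cadence
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": host,
                "cve": entry["cveID"],
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_FEED), "2025-07-08"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f'{f["host"]:14} {f["cve"]:16} {f["product"]:36} due {f["due"]} ({status})')
```

Against the live feed you would replace SAMPLE_KEV_FEED with the downloaded JSON and SAMPLE_INVENTORY with your scanner export; the matching logic is unchanged. Sorting by days_left puts already-overdue items at the top, which is the order a remediation ticket queue should follow.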
James Azar's CISO Take
My analysis today centers on two critical themes that every CISO must grapple with: the ongoing criminalization of cybersecurity leadership and the devastating reality of insider threats. The SolarWinds settlement represents a dangerous precedent where government agencies are going after the victims of nation-state attacks rather than the actual perpetrators - the Russians and Chinese behind these breaches.
Tim Brown is an excellent, respected CISO who has remained in his position for five years post-breach, which tells you everything about his competence and the organization's confidence in him. The SEC's position was outrageous from the start, digging through internal Slack messages and not understanding that engineers and analysts don't comprehend organizational risk appetite or decision-making processes. Instead of chasing companies that are victims of crimes, they should be going after the threat actors themselves.
The Brazilian banking incident perfectly illustrates the most terrifying aspect of our profession: the human element remains our greatest vulnerability regardless of how sophisticated our technical controls become. You can have the most mature security program, defense in depth, proper controls, and all the right technologies in place, but for $2,770, a key IT person approached outside a bar can compromise $140 million worth of assets. This young man probably had no idea what he was unleashing when he sold his credentials for less than three thousand dollars while enabling attackers to steal $140 million. The mathematical impossibility of our job becomes clear: they only have to be right once, while we have to be right 100% of the time.
Between government agencies criminalizing security leadership and insider threats that can't be fully mitigated through technology alone, it's a reminder that cybersecurity is ultimately about managing human risk in an increasingly complex threat landscape.
Action Items for Security Teams
CitrixBleed 2 emergency patching: Immediately patch all Citrix NetScaler systems against CVE-2025-57777 - active exploits now available
CISA KEV vulnerabilities: Patch CVE-2014-39131, CVE-2021-40438, and CVE-2019-96221 immediately due to active exploitation
Insider threat controls: Review and strengthen insider threat detection programs, especially for employees with privileged access
Brazilian banking monitoring: Monitor for Brazilian threat actor TTPs and cryptocurrency conversion patterns identified by ZachXBT
Scattered Spider aviation alerts: Enhance monitoring if operating in aviation/transportation sectors - federal agencies actively pursuing
Social engineering awareness: Update training programs to address bar/social setting recruitment tactics
Financial system monitoring: Implement enhanced controls for employees with access to payment processing systems
Nova Scotia Power lessons: Review billing system security if operating utility or critical infrastructure services
Zero trust insider controls: Strengthen privileged access management and behavioral monitoring systems
✅ Story Links:
https://www.bankinfosecurity.com/blogs/sec-solarwinds-agreed-to-settle-cyberfraud-lawsuit-p-3907
https://therecord.media/cyberattack-russia-firmware-blow-hackers
https://therecord.media/thousands-impacted-cyber-nova-scotia
https://www.securityweek.com/exploits-technical-details-released-for-citrixbleed2-vulnerability/
https://thehackernews.com/2025/07/cisa-adds-four-critical-vulnerabilities.html