CISO Talk by James Azar
CyberHub Podcast
European Space Agency Breach Confirmed, US Cybersecurity Experts Plead Guilty to Black Cat Aid, and Trust Wallet Heist Climbs to $8.5M

ESA Validates Intrusion After 200GB Data Sale While Former Signia and Digital Mint Employees Face 20 Years for Black Cat Ransomware Conspiracy & Trump Administration Removes Intellexa Spyware Sanction

Good Morning Security Gang

This is it — the last episode of 2025. Wow. What a year. And what a wild ride it’s been for all of us in cybersecurity.

Today, we’re closing out the year with a massive lineup: The European Space Agency confirms a breach after hackers offer 200GB of data for sale, two U.S. cybersecurity pros plead guilty to helping BlackCat ransomware, the Shai Hulud supply chain attack drains $8.5 million from Trust Wallet, Azure suffers a global DNS meltdown, the U.S. Treasury reverses spyware sanctions on Intellexa, IBM issues a critical API Connect patch, and Disney pays $10 million for violating COPPA. We’ll wrap with the year’s biggest cybersecurity acquisitions — over $400 billion in deals that are reshaping the industry.

So, coffee cup cheers, y’all — I’ve got a double Lavazza espresso this morning, and the crema is perfect. Let’s dive in.

European Space Agency Confirms Data Breach After 200GB Hack

The European Space Agency (ESA) confirmed a breach after an attacker named “888” claimed to have stolen 200GB of contractor, partner, and staff data, now being sold on Breach Forums.

ESA says mission systems remain secure thanks to network segmentation, but stolen personal data could enable spear-phishing, vendor impersonation, and follow-on supplier access across its ecosystem.

I didn’t mince words on the show:

“Europe has spent years regulating cyber into a compliance game while ignoring the operational threat. Now the bleeding’s real — and they’re almost out of bandages.”

The agency is conducting forensic investigations and has notified all stakeholders.

Two U.S. Cybersecurity Experts Plead Guilty to Aiding BlackCat

In one of the most disturbing insider stories of the year, two U.S. security professionals — Ryan Clifford Goldberg (33, Georgia) and Kevin Tyler Martin (28, Texas) — pleaded guilty to conspiring with BlackCat/ALPHV in ransomware campaigns.

Goldberg, a former incident response manager at Signia, and Martin, a Digital Mint ransomware negotiator, used their access and training to breach multiple U.S. firms, including a Maryland pharma company, a California engineering firm, and a Tampa medical device manufacturer.

The pair demanded ransoms between $300,000 and $10 million, earning $1.27 million from a single payment. Both face up to 20 years in federal prison.

As I said: "These guys were on the good side at one point. They were on our side... there's no amount of money in the world that can bring back your freedom... One's 33, one's 28. By the time they get out of prison, they're going to be in their late 40s, early 50s. Life's passed them by... You got to work hard. You got to do it the hard way. That's just life. There's no shortcut to success."

Shai Hulud Supply Chain Attack Powers $8.5 Million Trust Wallet Heist

The Trust Wallet Chrome extension hack, now linked to the Shai Hulud supply chain campaign, has stolen $8.5 million across more than 2,000 crypto wallets.

Researchers found attackers tampered with dependencies inside the Shai Hulud 2.0 module, enabling malicious signing prompts and seed phrase exfiltration.

Developers need to treat this as a wake-up call:

  • Pin dependencies and mirror package registries privately.

  • Require signed builds and CI reputation checks.

  • Rotate dev tokens and wallet credentials immediately.

Users should revoke stale token approvals and store keys offline.
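The first bullet above, pinning dependencies, is easy to state and easy to get wrong. The script below is an added example written for this post (it is not code from the podcast, Trust Wallet or any Shai Hulud analysis). It audits a package.json for specifiers that are not exact versions, explains why each one can drift to a different release at install time, and checks that a lockfile is present so the transitive tree is frozen too. The package.json and package names are constructed placeholders, and the lockfile names are the standard ones for npm, yarn and pnpm.

```javascript
// Added example for the "pin dependencies" advice; not code from the podcast or
// from Trust Wallet. Package names and the sample package.json are constructed.

// An exact npm version: MAJOR.MINOR.PATCH with optional prerelease/build tags.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Lockfiles that freeze the full dependency tree so installs are reproducible.
const LOCKFILES = ["package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"];

function isPinned(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Explain why a specifier is not pinned (order matters: tags, then URLs, then ranges).
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s === "" || s === "*" || /^[a-z-]+$/i.test(s)) {
    return "dist-tag or wildcard resolves to whatever is published at install time";
  }
  if (/^(git\+|github:|https?:|file:)/i.test(s)) {
    return "URL, git or file source bypasses registry integrity checks";
  }
  if (/^[\^~]/.test(s) || /[<>=x*|]/i.test(s) || /\s-\s/.test(s)) {
    return "semver range can resolve to a newer, possibly compromised release";
  }
  return "non-exact specifier";
}

// Walk every dependency field and report specifiers that are not exact.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) {
        findings.push({ field, name, spec, reason: classifySpecifier(spec) });
      }
    }
  }
  return findings;
}

// A pinned package.json without a lockfile still lets transitive dependencies float.
function hasLockfile(fileNames) {
  return fileNames.some((f) => LOCKFILES.includes(f));
}

// Constructed sample: a mix of pinned and floating specifiers.
const SAMPLE_PACKAGE_JSON = {
  name: "example-wallet-extension",
  dependencies: {
    "example-crypto-utils": "^2.4.1",
    "example-ui-kit": "latest",
    "example-internal-lib": "git+https://example.invalid/internal-lib.git",
    "example-bip39-helper": "3.1.4",
  },
  devDependencies: {
    "example-bundler": "~5.0.0",
    "example-linter": "8.2.0",
  },
};

// Constructed repository listing with no lockfile committed.
const SAMPLE_REPO_FILES = ["package.json", "src/index.js", "README.md"];

// Returns the findings plus an overall pass/fail a CI step could gate on.
function runAudit(pkg = SAMPLE_PACKAGE_JSON, files = SAMPLE_REPO_FILES) {
  const findings = auditDependencies(pkg);
  const lockfilePresent = hasLockfile(files);
  return { findings, lockfilePresent, ok: findings.length === 0 && lockfilePresent };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = runAudit();
  for (const f of result.findings) {
    console.log(`${f.field}/${f.name} "${f.spec}": ${f.reason}`);
  }
  if (!result.lockfilePresent) console.log("no lockfile found: transitive dependencies are not frozen");
  console.log(result.ok ? "audit passed" : "audit failed");
}
```

Run it in CI before the install step and fail the build on `ok === false`; pair it with `npm ci` (which refuses to run without a lockfile) and a private registry mirror so a compromised upstream publish cannot reach the build without a reviewed lockfile change.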

As I noted: “The supply chain isn’t theoretical anymore — it’s the modern attacker’s playground, and every engineer is part of the security team now.”

Microsoft Azure Global Outage Caused by DNS Meltdown

Azure suffered a global DNS outage, impacting compute, SaaS, and telecom services across Europe and the Middle East — even causing temporary blackouts for Israeli telecoms Partner and HOT.

The downtime lasted roughly two and a half hours, with recovery slowed by cascading DNS resolution loops.

I said it bluntly: “DNS is the Achilles’ heel of the cloud, and now AI workloads are adding weight to an infrastructure already at its breaking point.”

The outage highlights the fragility of centralized DNS and the need for geo-distributed fallback resolvers and AI-aware load management.

U.S. Treasury Removes Spyware Vendor Intellexa from Sanctions List

The Trump administration’s Treasury Department has officially removed Intellexa and two executives from the sanctions list, reversing a 2024 decision made under President Biden.

Intellexa, creator of the Predator spyware platform, was previously sanctioned alongside individuals tied to surveillance operations in Congo, Angola, and Madagascar.

Critics argue the removal signals renewed acceptance of offensive cyber tools for state use, while defenders — myself included — see it as a pragmatic realignment.

“Spyware saves lives when used responsibly. The problem isn’t the tech — it’s who holds the leash.”

IBM Patches Critical API Connect Authentication Bypass (CVE-2025-13915)

IBM has issued a fix for a 9.8 CVSS authentication bypass flaw in API Connect and DataPower, allowing attackers to gain tenant-level admin access.

Admins should:

  • Patch immediately to the latest versions.

  • Remove public admin interfaces.

  • Rotate API tokens and monitor for new admin accounts.

Threat actors are already advertising exploit code, so this one’s not optional — patch before New Year’s champagne pops.

AI-Enhanced Cryptors Evade Detection

New AI-assisted polymorphic cryptors are hitting the dark web, mutating payloads in real-time to evade antivirus signatures and sandbox analysis.

Expect lower detection rates and heavier abuse of living-off-the-land binaries like rundll32, WScript, and PowerShell mesh injections.

Defenders should pivot to behavioral detection, macro blocking, and automated sandbox detonations to counter these new morphing threats.
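Behavioral detection means scoring what a process does and who launched it rather than matching a payload signature that a polymorphic cryptor will have changed by tomorrow. The code below is an added example written for this post, not code from the podcast or from any EDR vendor: it scores constructed process-creation events for the three LOLBins named above (rundll32, WScript, PowerShell) using rules such as a document or browser parent, an encoded or hidden PowerShell invocation, and a script loaded from a user-writable directory. The event fields, the weights and the alert threshold are illustrative assumptions.

```javascript
// Added example for the "pivot to behavioral detection" advice; not code from the
// podcast or from any EDR product. Events, weights and threshold are constructed.

// Living-off-the-land binaries the post names, plus their siblings.
const LOLBINS = new Set(["rundll32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"]);

// Document readers, mail and browser clients rarely have a reason to spawn script hosts.
const DOCUMENT_APPS = new Set([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe",
]);

const ALERT_THRESHOLD = 3; // illustrative: any single strong rule is enough to alert

function baseName(p) {
  return String(p).split(/[\\/]/).pop().toLowerCase();
}

// Score one event; each matching rule adds a weight and a human-readable reason.
function scoreEvent(ev) {
  const image = baseName(ev.image);
  const parent = baseName(ev.parent);
  const cmd = String(ev.cmdline);
  const reasons = [];
  let score = 0;
  if (!LOLBINS.has(image)) return { image, parent, score, reasons };

  if (DOCUMENT_APPS.has(parent)) {
    score += 3; reasons.push(`spawned by document/browser application ${parent}`);
  }
  if (/(^|\s)-(e|ec|enc|encodedcommand)\b/i.test(cmd)) {
    score += 3; reasons.push("encoded PowerShell command");
  }
  if (/-w(indowstyle)?\s+hidden\b/i.test(cmd)) {
    score += 2; reasons.push("hidden window requested");
  }
  if (/\\(temp|downloads|appdata)\\/i.test(cmd)) {
    score += 2; reasons.push("script or module loaded from a user-writable directory");
  }
  return { image, parent, score, reasons };
}

// Return only the events that cross the threshold, in input order.
function detectLolbinAbuse(events) {
  return events.map(scoreEvent).filter((r) => r.score >= ALERT_THRESHOLD);
}

// Constructed sample telemetry (simplified Sysmon-style process-creation fields).
const SAMPLE_EVENTS = [
  { parent: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell.exe -NoProfile Get-Process" },                    // admin at a console: benign
  { parent: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell.exe -w hidden -enc QQBBAEEA" },                   // constructed harmless base64
  { parent: "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    image: "C:\\Windows\\System32\\wscript.exe",
    cmdline: "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js" },
  { parent: "C:\\Windows\\System32\\services.exe",
    image: "C:\\Windows\\System32\\rundll32.exe",
    cmdline: "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL" }, // OS plumbing: benign
  { parent: "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    image: "C:\\Windows\\System32\\rundll32.exe",
    cmdline: "rundll32.exe C:\\Users\\alice\\Downloads\\setup.tmp,Run" },
  { parent: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    image: "C:\\Windows\\System32\\notepad.exe",
    cmdline: "notepad.exe" },                                               // not a LOLBin: ignored
];

if (typeof require !== "undefined" && require.main === module) {
  for (const a of detectLolbinAbuse(SAMPLE_EVENTS)) {
    console.log(`[score ${a.score}] ${a.parent} -> ${a.image}: ${a.reasons.join("; ")}`);
  }
}
```

The point of the weights is that none of the rules looks at the payload: a re-encrypted dropper still has to be launched by something, from somewhere, with some flags, and those three facts survive every mutation the cryptor performs. Tune the parent list and threshold against your own baseline before turning this into a blocking rule, since build agents and admin tooling legitimately spawn PowerShell from unusual parents.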

Disney Fined $10 Million for COPPA Violations

Disney agreed to a $10 million civil penalty for violating the Children’s Online Privacy Protection Act (COPPA), after it was found collecting data from child-directed apps for targeted advertising.

The FTC case underscores how compliance gaps can become brand killers — especially when kids’ data is involved.

If you operate child-facing products, review your consent workflows, and ensure data labeling and ad targeting align with COPPA requirements.

2025: The Year of Billion-Dollar Cybersecurity M&A

2025 set a record for cybersecurity acquisitions, with 420 M&A deals totaling over $400 billion. Eight deals surpassed the $1 billion mark, including:

  • Google buying Wiz for $32B.

  • Palo Alto Networks acquiring CyberArk for $25B and Chronosphere for $3.3B.

  • ServiceNow buying Armis for $7.75B.

  • Visa acquiring Armor for $1B.

  • Francisco Partners acquiring Jamf for $2.2B.

  • Proofpoint acquiring Hornet Security for $1.8B.

I wrapped it up by saying: “The cybersecurity industry has officially consolidated. 2026 won’t be about tools — it’ll be about trust.”

Action List

  • 🛰️ Segment mission and contractor systems to limit data breach fallout.

  • 🧑‍💻 Audit insider access and behavior monitoring for all privileged users.

  • 🪙 Lock dependencies and enforce CI/CD signing for dev ecosystems.

  • ☁️ Adopt multi-resolver DNS fallback for critical cloud workloads.

  • 🕵️‍♂️ Review spyware procurement ethics and vendor transparency.

  • 🔐 Patch IBM API Connect immediately and rotate tokens.

  • ⚙️ Deploy behavioral EDR tuned for LOLBin abuse.

  • 🧒 Reassess COPPA and data labeling in consumer products.

  • 💼 Track post-acquisition vendor integrations for security continuity.

James Azar’s CISO’s Take

Today’s show was the perfect send-off for 2025 — a year defined by insiders, dependencies, and decentralization gone wrong. From ESA’s breach to the Trust Wallet heist, it’s clear our biggest vulnerabilities aren’t the hackers — they’re the human and process gaps that make exploitation easy.

My biggest takeaway? 2026 is going to be the year of hard accountability. Whether it’s ransomware insiders facing prison, API zero-days going live, or billion-dollar mergers reshaping defense, we’re entering an era where every CISO’s measure is proof, not promises. The industry is maturing, and resilience — not perfection — is the goal.

Stay vigilant, touch grass, and as always — stay cyber safe.
