CISO Talk by James Azar
CyberHub Podcast
Ex-Accenture Employee Charged with Cybersecurity Fraud, Coupang Breach Traced to Former Employee, and Apple Patches 2 Zero-Days

Former Accenture Manager Charged with FedRAMP Fraud While Coupang's 33.7M Customer Breach Traced to Ex-Employee Chinese National Who Retained Access After Termination

Good Morning Security Gang

Sixteen days left in the year, and what a year it’s been. Fast, intense, and monumental. Before we wrap it all up, today’s show is packed: insider threats take center stage with Accenture and Coupang, Russia’s cyber operations get called out by Germany, Apple patches two new zero-days, MITRE releases its Top 25 weaknesses, and the Pentagon drops a massive $15B cyber budget for 2026.

It’s also the first day of Hanukkah, so to everyone celebrating — may the light keep shining bright, especially after the heartbreaking antisemitic attack in Sydney. To my friends and community there, we see you, we stand with you, and we keep lighting the candles even when the darkness tries to win.

Coffee cup cheers, y’all — let’s get into it.

Former Accenture Employee Charged with Cybersecurity Fraud

A former Accenture employee, Danielle Hilmer of Virginia, has been charged with cyber fraud and obstruction for concealing security control failures on a federal cloud platform while employed with the firm. Prosecutors allege she hid noncompliance with FedRAMP and DoD risk frameworks, tampered with audit results, and instructed others to suppress findings between March 2020 and November 2021.

The case reinforces that insider abuse is now a top-tier risk during both employment and offboarding. Organizations must tighten access verification, revoke API tokens, and require quarterly access re-attestations.

As I said on the show: “Every insider breach starts as a trust gap — and too many companies leave the door open long after the employee’s gone.”

Coupang Data Breach Traced to Ex-Employee

South Korea’s retail giant Coupang has confirmed that its massive 33.7 million–record data breach was carried out by a former employee, who retained access after leaving the company. The suspect, a 43-year-old Chinese national, allegedly stole customer IDs, phone numbers, and order metadata.

Police raids at Coupang’s Seoul HQ uncovered the compromised servers, leading to multiple arrests. While financial data wasn’t exposed, trust damage and regulatory fallout are inevitable.

This breach underscores the need for day-zero offboarding, short-lived credentials, and auto-revocation of refresh tokens. Rotate all third-party keys tied to exposed systems and enable mass-export anomaly detection to prevent large-scale data pulls.
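The two controls this paragraph calls for, catching access that survives termination and catching bulk data pulls, are shown below as detection logic run over a few constructed access-log lines. This is an added example and not code from the original post or from Coupang; the HR termination feed, the log format and the 100,000-rows-per-hour threshold are all assumptions chosen for the illustration.

```python
"""Flag post-termination access and bulk exports in a small constructed access log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR offboarding feed (hypothetical): user -> termination timestamp.
TERMINATED = {"jkim": datetime(2025, 6, 1, 18, 0)}

# Constructed access-log lines: ISO timestamp, user, action, rows touched.
ACCESS_LOG = """\
2025-05-30T10:12:00 jkim export 1200
2025-06-03T02:41:00 jkim export 850000
2025-06-03T02:55:00 jkim export 920000
2025-06-02T09:00:00 mlee export 3000
2025-06-02T11:30:00 mlee export 2500
"""


def parse(log):
    """Parse log lines into (timestamp, user, action, rows), sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, user, action, rows = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(rows)))
    return sorted(events)


def post_termination_access(events, terminated):
    """Return (user, timestamp) for every event after that user's termination."""
    return [(u, ts.isoformat()) for ts, u, _, _ in events
            if u in terminated and ts > terminated[u]]


def mass_export(events, threshold, window):
    """Return users whose exported rows exceed `threshold` within any sliding window."""
    per_user = defaultdict(list)
    for ts, u, action, rows in events:
        if action == "export":
            per_user[u].append((ts, rows))  # events are already time-ordered
    hits = set()
    for u, rows in per_user.items():
        for i, (start, _) in enumerate(rows):
            total = sum(n for ts, n in rows[i:] if ts - start <= window)
            if total > threshold:
                hits.add(u)
                break
    return hits


def analyze(log, terminated, threshold=100_000, window_hours=1):
    """Run both checks; the threshold and window are assumed values, not Coupang's."""
    events = parse(log)
    return {"post_termination": post_termination_access(events, terminated),
            "mass_export": mass_export(events, threshold, timedelta(hours=window_hours))}
```

In the sample, the terminated account is flagged twice for access after its cut-off and once for pulling 1.77 million rows inside an hour, while the active account's small exports stay below the threshold.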

Germany Summons Russian Ambassador Over Cyberattack

Germany has summoned the Russian ambassador following a wave of cyber intrusions and coordinated disinformation campaigns tied to Fancy Bear (APT28), a unit of the Russian GRU.

The campaign reportedly targeted German air traffic control and attempted to influence federal elections through social engineering and narrative warfare. Officials confirmed that Moscow’s efforts to destabilize Europe remain ongoing.

Defenders should enforce DMARC, monitor for OAuth consent abuse, and pre-approve crisis communication templates. As I put it on the podcast: “You target air traffic control, and you’re no longer a hacker — you’re an enemy combatant.”

Notepad++ Hijacking Flaw Patched

A vulnerability in Notepad++ update traffic allowed man-in-the-middle hijacking and malicious binary injection on systems where update integrity wasn’t enforced. Researcher Kevin Beaumont reported incidents of traffic redirection leading to malware delivery.

Admins should move to Notepad++ v8.8.9, enforce code-signing validation, and deploy EDR detections for installer–PowerShell chains. For developers running elevated privileges, this patch is mandatory.

Apple Fixes Two Zero-Days Under Active Exploitation

Apple has issued emergency patches for two zero-days impacting iOS, iPadOS, and macOS, both used in targeted attacks on executives and government employees.

  • CVE-2025-43529: A WebKit use-after-free RCE triggered by malicious web content.

  • CVE-2025-14174: A memory corruption flaw enabling device compromise and data theft.

Discovered jointly by Apple and Google TAG, these vulnerabilities are being actively exploited. Push updates via MDM immediately, enforce device compliance checks, and disable sideloading and debugging on enterprise iPhones.

Gladinet CentreStack Exploit Actively Used in Attacks

Threat actors are exploiting a vulnerability in Gladinet CentreStack, a file synchronization and sharing platform, allowing remote code execution and data theft.

Researchers from Huntress Labs confirmed attackers are exploiting static cryptographic key derivation, enabling credential theft and admin takeover. Organizations must patch to version 16.12.10420.56791, rotate all service keys, and remove public admin access.

CISA Warns of Windows Cloud File Mini-Filter Exploitation

CISA has added a Windows Cloud File Mini Filter vulnerability to its Known Exploited Vulnerabilities Catalog, noting its use for privilege escalation and defense evasion in ransomware operations.

The flaw enables user-to-system privilege jumps and EDR tampering. Apply Microsoft’s latest patch, monitor for filter driver modifications, and block unsigned kernel-mode code.

Hamas-Linked APT “Ashen Lepsis” Targets Governments

Palo Alto’s Unit 42 has identified a Hamas-affiliated cyber unit conducting spear phishing campaigns targeting government and defense sectors across the Middle East and North Africa.

The group uses Turkish-Moroccan diplomatic lures, remote access Trojans, and credential phishing to maintain long-term persistence. These operations align with Hamas’ military agenda, highlighting the intersection of cyber and kinetic operations in modern conflict.

MITRE Releases 2025 Top 25 Software Weaknesses

MITRE published its annual Top 25 Most Dangerous Software Weaknesses list, with Cross-Site Scripting (XSS) and SQL Injection once again topping the charts.

Key highlights:

  1. Improper input sanitization during web generation (XSS).

  2. SQL command neutralization flaws (SQLi).

  3. Cross-Site Request Forgery (CSRF).

  4. Missing authorization checks.

  5. Out-of-bounds writes and reads.

The message is clear — the same bugs keep returning, because secure development remains underfunded and code reviews lack teeth.

Pentagon Approves $15.1B Cyber Budget for 2026

The U.S. Defense Department has approved a $15.1 billion cyber funding increase, marking a 4.1% rise from 2025.

Breakdown:

  • $9.1B for core cybersecurity programs.

  • $612M for research and emerging threat modeling.

  • Zero Trust and OT resilience are top priorities, alongside offensive cyber ops capabilities.

This means the DoD’s cyber workforce hiring spree is about to begin again — and if you’ve been on the bench, now’s the time to polish your resume.


Action List

  • 🧑‍💻 Enforce immediate credential revocation for offboarded employees.

  • 🏢 Rotate all API keys and tokens post-insider or vendor exposure.

  • 🇩🇪 Apply DMARC and OAuth monitoring to mitigate disinformation abuse.

  • 💻 Update to Notepad++ v8.8.9 and verify binary signing.

  • 🍎 Deploy Apple patches enterprise-wide and disable USB debugging.

  • ☁️ Patch Gladinet CentreStack and isolate admin portals.

  • 🧱 Apply Microsoft’s latest cumulative update for privilege escalation flaws.

  • 🕵️‍♂️ Review OT and government systems for APT phishing indicators.

  • 🧠 Train developers on MITRE’s Top 25 CWE mitigation techniques.

James Azar’s CISO’s Take

Today’s show connects every dot that defines modern cybersecurity: insider risk, state-backed threats, and the continuous loop of old vulnerabilities returning with new names. Whether it’s an Accenture insider, a former Coupang engineer, or a Russian APT, the theme remains — trust is the attack vector.

My biggest takeaway? Resilience starts with control, not tools. If you can’t revoke access, validate code integrity, or patch quickly, you’re not secure — you’re lucky. As we wrap up 2025, let’s stop measuring maturity by frameworks and start measuring it by response speed. The difference between a scare and a breach is often just 15 minutes.

That’s it for our show this morning. We’ll be back tomorrow when the show airs at 9 a.m. Eastern on YouTube, LinkedIn, Facebook, X, and anywhere else you get your content. Make sure you go check it out there.

Check out cyberhubpodcast.com. Part three of “Rebuilding the Model: How Cybersecurity Can Balance Innovation, Security, and Pricing” was released on Saturday morning, with real, practical ways to help control the unpredictability of cyber billing, when you can’t actually charge a subscription, and when you shouldn’t be working off a subscription at all, at least in my humble opinion. Happy to debate you anytime, anywhere on this topic. I think it’s one we should be talking about more to help boost the collaboration between our cyber partners, CISOs, and CFOs.

Thank you all for tuning in. Have a great rest of your day.

Happy Hanukkah to everyone celebrating. See you tomorrow and stay cyber safe!
