Good Morning Security Gang
Before we get into today’s show, we hit a major milestone over the weekend — 50,000 YouTube subscribers and over 4 million views. That milestone belongs to every single one of you tuning in daily, sharing, engaging, and building this community. 100K — we’re coming for it.
Now, today’s episode is a masterclass in how attacks actually happen — not theory, not hype, but real-world entry points, real tactics, and real consequences. And if you pay attention, there’s a consistent pattern across every story:
Attackers aren’t breaking in anymore — they’re walking in through trusted systems.
We’re covering a Mazda supply chain breach, ransomware in semiconductors, a Crunchyroll data exposure via Zendesk, Iranian malware campaigns leveraging Telegram, Kubernetes wipers, MFA bypass resurgence, and critical vulnerabilities across enterprise infrastructure.
Coffee cup cheers,
"Every single story today answers one question: How did they get in? The answer isn't exotic. It's a supplier system, a Zendesk instance, a developer tool, a messaging app, a forgotten device. Attackers aren't breaking the systems, they're using them exactly as designed, just better than we are." James Azar
Mazda Breach Exposes Supply Chain Intelligence Risks
Mazda disclosed a breach tied to a warehouse operations management system connected to parts procurement in Thailand. Attackers exploited a vulnerability in that supplier system, exposing employee and partner data — not customer records, but something arguably more valuable: organizational context.
This is how modern attacks are built. Threat actors don’t just want data — they want relationships, communication paths, and operational insights. That information fuels targeted phishing, vendor impersonation, and deeper supply chain compromise.
The real risk here is supply chain intelligence gathering, enabling attackers to map how organizations operate and where to strike next.
Mitigation isn’t simple, but organizations must focus on segmentation of partner systems and strengthening business process security, even in highly interconnected environments.
Ransomware Hits Semiconductor Supply Chain
A Singapore-based semiconductor subsidiary was hit by ransomware, with attackers encrypting systems and publishing stolen data.
This is part of a broader trend: attackers targeting downstream providers rather than major chip manufacturers. You don’t need to hit Intel or NVIDIA if you can disrupt their suppliers.
The impact is significant: operational disruption, rising component costs, and cascading effects across global supply chains. The risk here is economic disruption at scale, not just isolated ransomware events. Organizations must maintain offline, tested recovery capabilities to ensure operational continuity during these disruptions.
Crunchyroll Breach via Zendesk Support System
Crunchyroll is investigating a breach involving its Zendesk support environment, with approximately 6.8 million unique email records exposed. This wasn’t a breach of the core platform, it was a breach of a support system, exposing names, emails, IP addresses, and support tickets.
And that’s exactly the kind of data attackers want.
Support systems are becoming one of the most overlooked attack surfaces. They provide rich context for phishing campaigns and enable attackers to craft highly convincing social engineering attacks.
The risk is large-scale phishing and credential harvesting using trusted brand context. Mitigation requires strict access controls and monitoring across third-party SaaS platforms, along with proactive user protection measures.
Libyan Oil Infrastructure Targeted with Persistent RAT
A Libyan oil refinery was targeted in a long-running campaign using AsyncRAT, maintaining access for months.
This wasn’t disruption; it was quiet, persistent espionage. Energy infrastructure continues to be a geopolitical target, with attackers positioning themselves for future operations.
The risk is long-term access to critical infrastructure, enabling both intelligence gathering and potential future disruption. Organizations in OT environments must deploy continuous threat hunting and monitoring across industrial systems.
Iranian Hackers Abuse Telegram for Malware Delivery
The FBI warns that Iranian hackers are impersonating trusted contacts and convincing victims to install malware disguised as legitimate apps like Telegram or WhatsApp.
Once installed, the malware uses Telegram itself for command and control and data exfiltration. This is a major shift: attackers hiding inside trusted, encrypted platforms. You’re not blocking Telegram. That’s the point.
The risk is covert command-and-control within legitimate communication channels. Mitigation requires focusing on endpoint detection and behavioral monitoring, not just network-level controls.
Handala Infrastructure Takedown — and Immediate Comeback
The FBI and DOJ seized domains linked to the Handala hacking group tied to Iranian intelligence, but the infrastructure was back online within days.
This highlights a critical reality: takedowns create friction, not elimination. Adversaries are persistent, adaptive, and well-resourced. The risk is continuous adversary presence despite disruption efforts. Organizations must design defenses assuming attackers will return because they will.
"Takedowns create friction, not elimination. The Handala group sites are back up online within a day or two. If you believe they're going to disappear, I've got a bridge in Brooklyn I'm selling right now." James Azar
Tycoon 2FA Phishing Kit Returns
The Tycoon 2FA phishing kit, responsible for 62% of phishing attempts blocked by Microsoft in 2025, was disrupted, but activity resumed almost immediately.
This toolkit bypasses MFA, not just passwords. And this reinforces a harsh truth: MFA alone is no longer enough. The risk is widespread MFA bypass through advanced phishing frameworks. Organizations must adopt phishing-resistant authentication methods like passkeys and modern identity controls.
Kubernetes Wiper Escalates Cloud Threats
A wiper campaign targeting Kubernetes clusters was identified, capable of destroying cloud workloads under specific configurations.
This marks a clear escalation from supply chain compromise to destructive cloud-native attacks. The risk is total destruction of containerized infrastructure. Organizations must enforce strict administrative controls and monitoring within Kubernetes environments.
Citrix NetScaler Vulnerabilities Enable Session Hijacking
Critical vulnerabilities in Citrix NetScaler introduce session mix-ups — effectively breaking trust between users and systems.
Edge devices remain prime targets because they sit at the intersection of identity and access. The risk is session hijacking and unauthorized access via edge infrastructure. Immediate patching of internet-facing systems is essential.
QNAP Exploits Demonstrated Live at Pwn2Own
Researchers chained multiple vulnerabilities in QNAP devices to gain root access, demonstrated live. These devices often sit quietly in environments, unmonitored and unpatched. The risk is complete compromise of storage and internal systems.
Organizations must inventory and regularly patch network-attached storage devices.
North Korean Campaign Targets Developers via VS Code
North Korean actors are abusing VS Code auto-run tasks to deploy malware.
Developers are now a primary attack vector — through fake jobs, malicious packages, and compromised tools. The risk is compromise of development environments leading to production access. Mitigation requires restricting automated execution and tightening controls within development tools.
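One concrete way to act on that mitigation, as an added example that is not from the show or the actors discussed: a defender-side check that flags VS Code tasks configured to run on folder open (`runOptions.runOn: "folderOpen"` in `.vscode/tasks.json`) and reports whether the `task.allowAutomaticTasks` user setting would let them execute. The sample files and the internal resolver of the rule ("anything other than off is permissive") are assumptions.

```python
"""Flag VS Code tasks that would run automatically when a cloned folder is opened."""
import json
import re

# Constructed sample .vscode/tasks.json (VS Code accepts // comments in it).
SAMPLE_TASKS_JSON = """{
  // constructed sample, not a real project's file
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node .vscode/setup.js",
     "runOptions": {"runOn": "folderOpen"}}
  ]
}"""

# Constructed sample user settings.json with automatic tasks disabled.
SAMPLE_SETTINGS_JSON = '{"task.allowAutomaticTasks": "off"}'


def _load_jsonc(text: str) -> dict:
    """Parse JSON after dropping whole-line // comments."""
    stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return json.loads(stripped)


def find_auto_run_tasks(tasks_json: str) -> list:
    """Return labels of tasks that VS Code would start on folder open."""
    doc = _load_jsonc(tasks_json)
    flagged = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            flagged.append(task.get("label", "<unlabelled>"))
    return flagged


def automatic_tasks_allowed(settings_json: str) -> bool:
    """True unless task.allowAutomaticTasks is "off" (assumption: other values are permissive)."""
    doc = _load_jsonc(settings_json)
    return doc.get("task.allowAutomaticTasks") != "off"


def assess(tasks_json: str, settings_json: str) -> dict:
    """Combine both checks into one verdict for a freshly cloned repository."""
    tasks = find_auto_run_tasks(tasks_json)
    allowed = automatic_tasks_allowed(settings_json)
    return {"auto_run_tasks": tasks, "automatic_tasks_allowed": allowed,
            "would_execute_on_open": bool(tasks) and allowed}


if __name__ == "__main__":
    print(assess(SAMPLE_TASKS_JSON, SAMPLE_SETTINGS_JSON))
```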
NIST Updates DNS Security Guidance
NIST updated its DNS guidance, emphasizing protective DNS and warning that encrypted DNS (DoH/DoT) can bypass enterprise controls.
DNS is no longer passive; it’s now a critical security control layer. The risk is phishing, covert communications, and bypassed controls through DNS abuse. Organizations must implement centralized DNS monitoring and policy enforcement.
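As an added example (not from NIST's guidance or the show), here is the kind of policy check centralized DNS monitoring rests on: it runs over constructed connection records and flags plain DNS sent anywhere but the sanctioned internal resolver, DNS-over-TLS (TCP 853), and HTTPS to well-known public DNS-over-HTTPS hosts. The log format, the resolver address and the sample records are assumptions.

```python
"""Flag DNS traffic that bypasses the enterprise resolver (plain DNS, DoT, DoH)."""
from typing import List, Optional, Tuple

CORPORATE_RESOLVER = "10.0.0.53"  # assumption: the only sanctioned resolver
# Public DoH services as they would appear as SNI/hostnames in a proxy log.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed records: src_ip dst_ip dst_host(or "-") dst_port proto
SAMPLE_LOG = """\
10.1.4.20 10.0.0.53 - 53 udp
10.1.4.20 8.8.8.8 - 53 udp
10.1.4.21 1.1.1.1 - 853 tcp
10.1.4.22 8.8.4.4 dns.google 443 tcp
10.1.4.23 203.0.113.10 example.com 443 tcp
"""


def classify(record: str) -> Optional[str]:
    """Return a bypass category for one record, or None if it is policy-compliant."""
    src, dst_ip, dst_host, port, proto = record.split()
    port_num = int(port)
    if port_num == 53 and dst_ip != CORPORATE_RESOLVER:
        return "plain-dns-bypass"      # resolver other than the corporate one
    if port_num == 853 and proto == "tcp":
        return "dot"                   # DNS-over-TLS sidesteps the resolver entirely
    if port_num == 443 and dst_host in KNOWN_DOH_HOSTS:
        return "doh"                   # DNS-over-HTTPS blends into normal web traffic
    return None


def find_dns_bypass(log: str) -> List[Tuple[str, str, str]]:
    """Scan a log and return (src_ip, dst_ip, category) for every flagged record."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict = classify(line)
        if verdict is not None:
            src, dst_ip, *_ = line.split()
            findings.append((src, dst_ip, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_dns_bypass(SAMPLE_LOG):
        print(*finding)
```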
Global Botnet Takedown Targets IoT Devices
Authorities disrupted multiple IoT botnets across the US, Canada, and Germany. These botnets rely on insecure, exposed devices — a problem that refuses to go away. The risk is large-scale distributed attacks powered by unmanaged IoT devices.
Mitigation requires network segmentation and strict controls for IoT environments.
Key Action Items for Security Teams
Segment and secure supplier-connected systems
Maintain offline, tested recovery environments
Lock down third-party SaaS platforms and support systems
Deploy continuous threat hunting in OT environments
Focus on endpoint detection over network blocking
Assume adversary persistence in defense strategies
Implement phishing-resistant authentication (passkeys)
Enforce strict Kubernetes administrative controls
Patch internet-facing infrastructure immediately
Inventory and secure NAS and IoT devices
Restrict execution in development environments
Centralize DNS monitoring and enforce policies
James Azar’s CISOs Take
When I look across today’s stories, the common thread is trust and how it’s being exploited at every level. Whether it’s supplier systems, support platforms, developer tools, or messaging apps, attackers are leveraging the very systems we rely on to operate efficiently. This isn’t about perimeter defense anymore. This is about understanding how your business actually functions and securing those workflows.
The second takeaway is persistence. Whether it’s Iranian infrastructure coming back online, phishing kits reappearing within days, or long-term espionage in critical infrastructure, attackers are not going away. So our strategy can’t be based on elimination. It has to be based on resilience, detection, and response. If we don’t evolve our thinking to match the reality of how attacks happen today, we’ll continue to defend yesterday’s problems while attackers exploit today’s systems.