CISO Talk by James Azar
CyberHub Podcast
FBI Warns China Typhoon Groups Still Active, Iran Exploits Israeli Security Cameras for Missile Strikes, North Korea Supply Chain Attack Hits Developers
FBI Cyber Chief Warns China's Death by Thousand Cuts Strategy Can't Be Ignored While Iran Exploits Israeli Security Cameras for Tactical Intelligence

Good Morning Security Gang!

Welcome back to another action-packed Hump Day episode of the Cyber Hub podcast, broadcasting live from the bunker on Wednesday, June 25th, 2025. Host and CISO James Azar serves up another double espresso of cybersecurity intelligence as global threats continue to escalate on multiple fronts.

Today's show is strategically divided into geopolitical nation-state threats, cyber insurance market updates, and a comprehensive vulnerability roundup that security teams need to address immediately. From China's relentless "death by a thousand cuts" strategy to Iran's desperate hacktivist responses and North Korea's supply chain attacks, the threat landscape remains as complex and dangerous as ever.

Geopolitical Nation-State Threats

FBI Cyber Chief: Don't Sleep on China's Typhoon Groups

The FBI's new Cyber Division Director Brett Leatherman - an experienced cybersecurity practitioner whose appointment we've celebrated on this show - is delivering some hard truths about the strategic threat landscape. While everyone's eyes are focused on Iran and the Middle East conflict, Leatherman is warning that the U.S. can't afford to forget about China's Typhoon groups. And frankly, it's refreshing to have a cybersecurity leader in the FBI who doesn't just move with the political winds.

Here's the reality check: Iran's a threat, sure, but China is the ongoing, persistent danger that's on a collision course with the United States - economically, technologically, and strategically. Beijing's malicious cyber activity is unfolding in silence, as Leatherman puts it. You don't see the fireball on the news like you do with kinetic warfare, but the strategic damage is real and continues to accumulate over time. It's a death by a thousand cuts, and that's the most accurate way to describe China's approach.

Leatherman's emphasis on China comes amid all the media hype about Iran potentially unleashing digital assaults on the U.S. for bombing their nuclear facilities. But here's what the media isn't telling you - a lot of Iran's cyber capabilities were literally bombed into rubble when Israel physically destroyed a 15-story building that housed the head of the IRGC cyber center and their APT operations. So Iran's current infrastructure for large-scale cyber attacks is significantly degraded.

China's intrusion into U.S. critical infrastructure operators, telecom firms, and other networks remains one of the most consequential cyber espionage campaigns we're seeing today. And it's all part of China's long game. As businesses diversify away from China due to tariffs and geopolitical disincentives, the Chinese are going to aggressively target those companies to gain IP advantages and try to take them out. Security teams need to be hyper-focused on this reality because it's central to China's overall strategic plan.

Iran's Pathetic Cyber Response: When Defacement Equals "Victory"

Let's talk about Iran's cyber response to President Trump dropping ordnance on their nuclear facilities. The cyber blog posts claimed attacks on the U.S. Air Force website, aerospace and defense companies, financial services organizations, and an unverified claim against Truth Social. Here's the thing - all of these were classic defacement attacks, basic disruption tactics that I predicted on Monday's show would be Iran's likely response.

Why such weak sauce? Because anything more significant would constitute escalation, and Secretary Rubio, Vice President J.D. Vance, and President Trump made it crystal clear to Iran: target or hurt Americans, and we'll hit you harder than we did over the weekend. So Iran's response was primarily Telegram front-page propaganda - "We disrupted the Air Force! Yay, victory!"

Here's what's absolutely mind-boggling: Iran somehow thinks they won a war where they lost almost every single nuclear scientist, all their top generals three or four levels down, every single IRGC building, fifty aircraft from their air force, and all their air defense missile systems. If that's winning, I'd hate to see what losing looks like for Iran.

The hacktivist group led by "Mr. Hamza" claimed to have targeted several U.S. Air Force and aerospace websites, posting exploits using #OpUSA with checkhost.net reports showing website downtime over a ten-hour period. That's literally the best they could do, and it proves the point about their degraded capabilities.

Iran's Surveillance Camera Hacking: Modern Warfare Intelligence Gathering

Here's where it gets really interesting and ties into the article I published yesterday about how IoT devices are being weaponized for modern warfare intelligence gathering. Iran has been hacking Israeli security cameras to evaluate the impact of their missile strikes and adjust targeting in real-time. This isn't just cyber espionage - it's tactical battlefield intelligence gathering through compromised IoT infrastructure.

According to former Israeli cybersecurity official and friend of the show Rafael Franco, Iranian actors have been attempting to access private surveillance systems to evaluate strike impacts. Israel's INCD confirmed that CCTV systems have increasingly become targets for Iran's cyber operations, leading Israel to ban government officials from using any device connected to public internet or telecom due to hacking and surveillance fears.

This isn't the first time Israel has dealt with this tactic. There was a terror attack at a Jerusalem bus stop where Hamas actors hacked surveillance footage to livestream the attack in real-time, similar to October 7th tactics but on a smaller scale. The terrorist was neutralized, but three people were killed and eight or nine injured.

The CCTV exploitation playbook has been extensively used in the Russia-Ukraine war, where Russia hacks surveillance cameras across Ukraine to evaluate troop positioning and air defense systems. Ukraine has reported dismantling compromised surveillance cameras in Kiev that were being used by Russian intelligence. This is exactly the cyber warfare playbook transfer I've been talking about - what Russia and Ukraine pioneered is now being replicated in the Israel-Iran conflict.

Iranian Proxies Target Saudi Games: Information Warfare Escalation

As further proof that Iran can't be trusted and was on its back foot when President Trump decided to pause military operations, a pro-Iranian hacktivist group called Cyber Fata has published thousands of personal records allegedly linked to athletes and visitors of the Saudi Games. Cybersecurity company Resecurity reported this breach was announced on Telegram on June 22nd as an SQL database dump, characterizing it as an information operation by Iran and its proxies.

The actors gained unauthorized access through a phpMyAdmin backend and exfiltrated stored records including IT staff credentials, government officials' email addresses, athletes' information, visitor data with passport and ID cards, bank statements, medical forms, and scanned sensitive documents. Cyber Fata calls itself an Iranian cyber team with a history of targeting Israeli and Western web resources and government agencies.

The fact that Iran is going after Saudi Arabia while supposedly being allies shows you everything you need to know about Iran's trustworthiness and strategic thinking. This aligns with broader Middle Eastern hacktivist trends where groups engage in cyber warfare as activism, but it's really state-sponsored information operations designed to destabilize regional relationships.

Cyber Insurance Market Update

Rates Finally Dropping: Market Maturation Signals

Here's some good news for once - cyber insurance rates are actually dropping 2.3% year-over-year to $7.1 billion in 2024, according to a new report from credit rating agency AM Best. The cyber insurance providers' loss ratio remains below 50%, indicating the market is still profitable for insurers - and if it wasn't profitable, they wouldn't be selling policies, period.

Premium decreases averaged 1.6% - not massive, but it's something. The pricing decrease indicates steady demand for cyber insurance, with more companies buying policies, which floods the market and creates competition that drives rates down. This is basic economics working in favor of businesses that need coverage.

What this really tells us is that the cyber insurance market is maturing. Insurers have better risk models, companies have better security practices (generally), and the overall ecosystem is becoming more predictable from an actuarial perspective. It's a positive trend that should continue as long as both sides - insurers and insured - keep improving their cybersecurity postures.

Critical Vulnerabilities and Supply Chain Threats

North Korea's NPM Supply Chain Attack: Contagious Interview 2.0

Our friends over in North Korea are back with a fresh batch of malicious NPM packages in an ongoing "contagious interview" operation. Cybersecurity researchers at Socket uncovered 35 malicious packages uploaded from 24 NPM accounts - collectively downloaded about 4,000 times, which might seem small but remember, supply chain attacks are about quality targets, not quantity.

Each identified NPM package contained a hex-encoded loader dubbed "HexEval" designed to collect host information post-installation and selectively deliver follow-on payloads. The primary payload is a JavaScript stealer called "BeaverTail" that's configured to download and execute a Python backdoor called "InvisibleFerret," enabling threat actors to collect sensitive data and establish remote control of infected hosts.

The contagious interview campaign was first documented by Palo Alto Networks Unit 42 in 2023 and continues targeting the software supply chain through NPM. This represents a significant challenge for development teams who need to scrutinize every package dependency. The complete list of malicious packages is available below:

  • react-plaid-sdk

  • sumsub-node-websdk

  • vite-plugin-next-refresh

  • vite-plugin-purify

  • nextjs-insight

  • vite-plugin-svgn

  • node-loggers

  • react-logs

  • reactbootstraps

  • framer-motion-ext

  • serverlog-dispatch

  • mongo-errorlog

  • next-log-patcher

  • vite-plugin-tools

  • pixel-percent

  • test-topdev-logger-v1

  • test-topdev-logger-v3

  • server-log-engine

  • logbin-nodejs

  • vite-loader-svg

  • struct-logger

  • flexible-loggers

  • beautiful-plugins

  • chalk-config

  • jsonpacks

  • jsonspecific

  • jsonsecs

  • util-buffers

  • blur-plugins

  • proc-watch

  • node-orm-mongoose

  • prior-config

  • use-videos

  • lucide-node

  • router-parse

GitHub Enterprise RCE: Hot Patching Vulnerability

GitHub is rolling out patches for a remote code execution vulnerability affecting multiple enterprise service versions. CVE-2025-35059 has a CVSS score of 7.1 and allows attackers to exploit pre-received hook functionality to bind to dynamically allocated ports. The good news is exploitation requires either site administrator permissions or user privileges to modify repositories containing pre-received hooks, and it's only exploitable under specific operational conditions like during hot patching processes.

GitHub found their initial fix was incomplete, so they've released a full fix that you need to implement immediately. While the attack surface is limited, RCE vulnerabilities in enterprise Git environments can be devastating if exploited, especially in DevOps pipelines where code repositories are central to operations.

Siemens and Microsoft Defender: OT Environment Nightmare

Siemens is working with Microsoft to address a significant issue with Defender antivirus and SIMATIC PCS products in operational technology environments. The problem is that Defender doesn't provide proper alert-only functionality for OT systems. If configured to ignore threats, no alerts are generated when malware is detected. If configured for action, Defender may delete or quarantine critical files (including false positives) that OT systems depend on, causing operational disruptions.

This highlights a fundamental challenge in OT security - traditional IT security tools aren't designed for operational technology environments where availability often trumps security, and where false positives can shut down critical industrial processes. Until Siemens and Microsoft work out a proper solution, plant managers face a lose-lose situation: risk missing malware infections or risk operational disruptions from overzealous antivirus actions.

SonicWall NetExtender Trojan: Supply Chain Impersonation

SonicWall has issued alerts about a campaign distributing a modified version of their NetExtender SSL VPN application to steal user information. Working with Microsoft Threat Intelligence, they identified a deceptive campaign distributing a hacked and modified version that closely resembles the official software.

The trojanized application was built on the latest release version (10.3.2.27) and digitally signed with a certificate issued to "City Light Media Private Limited." The malicious code fetches VPN configuration information and sends it to remote servers by modifying two components: the service and NetExtender executables.

SonicWall and Microsoft took down the impersonating website and revoked the installer's digital certificate, but this demonstrates how sophisticated supply chain attacks have become. Attackers are now creating pixel-perfect copies of legitimate software, complete with valid digital signatures, making detection extremely difficult for end users.

Brother Printer Vulnerabilities: Millions of Devices at Risk

Rapid7 researchers have identified eight vulnerabilities affecting Brother printers, with 689 printer, scanner, and label maker models from Brother affected, plus additional models from Fujifilm Business Innovation, Ricoh, Konica Minolta, and Toshiba. Overall, millions of enterprise and home printers are exposed.

The most critical flaw, CVE-2024-51978, allows remote unauthenticated attackers to bypass authentication by obtaining default administrator passwords. When chained with CVE-2024-51977 to obtain device serial numbers needed for password generation, it essentially becomes a zero-day exploit path.

Additional vulnerabilities enable denial of service attacks, force TCP connections, password theft from external services, stack overflows, and arbitrary HTTP requests. While Brother has patched most flaws, CVE-2024-51978 cannot be fully patched in firmware, requiring workaround implementations.

This represents a massive attack surface in enterprise environments where printers are often overlooked in security assessments but have network connectivity and potential access to sensitive documents and network segments.

Chrome and Firefox Updates: Routine but Critical

Chrome 131 has arrived with 11 security fixes, including three for medium and low severity bugs. Firefox has also released security updates. While these might seem routine, browser security is fundamental to endpoint protection, especially as more applications move to web-based interfaces and browsers become primary attack vectors for credential theft and malware delivery.

Action Items for Security Teams

  • Dependency auditing: Immediately audit all NPM packages for the 35 malicious packages identified in North Korea's contagious interview campaign

  • GitHub Enterprise patching: Update all GitHub Enterprise installations to address CVE-2025-35059 RCE vulnerability

  • Printer security assessment: Inventory and patch all Brother, Fujifilm, Ricoh, Konica Minolta, and Toshiba printers against the eight identified vulnerabilities

  • SonicWall NetExtender verification: Verify all NetExtender installations are from legitimate sources and check for indicators of compromise

  • China-focused threat hunting: Implement enhanced monitoring for Chinese Typhoon group TTPs targeting critical infrastructure and telecom systems

  • IoT camera security review: Audit all surveillance cameras and IoT devices for unauthorized access, particularly in critical facilities

  • OT antivirus strategy: Develop specialized operational technology security strategies that balance threat detection with operational availability

  • Supply chain verification: Implement enhanced software verification processes including certificate validation and behavioral analysis

  • Browser security updates: Deploy Chrome 131 and latest Firefox updates across all enterprise endpoints

  • VPN security review: Audit all SSL VPN deployments for signs of compromise or impersonation attacks

  • Iran hacktivist monitoring: Monitor for Iranian hacktivist TTPs targeting regional partnerships and international events

  • Cyber insurance evaluation: Review current cyber insurance coverage in light of improving market conditions and rate decreases

  • OT network segmentation: Ensure proper network segmentation between IT and OT environments to prevent cross-contamination

  • Third-party risk assessment: Evaluate all software vendors for supply chain security practices and incident response capabilities

✅ Story Links:

https://therecord.media/china-typhoon-groups-espionage-fbi-cyber-brett-leatherman

https://therecord.media/iran-espionage-israeli-security-cameras-missile-attacks

https://thecyberexpress.com/us-ddos-attacks-iran-hacktivists/

https://thehackernews.com/2025/06/pro-iranian-hacktivist-group-leaks.html

https://www.cybersecuritydive.com/news/cyber-insurance-premiums-decline-am-best-report/751474/

https://thehackernews.com/2025/06/north-korea-linked-supply-chain-attack.html

https://www.securityweek.com/code-execution-vulnerability-patched-in-github-enterprise-server/

https://www.securityweek.com/siemens-notifies-customers-of-microsoft-defender-antivirus-issue/

https://www.securityweek.com/sonicwall-warns-of-trojanized-netextender-stealing-user-information/

https://www.securityweek.com/chrome-138-firefox-140-patch-multiple-vulnerabilities/

https://www.securityweek.com/new-vulnerabilities-expose-millions-of-brother-printers-to-hacking/

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
