CISO Talk by James Azar
CyberHub Podcast
Global Software Breaches Expose Millions as Cybercrime Gangs Consolidate Power

From Slack Compromises to Chinese Car Recalls: Identity Theft Hits Sweden Hard While Major Threat Actor Groups Merge Operations

Good Morning Security Gang

I’m live from Atlanta ahead of a double-header day — CISO XC this morning and my keynote this afternoon at FutureCon. If you’re in town, come say hi. I’ll have some stickers, some CyberHub swag, and, as always, good coffee and better conversation.

Now, buckle up. Today’s show is loaded with global breaches, nation-state activity, major software exploits, and an unexpected cybercrime merger that changes the extortion game.

Let’s dive right in — coffee cup cheers, y’all.

Japanese Media Giant Nikkei Breached via Slack

Japan’s Nikkei Group — one of Asia’s largest media and financial data organizations — disclosed a Slack breach impacting 17,368 users. The intrusion stemmed from malware-infected employee workstations, allowing threat actors to steal Slack credentials and access internal chats, names, and email addresses.

While Nikkei reports no source data loss, the exposure underscores the persistent risks tied to OAuth tokens and session hijacking. If you’re using Slack or Teams, rotate those tokens regularly, enforce MFA with re-authentication, and monitor for unusual API calls from foreign IPs.

“I know we kind of had a bunch of cybersecurity vendors come out and say ‘you do this once, it’ll never happen again.’ I wasn’t buying the hype then, I don’t buy the hype now.” James Azar

Identity remains the soft underbelly of modern security — and one-time fixes won’t save you. This is a recurring hygiene exercise, not a one-and-done.

Poland Faces Coordinated Cyberattacks on Finance and Travel

Poland is under sustained cyber pressure, with authorities confirming simultaneous attacks on loan, mobile payment, and travel platforms. Targets include AIQ Labs, BLIK (the national mobile payment system), and the major travel agency Nowa Itaka.

Data stolen includes names, national IDs, tax numbers, and bank accounts for under 10,000 customers, alongside DDoS attacks on payment APIs. The campaigns are being tied to Russian groups such as the Bleek DDoS collective, which has repeatedly targeted Poland since its support for Ukraine in 2022.

This is hybrid warfare — a digital continuation of the kinetic conflict. Poland’s engineers have proven resilient, but it’s another reminder that critical industries like travel and banking are now active battlefields.

Sweden’s Municipal Software Breach Impacts 1.5 Million Residents

Sweden’s Miljödata, a municipal software supplier, confirmed a breach affecting up to 1.5 million citizens. A 224MB archive posted online contains names, emails, IDs, phone numbers, and birth dates from city systems across the country.

With GDPR now fully in play, Sweden faces regulatory fines and national-level identity theft risk. The attack follows a familiar pattern of supply-chain compromise, proving once again that governments depend on vendors that attackers can easily infiltrate.

If you’re managing public-sector IT, revisit your vendor security attestation process. Supply-chain resilience starts with visibility and contractual accountability — not just compliance paperwork.

Apache OpenOffice Disputes Ransomware Gang’s Breach Claim

The Akira ransomware group claimed to have exfiltrated 23GB of financial and internal data from Apache OpenOffice, but the Apache Software Foundation (ASF) disputes the claim. ASF says it does not host the type of data described and found no evidence of intrusion.

This is the latest in a wave of “bluff leaks” — fabricated breaches used as negotiation leverage or brand pressure. Last week it was Gmail and HSBC; this week it’s Apache.

The takeaway: don’t panic until forensics confirm a breach. False flags are becoming common tools for extortion groups trying to regain relevance.

Israel Recalls 700 Chinese-Made Military Vehicles Over Espionage Risk

The Israel Defense Forces (IDF) is recalling 700 Chinese-manufactured vehicles assigned to senior officers over security concerns. The cars — particularly Chery Tiggo 8 Pro models — contain telemetry, microphones, cameras, and OTA firmware that could enable Chinese surveillance and location tracking.

Having lived in Israel, I can tell you — cars there are heavily taxed, and Chinese EVs dominate the market. But this decision underscores a critical truth: hardware is the new espionage frontier. You can’t run national security operations on devices you don’t control.

“I said, ‘Aren’t you guys worried about these Chinese cars? Because it’s China, we know there’s backdoors into these cars, there’s no way there isn’t.’ The fact that they allowed it is mind-boggling to me to begin with.” James Azar

This move might be costly, but it’s the right one. It’s better to absorb the financial hit than risk classified chatter being routed through Beijing.

Tycoon 2FA Phishing Kit Targets Microsoft and Gmail

A new phishing-as-a-service platform called Tycoon 2FA is bypassing MFA using adversary-in-the-middle (AitM) techniques. Attackers deploy fake Microsoft or Gmail login portals, intercepting credentials and session cookies in real time.

The kit uses reverse proxies, TLS certificates, and cloud-hosted lures (on Canva, Dropbox, or S3) to evade detection.

Mitigation checklist:

  • Enforce FIDO2 passkeys

  • Enable token binding and impossible travel detection

  • Restrict OAuth app consent workflows

If you still treat MFA as bulletproof, it’s time to evolve — attackers already have.
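The two detections recommended above, monitoring for API calls from unexpected countries (the Slack advice) and impossible-travel detection (the Tycoon 2FA checklist), as an added example that is not from the podcast or from any Slack tooling. It assumes audit events have already been GeoIP-enriched with a country code and coordinates; the events, IPs and user names are constructed.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: events are already GeoIP-enriched (country code + coordinates),
# as a SIEM normalisation step would do before detection rules run.
Event = namedtuple("Event", "user ts ip country lat lon action")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect(events, allowed_countries, max_kmh=900.0, min_km=100.0):
    """Return (user, kind, detail) alerts: 'foreign_ip' for calls from outside the
    allow-list, 'impossible_travel' when two calls by one user from different IPs
    imply a ground speed above max_kmh (roughly an airliner)."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.country not in allowed_countries:
            alerts.append((e.user, "foreign_ip", f"{e.action} from {e.ip} ({e.country})"))
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")  # same-second hop: infinite
            if km >= min_km and speed > max_kmh:
                alerts.append((e.user, "impossible_travel", f"{prev.country}->{e.country} in {hours:.2f}h"))
        last_seen[e.user] = e
    return alerts

# Constructed sample audit events (not real Slack data). alice's token is used
# from Frankfurt 30 minutes after a Tokyo call; carol's Osaka->Tokyo hop is a
# plausible commute; bob never leaves Tokyo.
T = lambda hm: datetime.fromisoformat(f"2025-11-04T{hm}:00")
SAMPLE = [
    Event("alice", T("09:00"), "203.0.113.10", "JP", 35.68, 139.69, "conversations.history"),
    Event("alice", T("09:30"), "198.51.100.7", "DE", 50.11, 8.68, "users.list"),
    Event("bob", T("09:05"), "203.0.113.11", "JP", 35.68, 139.69, "chat.postMessage"),
    Event("bob", T("09:45"), "203.0.113.11", "JP", 35.68, 139.69, "chat.postMessage"),
    Event("carol", T("10:00"), "203.0.113.12", "JP", 34.69, 135.50, "files.list"),
    Event("carol", T("11:00"), "203.0.113.13", "JP", 35.68, 139.69, "files.list"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, allowed_countries={"JP"}):
        print(*alert)
```

The `min_km` floor keeps NAT or mobile-carrier IP flips inside one city from firing the travel rule; the country allow-list is what catches a replayed token even when the two calls are hours apart.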

WordPress Plugin Exploit: Post SMTP Actively Hijacked

Over 400,000 WordPress sites are being exploited via a Post SMTP plugin vulnerability (CVE-2025-24000). Attackers exploit a broken access control flaw to hijack admin sessions through the plugin’s REST API.

Admins should update to version 3.3.0, review logs for unauthorized JSON requests, and remove any rogue accounts created since late October.

If your business depends on WordPress, your patch cycle needs to be measured in hours, not days.

Critical React Native CLI RCE Vulnerability

JFrog disclosed a critical Remote Code Execution flaw (CVE-2025-11953) in React Native’s Community CLI. Developers using outdated builds face potential supply-chain attacks, as malicious packages can hijack build systems.

Patch now, and audit your CI/CD pipelines for unexpected dependency calls. The broader lesson: developer tooling is the new attack surface.

Android November Security Update Fixes Zero-Click Flaws

Google’s November patch fixes two major zero-click vulnerabilities — CVE-2025-48593 and CVE-2025-48581 — affecting Android 16 and below. These flaws allow remote code execution via malicious system component calls.

If your enterprise manages mobile fleets, push these patches now. Android’s fragmented update model means the window for exploitation stays wide open unless managed centrally.

Cybercrime Gangs Merge: Scattered Spider + Lapsus Form Extortion Supergroup

In a move no one wanted but everyone feared, the Scattered Lapsus Hunters group — a merger of Scattered Spider and Lapsus$ affiliates — has gone public across 16 Telegram channels. They’re offering “Extortion-as-a-Service”, selling custom ransomware and stolen Salesforce-adjacent data.

This merger signals a disturbing trend: cybercriminals are industrializing cooperation. They’ve learned that collaboration scales better than chaos. Expect faster, more targeted extortion waves as these groups pool intelligence, code, and victims.

European Police Arrest Nine in $700 Million Crypto Scam

Authorities in Cyprus, Spain, and Germany arrested nine individuals tied to a $700 million cross-border investment scam. The group operated fake trading platforms, laundering proceeds through complex EU-based shell networks.

It’s another win for coordinated law enforcement and a reminder that crypto crime enforcement is tightening — slowly, but surely.

Action List

  • 🔐 Rotate Slack/OAuth tokens and enable behavioral monitoring.

  • 💳 Patch all WordPress and React Native instances immediately.

  • 🧱 Apply Android November security updates across managed devices.

  • 🌍 Review hardware origins for connected or telemetry-enabled vehicles.

  • 🧩 Deploy MFA with token binding and restrict OAuth consent sprawl.

  • 🚨 Prepare for new extortion tactics from merged cybercrime groups.

  • 🧾 Assess vendor breach clauses in municipal or government contracts.

Leave a comment

James Azar’s CISO’s Take

Today’s episode was a reminder that cybersecurity is now a global economy — for both defenders and attackers. The same collaboration that fuels our industry’s innovation is being mirrored in cybercrime. Scattered Spider’s merger with Lapsus$ isn’t just a headline — it’s a turning point. The underground is maturing, organizing, and industrializing extortion at scale.

On the defense side, the message is clear: identity, supply chain, and developer tooling are today’s battlegrounds. Slack, OAuth tokens, React CLI — these aren’t fringe issues; they’re the new frontline. As CISOs, our challenge isn’t just to respond, but to architect resilience into complexity.

So patch fast, think bigger, and never forget — stay cyber safe.
