Good Morning Security Gang!
Can you believe it’s October already? I kicked off today’s show with my double espresso and a reminder that tomorrow I’ll be offline for Yom Kippur.
But for now, we’ve got a packed episode: WestJet’s breach disclosure, Afghanistan’s internet blackout, the U.S. government shutdown, VMware zero-day exploitation, industrial router abuse for SMS phishing, Gemini’s “Trifecta” flaws, China’s Phantom Taurus espionage campaign, California’s biggest privacy fine yet, and the FTC suing a social app popular with teens. Let’s jump right in.
✈ WestJet Breach Disclosed
WestJet confirmed a June cyberattack exposed customer data including names, contact information, and government-issued IDs. Payment data and passwords were not compromised thanks to PCI separation and hashing standards. While tens of thousands of travelers are likely impacted, the airline is now sending out notifications. The case shows once again how personal data stored in CRMs like Salesforce is prime target material for attackers.
📵 Taliban Blackout in Afghanistan
Afghanistan experienced a nationwide internet blackout, cutting millions off from banking, flights, and essential services. The Taliban reportedly shut down fiber to curb “immoral acts,” effectively paralyzing Kabul and halting all flights. Journalists and NGOs lost contact with bureaus. As I said, it’s a chilling reminder of how governments can weaponize connectivity itself.
🏛 U.S. Government Shutdown Hits CISA
The U.S. entered a federal government shutdown at midnight, furloughing 65% of CISA’s workforce. The Cybersecurity Information Sharing Act of 2015 lapsed, leaving gaps in coordination. While insiders expect a continuing resolution soon, the reality is that cyber risk doesn’t pause because politicians can’t agree.
“Cyber risk doesn’t pause because politicians can’t agree.” James Azar
⚙ VMware Zero-Day Exploited for a Year
Broadcom confirmed CVE-2025-41244, a VMware Aria Operations and Tools flaw, was actively exploited since October 2024. Chinese state-sponsored UNC5174 leveraged the bug in espionage campaigns, even attempting attacks on SentinelOne. It’s another example of attackers targeting defensive software itself, forcing CISOs to treat critical patches with 24–48-hour SLAs.
“To me, I’ve always made my SLA for critical patches 24 to 48 hours. I know that’s really rough for a lot of people, but it’s really simple folks - you’ve got to buckle in your boots, build those relationships, understand the business impact, and communicate it in a way that doesn’t sell FUD (fear, uncertainty, and doubt) but rather sows partnership, business continuity, and business resilience.” James Azar
📡 Industrial Routers Abused for SMS Phishing
Attackers exploited Milesight industrial routers’ APIs to send malicious SMS messages across Europe, impersonating government and banking platforms. Sequoia researchers identified at least 572 exposed routers sending out phishing URLs. Sweden, Italy, and Belgium were hardest hit.
🤖 Google Gemini “Trifecta” Flaws Patched
Tenable uncovered three vulnerabilities in Google Gemini, dubbed the “Gemini Trifecta.” Exploits allowed attackers to inject malicious prompts via log files, trick Gemini into analyzing them, and display phishing pages. Google patched the flaws, but it highlights the risks of integrating AI assistants into enterprise environments without strong guardrails.
🐉 Phantom Taurus – New China-Linked Actor
Palo Alto Networks’ Unit 42 detailed Phantom Taurus, a China-aligned espionage group targeting foreign ministries, embassies, and military organizations across Africa, the Middle East, and Asia. The group shows persistence, stealth, and adaptability, building long-term access for geopolitical intelligence.
💸 California Fines Tractor Supply $1.4M
California’s Privacy Protection Agency fined Tractor Supply $1.4M for failing to honor opt-outs, not publishing a privacy policy, and sharing personal data without consent. It’s the largest fine under CCPA to date, showing regulators are tightening enforcement.
⚖ FTC Sues Teen Social App “Sendit”
The FTC sued Sendit and its CEO for illegally collecting children’s data and deceptive subscription practices. The app, with 25M users, misled teens with fake anonymous messages and charged $9.99 weekly for “Diamond Membership” without proper disclosures. The DOJ is now involved, signaling a federal crackdown on predatory apps targeting kids.
🧠 James Azar’s CISO Take
Today’s show really highlights how governance failures amplify cyber risk. WestJet kept payment systems secure thanks to PCI separation, but still lost customer data. Meanwhile, CISA furloughs show how political dysfunction weakens national cyber defense. Whether in Kabul or Washington, leadership failures leave citizens vulnerable.
The other theme is trust erosion in our digital systems. From industrial routers hijacked for phishing to Gemini AI being tricked into exfiltrating data, attackers are exploiting the very systems organizations rely on most. For CISOs, this means focusing not only on patch speed and segmentation but also on ecosystem trust boundaries—the overlooked places where risk becomes reality.
✅ Action Items
✈ Review customer data storage—segregate IDs from core systems.
📵 Monitor geopolitical hotspots—plan for internet shutdown scenarios.
🏛 Anticipate reduced federal cyber support during U.S. shutdown.
⚙ Patch VMware Aria Ops & Tools (CVE-2025-41244) immediately.
📡 Audit exposed industrial routers; disable unused APIs.
🤖 Validate AI integrations for prompt injection resilience.
🐉 Track Phantom Taurus indicators if in government/defense supply chains.
💸 Update privacy compliance playbooks to align with CCPA enforcement.
⚖ Vet third-party apps handling youth data for COPPA compliance.
That’s it for our show today. We’ll be back on Monday at 9 AM Eastern. Tomorrow we’re off for Yom Kippur. At this time, it’s a custom right before Yom Kippur that I say the following: If I offended you in any way over the last year, I sincerely apologize. I have no intention of hurting anyone’s feelings when I do the show or in my comments. However, sometimes it may come off that way, but it’s never ill-willed. It’s never meant to be anything but sharing my viewpoint.
Thank you all for tuning in. Have a great rest of your day, and most importantly, stay cyber safe!
