Good Morning Security Gang
You’re tuning into episode 1056 of the CyberHub Podcast and yes, this show ain’t for the faint of heart. Daily cybersecurity analysis, real-world insights, and coffee so strong it could patch your firewall, that’s how we roll.
Before we dive in, tomorrow’s a special one: my full interview with Zach Lewis, the author of Locked Up, about his first-hand experience being hit by the LockBit ransomware gang. It’s a story every practitioner needs to hear. That drops Friday at 11 AM Eastern exclusively on YouTube and Substack, with the extended version going live everywhere else Saturday.
Now, let’s jump into today’s headlines: from Harvard and UPenn being shaken down by ShinyHunters to CISA warning about multiple actively exploited vulnerabilities across SolarWinds, VMware, and GitLab, plus N8N automation flaws, NGINX hijacks, Chinese espionage campaigns, and even AI model tampering detection from Microsoft.
Coffee cup cheers, Security Gang — let’s get started. ☕
Lakeland Public Health Cyberattack Disrupts Services
We start in South Carolina, where a cyberattack against Lakeland’s public health district has forced systems offline, disrupting patient care and delaying appointments. While attackers’ motives appear to center on operational paralysis, the impact underscores the fragility of healthcare systems.
As I said on the show:
“When you hit healthcare, you’re not just stealing data — you’re gambling with lives.”
In many of these incidents, downtime leads directly to care delays or worse. My stance? Congress must treat attacks on healthcare systems as acts of domestic terrorism — punishable by extreme consequences, including life imprisonment or worse if human life is lost.
Mitigation means having paper-based downtime playbooks, manual registration, and emergency communication channels ready to go. You can’t rely on digital resilience alone when patients’ lives are on the line.
ShinyHunters Leak Harvard and UPenn Alumni Data
The ShinyHunters extortion group claims to have stolen and leaked data from Harvard University and the University of Pennsylvania, allegedly exposing donor and alumni details. The attackers are using the threat of publicity to pressure both institutions.
The real danger here isn’t just data loss — it’s social engineering and financial fraud against alumni networks and donors. Attackers can impersonate advancement staff or craft convincing charity scams using real donor lists.
As I explained:
“Reputation is the currency for institutions like Harvard and UPenn — and that’s exactly what attackers are cashing in on.”
If your company employs Harvard or UPenn alumni, monitor for lookalike domains and spoofed donation requests that exploit this breach.
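Here is what that monitoring looks like in practice, as an added example (this is not code from the show, from Harvard or from UPenn): a Python check that classifies an email sender’s domain as the real institution, a lookalike, or unrelated. The protected domain list, the substitution table and the sample senders are assumptions chosen for illustration.

```python
"""Flag sender domains that impersonate a protected institution.

Added example, not from the show or from either university's security
team. The protected domains, substitution table and sample senders are
assumptions chosen for illustration.
"""
import unicodedata

PROTECTED_DOMAINS = {"harvard.edu", "upenn.edu"}  # assumption: what we defend

# Digit-for-letter and glyph-pair substitutions common in lookalike registrations
SUBSTITUTIONS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                 "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lowercase, decode punycode, strip foreign script, undo digit tricks."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:                       # IDNA-encoded label (punycode)
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    # Drop anything that is not plain ASCII after compatibility decomposition,
    # so a Cyrillic 'а' in 'hаrvard' disappears and shows up as one edit
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for src, dst in SUBSTITUTIONS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(domain: str, protected=PROTECTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a sender's domain."""
    d = domain.strip().lower().rstrip(".")
    # Exact match or a genuine subdomain (alumni.upenn.edu) is legitimate
    if d in protected or any(d.endswith("." + p) for p in protected):
        return "legitimate"
    n = normalize(d)
    for p in protected:
        if levenshtein(n, p) <= max_distance:   # typo or homoglyph variant
            return "lookalike"
        if p.split(".")[0] in n:                # brand embedded in another domain
            return "lookalike"
    return "unrelated"
```

Wire classify_sender into your mail gateway’s sender-domain hook or run it over message headers in your SIEM, and treat “lookalike” as a quarantine-and-review signal. Keep an explicit allowlist of legitimate related senders (the universities’ donation platforms, for instance), because a pure edit-distance rule will also flag those.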
CISA Flags Three Critical Exploited Vulnerabilities
For the first time in over 1,000 episodes, we have three separate CISA alerts in a single day, each for a vulnerability currently being exploited in the wild. Let’s break them down.
1️⃣ SolarWinds Web Help Desk RCE
SolarWinds Web Help Desk (WHD) is now confirmed to be actively exploited via chained authentication bypass and deserialization bugs. Attackers are leveraging this to gain unauthenticated code execution and move laterally through service accounts.
Mitigation: Remove any public-facing WHD interfaces, enforce mutual TLS, and rotate service account credentials after patching to kill persistent access.
2️⃣ VMware ESXi Zero-Day Leads to Ransomware
A newly discovered ESXi zero-day is being used for fast encryption attacks across virtualized environments. Threat actors are detonating ransomware payloads at the hypervisor level — wiping out dozens of VMs within minutes.
Mitigation: Enable ESXi lockdown mode, manage via isolated jump hosts, and disable HTTPS management on general subnets until you confirm patch compliance.
“When hypervisors go down, your business goes with them — this isn’t theoretical, it’s operational.”
3️⃣ GitLab Legacy Exploit Resurfaces
Attackers are exploiting an old GitLab SSRF vulnerability (CVE-2021-39935) to exfiltrate repos, steal tokens, and tamper with CI/CD supply chains. Over 49,000 instances remain exposed online, mostly in China.
Mitigation: Upgrade to a supported GitLab version, hide admin panels behind VPNs, and revoke all stored credentials in outdated instances.
N8N Workflow Automation Vulnerabilities Exposed
Several new vulnerabilities in N8N, the popular workflow automation platform, are now public — with proof-of-concept exploits available. Attackers can move from misconfigured webhooks to arbitrary code execution, accessing stored secrets or executing unauthorized workflows.
Mitigation: Restrict webhook IPs to allowlists, disable arbitrary “execute command” nodes, and limit workflow permissions in production environments.
NGINX Redirect Hijacks Surge
Threat actors are compromising NGINX web servers using weak credentials and outdated plugins, injecting malicious redirects and credit card skimmers into live sites. Because this happens at the reverse proxy layer, these attacks bypass WAF and app-level detection.
Mitigation: Ship immutable NGINX configs, enable file integrity monitoring, and sign deployment bundles via CI/CD attestation.
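As an added example of the file integrity monitoring piece (not from the show and not NGINX tooling): a Python baseline-and-diff check that hashes the config tree and web root at deploy time and, on each run, flags files that changed and scans the changed ones for the telltale signs of an injected redirect or remote skimmer script. The temp tree, file contents and .invalid hosts are constructed for the demo.

```python
"""Baseline-and-diff integrity check for an NGINX config tree and web root.

Added example, not from the show and not NGINX's own tooling. The paths
are a constructed temp tree standing in for /etc/nginx and the served
docroot; in production the baseline comes from the signed deployment
bundle and is stored off-host so an intruder cannot rewrite it.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Textual tells of an injected redirect or skimmer, checked only on files
# whose hash no longer matches the baseline
SUSPICIOUS = [
    re.compile(r"\breturn\s+30[1278]\s+https?://", re.I),  # hard redirect to an external host
    re.compile(r"\bsub_filter\b", re.I),                   # on-the-fly response rewriting
    re.compile(r"<script[^>]+src=[\"']https?://", re.I),   # page now pulls a remote script
]


def baseline(root: Path) -> dict[str, str]:
    """Map each file under root (relative, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff(saved: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, vanished or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(saved)),
        "removed": sorted(set(saved) - set(current)),
        "modified": sorted(k for k in saved.keys() & current.keys() if saved[k] != current[k]),
    }


def suspicious_lines(path: Path) -> list[str]:
    """Lines in a changed file that match one of the injection patterns."""
    return [line.strip() for line in path.read_text(errors="replace").splitlines()
            if any(rx.search(line) for rx in SUSPICIOUS)]


def check(root: Path, saved: dict[str, str]) -> dict:
    """Diff the live tree against the baseline and triage what changed."""
    d = diff(saved, baseline(root))
    hits = {k: suspicious_lines(root / k) for k in d["added"] + d["modified"]}
    return {"diff": d, "findings": {k: v for k, v in hits.items() if v}}


def demo() -> dict:
    """Run the check over a constructed tree with a simulated post-deploy injection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf.d").mkdir()
        (root / "html").mkdir()
        conf = root / "conf.d" / "site.conf"
        page = root / "html" / "index.html"
        conf.write_text("server {\n    listen 443 ssl;\n    root /var/www/html;\n}\n")
        page.write_text("<html><body>Checkout</body></html>\n")
        saved = baseline(root)  # captured at deploy time from the attested bundle

        # Simulated tampering: a checkout redirect in the config and a remote
        # skimmer script in the page (hosts are placeholders, not real IoCs)
        with conf.open("a") as f:
            f.write("location /checkout { return 302 https://payments.invalid/pay; }\n")
        page.write_text('<html><script src="https://cdn.invalid/s.js"></script></html>\n')
        return check(root, saved)
```

The baseline must come from the same signed bundle your CI attests, and it has to live off the box; otherwise whoever rewrote site.conf can rewrite the baseline too. Schedule check() from a cron job or an agent and page on any non-empty “modified” list, not only on pattern hits.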
Google Looker Vulnerability Enables Data Exfiltration
Tenable researchers uncovered a vulnerability chain in Google Looker, enabling full instance takeover and data warehouse exfiltration if misconfigured. Attackers can escalate privileges from BI dashboards to underlying databases.
Mitigation:
Run Looker behind VPC Service Controls
Enforce separate service accounts per environment
Disable ad-hoc SQL runners from production datasets
Chinese Espionage Group Weaponizes WinRAR Flaw
China-linked APT41 (“Amaranth Dragon”) is exploiting a WinRAR vulnerability to deploy espionage loaders via booby-trapped archive files. Once extracted, these payloads live off the land, exfiltrating data stealthily.
Mitigation: Block .rar attachments, scan archives automatically in a sandbox, and educate users that compressed equals suspicious.
As I said:
“You can’t just block risky file types — you’ve got to give the business a safer alternative.”
Microsoft Releases AI Model Tampering Scanner
In good news, Microsoft has released a free tool to detect tampered AI models or poisoned machine learning datasets. This helps identify maliciously modified models that leak data or produce attacker-influenced responses.
If your organization is experimenting with AI, integrate this into your ML Ops pipelines, require model signing, and reject any artifact that fails verification.
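To make “require model signing and reject any artifact that fails verification” concrete, here is an added example in Python (not Microsoft’s scanner, not from the show): a build step writes a manifest of per-file hashes and signs it, and the loading step refuses the bundle if the signature or any file hash does not match. HMAC-SHA256 with a constructed key stands in for the asymmetric signature a real pipeline would use; the file names and contents are constructed too.

```python
"""Sign an ML artifact bundle at build time and verify it before loading.

Added example, not Microsoft's scanner and not from the show. It signs a
manifest of per-file SHA-256 hashes with HMAC-SHA256 as a stand-in for an
asymmetric signature (a real pipeline would use a signing service and a
public verification key); the key, file names and contents are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"


def manifest(bundle: Path) -> dict[str, str]:
    """SHA-256 of every artifact in the bundle: weights, config, tokenizer, data."""
    return {p.relative_to(bundle).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(bundle.rglob("*")) if p.is_file() and p.name != MANIFEST}


def canonical(files: dict[str, str]) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def sign(bundle: Path, key: bytes) -> None:
    """Write MANIFEST.json carrying the hashes and a signature over them."""
    files = manifest(bundle)
    sig = hmac.new(key, canonical(files), hashlib.sha256).hexdigest()
    (bundle / MANIFEST).write_text(json.dumps({"files": files, "sig": sig}))


def verify(bundle: Path, key: bytes) -> tuple[bool, list[str]]:
    """Return (ok, reasons); anything but (True, []) means do not load."""
    path = bundle / MANIFEST
    if not path.exists():
        return False, ["unsigned artifact: no manifest"]
    data = json.loads(path.read_text())
    expected = hmac.new(key, canonical(data["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, data["sig"]):
        return False, ["manifest signature invalid"]   # manifest edited or re-signed
    current = manifest(bundle)
    reasons = [f"modified: {n}" if n in current else f"missing: {n}"
               for n, h in data["files"].items() if current.get(n) != h]
    reasons += [f"unexpected file: {n}" for n in current if n not in data["files"]]
    return not reasons, reasons


def demo() -> dict:
    """Sign a constructed bundle, then try loading it clean, tampered and re-signed."""
    key = b"ci-signing-key-constructed-for-demo"  # assumption: held only by the signer
    with tempfile.TemporaryDirectory() as tmp:
        b = Path(tmp)
        (b / "weights.bin").write_bytes(bytes(range(256)) * 4)
        (b / "config.json").write_text('{"layers": 12, "vocab": 32000}')
        sign(b, key)
        clean = verify(b, key)
        # Weights altered after signing, the case a tamper scanner is meant to catch
        (b / "weights.bin").write_bytes(bytes(range(255, -1, -1)) * 4)
        tampered = verify(b, key)
        # Manifest regenerated without the real key
        sign(b, b"not-the-real-key")
        resigned = verify(b, key)
        return {"clean": clean, "tampered": tampered, "resigned": resigned}
```

Note what each failure mode catches: an edited weights file trips the per-file hash, and a regenerated manifest still fails because the signer’s key is missing. A dataset poisoned before the build step is out of scope for this check, which is why the scanner the segment mentions belongs alongside signing, not instead of it.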
Varonis Acquires Altrue AI for $150M
Varonis announced a $150 million acquisition of Altrue AI, a move aimed at bolstering data security posture management (DSPM) and AI data governance. Expect new integrations around sensitive data discovery and LLM security within Varonis’s platform later this year.
Action List
🏥 Healthcare: maintain offline playbooks and manual care workflows for downtime events.
🎓 Universities & Enterprises: enable anti-spoofing controls for alumni-related phishing.
☁️ SolarWinds: isolate Web Help Desk and rotate credentials post-patch.
🧱 VMware: activate lockdown mode and disable management from open networks.
💻 GitLab: update legacy systems and secure admin panels behind VPNs.
⚙️ N8N: restrict webhooks and disable arbitrary execution.
🌐 NGINX: enable immutable configs and sign deployment artifacts.
🧩 AI: integrate model tamper scanners into ML pipelines.
James Azar’s CISO’s Take
Today’s show drives home one lesson: cyber resilience is no longer optional — it’s survival. From hospitals losing access to patient systems to hypervisors being locked for ransom, the new battleground is operational, not just informational. We can’t afford downtime when digital systems define real-world safety and continuity.
My biggest takeaway? We’re fighting on three fronts — technical, geopolitical, and human. CISA’s triple alert is a wake-up call: our tools, our vendors, and our people are all targets. Whether it’s China embedding malware into WinRAR or ransomware encrypting ESXi hosts, defense now means assumption of breach. Build with that in mind.
Stay alert, stay caffeinated, and as always — stay cyber safe.