Good Morning Security Gang
Today’s show is a loaded one. We’ve got ransomware, global partnerships, AI flaws, and a major leadership move at CISA.
Here’s what’s on deck: Ingram Micro confirms ransomware hitting 42,000 people, four out of five small businesses were scammed last year, Germany and Israel team up for a joint cyber defense “Cyber Dome,” and a Cloudflare zero-day vulnerability sends shockwaves through edge security. We’ll also cover TP-Link’s camera takeover patch, Gemini’s prompt injection flaw, VS Code dev tool abuse, and fake Malwarebytes download sites pushing info-stealers.
To wrap it up, we’ve got Russian hacktivists disrupting UK infrastructure, Jen Easterly’s next chapter at RSA Conference, and a bipartisan congressional bill addressing the Department of Defense’s cyber talent crisis.
Coffee cup cheers, y’all — double Lavazza semi-bold this morning. Let’s get started.
Ingram Micro Confirms Ransomware Breach Affecting 42,000 Individuals
Global distributor Ingram Micro confirmed a ransomware attack that exposed data of more than 42,000 employees and partners, disrupting logistics and downstream reseller operations.
The breach originated from compromised partner credentials that enabled lateral movement into internal data stores before encryption. The attackers deployed a classic double extortion model — stealing PII and financial data while disrupting warehouse systems.
The ripple effect includes shipping delays, fraudulent invoices, and MFA fatigue attacks against finance teams. I said it clearly on the show:
“If your vendors touch your payment systems, every invoice is now a potential phishing lure.”
CISOs should enforce out-of-band callbacks for supplier bank changes and require multi-person verification for invoice adjustments tied to distributors.
Four in Five Small Businesses Fell Victim to Cyber Scams in 2025
A new survey reveals that 80% of small businesses were targeted — and hit — by cyber scams in 2025, ranging from phishing and invoice fraud to fake tech support and CEO wire requests
The biggest issue? Low verification culture and single-approval payments.
As I said on air:
“Small businesses aren’t falling because of tech — they’re falling because no one’s empowered to ask questions.”
For owners and operators:
Require two-person approval for first-time or unusual payments.
Set thresholds based on beneficiary country or transaction size.
Empower employees to pause transactions that feel wrong.
Remember, cyber insurance often doesn’t cover ACH fraud — so vigilance is the best defense.
Germany and Israel Launch Joint ‘Cyber Dome’ Defense Network
Germany and Israel have unveiled Cyber Dome, a joint cyber defense architecture designed to share real-time threat intelligence, detection tooling, and joint response playbooks across both governments and private infrastructure sectors
The partnership aims to counter state-backed attacks from Russia and Iran while improving Europe’s cross-border response times.
As I explained: “Israel’s cyber model works because of civic duty — engineers answer the call just like soldiers. That’s what Germany’s trying to replicate.”
For companies operating in the German market:
Expect tighter audits and incident reporting timelines.
Align with sector ISACs and local response liaisons.
This collaboration could become the new benchmark for allied cyber coordination.
Cloudflare Zero-Day Exposes Edge Authentication Flaw
A critical Cloudflare zero-day exposed flaws in authentication caching and worker logic at the edge, allowing potential session hijacking and traffic redirection before emergency mitigations were deployed
Even though Cloudflare acted fast, the brief exposure window highlights a growing challenge — edge complexity.
I said it plainly: “The edge is fast, flexible, and fragile. When it breaks, everything downstream goes dark.”
Defenders should:
Enable service-level circuit breakers in Cloudflare.
Use traffic segmentation to isolate critical workloads.
Treat edge authentication as production-critical, not secondary.
TP-Link Patches VG Camera Takeover Flaw
TP-Link has patched a critical flaw in its VG camera series that allowed attackers to remotely hijack cameras exposed to the internet
The web interface lacked proper authentication, enabling unauthorized users to pivot laterally from surveillance systems into business networks.
If patching isn’t possible, isolate devices on non-routable VLANs and limit access through a management jump host. Physical security is digital too — don’t let a $40 camera become your first infection point.
Gemini AI Exposed to Prompt Injection Attack
Researchers at Miggo Security discovered a prompt injection vulnerability in Google’s Gemini AI, where hostile data could coerce agents to exfiltrate secrets or execute unauthorized actions
The flaw stems from weak tool constraints and unfiltered retrieval chains.
To mitigate:
Whitelist data sources and tool access for any LLM integration.
Disable auto-actions from untrusted input origins.
As I said: “AI isn’t magic — it’s automation with manners. And right now, it’s way too polite to attackers.”
VS Code Extensions Abused to Deploy Malware
Attackers are using malicious Visual Studio Code extensions and debug profiles to install stealers and backdoors on developer workstations
Because VS Code trusts workspace-level settings, unvetted repos can execute malicious code on build systems.
Mitigation steps:
Lock extensions to an enterprise-approved allowlist.
Block workspace-level settings from untrusted repos.
This is another reminder that developers are the new endpoint — secure your IDE like you would a server.
Malwarebytes Impersonation Campaign Pushes Info-Stealers
Threat actors are impersonating Malwarebytes in fake update campaigns using SEO poisoning and rogue download sites
These fraudulent installers deploy info-stealers that capture browser credentials and password vaults.
I warned listeners: “If a pop-up tells you to update security software, close it — that’s malware advertising itself.”
For enterprises:
Publish internal download links to official software.
Deploy DNS typo-squatting protection and filter sponsored results.
Russian Hacktivists Target UK Public Services
UK authorities warn that Russian hacktivist groups are ramping up DDoS attacks and web defacements targeting public sector websites and utilities
These nuisance attacks focus more on propaganda value than technical damage.
To mitigate:
Pre-stage DDoS surge capacity with CDNs tied to event calendars.
Ensure communications redundancy for service availability.
Jen Easterly Named CEO of RSA Conference
Former CISA Director Jen Easterly has been appointed CEO of RSA Conference, marking a major leadership shift in the cybersecurity industry
Easterly is expected to emphasize real-world resilience, patch urgency, and public-private playbooks in her new role.
I noted: “If anyone can turn conferences from talkfests into action hubs, it’s Jen.”
This move also highlights the growing trend of cyber leaders crossing into industry advocacy, bridging the gap between government and enterprise.
Congress Pushes Bipartisan Bill to Fix DoD Cyber Workforce Shortage
Senators Mike Rounds (R-SD) and Gary Peters (D-MI) introduced a bipartisan bill to close the Department of Defense’s cyber talent gap
The bill aims to accelerate hiring, clearances, scholarships, and career pipelines to scale both defensive and offensive cyber units.
CISOs should consider building apprenticeship partnerships with local colleges and military transition programs — both for talent development and national security contribution.
Action List
🔐 Implement vendor payment verification and multi-person approvals.
💼 Empower employees to question anomalies in small business operations.
🇩🇪 Pre-align with German ISACs ahead of Cyber Dome readiness checks.
⚙️ Enable Cloudflare circuit breakers and isolate edge workloads.
📸 Patch or segment TP-Link VG cameras.
🤖 Gate Gemini AI tools to trusted data sources only.
🧑💻 Restrict VS Code extensions and block unverified workspace files.
🪪 Deploy DNS filtering against fake brand updates.
🇬🇧 Pre-stage CDN DDoS capacity for public sector resilience.
🧠 Develop cyber apprenticeships to feed your talent pipeline.
James Azar’s CISO’s Take
Today’s show captured the tension between technology innovation and operational fragility. From Ingram Micro’s supply chain disruption to Gemini’s prompt injection flaw, every headline today was a reminder that our systems are interconnected — and one weak credential, one rogue repo, or one unpatched API can unravel the whole chain.
My biggest takeaway? Cybersecurity leadership isn’t about control — it’s about culture. The businesses that survive attacks empower people to think critically, ask questions, and respond fast. Whether you’re a global distributor or a three-person startup, resilience starts with awareness and ends with accountability.
Stay alert, stay caffeinated, and as always — stay cyber safe.
