Good Morning Security Gang
Happy Monday and welcome back to the CyberHub Podcast!
Today’s episode is packed. We’ve got Iran-aligned hackers claiming to breach the Israeli Prime Minister’s chief of staff’s phone, a Wired database leak exposing 2.3 million users, the Coupang insider saga straight out of a movie scene, and the LastPass 2022 breach still costing victims years later. We’ll also hit on Russia’s DDoS on France’s postal service, the Republic of Georgia arresting its ex–spy chief for scam collusion, a new MongoDB zero-day, a critical SNMP bug, China’s Evasive Panda DNS malware, and a volunteer MSSP helping defend small U.S. water utilities.
It’s a busy day in the cyber world — so grab that double espresso, coffee cup cheers, y’all, and let’s get into it.
Iran-Aligned Group Claims Hack of Israeli PM’s Chief of Staff
An Iranian-aligned threat group known as Handala has claimed responsibility for hacking the phone of Tzahi Braverman, Chief of Staff to Israeli Prime Minister Benjamin Netanyahu. The group says it took messages, encrypted communications, and photos, and it is framing that material as evidence of corruption and political misconduct.
The claim is unverified, and that is the point: whether or not the phone was actually compromised, publishing "leaks" about a leader's inner circle is straight out of Iran's long-running influence-operations playbook, aimed at undermining political confidence in Israel at a delicate geopolitical moment. Treat the alleged contents as unconfirmed until someone independent validates them. As I noted on the show: "Cyber isn't just part of geopolitics — it's the new front line. And this front line doesn't sleep."
This attack mirrors Handala’s earlier breaches of former Israeli Prime Minister Naftali Bennett’s phone, part of an escalating Iran–Israel shadow cyberwar that continues despite ceasefires in Gaza.
"You're not tuning in for the geopolitical side of this, but the geopolitical side of this is driven by the cyber side of this. And cyber is just part of that geopolitical battle. And sometimes we get caught in the crossfire, in the crosshairs of this battle between these two nations as practitioners. Our businesses do. Our supply chain does." James Azar
Wired Confirms 2.3 Million Accounts Leaked
Condé Nast's Wired magazine confirmed a leak of roughly 2.3 million account records, exposing email addresses, hashed passwords, and user metadata. The attackers reached the data through an outdated user-authentication API and then posted it online for sale.
A Wired login has little value on its own. What attackers want is the email-and-password pair, which they replay in credential-stuffing runs against banks, SaaS logins, and corporate SSO portals, because so many people reuse passwords. Hashed is not the same as uncrackable: weak or common passwords are recovered offline from most hash formats, so treat them as exposed. CISOs should cross-reference the leaked email addresses against their corporate directory, force resets for any matches, and watch for credential-stuffing spikes on external login endpoints.
My advice to listeners: reset your passwords everywhere if you reuse them. As I said: “These attacks don’t go after your Wired subscription — they go after your lazy password hygiene.”
Coupang Insider Destroys Laptop to Hide Evidence
In South Korea, Coupang — the e-commerce giant often called “Korea’s Amazon” — continues dealing with fallout from a 33.7 million–user data breach. Authorities have now confirmed the insider responsible smashed their MacBook, sealed it in a bag with bricks, and threw it in a river to hide evidence.
The bizarre “movie-style” destruction attempt failed — investigators recovered the laptop. Coupang is now issuing $1.18 billion worth of compensation vouchers to affected customers, one of the most expensive breach responses in history.
This story highlights how much damage one insider with standing access can do, and why insider threats remain the hardest to prevent and the most expensive to clean up: the controls that stop outsiders (perimeter, MFA, patching) do nothing against someone who is already authorized. Least-privilege access, data-access logging, and egress monitoring for bulk exports are the controls that actually apply here.
LastPass 2022 Breach Still Haunting Users
The 2022 LastPass breach continues to produce secondary compromises years later. Attackers are still working through the stolen vault copies: the URL fields and other metadata in those vaults were not encrypted, which gives targeting information for free, and the encrypted entries fall to offline cracking wherever the master password was weak or the vault used a low iteration count.
Blockchain analysis ties drained crypto wallets to credentials and seed phrases that were stored in old LastPass vaults, with the funds traced to Russian exchange infrastructure.
The caveat practitioners need to hear: changing your master password after the breach did not protect the copy the attackers already have. It is encrypted under the old key forever, so every secret that was in the vault in 2022 (passwords, API keys, recovery codes, seed phrases) has to be rotated individually. CISOs and users alike must treat password vaults as living assets: rotate what is inside them, enforce phishing-resistant MFA on the accounts they protect, and if you have not done a full rotation since the breach, assume compromise and start fresh.
Russia Launches DDoS Attack on France’s Postal Service
Pro-Russian hacktivists launched a coordinated DDoS attack on France’s La Poste postal and banking services over the Christmas weekend. The attack, targeting public-facing portals, caused nationwide disruptions during one of the busiest mailing periods of the year.
The campaign was more symbolic than destructive, serving as a reminder that Russia’s hybrid cyber warfare extends far beyond Ukraine — it’s now about eroding European morale through disruption and frustration.
Georgia Arrests Ex–Spy Chief for Protecting Scam Call Centers
The Republic of Georgia has arrested former spy chief Grigol Liluashvili, who allegedly took $1.4 million in bribes to ignore scam call center operations near his own agency’s office.
These “industrialized fraud hubs” ran voice phishing, crypto investment scams, and global laundering networks defrauding victims of $35 million since 2022.
The scandal underscores how corruption enables cybercrime, especially in post-Soviet states where law enforcement and criminal enterprises often blur together.
MongoDB Zero-Day Actively Exploited
A new MongoDB zero-day (CVE-2025-14847) is being actively exploited in the wild. The bug allows unauthenticated memory disclosure via mishandled zlib-compressed wire-protocol messages, so no credentials are needed: any mongod that an attacker can reach on its listening port (27017 by default) is in scope, and leaked memory can include data from other connections.
Patch immediately. If you cannot patch yet, remove zlib from net.compression.compressors so the server only negotiates snappy and zstd; note that the default compressor list includes zlib, so an instance with no explicit setting is not mitigated. Versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30 contain the fix; anything on an older or end-of-life branch should be treated as vulnerable. Either way, keep the port off the internet.
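The check below is an added example, not code from the podcast or from MongoDB: given a mongod version string and the instance's net.compression.compressors setting, it says whether the instance is patched, mitigated, or still exposed. The fixed-version table is the one quoted above; the default compressor list is MongoDB's documented default. The inventory at the bottom is constructed.

```python
"""Triage helper for CVE-2025-14847 (added example, not MongoDB's code).

Inputs are the mongod version string (e.g. from the buildInfo command) and
the raw value of net.compression.compressors (None if it is not set)."""

# First release carrying the fix on each supported branch (from the episode notes).
FIXED_RELEASES = {
    (8, 2): (8, 2, 3),
    (8, 0): (8, 0, 17),
    (7, 0): (7, 0, 28),
    (6, 0): (6, 0, 27),
    (5, 0): (5, 0, 32),
    (4, 4): (4, 4, 30),
}

# MongoDB's documented default when the setting is absent: zlib is on by default,
# so "I never configured compression" is not a mitigation.
DEFAULT_COMPRESSORS = "snappy,zstd,zlib"


def parse_version(text):
    """'7.0.25-rc0' -> (7, 0, 25); pre-release suffixes are ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised mongod version: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version):
    """True if this version carries the fix.  Branches not in the table
    (end-of-life lines such as 4.2) are treated as vulnerable."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is not None and v >= fixed


def zlib_enabled(compressors=None):
    """compressors is the raw net.compression.compressors string, or None.
    The special value 'disabled' turns all compression off."""
    raw = DEFAULT_COMPRESSORS if compressors is None else compressors
    names = {c.strip().lower() for c in raw.split(",") if c.strip()}
    return "zlib" in names


def assess(version, compressors=None):
    """Return (status, advice) for one instance."""
    if is_fixed(version):
        return ("patched", "no action needed for this CVE")
    if zlib_enabled(compressors):
        return ("vulnerable",
                "upgrade now; until then set net.compression.compressors: snappy,zstd")
    return ("mitigated", "zlib is off; still schedule the upgrade")


def audit(inventory):
    """inventory: iterable of (host, version, compressors) -> list of findings."""
    return [(host, *assess(version, comp)) for host, version, comp in inventory]


if __name__ == "__main__":
    # Constructed inventory; a real one would come from buildInfo and
    # getCmdLineOpts (parsed.net.compression.compressors) on each instance.
    sample = [
        ("db-prod-1", "7.0.25", None),             # default list -> zlib on
        ("db-prod-2", "7.0.25", "snappy,zstd"),    # interim mitigation applied
        ("db-prod-3", "7.0.28", None),             # patched
        ("db-legacy", "4.2.24", None),             # EOL branch, no fix available
    ]
    for host, status, advice in audit(sample):
        print(f"{host:10} {status:10} {advice}")
```

The branch lookup matters more than it looks: a naive `version >= "4.4.30"` string compare would call 8.0.16 "fixed" and 4.4.30 "older than 5.0.0", so compare tuples within the instance's own release line.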
This follows a trend of attackers targeting open-source components embedded in enterprise stacks, exploiting slow patch cycles right before holidays.
Critical SNMP Trap Vulnerability in Infrastructure Devices
A critical Net-SNMP flaw (CVE-2025-68615) is putting enterprise monitoring systems at risk. The bug allows remote code execution through crafted SNMP trap packets. Trap receivers are a natural target: snmptrapd listens on UDP 162 and, by design, accepts unsolicited packets from every device it monitors, and SNMPv1/v2c traps carry nothing stronger than a community string, so anyone who can reach the port can hand it a malformed packet.
If your environment still uses SNMP for network monitoring, you need to:
Patch immediately.
Bind snmptrapd to a management-VLAN address only (an explicit snmpTrapdAddr, not 0.0.0.0).
Restrict trap sources to known device IPs at the host firewall, and move to SNMPv3 with authentication where your devices support it.
Otherwise, your monitoring tool could become your attack vector.
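An added example (not from the episode or the Net-SNMP project) that checks an snmptrapd.conf against the two configuration steps above and emits host-firewall rules for the third. The snmpTrapdAddr, authCommunity and disableAuthorization directives are Net-SNMP's documented snmptrapd.conf syntax; the management network 10.90.0.0/24, the listener 10.90.0.5, the trusted senders and both sample configs are constructed for the example.

```python
"""Lint snmptrapd.conf for listener binding and community hygiene
(added example, not Net-SNMP code)."""
import ipaddress
import re

MGMT_NET = ipaddress.ip_network("10.90.0.0/24")   # assumed management VLAN
DEFAULT_COMMUNITIES = {"public", "private"}
WILDCARDS = {"", "0.0.0.0", "::", "*"}


def _host_of(spec):
    """'udp:10.90.0.5:162' -> '10.90.0.5'; 'udp6:[::1]:162' -> '::1';
    'udp:162' or '162' -> '' (meaning: all interfaces)."""
    spec = re.sub(r"^(?:udp6?|tcp6?):", "", spec.strip())
    if spec.startswith("["):                       # [ipv6]:port
        return spec[1:spec.index("]")]
    if spec.isdigit():                             # bare port
        return ""
    if spec.count(":") == 1:                       # host:port
        return spec.split(":", 1)[0]
    return spec                                    # bare host


def _directives(conf):
    """Yield (directive, argument-string) pairs, skipping comments and blanks."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def lint_snmptrapd(conf, mgmt_net=MGMT_NET):
    """Return a list of human-readable findings; empty means it passed."""
    findings, listeners = [], []
    for name, args in _directives(conf):
        if name == "snmpTrapdAddr":
            listeners += [_host_of(s) for s in args.split(",")]
        elif name == "authCommunity":
            fields = args.split()
            if len(fields) >= 2 and fields[1].lower() in DEFAULT_COMMUNITIES:
                findings.append(f"authCommunity uses default community {fields[1]!r}")
        elif name == "disableAuthorization" and args.strip().lower() == "yes":
            findings.append("disableAuthorization yes: traps accepted from any sender")
    if not listeners:
        findings.append("no snmpTrapdAddr: snmptrapd listens on all interfaces")
    for host in listeners:
        if host in WILDCARDS:
            findings.append(f"listener {host!r} binds all interfaces")
            continue
        try:
            if ipaddress.ip_address(host) not in mgmt_net:
                findings.append(f"listener {host} is outside management net {mgmt_net}")
        except ValueError:
            findings.append(f"listener {host!r} is a hostname; bind an explicit IP")
    return findings


def nft_allow_rules(trusted_sources, listen_ip="10.90.0.5"):
    """nftables rule bodies so only known senders reach UDP/162 (step 3)."""
    rules = [f"ip saddr {src} ip daddr {listen_ip} udp dport 162 accept"
             for src in trusted_sources]
    rules.append(f"ip daddr {listen_ip} udp dport 162 drop")
    return rules


# Constructed samples: a stock-looking install and a hardened one.
WEAK_CONF = """\
authCommunity log,execute,net public
disableAuthorization yes
"""
HARDENED_CONF = """\
snmpTrapdAddr udp:10.90.0.5:162
authCommunity log m0n1t0r-traps-2025
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_snmptrapd(conf) or "OK")
    print("\n".join(nft_allow_rules(["10.90.0.20", "10.90.0.21"])))
```

The community check is deliberately modest: a non-default v2c community is still cleartext on the wire, which is why the source restriction and v3 migration matter more than the string itself.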
China’s Evasive Panda Using DNS for Command and Control
Researchers have uncovered a new Evasive Panda campaign abusing DNS tunneling for stealthy command-and-control operations.
By hiding payloads inside DNS TXT records and making the traffic look like ordinary name resolution, the APT can move data in and out without tripping firewalls: outbound DNS to a resolver is allowed almost everywhere and rarely inspected, so the encoded queries and responses ride through on a port nobody blocks. The technique uses domain fronting patterns and PowerShell scripts to persist.
Defenders should log DNS queries and responses at the resolver (not just at the firewall), block newly observed and newly registered domains, and alert on TXT queries whose subdomain labels are unusually long and high-entropy, as well as on bursts of unique subdomains under a single parent domain from one client. Legitimate TXT lookups (SPF, DKIM, DMARC records) are short and readable, which is exactly what makes the encoded ones stand out.
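The detection logic described above, as an added example run over constructed resolver log lines (this is not the researchers' code or any vendor's rule). The log format (timestamp, client, query name, query type), the client addresses and the domains are all made up for the example; the tunnel queries use random-looking labels under telemetry-sync.net, and the benign lines are the SPF/DKIM/DMARC lookups that make up most real TXT traffic. The rule flags TXT queries, matching the text; dropping that one filter extends it to tunnels that use A, AAAA or NULL queries instead.

```python
"""Flag DNS-tunneling-style TXT queries in resolver logs (added example).

Two signals: a long, high-entropy subdomain on a single query, and many
distinct subdomains for one (client, base domain) pair in one batch."""
import math
from collections import defaultdict

# Constructed log lines: "<ts> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-12-29T08:01:02Z 10.20.3.41 _dmarc.example.com TXT
2025-12-29T08:01:03Z 10.20.3.41 example.com TXT
2025-12-29T08:01:04Z 10.20.3.41 selector1._domainkey.example.com TXT
2025-12-29T08:01:05Z 10.20.3.41 d1k4abcd5678xy.cloudfront.net A
2025-12-29T08:02:10Z 10.20.3.77 7x2k9qm4vz8b1nw5dj3ht6pl0ryc.ga4ef.telemetry-sync.net TXT
2025-12-29T08:02:11Z 10.20.3.77 b5nq8wr2zt7ky4mc1xv9hd3jg6pf.0ls2a.telemetry-sync.net TXT
2025-12-29T08:02:12Z 10.20.3.77 c9vf3lp6zk1xw4nq7hb2td8ym5jr.e3gs0.telemetry-sync.net TXT
2025-12-29T08:02:13Z 10.20.3.77 d2hk7xq4mz9rp1tb6wn3vc8yl5gj.f1ao4.telemetry-sync.net TXT
2025-12-29T08:02:14Z 10.20.3.77 e4jm1zn8wq3xt6rk9pb2vh7cl0fd.g5is2.telemetry-sync.net TXT
2025-12-29T08:02:15Z 10.20.3.77 f6lr3yp0kz5nq8wx1vj4tb7hc2md.h7ae6.telemetry-sync.net TXT
"""


def shannon_entropy(s):
    """Bits per character; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Naive split into (base domain, subdomain chars).  Uses the last two
    labels as the base; a public-suffix list would handle co.uk-style TLDs."""
    labels = qname.rstrip(".").lower().split(".")
    base = ".".join(labels[-2:])
    sub = "".join(labels[:-2])      # dots removed so they do not dilute entropy
    return base, sub


def parse_line(line):
    fields = line.split()
    return tuple(fields) if len(fields) == 4 else None


def detect(log_text, entropy_min=3.8, len_min=30, burst_min=5):
    """Return a list of alert dicts for the batch of log lines."""
    alerts = []
    seen = defaultdict(set)         # (client, base domain) -> distinct subdomains
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        ts, client, qname, qtype = rec
        if qtype != "TXT":
            continue
        base, sub = split_name(qname)
        seen[(client, base)].add(sub)
        ent = shannon_entropy(sub)
        # Length matters: short English labels like "selector1_domainkey"
        # already score ~3.9 bits, so entropy alone would be noisy.
        if len(sub) >= len_min and ent >= entropy_min:
            alerts.append({"client": client, "qname": qname,
                           "reason": f"high-entropy label ({ent:.2f} bits, {len(sub)} chars)"})
    for (client, base), subs in seen.items():
        if len(subs) >= burst_min:
            alerts.append({"client": client, "qname": base,
                           "reason": f"{len(subs)} distinct subdomains in one batch"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['client']:12} {a['qname']:60} {a['reason']}")
```

In production you would run the burst counter over a sliding window rather than a batch, whitelist your own mail and CDN domains, and feed the two signals into a score rather than alerting on either alone.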
Volunteer MSSP Protects Rural U.S. Water Utilities
A grassroots initiative is helping rural water utilities in the U.S. strengthen their defenses through a volunteer-run MSSP model.
The effort, led by DEF CON contributors including Tarah Wheeler, pairs white-hat professionals with underfunded municipalities in Arizona, Utah, Oregon, and Vermont, offering 24/7 detection, segmented access, and incident playbooks.
As I said on the show: “This is cybersecurity at its best — community over commerce.”
These volunteer models could become essential blueprints for defending critical infrastructure sectors that lack full-time SOCs or funding.
Action List
🇮🇱 Monitor geopolitical risk surfaces tied to Iran–Israel conflict.
🔐 Force password resets for users overlapping Wired’s 2.3M leak.
💻 Rotate every secret that sat in a LastPass vault in 2022 (passwords, API tokens, seed phrases), not just the master password.
🧱 Patch MongoDB and SNMP vulnerabilities immediately.
🌐 Enable DNS logging and block anomalous TXT query traffic.
💧 Adopt volunteer or shared MSSP frameworks for small critical services.
🕵️‍♂️ Audit privileged insider access in sensitive or regulated environments.
James Azar’s CISO’s Take
Today’s stories drive home one central message: cyber risk is no longer confined to our networks — it’s geopolitical, social, and systemic. From Iran hacking political leaders to insiders throwing laptops in rivers, the digital battlefield mirrors the chaos of the real one.
My biggest takeaway? Resilience now means readiness across every layer — people, process, and politics. Whether it’s MongoDB patches, DNS monitoring, or small-town water defenses, our success depends on how well we anticipate rather than react. The threat actors aren’t slowing down, and neither can we.
Stay sharp, stay caffeinated, and as always — stay cyber safe.