Good Morning Security Gang

Today’s show centers on one undeniable theme: persistence and evolution. Adversaries aren’t just breaking in anymore — they’re staying in, adapting faster, and leveraging automation and AI to scale their operations in ways most organizations simply aren’t ready for.

We’re covering Iranian cyber operators maintaining footholds inside U.S. networks, a botnet exploiting over 170 vulnerabilities at scale, ransomware groups shifting tactics, a massive supply chain attack spreading across hundreds of repositories, AI being used to evade detection, and new risks emerging from AI platforms themselves.

So grab your coffee — I’ve got my double espresso ready — coffee cup cheers, and let’s get into it.

Iranian Cyber Operators Maintain Footholds in U.S. Networks

We kick off with a deeply concerning development: Iranian cyber operators have successfully maintained persistent access inside U.S. networks, in some cases for extended periods of time.

This isn’t smash-and-grab cybercrime. This is strategic positioning. These actors are embedding themselves quietly, waiting for the right moment to execute — whether that’s disruption, retaliation, or intelligence collection.

This activity aligns with the broader geopolitical tensions tied to ongoing conflicts involving Iran. The objective here isn’t immediate damage — it’s long-term leverage. Think pre-positioning for future cyber operations.

From a risk perspective, this is one of the most dangerous scenarios: undetected persistence that enables coordinated attacks at scale when triggered.

To mitigate this, organizations must prioritize continuous network visibility, anomaly detection, and lateral movement monitoring — because once they’re in, the clock is already ticking.

Botnet Exploits 174 Vulnerabilities at Scale

Next up, we’re seeing industrialized cybercrime in action. The Rondo botnet has been observed exploiting 174 different vulnerabilities to compromise systems at scale.

Let that sink in — 174 vulnerabilities.

This isn’t sophisticated zero-day exploitation. This is attackers taking advantage of unpatched, known vulnerabilities across the internet. Automation allows them to scan, exploit, and compromise systems en masse.

Botnets like this fuel a wide range of malicious activities, including DDoS attacks, credential harvesting, and serving as initial access brokers for ransomware campaigns.

The takeaway here is simple: attackers don’t need cutting-edge exploits if organizations fail at basic patching.

Organizations must implement internet-facing asset discovery and vulnerability management programs to identify and remediate exposed systems quickly.

Ransomware Groups Shift to Data Theft and Stealth

Google is reporting a significant shift in ransomware tactics. Attackers are moving away from traditional encryption-based attacks and toward data theft and extortion.

Why? Because ransomware defenses are improving and payments are declining.

Instead of locking systems, attackers are now quietly infiltrating environments, exfiltrating sensitive data, and using that data as leverage for extortion often without triggering traditional ransomware alerts.

This aligns with recent trends, including destructive attacks like the Stryker incident, where disruption occurred without conventional malware.

The risk here is stealth. These attacks are harder to detect and often bypass traditional defenses. Organizations should implement egress traffic monitoring to detect unauthorized data transfers and identify exfiltration early.

GlassWorm Supply Chain Attack Spreads Across 400 Repositories

The GlassWorm supply chain attack continues to expand, now impacting over 400 code repositories across GitHub, NPM, VS Code, and OpenVSX.

This represents one of the largest coordinated supply chain attacks in recent memory.

Attackers are targeting developer ecosystems, poisoning trusted repositories and dependencies. Once malicious code enters these ecosystems, it propagates quickly into enterprise environments through software builds and integrations.

This is the nightmare scenario for modern development pipelines.

To mitigate this, organizations must enforce code signing verification and dependency validation for all third-party packages used in development environments.

AI Used to Evade Detection Through Hidden Malicious Code

Researchers have uncovered a new technique where attackers use font rendering tricks to hide malicious commands from AI-based detection systems.

This is a major shift.

As organizations increasingly rely on AI for threat detection and code analysis, attackers are now learning how to bypass AI itself — not just human analysts.

This creates a dangerous gap where malicious code can evade automated detection systems entirely.

The solution is clear: AI alone is not enough.

Organizations must combine AI-driven detection with traditional static and dynamic analysis techniques to maintain layered defenses.

Vulnerabilities Discovered in AWS Bedrock and Langsmith

Security researchers identified vulnerabilities in AWS Bedrock and Langsmith, two platforms used to build and manage AI applications.

These vulnerabilities could allow attackers to manipulate AI outputs or access sensitive data processed by these systems.

AI is rapidly becoming a new attack surface and many organizations are deploying these technologies faster than they can secure them.

The risk here extends beyond data breaches. Compromised AI systems can produce manipulated outputs, potentially impacting business decisions and operations.

Organizations must enforce strict input validation and output monitoring across AI systems to mitigate these risks.

Ransomware Group Uses Modern Development Tools for Stealth Attacks

The LeakNet ransomware group is evolving its tactics, now leveraging tools like ClickFix and the Deno runtime to execute stealthy attacks.

Rather than deploying traditional malware binaries, attackers are using legitimate development environments and scripting tools blending malicious activity into normal operations.

This makes detection significantly more difficult because these tools are widely used and trusted.

Organizations should implement runtime monitoring and anomaly detection for developer environments to identify suspicious execution patterns.

EU Sanctions Target Chinese and Iranian Cyber Actors

The European Union has announced sanctions against entities linked to Chinese and Iranian cyber operations.

This reflects a growing trend where governments are attempting to respond to cyber threats through economic and legal measures rather than purely defensive strategies.

However, the effectiveness of these sanctions remains questionable, particularly when targeting actors who may not have assets or operations within EU jurisdictions.

"Are you sanctioning people who don't work in Europe anyways, who don't have assets in Europe? You're just doing it to say you're doing something. As usual, late to the party. As usual, weak as always. These sanctions are useless— absolutely useless. These people already operate outside of those environments." James Azar

This raises broader questions about how effective policy-based responses are in deterring cyber adversaries.

Tech Giants Unite to Combat Online Fraud

Major companies including Google, Microsoft, Meta, Amazon, and others have formed a coalition to combat online scams and fraud. Cyber-enabled fraud continues to grow rapidly, driven by social engineering, large-scale phishing operations, and coordinated criminal networks.

This collaboration signals an industry-wide recognition that no single organization can tackle cybercrime alone. The effectiveness of this initiative will depend heavily on execution and cross-industry cooperation.

Georgia Arrest Highlights Targeted Phishing Campaigns

Authorities in Georgia arrested an individual accused of targeting NBA and NFL affiliates through phishing campaigns.

This case highlights a growing trend: attackers targeting high-value individuals with tailored phishing attacks designed to maximize financial gain.

Targeted phishing remains one of the most effective cyberattack methods, particularly when aimed at individuals with access to financial resources or sensitive systems.

Organizations should continue investing in user awareness training and identity protection controls to reduce phishing risks.

U.S. Department of Energy Prepares Cybersecurity Strategy

Finally, the U.S. Department of Energy is preparing its first comprehensive cybersecurity strategy focused on protecting energy infrastructure.

Given the critical importance of energy systems, this initiative reflects growing concerns about cyber threats targeting utilities and power grids.

The strategy emphasizes collaboration between government and private sector organizations, focusing on resilience rather than strict regulatory enforcement.

This could represent a shift toward more practical, operational cybersecurity frameworks for critical infrastructure.

Key Action Items for Security Teams

• Deploy continuous monitoring to detect persistent access and lateral movement

• Implement comprehensive vulnerability management and patching programs

• Monitor outbound traffic for signs of data exfiltration

• Enforce code signing and dependency validation in development pipelines

• Combine AI detection with traditional security analysis methods

• Secure AI platforms with strict input and output controls

• Monitor runtime environments for suspicious execution behavior

• Strengthen identity protection and phishing defenses

• Enhance collaboration across industry and government partners

• Review critical infrastructure resilience and incident response plans

Leave a comment

James Azar’s CISO Take

When I step back and look at today’s stories, what stands out is how much the battlefield has shifted. We’re no longer dealing with opportunistic attackers looking for quick wins. These are persistent, strategic adversaries embedding themselves deep inside networks and waiting for the right moment to act. That changes everything about how we defend.

At the same time, the attack surface is expanding faster than ever. AI, developer ecosystems, and supply chains are now primary targets, and attackers are learning how to exploit them just as quickly as we adopt them. The fundamentals still matter visibility, patching, identity protection — but they must now be paired with continuous monitoring and adaptive defenses. Because the goal isn’t perfection. The goal is resilience.

Stay sharp, Security Gang and most importantly, stay cyber safe.