CISO Talk by James Azar
CyberHub Podcast
Iran Hackers Wipe 200K Stryker Devices, FBI Epstein Files Hacked, Wiz Joins Google Cloud

Iranian Handela Group Deploys Wiper Malware Against Medical Device Giant, Hacker Breaches FBI Child Exploitation Lab to Access Epstein Investigation, $32 Billion Wiz Acquisition Closes

Good Morning, Security Gang!

We’ve got a packed show today. We’re looking at an Iran-linked cyber attack crippling medical device giant Stryker, a breach impacting Enabling Services, Michelin confirming fallout from the Oracle EBS attacks we’ve been tracking, hackers claiming an intrusion in Albania’s parliament, and a shocking report that a hacker breached FBI systems tied to the Epstein investigation. We haven’t talked about Epstein here on the show; I’ve tried to avoid it by all means necessary.

Today’s show is heavy on healthcare, geopolitics, and critical infrastructure. If you’ve been listening/reading over the last few weeks, you’ll notice a few themes continuing to show up: Iran-linked cyber operations expanding beyond regional targets, healthcare infrastructure continuing to be attractive for both criminal and geopolitical actors, and enterprise platforms like Oracle EBS proving once again that supply chain breaches can ripple across entire industries. We’re also seeing vulnerabilities at the core of enterprise identity systems and ICS environments, reminding us all that the fundamentals of security architecture still matter. AI can’t solve it all.

I’ve got my double espresso here. Coffee cup cheers, gang!

Iranian Handela Group Wipes 200K Stryker Servers with Wiper Malware

Security researchers are reporting that medical technology giant Stryker was disrupted by a cyber attack linked to Iranian hackers, specifically the Handela group. The attack reportedly affected portions of the company’s operations and internal systems, which is significant given Stryker’s role in producing critical medical equipment used in hospitals worldwide.

This fits a broader pattern we’ve been discussing since the escalation of geopolitical tensions involving Iran. Historically, Iranian cyber operations have targeted healthcare, energy, and infrastructure organizations as part of strategic pressure campaigns. Healthcare companies like Stryker sit at the intersection of supply chain logistics and patient care: when their systems go down, the ripple effects reach hospitals and medical providers alike.

The attackers claim to have wiped more than 200,000 servers using wiper malware, not ransomware, wiper malware.

And if you recall, since Russia and Iran began their collaboration nearly four years ago, I’ve been saying on the show that eventually it would leak out.

They say they wiped 200,000 servers, shutting down offices in 79 countries and stealing 50 terabytes of data. The group has been active since Operation Epic Fury/Roaring Lion kicked off. The Wall Street Journal reported Wednesday that Stryker confirmed it was dealing with a cyber incident and a global outage, with staff and contractors seeing the Handela logo on login pages.

We don’t know how they got in or what exact malware was used yet. Until we know, I’ll reserve judgment on mitigation. Wiper malware is real, and this is where next-generation anti-ransomware and anti-malware solutions come into play. These questions are coming from your boardroom and executive leadership over the next few days. Get ready to rock and roll, folks.

Albania Parliament Targeted by Iran-Linked Attackers

Iran-linked attackers have also claimed responsibility for a cyber attack targeting Albania’s parliament. Albania has been a frequent target of Iranian cyber activity following diplomatic tensions between the two countries. We’ve covered previous attacks against Albanian government networks, including disruptive campaigns that forced systems offline.

These operations appear designed to create political pressure while demonstrating cyber capabilities. While Albania is a Muslim-majority nation, it feels like Turkey in the eighties and nineties: very secular. They’ve got great relations with the US and Israel.

They’ve been frequent Iranian targets: low-hanging fruit for an adversary trying to sow disruption and create unrest. That’s not something Iran is going to be extremely successful with.

Bell Ambulance Breach Exposes 235,000 Patient Records

Continuing with healthcare attacks, a cyber attack against Bell Ambulance in Wisconsin exposed personal data belonging to approximately 235,000 individuals. The breach included patient information tied to emergency medical services.

This is another example of attackers targeting healthcare service providers rather than hospitals themselves. We’ve seen this trend repeatedly over the last year: attackers going after the logistics layer around healthcare, including billing, EMS, and health IT vendors. When service providers are compromised, multiple healthcare organizations can be affected simultaneously.

Healthcare service providers holding patient data need the same protections as hospitals themselves. Patient data remains a high-value target.

Michelin Confirms Oracle EBS Attack Fallout

Michelin is now confirming a data impact tied to the Oracle EBS breach we’ve been tracking over the last few weeks. Oracle’s EBS platform is widely used for supply chain, HR, and financial operations across large enterprises.

When an ERP platform serving multiple companies is breached, the resulting exposure can cascade across customers. We’ve seen multiple organizations over the past month disclosing impacts from the Oracle EBS attack. This pattern highlights how enterprise software platforms act as single points of failure when compromised.

Supply chain-level ERP breaches can expose sensitive data across dozens of organizations. Enterprises need to require tenant-level isolation in shared ERP platforms.

FBI Epstein Investigation Files Allegedly Breached

The second major story involves reports that files related to the FBI’s investigation into Jeffrey Epstein were compromised in a cyber intrusion. While the full scope of the breach has not yet been disclosed, the incident raises serious concerns about the protection of highly sensitive investigative data within government systems.

Investigative repositories contain evidence chains, witness information, and intelligence records that are critical to law enforcement operations. A breach of these systems could expose confidential materials, compromise ongoing investigations, or undermine legal proceedings.

The attack highlights ongoing challenges facing government agencies tasked with protecting sensitive investigative databases while ensuring operational access for investigators. Strong segmentation, strict access controls, and continuous monitoring remain essential safeguards for protecting law enforcement data assets.

"Touch grass. Get out from behind your monitor. Walk around, talk to people, crack a few jokes, have a cup of coffee with someone. I walk around the office, give people capsules for espressos, say hello. I touch grass. We become friends. Get off the internet, it's not healthy." James Azar on Conspiracy Theories and Excessive Internet use

Active Directory Vulnerability CVE-2026-21437

Researchers are disclosing a vulnerability affecting Active Directory Domain Services, which sits at the heart of identity management in most enterprise environments. If exploited, attackers could potentially escalate privileges or manipulate authentication systems.

Active Directory remains one of the most frequently targeted systems in enterprise networks because control of AD essentially means control of the organization. This is CVE-2026-21437. Patch immediately and implement tiered access controls within AD environments.

Attackers Abusing ARPA DNS and IPv6 to Evade Phishing Detection

Phishing is getting really good, right? Threat actors have found workarounds. Researchers discovered attackers abusing ARPA DNS records and IPv6 infrastructure to evade phishing detection systems we put in place.

By leveraging obscure DNS mechanisms, attackers can hide malicious infrastructure from traditional email filtering systems. This highlights how attackers constantly adapt to bypass detection mechanisms.

The risk is phishing infrastructure bypassing traditional domain filtering tools. Expand DNS monitoring to include reverse lookup and IPv6 traffic analysis.
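The episode doesn’t go into the mechanism beyond “ARPA DNS records and IPv6,” so the following added example (not the show’s or any vendor’s code) takes the action item literally and shows what expanding DNS monitoring looks like in practice: a small scanner over resolver query logs that surfaces non-PTR lookups under the reverse (.arpa) zones, CNAME chains that point into those zones, and AAAA answers landing on non-global IPv6 space. The log format and the sample lines are constructed for the example.

```python
"""Scan resolver query logs for DNS activity that plain domain-reputation
filtering tends to ignore.  Added example; the log line format is assumed."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed line format (constructed, not the page's or any resolver's format):
# <ISO timestamp> client <addr> query <qname> <qtype> answer <rdata>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) "
    r"(?P<qtype>[A-Z]+) answer (?P<rdata>\S+)$"
)

REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")

# Constructed sample log; the .arpa hostnames and addresses are made up.
SAMPLE_LOG = """\
2026-03-12T08:01:02Z client 10.0.0.5 query www.example.com A answer 93.184.216.34
2026-03-12T08:01:03Z client 10.0.0.5 query 34.216.184.93.in-addr.arpa PTR answer www.example.com
2026-03-12T08:02:10Z client 10.0.0.7 query login.4.3.2.1.in-addr.arpa A answer 198.51.100.23
2026-03-12T08:02:11Z client 10.0.0.7 query secure-portal.example.net CNAME answer portal.0.8.b.d.0.1.0.0.2.ip6.arpa
2026-03-12T08:03:30Z client 10.0.0.9 query mail.example.org AAAA answer 2001:db8::1
2026-03-12T08:03:31Z client 10.0.0.9 query cdn.example.org AAAA answer 2606:2800:220:1:248:1893:25c8:1946
"""


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    reasons: list


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_reverse_zone(name):
    """True when the name sits under in-addr.arpa or ip6.arpa."""
    return name.lower().rstrip(".").endswith(REVERSE_SUFFIXES)


def check_record(rec):
    """Return the list of reasons a parsed record deserves analyst review."""
    reasons = []
    qname, qtype, rdata = rec["qname"], rec["qtype"], rec["rdata"]
    # 1. Reverse zones normally carry only PTR records; an A/AAAA/TXT/CNAME
    #    lookup under *.arpa means the zone is being used as a hosting namespace.
    if in_reverse_zone(qname) and qtype != "PTR":
        reasons.append(f"non-PTR {qtype} query under reverse zone")
    # 2. A forward name whose CNAME answer disappears into a reverse zone.
    if qtype == "CNAME" and in_reverse_zone(rdata) and not in_reverse_zone(qname):
        reasons.append("CNAME points into reverse zone")
    # 3. AAAA answers outside global unicast space (ULA, link-local, 2001:db8::/32).
    if qtype == "AAAA":
        try:
            addr = ipaddress.IPv6Address(rdata)
        except ValueError:
            reasons.append("AAAA rdata is not a valid IPv6 address")
        else:
            if not addr.is_global:
                reasons.append(f"AAAA resolves to non-global IPv6 {addr.compressed}")
    return reasons


def scan(log_text):
    """Run the checks over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_record(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["client"], rec["qname"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.qname}: {'; '.join(f.reasons)}")
```

The three checks are deliberately narrow so the output stays reviewable: the first two never fire on ordinary reverse lookups, and the third only fires when a public name resolves into space that should not be reachable from the internet. Feed the functions your own resolver or passive-DNS export once you have adapted `LINE_RE` to its format.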

ICS/SCADA Patches: Siemens, Schneider, Moxa, Mitsubishi

We talked about Patch Tuesday yesterday, and the ICS world always makes the cut a day late for us. Siemens, Schneider Electric, Moxa, and Mitsubishi Electric all provide equipment across the manufacturing, utilities, and energy sectors. When there are vulnerabilities, address them ASAP.

  • Schneider Electric: New advisories addressing high-severity EcoStruxure IT Data Center Expert, Power Monitoring Expert, Power Operations, and Automation Expert vulnerabilities

  • Siemens: Critical stored cross-site scripting vulnerability in SIMATIC S7-1500 devices, plus vulnerabilities in Fortinet, OpenSSL, and third-party components

  • Mitsubishi: Remotely exploitable denial-of-service vulnerability in numerical control systems

  • Moxa: Four new advisories, three describing impact of Intel product vulnerabilities

CISA added some of these to the KEV catalog; pay close attention and prioritize patching.

CISA Orders Urgent N8N Automation Platform Patch

Speaking of CISA, they’re ordering federal agencies to urgently patch a remote code execution vulnerability in the N8N automation platform. The flaw is already being exploited in attacks.

Automation tools like N8N integrate with multiple systems and APIs, which makes them powerful, and dangerous when compromised. The risk is attackers leveraging a compromised automation platform to reach every enterprise system it is integrated with.

Restrict automation platforms to least-privilege API permissions when possible.

Meta Disables 150K+ Accounts Tied to Influence Campaigns

Meta announced it disabled more than 150,000 accounts tied to coordinated influence campaigns. These accounts were reportedly used to manipulate online narratives and conduct social engineering campaigns.

Influence operations increasingly blend information warfare with cybercrime tactics. Any large-scale social engineering campaign targeting users through social media networks is significant.

Good for Meta in knocking down these accounts through partnerships with authorities in Thailand, the US, UK, Canada, Korea, Japan, Singapore, the Philippines, Australia, New Zealand, and Indonesia.

Wiz Now Part of Google Cloud: $32 Billion Acquisition Closes

Finally, Wiz is now part of Google Cloud as the $32 billion acquisition has officially closed. Wiz has become one of the fastest-growing cloud security companies on the planet, focusing on cloud environment visibility and vulnerability detection.

The deal highlights how cloud security remains one of the most competitive areas in cybersecurity. Wiz joins Mandiant and the many other products already folded into Google’s security suite. Wake up, look up: Google is now a big player in cyber after this acquisition.

Action Items for Security Practitioners

Immediate Priority (Healthcare/Iran Response):

  • Review network segmentation in healthcare environments; flat networks don’t hold up against wiper malware

  • Deploy next-generation anti-malware capable of detecting wiper attacks

  • Monitor for Handela group IOCs and TTPs

  • Prepare executive/board briefing on wiper malware risks

Immediate Priority (Patching):

  • Patch Active Directory vulnerability CVE-2026-21437 immediately

  • Patch N8N automation platform RCE vulnerability—active exploitation

  • Apply Siemens, Schneider, Moxa, and Mitsubishi ICS patches per CISA KEV

  • Restrict automation platforms to least-privilege API permissions

Short-Term (This Week):

  • Expand DNS monitoring to include reverse lookup and IPv6 traffic analysis

  • Review Oracle EBS exposure if you’re a customer—Michelin is latest in cascade

  • Require tenant-level isolation in shared ERP platforms

  • Implement tiered access controls within Active Directory environments

Memorable Quotes from James Azar

“Touch grass. Get out from behind your monitor. Walk around, talk to people, crack a few jokes, have a cup of coffee with someone. I walk around the office, give people capsules for espressos, say hello. I touch grass. We become friends. Get off the internet—it’s not healthy.”

“The attackers claim to have wiped 200,000 servers using wiper malware—not ransomware, wiper malware. Russia has been playing double agent, handing malware to actors like Handela. They’re not exactly saints. If you’re in healthcare, segmentation pays off. Flat networks don’t hold up as resilient in these types of attacks.”

James Azar’s CISO’s Take

When I look at today’s stories collectively, the biggest takeaway is how cyber conflict has expanded into every layer of modern infrastructure. Healthcare devices, federal investigative systems, and enterprise cloud platforms are all now part of the same cyber threat landscape. Attackers are targeting wherever disruption, intelligence, or leverage can be achieved.

For CISOs and security practitioners, the path forward remains clear: execute the fundamentals while understanding the strategic environment around you. Strong identity controls, network segmentation, and cloud visibility remain the foundation of cyber resilience. When organizations combine those fundamentals with geopolitical awareness and strong threat intelligence, they put themselves in the best possible position to defend against the increasingly complex threats shaping the digital world.

Stay cyber safe.
