Good Day Security Gang,
🎙️ Nation-State Intrigue Meets Infrastructure Vulnerabilities in a Cyber-Charged Week
Episode 915 of the CyberHub Podcast, hosted by CISO James Azar, dropped ahead of Memorial Day weekend with a heavy-hitting lineup: a ransomware attack on a U.S. health system, Russian GRU operations against the supply chain feeding Ukraine, Chinese espionage recruiting through fake job boards, and a wave of critical vulnerabilities in enterprise products from Cisco, Versa, and GitLab. There is also something to celebrate: Microsoft and global law enforcement have dismantled the Lumma Stealer infrastructure.
Let’s dive in.
🏥 Kettering Health Hit by Interlock Ransomware, Patients Targeted by Scammers
Ohio-based nonprofit Kettering Health suffered a significant ransomware attack, likely carried out by the Interlock group, which is tracked as part of the Nefarious Mantis threat cluster. The intrusion took critical systems offline, and in its wake scammers began calling patients while impersonating hospital staff to collect payment details. Interlock RAT was reportedly deployed for reconnaissance before the ransomware stage. There is no confirmation yet on whether sensitive data was exfiltrated.
🎯 APT28 (Fancy Bear) Tracks Military Supply Chain to Ukraine
Russian GRU-affiliated APT28 is expanding its hybrid-warfare operations by targeting the entire supply chain supporting Ukraine, from defense contractors to IT providers and air traffic management systems. A joint advisory from the U.S. and allied governments confirms that APT28 is exploiting long-patched flaws, including:
Outlook NTLM credential leak (CVE-2023-23397)
WinRAR (CVE-2023-38831)
Roundcube webmail (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
APT28 also uses compromised SOHO routers and internet-exposed IP cameras, including ones near border crossings and rail stations, to watch shipments move, and relies on living-off-the-land techniques once inside a network. None of the exploited bugs are new; the group is counting on unpatched edge systems and mail servers.
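The Outlook bug in that list deserves a concrete detection, because the exploit leaves a network footprint that has nothing to do with mail content: a workstation opens SMB (or WebDAV) to a host outside the organisation when the poisoned reminder fires, with no click from the user. The script below is an added example, not part of the episode or the advisory. It runs over constructed firewall log lines in a generic key=value format and flags outbound TCP 445 to non-internal addresses, plus 80/443 connections from the same source to the same external host, which is what the WebDAV fallback looks like when SMB egress is filtered. The log format and the internal address ranges are assumptions; adapt them to your own firewall export. It also covers the "Block Legacy Exploits from APT28" item in the action list.

```python
"""Flag outbound SMB/WebDAV connections to external hosts in firewall logs.

Added example; not from the episode or the joint advisory. CVE-2023-23397 is
triggered by a calendar/task item whose reminder sound path is a UNC path on an
attacker-controlled host; Outlook then authenticates to that host with the
user's NTLM credentials without any user action. On the wire that is a
workstation opening TCP 445 (or WebDAV on 80/443 when SMB egress is blocked)
to an address outside the organisation. Log format and ranges are assumed.
"""
import ipaddress
import re

# Constructed sample lines in a generic key=value firewall export format.
SAMPLE_LOG = """\
2025-05-20T09:14:02Z src=10.0.4.17 dst=10.0.2.5 dport=445 proto=tcp action=allow
2025-05-20T09:14:05Z src=10.0.4.17 dst=203.0.113.45 dport=445 proto=tcp action=allow
2025-05-20T09:14:09Z src=10.0.4.17 dst=203.0.113.45 dport=80 proto=tcp action=allow
2025-05-20T09:15:11Z src=10.0.7.22 dst=198.51.100.8 dport=443 proto=tcp action=allow
2025-05-20T09:16:40Z src=192.168.1.30 dst=198.51.100.77 dport=445 proto=tcp action=deny
2025-05-20T09:17:03Z src=10.0.4.17 dst=198.51.100.8 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Assumed "internal" address space: RFC 1918, loopback, link-local and CGNAT.
# Deliberately not ipaddress.is_private, which also treats the documentation
# ranges used in the sample log as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

SMB_PORTS = {445}          # direct SMB
WEBDAV_PORTS = {80, 443}   # WebClient fallback when 445 is filtered


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def is_external(ip_str):
    """True when the address is outside every internal range."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def find_ntlm_leak_candidates(log_text):
    """Return alerts for outbound SMB to external hosts, plus WebDAV follow-ups.

    "high": TCP 445 to an external address. A workstation should essentially
    never do this; a denied attempt still means something on the host tried.
    "medium": 80/443 from a source to an external host that the same source
    also contacted on 445 in this log, i.e. the WebDAV fallback pattern.
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    alerts, smb_pairs = [], set()
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in SMB_PORTS and is_external(e["dst"]):
            smb_pairs.add((e["src"], e["dst"]))
            alerts.append(dict(e, severity="high"))
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in WEBDAV_PORTS and (e["src"], e["dst"]) in smb_pairs:
            alerts.append(dict(e, severity="medium"))
    return alerts


if __name__ == "__main__":
    for a in find_ntlm_leak_candidates(SAMPLE_LOG):
        print(f'{a["severity"]:6} {a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]} ({a["action"]})')
```

On the sample data this yields two "high" alerts (one allowed, one denied) and one "medium" WebDAV follow-up from the same workstation to the same external host. A deny is reported on purpose: the firewall did its job, but the host still tried to authenticate outward, which is the part worth investigating.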
🛰️ EU Sanctions GRU and Tech Supporters for Hybrid Warfare
The EU launched fresh sanctions against GRU agents and Russian tech companies allegedly supporting GPS jamming, cyber sabotage, and disinformation campaigns. Sanctioned entities include infrastructure and web hosting firms, as well as individual Kremlin influencers. But James notes—these may not meaningfully deter Moscow’s cyber war machine.
👨‍💼 China’s New Espionage Front: Job Ads for Laid-Off Feds
Chinese cyber operatives are using fake job sites and LinkedIn posts to lure laid-off U.S. federal employees into handing over resumes and other personal data that reveal clearances, projects and contacts. The domains, hosted on Tencent infrastructure and allegedly tied to front companies in Singapore, Japan, and the U.S., have surfaced as fronts for PRC recruitment operations, echoing a similar 2018 campaign that ended in a conviction.
🧹 Microsoft & DOJ Dismantle Lumma Stealer Malware Operation
In a coordinated global operation, Microsoft’s Digital Crimes Unit and U.S. law enforcement seized 2,300+ domains and the central command infrastructure of Lumma Stealer, an infostealer built to vacuum up passwords, crypto wallets, and PII. Europol and Japan’s JC3 helped take down command servers, while Microsoft sinkholed the seized domains so that traffic from infected machines now feeds threat analysis instead of the operators.
🌐 HazyHawk Hijacks Misconfigured DNS to Serve Porn via .gov Domains
Threat actor HazyHawk is hijacking dangling DNS records on .gov and other high-reputation domains, including the U.S. CDC. The records still point at cloud resources the owners deleted long ago, such as abandoned AWS S3 buckets and Azure endpoints; anyone can re-create a resource under that name, so HazyHawk claims it and the trusted hostname starts redirecting visitors to scam pages and explicit content. This is a wake-up call to clean up legacy DNS assets before attackers do it for you.
🚨 Versa Networks Hit by Trio of Critical Vulnerabilities
A set of three critical CVEs in Versa Concerto, the orchestration and management platform for Versa’s SD-WAN and SASE deployments, can be chained for unauthenticated RCE and full host compromise:
CVE-2025-34027 (CVSS 10.0): inconsistent URL decoding lets requests bypass authentication, leading to RCE
CVE-2025-34026 (CVSS 9.2): the reverse proxy honors client-supplied X-Real-IP headers, exposing administrative endpoints that were meant to be reachable only from localhost
CVE-2025-34025 (CVSS 8.6): a Docker configuration flaw bind-mounts host paths into the container, letting an attacker overwrite a binary that cron runs on the host
Exploit activity is now live. Patching is urgent for enterprise WANs, MSPs, and government users; until the fix is applied, keep the Concerto management plane off the internet and reachable only from trusted admin networks.
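The X-Real-IP issue is an instance of a bug class that is easy to reproduce in any stack: a backend that decides "this caller is local" from a forwarded-for style header will believe any client that writes the header itself, unless the proxy overwrites client-supplied copies and the backend trusts the header only when the TCP peer is the proxy. The following added example (mine, not Versa’s code, and not a reproduction of the Concerto bug) models the weak check next to the corrected one in Python with requests as plain dicts; the proxy address, the local-only path prefixes, and the request scenarios are all assumptions.

```python
"""Loopback-only endpoints behind a reverse proxy: header trust done wrong and right.

Added example showing the general bug class, not Versa Concerto's code. Requests
are plain dicts: {"path": ..., "headers": {...}, "peer": "<tcp peer address>"}.
"""
import ipaddress

# Assumed deployment: a single reverse proxy at 10.0.0.5 in front of the backend.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
# Assumed paths the application intends to expose only to loopback callers.
LOCAL_ONLY_PREFIXES = ("/actuator/", "/internal/")


def proxy_forward(client_request, proxy_addr="10.0.0.5"):
    """Model of a correctly configured reverse-proxy hop.

    It discards any client-supplied X-Real-IP, replaces it with the peer
    address it actually saw, and connects to the backend from its own address.
    A proxy that merely passes headers through is the weak setting.
    """
    headers = {k: v for k, v in client_request["headers"].items()
               if k.lower() != "x-real-ip"}
    headers["X-Real-IP"] = client_request["peer"]
    return {"path": client_request["path"], "headers": headers, "peer": proxy_addr}


def vulnerable_is_local(request):
    """Weak check: prefers X-Real-IP over the socket peer, whoever set it."""
    claimed = request["headers"].get("X-Real-IP", request["peer"])
    return ipaddress.ip_address(claimed).is_loopback


def hardened_is_local(request):
    """Corrected check: start from the socket peer; use the header only behind a trusted proxy."""
    peer = ipaddress.ip_address(request["peer"])
    if peer in TRUSTED_PROXIES:
        hdr = request["headers"].get("X-Real-IP")
        # The proxy always sets this; absence means misconfiguration, so fail closed.
        return hdr is not None and ipaddress.ip_address(hdr).is_loopback
    # Any other peer is talking to us directly, so its headers are attacker-controlled.
    return peer.is_loopback


def handle(request, is_local):
    """Return an HTTP status for the request using the supplied locality check."""
    if request["path"].startswith(LOCAL_ONLY_PREFIXES) and not is_local(request):
        return 403
    return 200


# Constructed scenarios.
ATTACKER_DIRECT = {  # attacker reaches the backend port directly and forges the header
    "path": "/actuator/env", "headers": {"X-Real-IP": "127.0.0.1"}, "peer": "198.51.100.10"}
ATTACKER_VIA_PROXY = proxy_forward(ATTACKER_DIRECT)  # same forgery, but through the proxy
ADMIN_LOCAL = {  # operator on the host itself, e.g. over an SSH tunnel
    "path": "/actuator/env", "headers": {}, "peer": "127.0.0.1"}
PROXY_MISSING_HEADER = {  # proxy forwarded without setting X-Real-IP at all
    "path": "/actuator/env", "headers": {}, "peer": "10.0.0.5"}


if __name__ == "__main__":
    for name, req in [("attacker direct", ATTACKER_DIRECT),
                      ("attacker via proxy", ATTACKER_VIA_PROXY),
                      ("admin local", ADMIN_LOCAL),
                      ("proxy w/o header", PROXY_MISSING_HEADER)]:
        print(f"{name:20} vulnerable={handle(req, vulnerable_is_local)} "
              f"hardened={handle(req, hardened_is_local)}")
```

The point the scenarios make: a forged header only works when the attacker can reach the backend with the proxy out of the path (or through a proxy that passes the header untouched), so both halves are needed. The proxy must rewrite the header, and the backend must refuse to read it from anyone but the proxy and fail closed when it is missing.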
🔐 Cisco Issues Patches for High-Risk ISE and Intelligence Center Bugs
Two notable vulnerabilities fixed:
CVE-2025-20152: a remote, unauthenticated flaw in RADIUS message handling that can crash Cisco Identity Services Engine (ISE)
CVE-2025-20113: an authenticated privilege escalation in Cisco Unified Intelligence Center
ISE is the policy decision point for network access control, so a RADIUS-triggered DoS can take authentication down for the entire network. Admin teams should update immediately.
🧩 GitLab & Atlassian Drop Critical Patches
GitLab patched 10 vulnerabilities in Community and Enterprise Edition, including:
CVE-2025-0993: a DoS flaw that lets an authenticated user exhaust server resources
Atlassian patched six high-severity bugs across:
Bamboo
Confluence
Jira
Crucible
Fisheye
Most involve third-party libraries and could lead to DoS or privilege escalation.
✅ Action List for Security Teams & Decision-Makers
Patch Versa Immediately: CVE-2025-34027 is being exploited and needs no authentication; update Concerto now.
Reaudit DNS Records: Search your zones for CNAMEs and other records pointing at S3 buckets, Azure endpoints, or other cloud storage you no longer control, and delete them.
Monitor Job Postings for Red Flags: Federal orgs must brief employees on China’s new espionage tactic via fake recruiting.
Update Cisco ISE & Unified Intelligence Center: Prevent DoS and privilege abuse risks immediately.
Educate Healthcare Staff: Run phishing simulations and monitor post-breach fraud attempts in healthcare orgs.
Block Legacy Exploits from APT28: Confirm the Exchange, Outlook, WinRAR, and Roundcube bugs in the advisory are patched, and restrict outbound SMB from workstations, since the Outlook flaw leaks NTLM credentials to attacker-controlled shares.
Run Simulations with GRU TTPs: Use the new advisory from Western governments to test your organization’s readiness.
Encourage Alumni OpSec: Guide laid-off employees in sensitive industries to avoid revealing too much on resumes.
Get Latest GitLab & Atlassian Patches: Apply updates to community and enterprise editions alike.
Celebrate Wins: Microsoft’s Luma Stealer takedown is a big one—share with your teams and encourage more collaborative defense.
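The DNS audit item above, and the HazyHawk story earlier, come down to one check: find records that still point at a cloud resource the organisation no longer controls. The script below is an added example, not a tool from the podcast or from the HazyHawk research. It parses a constructed BIND-style zone export for a fictional domain, picks out CNAMEs whose target sits on a provider suffix where a deleted resource can be re-created by anyone, and reports those whose target no longer exists. The suffix list, the zone data, and the existence answers are assumptions made so it runs offline.

```python
"""Find DNS records that point at cloud resources nobody owns any more.

Added example, not from the episode or the HazyHawk research. A CNAME that still
points at an S3 bucket, Azure web app, CloudFront distribution or similar that
has since been deleted is claimable by whoever creates that resource name next.
The zone data and the existence answers are constructed; plug in a real resolver
and HTTP probe (and your own zone exports) to use it for real.
"""
import re

# Provider suffixes where "resource gone" means "anyone can take the name".
# Assumed list; extend it for the providers you use.
CLAIMABLE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".s3-website-us-east-1.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".cloudfront.net",
    ".github.io",
    ".herokuapp.com",
)

# Constructed BIND-style zone export for a fictional domain (agency.example).
ZONE_EXPORT = """\
$ORIGIN agency.example.
@                3600 IN A     192.0.2.10
www              3600 IN CNAME agency-prod.azurewebsites.net.
covid-data       3600 IN CNAME covid-data-archive.s3.amazonaws.com.
legacy-portal    3600 IN CNAME d1oldportal.cloudfront.net.
reports          3600 IN CNAME reports-live.azurewebsites.net.
mail             3600 IN MX    10 mail.agency.example.
"""

# Constructed answers for the existence check: True = the cloud resource still
# exists, False = NXDOMAIN or a provider "no such resource" response.
RESOURCE_EXISTS = {
    "agency-prod.azurewebsites.net": True,
    "covid-data-archive.s3.amazonaws.com": False,
    "d1oldportal.cloudfront.net": False,
    "reports-live.azurewebsites.net": True,
}

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_zone(text):
    """Yield (fqdn, type, data) from a BIND-style zone, expanding $ORIGIN and @."""
    origin = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        yield fqdn, m.group("type"), m.group("data").strip()


def find_dangling(zone_text, resource_exists):
    """Return CNAMEs whose target is a claimable cloud name that no longer exists.

    `resource_exists` is a callable host -> bool so the check runs offline here
    and against live DNS/HTTP in production.
    """
    findings = []
    for fqdn, rtype, data in parse_zone(zone_text):
        if rtype != "CNAME":
            continue
        target = data.rstrip(".").lower()
        if target.endswith(CLAIMABLE_SUFFIXES) and not resource_exists(target):
            findings.append({"name": fqdn, "target": target})
    return findings


if __name__ == "__main__":
    for f in find_dangling(ZONE_EXPORT, lambda h: RESOURCE_EXISTS.get(h, False)):
        print(f'DANGLING {f["name"]} -> {f["target"]}')
```

One caveat for the live version: for S3, a name like bucket.s3.amazonaws.com resolves in DNS whether or not the bucket exists, so the `resource_exists` callable you plug in must make an HTTP request to the target and treat a NoSuchBucket response as "gone" rather than relying on NXDOMAIN. Unknown hosts default to "gone" in the demo lambda so that a typo in the lookup table fails loud rather than quietly passing.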
🔚 That’s it for today’s CyberHub Podcast. We’ll be off Friday, but back Monday at 9AM EST for a special Memorial Day edition.
Subscribe at CyberHubPodcast.com for full transcripts, Saturday articles, and daily cyber summaries right to your inbox.
Until next time—thank you for tuning in, and most importantly, y’all stay cyber safe.
✅ Story Links:
https://www.cybersecuritydive.com/news/china-espionage-campaign-laid-off-workers/748607/
https://www.securityweek.com/cisco-patches-high-severity-dos-privilege-escalation-vulnerabilities/
https://www.securityweek.com/gitlab-atlassian-patch-high-severity-vulnerabilities/
https://www.bankinfosecurity.com/scammers-troll-dns-records-for-abandoned-cloud-accounts-a-28456
https://therecord.media/eu-sanctions-orgs-individuals-tied-to-russia-disinformation
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Website:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.