Good morning, Security Gang,
Before we dive in, let me frame what we’re seeing today. The stories we’re covering this morning represent the full spectrum of modern cyber threats – from nation-state espionage to financially motivated cybercrime, from supply chain attacks to critical infrastructure targeting. What strikes me looking at today’s lineup is how the threat landscape has matured. We’re not just dealing with opportunistic attacks anymore.
We’re seeing calculated campaigns by well-resourced adversaries who understand supply chains, who weaponize trusted platforms like LinkedIn, and who are specifically targeting AI infrastructure because they know that’s where the value is. Whether you’re defending a government agency, a manufacturing plant, or a software development shop, today’s stories have lessons for you. So let’s get into it.
LG Energy Solution ransomware (Akira claims 1.7TB)
I opened with LG Energy Solution confirming a ransomware incident at one overseas site. The Akira gang claims ~1.7 TB of corporate data, including some employee information. HQ operations continue, and the affected facility is back online while forensics proceed.
Impact to business: Production interruptions, IP exposure on next-gen batteries, and downstream risk for automotive OEMs tied to LG’s supply chain.
Mitigations:
Segment plant networks from corporate IT; restrict vendor remote access to time-boxed, jump-hosted sessions.
Validate immutable/offline backups of MES/ERP and run a timed restore.
Hunt Akira TTPs: data staging on NAS, exfil via rclone/rsync, and new SFTP services on unusual hosts.
MI5: Chinese intel is mass-recruiting via LinkedIn
MI5 warned UK lawmakers that actors linked to China’s MSS are approaching targets on LinkedIn en masse to build influence and harvest information.
Impact: Executives, board members, researchers, and policy staff are prime for tailored asks (briefings, “research collaborations,” conference invites). This often precedes credential theft or insider recruitment.
Mitigations:
Enforce phishing-resistant MFA and session risk checks on VIP accounts.
Mandatory LinkedIn hygiene training; verify sensitive requests via a second channel.
Add DLP rules for uploads from executive devices to personal clouds/DMs.
CBO: “Hackers expelled” from congressional email
The Congressional Budget Office director testified that a foreign actor compromised a subset of email accounts; the intruders were detected and expelled, with operations continuing.
Impact: Anyone corresponding with Hill staff should expect follow-on spear-phishing that leverages stolen context.
Mitigations:
Tighten DMARC/DKIM/SPF on policy domains and add external-sender banners for government threads.
Detections for bulk mailbox export, suspicious OAuth grants, and new inbox rules on policy teams.
Rotate any API keys used by scheduling/CRM integrations tied to those mailboxes.
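The three mailbox detections above (bulk export, suspicious OAuth grants, new inbox rules) are the same ones that cover the "silent mailbox access" and "consented apps" bullets later in the show, so here is one worked version of them as an added example. This is not code from the show or from any vendor; the events are constructed, with field and operation names modelled loosely on M365 unified audit log records, and `INTERNAL_DOMAINS` and `HIGH_RISK_SCOPES` are assumptions you would fill in for your own tenant.

```python
import json

INTERNAL_DOMAINS = {"policy.example"}  # assumption: your own mail domains
# Assumption: Graph permissions you consider sensitive enough to alert on when a user consents to them
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                    "offline_access", "Files.ReadWrite.All"}

# Constructed sample events (not real data). Shape loosely follows unified audit log records.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-11-20T08:01:00", "UserId": "analyst1@policy.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-collect.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-20T08:15:00", "UserId": "analyst2@policy.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-11-20T09:40:00", "UserId": "svc-admin@policy.example",
     "Operation": "New-MailboxExportRequest",
     "Parameters": [{"Name": "Mailbox", "Value": "director@policy.example"},
                    {"Name": "FilePath", "Value": "\\\\fs01\\exports\\director.pst"}]},
    {"CreationTime": "2025-11-20T10:05:00", "UserId": "analyst1@policy.example",
     "Operation": "Consent to application.", "AppDisplayName": "Mail Reader Pro",
     "ConsentScopes": "Mail.ReadWrite offline_access openid"},
]


def _param(event, name):
    """Look up a cmdlet parameter by name in the event's Parameters list (None if absent)."""
    for p in event.get("Parameters", []):
        if p["Name"] == name:
            return p["Value"]
    return None


def _domain(address):
    """Mail domain of an address; tolerates the 'smtp:' prefix Exchange uses in rule parameters."""
    return address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]


def detect(events):
    """Run the three rules over audit events and return a list of findings."""
    findings = []
    for e in events:
        op, user, ts = e["Operation"], e["UserId"], e["CreationTime"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            # Rule 1: inbox rule that sends mail outside our domains. Deleting the original is worse:
            # the victim never sees the forwarded thread.
            target = (_param(e, "ForwardingSmtpAddress") or _param(e, "ForwardTo")
                      or _param(e, "RedirectTo"))
            if target and _domain(target) not in INTERNAL_DOMAINS:
                sev = "high" if _param(e, "DeleteMessage") == "True" else "medium"
                findings.append({"rule": "external_forwarding_rule", "user": user, "time": ts,
                                 "severity": sev,
                                 "detail": f"rule '{_param(e, 'Name')}' forwards to {target}"})
        elif op == "New-MailboxExportRequest":
            # Rule 2: any mailbox export is worth a ticket; it is rare in normal operations.
            findings.append({"rule": "mailbox_export", "user": user, "time": ts, "severity": "high",
                             "detail": f"export of {_param(e, 'Mailbox')} to {_param(e, 'FilePath')}"})
        elif op == "Consent to application.":
            # Rule 3: user consent granting mail-reading or long-lived (offline_access) permissions.
            risky = sorted(set(e.get("ConsentScopes", "").split()) & HIGH_RISK_SCOPES)
            if risky:
                findings.append({"rule": "risky_oauth_consent", "user": user, "time": ts,
                                 "severity": "high", "scopes": risky,
                                 "detail": f"'{e.get('AppDisplayName')}' granted {' '.join(risky)}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(json.dumps(f))
```

The benign "move to folder" rule produces no finding, which is the point of checking the forwarding target's domain rather than alerting on every new rule. In production the same logic sits behind whatever pulls your audit log (Search-UnifiedAuditLog, a SIEM connector), scoped to the policy-team mailboxes.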
Google flags new Iran-linked backdoors
Google researchers detailed fresh backdoor families tied to Iranian units, leaning on credential theft, living-off-the-land PowerShell, and cloud persistence.
Impact: Long-dwell espionage against defense, energy, academia, and government contractors; theft of plans, bids, and R&D.
Mitigations:
Block consumer C2 channels (Telegram/Discord) from corporate hosts; enable AMSI + PowerShell transcription.
Cloud hunts for newly minted service principals, anomalous tokens, and silent mailbox access.
Enforce admin MFA + device health and rotate long-lived secrets.
National cyber strategy preview: “shape adversary behavior”
ONCD leadership previewed a shorter, more operational strategy focused on imposing costs, faster public-private execution, and sector exercises.
Impact: Expect more joint advisories, takedowns, and asks for rapid telemetry sharing.
Mitigations:
Identify your government touchpoints now; prep an NDA’d “break-glass” bundle (asset map, SBOMs, contacts).
Map which of your services qualify as “essential” and align reporting/IR timelines.
Cloudflare outage — operational, not an attack
A highly disruptive global outage wasn’t caused by an attack; it was an internal operational issue.
Impact: Even when it’s “not cyber,” your apps and SSO still go dark. Customer support spikes, SLAs take a hit.
Mitigations:
Multi-CDN or fail-open for static assets; synthetic checks that differentiate CDN vs origin failures.
Status-page webhooks wired into your incident comms; graceful-degradation modes for auth.
FortiWeb zero-day actively exploited
Fortinet warned of CVE-2025-58034 (OS command injection) under active exploitation; earlier mass-exploited CVE-2025-64446 enabled rogue admin creation. Fixed trains include ~8.0.2+ / 7.6.6+ / 7.4.11+ / 7.2.12+ / 7.0.12+.
Impact: WAF takeover → tampered rules, credential theft, pivots to internal apps.
Mitigations (do now):
Patch; remove internet-exposed management; IP-allowlist admin plane.
Hunt for new/unknown admin accounts, odd POSTs to admin endpoints, and config drift.
Add WAF policy immutability alerts (hash configs; alert on change outside CAB windows).
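The "hash configs; alert on change outside CAB windows" bullet is simple enough to script, so here is an added example of that check. It is not Fortinet's code or a FortiWeb feature: the config dictionary is a constructed stand-in for whatever you export from the appliance, the keys are hypothetical, and the CAB windows are made up. The logic (canonical hash, compare to a stored baseline, classify the change by whether it fell inside an approved window, report which keys drifted) is what you would wire into a cron job or your config-backup pipeline.

```python
import hashlib
import json
from datetime import datetime

# Constructed baseline snapshot. Keys are hypothetical, not FortiWeb's export format;
# the real baseline is whatever your config export produces, stored after the last approved change.
BASELINE_CONFIG = {
    "admin_users": ["admin", "waf-ops"],
    "mgmt_allowlist": ["10.0.5.0/24"],
    "policies": [{"name": "web-app-1", "mode": "block", "signatures": "strict"}],
}

# Approved change-control (CAB) windows as ISO-8601 UTC pairs, constructed for the example.
CAB_WINDOWS = [("2025-11-20T22:00:00+00:00", "2025-11-21T02:00:00+00:00")]


def config_hash(cfg: dict) -> str:
    """SHA-256 over a canonical JSON form (sorted keys, no whitespace) so key order never causes false drift."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def in_cab_window(observed_at: str) -> bool:
    """True if the observation timestamp falls inside any approved change window."""
    ts = datetime.fromisoformat(observed_at)
    return any(datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)
               for start, end in CAB_WINDOWS)


def diff_keys(baseline: dict, current: dict) -> list:
    """Top-level keys whose value changed, so the alert says what drifted (e.g. admin_users)."""
    return sorted(k for k in set(baseline) | set(current) if baseline.get(k) != current.get(k))


def check_drift(baseline: dict, current: dict, observed_at: str) -> dict:
    """Verdict: unchanged, approved_change (inside CAB), or ALERT_unapproved_change (outside CAB)."""
    current_hash = config_hash(current)
    if current_hash == config_hash(baseline):
        return {"status": "unchanged", "hash": current_hash, "changed": []}
    status = "approved_change" if in_cab_window(observed_at) else "ALERT_unapproved_change"
    return {"status": status, "hash": current_hash, "changed": diff_keys(baseline, current)}


if __name__ == "__main__":
    # Constructed drift: an extra admin account shows up the morning after the change window closed.
    tampered = {**BASELINE_CONFIG, "admin_users": ["admin", "waf-ops", "support_x9"]}
    print(check_drift(BASELINE_CONFIG, tampered, "2025-11-21T09:30:00+00:00"))
```

Two design notes. The baseline hash should live somewhere the WAF admin plane cannot write to (a separate repo or object store with its own credentials), otherwise an intruder with admin rights can re-baseline their own change. And an approved change still needs to be diffed and the baseline re-stored by the change owner; the script only tells you the change happened in a window, not that it matched the ticket.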
“ShadowRay” hijacks Ray clusters to mine crypto
New attacks convert exposed or weakly secured Ray (AI/ML) clusters into miners, abusing open dashboards, permissive security groups, and cloud creds on nodes.
Impact: Surprise cloud bills, throttled training jobs, and possible data leakage from shared volumes.
Mitigations:
Require auth on Ray Dashboard/Serve; restrict ports via security groups/VPC; block public exposure.
Rotate node/API creds; baseline job schedules to spot rogue workloads; quota alerts for GPU/CPU spikes.
Seven npm packages using Adspect cloaking to push crypto scams
Researchers found seven npm packages (e.g., signals-embed, integrator-2829, integrator-2830) fingerprinting visitors and cloaking behavior to evade analysis, redirecting to scam pages.
Impact: Developer supply-chain contamination and potential injection into web apps.
Mitigations:
Enforce version pinning and private mirrors (Artifactory/Nexus); quarantine low-reputation publishers in CI.
Turn on SCA with policy to block new packages by default; rotate any tokens on machines that installed the packages.
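Here is an added example of a CI gate that enforces the two bullets above: exact version pinning in package.json, every lockfile entry resolved from your private mirror, and a quarantine list that blocks named packages. It is not the researchers' code or any SCA product; the package.json and package-lock.json are constructed, `npm.mirror.internal` is a placeholder for your Artifactory/Nexus host, and the quarantine set simply reuses the three package names reported above (in practice you would feed it from your SCA policy).

```python
import json
import re
from urllib.parse import urlparse

PRIVATE_MIRROR_HOSTS = {"npm.mirror.internal"}  # placeholder: your Artifactory/Nexus hostname
# Names from the report above; in practice populate this from your SCA/reputation feed
QUARANTINED = {"signals-embed", "integrator-2829", "integrator-2830"}
# Exact semver only: no ^, ~, ranges, tags or "latest"
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

# Constructed sample manifests (not a real project)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "web-app",
    "dependencies": {"express": "4.19.2", "signals-embed": "^1.0.0"},
    "devDependencies": {"eslint": "~9.0.0"},
})
SAMPLE_LOCKFILE = json.dumps({
    "name": "web-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-app"},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://npm.mirror.internal/express/-/express-4.19.2.tgz"},
        "node_modules/signals-embed": {
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/signals-embed/-/signals-embed-1.0.3.tgz"},
    },
})


def check_manifest(pkg: dict) -> list:
    """Flag unpinned version specs and quarantined names in dependencies/devDependencies."""
    issues = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                issues.append(f"unpinned: {name}@{spec}")
            if name in QUARANTINED:
                issues.append(f"quarantined: {name}")
    return issues


def check_lockfile(lock: dict) -> list:
    """Flag lockfile entries fetched from anywhere but the private mirror, plus quarantined names."""
    issues = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):      # root project or workspace symlink
            continue
        name = path.split("node_modules/")[-1]   # handles scoped and nested packages
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in PRIVATE_MIRROR_HOSTS:
            issues.append(f"off-mirror: {name} <- {host}")
        if name in QUARANTINED:
            issues.append(f"quarantined: {name} (lockfile)")
    return issues


def ci_gate(package_json_text: str, lockfile_text: str) -> dict:
    """Combine both checks; a non-empty issue list fails the build."""
    issues = check_manifest(json.loads(package_json_text)) + check_lockfile(json.loads(lockfile_text))
    return {"pass": not issues, "issues": issues}


if __name__ == "__main__":
    print(json.dumps(ci_gate(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE), indent=2))
```

The lockfile check is the one that matters most: package.json can say "4.19.2" while the lock points at an unexpected registry, and `npm ci` installs what the lock says. Run the gate before `npm ci` in the pipeline and fail closed on any issue.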
Suspected Void Blizzard member detained in Thailand
Thai authorities arrested a Russian national allegedly tied to the APT commonly linked to spear-phishing against Western targets; U.S. extradition is possible.
Impact: Short-term disruption of certain phishing/infrastructure clusters; expect quick rebrands.
Mitigations:
Keep O365/Entra phishing detections hot: impossible travel on fresh sessions, suspicious prompt=login spikes, and consented apps.
Rotate credentials/tokens exposed to recent phishing runs; rehearse extortion-only incident flows.
Action List (move these today)
Edge: Patch FortiWeb (CVE-2025-58034); lock admin plane behind allowlists; hunt for rogue admins and config drift.
AI/ML: Lock down Ray dashboards/ports; rotate node creds; set cloud spend + GPU/CPU alarms.
VIP security: Train execs on LinkedIn honeytraps; enforce phishing-resistant MFA and second-channel verification.
Email/Cloud: Add detections for mailbox exports, OAuth grants, and external-forwarding rules on policy teams.
Supply chain: Pin npm deps; use a private mirror; auto-quarantine new/low-reputation packages in CI.
Resilience: Wire multi-CDN or graceful-degradation for critical apps; route status-page signals into on-call comms.
IR prep: Assemble your NDA’d gov-sharing bundle (asset maps, SBOMs, contacts) ahead of the new strategy asks.
CISO Talk by James Azar
This slate reinforces three truths: identity, edge, and vendors are still the fastest paths to material impact; attackers don’t need novel zero-days when exposed admin planes, weak auth, and helpful wizards are everywhere; and “not an attack” outages still cost you money and goodwill. If you anchor this week on FortiWeb, Ray, and LinkedIn hygiene for VIPs, you’ll measurably reduce incident probability and blast radius.
Strategically, the ONCD’s “shape adversary behavior” line matters. Expect more asks for telemetry and faster joint operations. Be ready with a pre-agreed sharing package and a clear decision tree on what you’ll provide and when. Meanwhile, assume Iran-linked operators will live in your cloud tenants by abusing the controls you already have. Treat service principals and access tokens as crown jewels, not convenience features.
That’s the set. If it touches identity, your edge, or your vendors, it’s in your blast radius this week—treat it that way. Patch FortiWeb, lock down Ray, brief the execs on LinkedIn outreach, and make your CDN/SSO failures boring.
Thank you all for tuning in this morning. Have a great rest of your day, and most importantly, y’all stay cyber safe.