CISO Talk by James Azar
CyberHub Podcast
Luxembourg Telecom Suffers Major Outage in Reported Cyberattack, Hackers Leak Purported Aeroflot Passenger Data Online, Russia's FSB and Turla Launch Espionage Campaign Against Foreign Embassies


Luxembourg's Huawei Infrastructure Targeted, Russia's ISP-Level Embassy Espionage, and SharePoint Ransomware Surge at Hacker Summer Camp

Good Morning Security Gang!

Welcome to a Hacker Summer Camp edition of the CyberHub Podcast. I’m your host James Azar coming to you from Las Vegas—where the energy is high, the espresso is weak (I’m looking at you, Starbucks), and the cybersecurity conversations are on fire.

Despite BlackHat deciding I’m not media enough for a badge (more on that later), I’m still out here covering the biggest headlines shaping our industry right now.

From Luxembourg’s telecom outage and Aeroflot’s data drama to a fresh wave of SharePoint ransomware and Microsoft uncovering Russian ISP-level espionage, this episode is loaded. Let’s jump in.

👀 SHOW Supporters:

Today's episode is supported by our friends at Threat Locker. https://www.threatlocker.com/cyberhub

📡 Luxembourg Telecom Infrastructure Brought Down in Huawei-Linked Cyberattack

Luxembourg experienced a three-hour telecom blackout affecting 4G/5G networks, internet, and mobile banking due to a cyberattack exploiting Huawei routers inside its national telecom backbone. The fallback to 2G failed to support traffic loads, exposing a lack of emergency preparedness. The government confirms it was an intentional attack and is now urging any entity using Huawei Enterprise routers to notify the country’s CSIRT. This appears to be a rare westward cyber strike against Chinese equipment on European soil.

✈ Aeroflot Denies Breach… But Flight Records Leak

Aeroflot continues to deny a cyber breach, yet leaked flight data allegedly linked to the airline’s CEO has surfaced, showing 30+ flights across 2024–2025. Belarusian hacktivists Cyber Partisans claim responsibility, saying they’ve had access for over a year. Russia’s Internet Watchdog calls the leak unconfirmed, while critics (myself included) note the typical denial tactics of authoritarian regimes. As I said on the show: “Show us the meat—or stop pretending nothing happened.”

"We know Russians lie, we know Russian state media lies – that's what they do. They deny bad things to save face because that's a common trait of communism." James Azar

🕵️‍♂️ Kremlin Espionage at the ISP Level

Microsoft revealed that Russia’s Secret Blizzard (a.k.a. Turla) is running adversary-in-the-middle (AitM) campaigns against foreign embassies in Moscow by intercepting internet traffic at the local ISPs. Their ApolloShadow malware masquerades as antivirus software and is delivered through fake captive portals. This raises alarm bells about data integrity in hostile territories and highlights why embassies need hardened, end-to-end encryption, not blind trust in “host nation” infrastructure.

💥 SharePoint Ransomware Wave Grows with ToolShell Exploits

A new ransomware variant (4L4MD4R) was found leveraging the ToolShell SharePoint exploit chain. The malware demands 0.005 BTC per infection and rides on a vulnerability that Chinese state actors initially weaponized. Now other cybercriminals are piggybacking on it to launch their own payloads. Microsoft and Google have both linked the original exploitation to China—but the picture is now muddied by second-wave actors.

📞 Chinese APTs Target Southeast Asian Telecoms

Palo Alto Networks’ Unit 42 disclosed that a Chinese state-aligned group (linked to Liminal Panda and Light Basin) breached multiple telecom operators in Southeast Asia. The group used stealthy tools such as GTPDOOR, EchoBackdoor, and Cordscan to maintain remote access and exfiltrate geolocation and packet data. Their operational discipline, variety of backdoors, and telecom-specific tactics signal a very strategic and well-funded operation.

The threat actor maintained high operational security and employed various defensive evasion techniques to avoid detection. The cluster is tracked by CrowdStrike as Liminal Panda, a Chinese-nexus espionage group that could be related to another Chinese threat actor known as Light Basin. They employ brute-force techniques against SSH authentication for initial access, then use that foothold to drop AuthDoor, a malicious pluggable authentication module (PAM).

Their toolset is sophisticated:

  • Cordscan, for network scanning and packet capture

  • GTPDOOR, malware designed for telecom networks adjacent to GPRS roaming exchanges

  • EchoBackdoor, a passive backdoor that listens for ICMP echo request packets

  • SGSN emulator software, used to tunnel traffic through telecom networks and bypass firewall restrictions

  • ChronosRAT, a modular ELF binary capable of shellcode execution, file operations, keylogging, port forwarding, remote shell, screenshot capture, and proxying
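The initial-access pattern described above (SSH password brute force, then a planted PAM module) is one a telecom defender can watch for directly. The following is an added example written for this post, not code from Unit 42 or the podcast: it flags sources that cross a failure threshold in sshd logs, raises the higher-value alert when such a source then logs in successfully, and audits a PAM stack for modules outside a known-good allowlist. The auth.log lines, the /etc/pam.d/sshd excerpt, the module name `pam_authx.so` and the allowlist are all constructed for illustration.

```python
# Added example: defender-side checks for the intrusion pattern described above
# (SSH password brute force for initial access, then a malicious PAM module).
# Not code from Unit 42 or the podcast; log lines, PAM excerpt and allowlist
# are constructed for illustration.
import re
from collections import defaultdict

# Constructed auth.log excerpt: one source hammers root, then gets in.
SAMPLE_AUTH_LOG = """\
Aug  6 03:14:01 sgw01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Aug  6 03:14:03 sgw01 sshd[2203]: Failed password for root from 203.0.113.45 port 51024 ssh2
Aug  6 03:14:05 sgw01 sshd[2205]: Failed password for root from 203.0.113.45 port 51026 ssh2
Aug  6 03:14:07 sgw01 sshd[2207]: Failed password for root from 203.0.113.45 port 51028 ssh2
Aug  6 03:14:09 sgw01 sshd[2209]: Failed password for root from 203.0.113.45 port 51030 ssh2
Aug  6 03:14:11 sgw01 sshd[2211]: Failed password for root from 203.0.113.45 port 51032 ssh2
Aug  6 03:14:20 sgw01 sshd[2215]: Accepted password for root from 203.0.113.45 port 51040 ssh2
Aug  6 03:15:02 sgw01 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Aug  6 03:16:00 sgw01 sshd[2240]: Accepted publickey for ops from 192.0.2.10 port 40000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def find_bruteforce_sources(log_text, threshold=5):
    """Return {ip: failure_count} for sources at or above the threshold."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def find_success_after_failures(log_text, threshold=5):
    """Return [(ip, user, method)] for logins that follow a failure burst
    from the same source: the highest-value alert in this pattern."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group("ip")] >= threshold:
            hits.append((m.group("ip"), m.group("user"), m.group("method")))
    return hits


# Constructed /etc/pam.d/sshd excerpt; pam_authx.so is a hypothetical
# unexpected module standing in for a planted PAM backdoor.
SAMPLE_PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth       required     pam_env.so
auth       required     pam_unix.so nullok
auth       optional     pam_authx.so
account    required     pam_nologin.so
account    include      common-account
session    required     pam_limits.so
@include common-session
"""

# Assumed allowlist; a real baseline comes from the distro's package manifest.
PAM_ALLOWLIST = frozenset({
    "pam_env.so", "pam_unix.so", "pam_nologin.so", "pam_limits.so",
    "pam_deny.so", "pam_permit.so", "pam_systemd.so", "pam_loginuid.so",
})


def find_unexpected_pam_modules(pam_text, allowlist=PAM_ALLOWLIST):
    """Return module names referenced in a PAM stack that are not allowlisted."""
    unexpected = []
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        parts = line.split()
        # Layout is: type control module [args]; "include"/"substack"
        # controls reference another stack file rather than a module.
        if len(parts) < 3 or parts[1] in ("include", "substack"):
            continue
        module = parts[2].rsplit("/", 1)[-1]
        if module.endswith(".so") and module not in allowlist:
            unexpected.append(module)
    return unexpected


if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_AUTH_LOG))
    print("success after burst:", find_success_after_failures(SAMPLE_AUTH_LOG))
    print("unexpected PAM modules:", find_unexpected_pam_modules(SAMPLE_PAM_SSHD))
```

The success-after-burst check matters more than the raw failure count: a source that fails six times and then authenticates is exactly the sequence that precedes a PAM implant, so it deserves a page, not just a dashboard tick. The PAM audit is deliberately allowlist-based rather than blocklist-based, since the point of a planted module is that nobody has seen its name before.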

💻 Cursor IDE Vulnerability Affects Developers

A new CVE has been disclosed affecting Cursor—an AI-powered IDE used by thousands of developers. The exploit allows unauthorized code execution and potential access to sensitive codebases. A patch is now available, and teams relying on AI coding assistants should upgrade immediately.

🧬 Illumina Fined $9.8M Over Software Vulnerabilities

Biotech firm Illumina agreed to pay $9.8M in a DOJ settlement for selling vulnerable software to federal agencies between 2016 and 2023. The case was filed under the False Claims Act, holding vendors accountable for cybersecurity failings in government contracts. It’s a shot across the bow for compliance-lagging vendors.

🧪 U.S. Senate Introduces Quantum Cybersecurity Migration Strategy

A bipartisan bill from Senators Peters and Blackburn aims to formalize a federal strategy for quantum-resilient cybersecurity. The White House Office of Science and Tech Policy would oversee planning for migrating federal systems before quantum computing renders current encryption obsolete. The message is clear: post-quantum threats are real, and we can’t wait until it’s too late.

🏛 Trump Confirms Sean Cairncross as National Cyber Director

Cairncross has officially been confirmed as the new National Cyber Director. Though lacking direct cybersecurity credentials, he brings high-level experience from the RNC and the Millennium Challenge Corporation. His leadership will shape U.S. cybersecurity policy at the executive level during President Trump’s second term.

💼 Cyber M&A Reshapes the Industry

Hacker Summer Camp feels different this year—and that’s because the landscape just changed.

  • Palo Alto shocked the industry by acquiring CyberArk for $25 billion (yes, billion). The CyberArk deal especially stunned me - this is a negative-earning company with a -235 P/E ratio, and I still can’t figure out the logic. As I said: “Palo Alto overpaid. Significantly.”

  • Vanta absorbed Riskey.

  • Commvault acquired Satori Cyber.

  • Axonius bought Cynerio.

🧠 James Azar’s CISO Take

What strikes me most about today's stories is the sophisticated, multi-layered approach that state actors are taking to compromise critical infrastructure and diplomatic communications. Luxembourg's complete reliance on Chinese Huawei equipment for its national telecom infrastructure is a perfect case study of how supply chain dependencies become national security vulnerabilities. When a tiny European nation can have its entire communication system brought down by an attack on Chinese-manufactured equipment, it demonstrates the urgent need for supply chain diversification. The fact that the emergency alert system also failed, because it relied on the same compromised mobile network, shows a fundamental lack of emergency preparedness and resilience planning.

The second story here is about consolidation—and it’s not all good. While some M&A deals may add value, others feel like distressed assets being bundled into security giants trying to pad their portfolio. The CyberArk buyout in particular raises real questions about value versus hype. As we navigate regulatory shifts, AI risks, and rising state-sponsored activity, the smart CISOs will be the ones who balance innovation with clarity and skepticism.

✅ Action Items

  • 🔐 Patch all SharePoint servers to close the ToolShell exploit chain

  • 🛰 Evaluate supply chain exposure to Huawei and Chinese-manufactured network gear

  • 🔄 Upgrade Cursor IDE installations to mitigate the latest CVE

  • ⚠️ Secure remote developer access and AI-assisted development environments

  • 🧾 Review vendor software contracts for compliance under the False Claims Act

  • 🔑 Reassess secure comms protocols in hostile territories—do not trust local ISPs

  • 🧠 Monitor M&A movements and assess vendor risk post-acquisition

  • 📡 Upgrade telecom security for regional or global carriers in conflict zones

Stay Cyber Safe

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://therecord.media/luxembourg-telecom-outage-reported-cyberattack-huawei-tech

https://therecord.media/hackers-leak-purported-aeroflot-data

https://therecord.media/russia-fsb-turla-espionage-foreign-embassies-isp-level

https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-attacks-targeting-microsoft-sharepoint-servers/

https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html

https://www.securityweek.com/several-vulnerabilities-patched-in-ai-code-editor-cursor/

https://therecord.media/illumina-false-claims-act-doj-cybersecurity-settlement

https://www.securityweek.com/bill-aims-to-create-national-strategy-for-quantum-cybersecurity-migration/

https://www.cybersecuritydive.com/news/sean-cairncross-national-cyber-director-senate-confirmation/756649/

https://www.securityweek.com/cybersecurity-ma-roundup-44-deals-announced-in-july-2025/

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
