Good Morning Security Gang
Today’s show is a heavy one. We’re diving into ransomware, geopolitics, AI exploitation, and one Supreme Court case that could reshape how we handle data.
Coffee cup cheers — double Lavazza mid-roast perfection. Let’s get started.
We’ve got McDonald’s India hit by the Everest ransomware gang, the EU launching a full-scale phase-out of Huawei and ZTE, and a phishing campaign targeting Afghan allies of Western forces. Then we’ll pivot to China’s e-buses under scrutiny in Australia, North Korean threat actors going after crypto and research professionals, Google Gemini’s AI calendar exploit, Anthropic’s Git flaws, record-breaking ransomware stats, and the Supreme Court hearing on geofencing warrants.
Buckle in — this one’s loaded.
McDonald’s India Breached by Everest Ransomware
The Everest ransomware gang has claimed responsibility for breaching McDonald’s India, exfiltrating 861 gigabytes of HR, financial, and third-party data across its franchise network. The group reportedly disrupted point-of-sale systems, payroll, and delivery integrations, impacting both corporate and customer operations.
As I said on the show:
“If your POS goes down and business stops, that’s not ransomware — that’s bad planning.”
The attackers leveraged east-west movement, suggesting long dwell time and deep compromise. To mitigate, retail operators should stage clean-room rebuilds, keep offline POS backups, and equip managers with alternate payment apps to maintain business continuity during outages.
EU Moves to Phase Out High-Risk Telecom Vendors
The European Union has announced a structured phase-out of high-risk telecom suppliers, effectively targeting Huawei and ZTE. Brussels is mandating 5G core network replacements, vendor diversification, and regional security carve-outs.
I said it straight:
“Europe is finally waking up — but it’s last call at the bar, and they’re only now realizing who they were drinking with.”
The impact? Multi-year hardware replacements, multi-billion-euro swap-outs, and supply shortages. Telecom operators should start building decade-long transition roadmaps, ring-fencing Chinese hardware, and prioritizing regional interoperability standards to avoid collapse during cutovers.
Phishing Campaign Targets Afghan Allies
Threat actors are impersonating NGOs and immigration offices to phish Afghans who worked with Western forces, luring them with fake visa processing, relocation, and aid offers. These attacks aim to identify and dox refugees and their families, compromising human rights case files.
If you’re part of a support network, consolidate communications through verified Signal channels and publish a public “we only contact via X” policy to prevent impersonation.
As I noted: “Every fake visa email is more than fraud — it’s a potential death sentence.”
Australia Probes Chinese-Made E-Buses
Australia’s Canberra transport authority is investigating Chinese-made electric buses after experts flagged telemetry backdoors and remote control risks. Analysts fear these buses could enable data exfiltration or remote disablement, giving Beijing potential leverage over city infrastructure.
As I said bluntly:
“If you buy cheap, you’re not getting a deal — you’re buying someone else’s remote control.”
Cities should demand independent firmware pen tests, require escrowed signing keys, and encrypt all telemetry leaving Chinese devices using non-standard symmetric ciphers to disrupt eavesdropping attempts.
North Korea Targets Researchers and Crypto Firms
North Korean operators continue targeting researchers, diplomats, and fintech professionals via LinkedIn, GitHub, and Telegram social engineering. These campaigns focus on credential theft and wallet compromise, seeking long-term espionage footholds.
To defend, implement risk-based session reauthentication — prompt MFA whenever users perform sensitive actions like data exports or wallet transactions. It’s not perfect, but as I said: “Eight out of ten blocks beats zero out of ten excuses.”
Google Gemini Exploited via Calendar Invite Trick
Attackers have found a way to abuse Google Gemini’s AI summarization features through malicious calendar invites, embedding data that tricks AI agents into exfiltrating sensitive content or performing unintended actions.
This new attack vector blends prompt injection with context poisoning — exploiting trust between human input and automated AI actions.
Mitigate by disabling agent-driven actions on unverified calendar events and requiring manual human confirmation for any AI-triggered outbound activity.
Anthropic Git Server Flaws Disclosed
Researchers disclosed three critical vulnerabilities in Anthropic’s MCP Git server, tracked as CVE-2025-68143 through -68145, allowing unauthenticated repository access and workflow leakage.
The risk? Exposed AI models and secret keys embedded in misconfigured repos.
Defenders should restrict Git access to read-only service accounts, rotate agent tokens, and validate repository provenance before allowing model integration.
Ransomware and Supply Chain Attacks Hit Record Highs in 2025
According to Sybil’s annual threat report, 2025 saw 6,604 ransomware attacks, up 52% from 2024, while supply chain compromises surged in parallel. Attackers increasingly use malicious NPM packages and CI/CD tampering to deliver payloads.
Even as ransom payments dropped, attackers compensated with volume and visibility, turning to data theft over encryption to increase leverage.
As I summarized:
“When payments go down, attackers turn up the noise — and they’re using your dev tools to do it.”
Mitigate by enforcing artifact provenance (SLSA, attestations) and blocking unverified workspace extensions.
Supreme Court to Rule on Geofencing Data Collection
The U.S. Supreme Court is set to hear a landmark case on whether geofence warrants — which collect user location data from broad areas — violate constitutional privacy protections.
A ruling restricting such warrants could reshape law enforcement’s use of digital location data in investigations.
CISOs and compliance officers should review legal hold policies and tighten warrant response procedures to meet potential new standards for specificity and retention.
Action List
🍔 Retail: Stage clean-room rebuilds and maintain offline POS backups.
🇪🇺 Telecom: Build multi-year 5G replacement roadmaps and diversify vendors.
🕊️ Humanitarian: Enforce verified communication channels for at-risk persons.
🇦🇺 OT Security: Require firmware escrow and pen tests for foreign hardware.
🪪 Identity: Implement risk-based MFA for sensitive user actions.
🤖 AI Security: Disable untrusted AI actions and monitor prompt injection vectors.
🧑💻 Development: Enforce repo provenance, token rotation, and signed builds.
💥 Ransomware Defense: Harden dev environments, monitor for poisoned packages.
⚖️ Compliance: Update warrant and data retention policies before new SCOTUS ruling.
James Azar’s CISO’s Take
Today’s show painted a clear picture: resilience isn’t about tools — it’s about foresight. McDonald’s India learned that segmentation is more than a best practice; it’s survival. The EU finally learned that dependency comes at a national price. And as AI, hardware, and data governance blur together, the attack surface is now everywhere — from your code pipeline to your courtroom.
My takeaway? Cybersecurity is converging with policy, and the future belongs to those who plan ahead. Whether it’s an AI assistant, a POS terminal, or a Chinese bus, every system now carries geopolitical weight. The only way forward is layered defense, relentless verification, and cultural readiness for disruption.
Stay sharp, stay caffeinated, and as always — stay cyber safe.
