CISO Talk by James Azar
CyberHub Podcast
Nation-State Attacks Escalate as FCC Reverses Telecom Security Rules, UPenn Hack, BadCandy Attacks Haunt Australia

U.S. telecom hit by nation-state hackers, China exploits firewall zero-days, Japan boosts OT defenses, and the FCC reverses telecom cyber mandates

Good Morning Security Gang

I can’t believe we’re already in November. Pretty soon we’ll be talking about reflections, predictions, and all those “year in review” lists everyone loves. I try to avoid the clichés, but when the Security Gang asks, I deliver — so maybe we’ll do it this year.

I hope everyone had a great Halloween weekend, touched some grass, and is ready for a packed week. Because, folks, attackers didn’t take the weekend off. From a nation-state breach in U.S. telecom to multiple Chinese exploits on firewalls and OT systems, it’s been another wild one.

Let’s power through today’s headlines together — coffee cup cheers, y’all!

Nation-State Hackers Breach U.S. Telecom Backbone

A major breach has hit Ribbon Communications, a critical U.S. telecom backbone provider, with investigators confirming nation-state involvement. The intrusion began as early as December 2024 and was only detected this September — nearly nine months of dwell time. The attackers accessed corporate IT networks and historical customer data, impacting at least three downstream telecom customers.

Ribbon’s systems connect global voice and data infrastructure — including some U.S. government clients — making this not just a corporate issue but a national security risk. While the company claims no operational impact, the access achieved could enable surveillance, intercepts, or carrier pivoting in future campaigns.

This incident underscores the reality that telecom is the new battleground for state actors, and backbone providers need to treat themselves as Tier-1 national defense assets. Zero-trust segmentation, endpoint visibility, and telemetry correlation between NOCs and SOCs aren’t optional anymore — they’re survival requirements.

University of Pennsylvania Data Breach: 1.2 Million Donor Records

A hacker claiming responsibility for last week’s “we got hacked” email blast targeting the University of Pennsylvania now says they’ve stolen 1.2 million donor records and internal documents. UPenn hasn’t confirmed the breach yet, but screenshots shared by the attacker appear legitimate, and multiple researchers are verifying the authenticity of the exposed files.

This one’s personal. The attacker’s messaging suggests a vendetta rather than financial motivation. Still, the impact is real: expect phishing and fraud targeting wealthy donors, alumni, and staff. This is a textbook example of how data theft meets social engineering, especially in institutions that manage sensitive financial contributions.

China Deploys Advanced Malware Through MDM Exploits

Researchers at Palo Alto Networks discovered a China-nexus threat cluster (CL-STA-1009) deploying Airstalk malware variants targeting VMware AirWatch and Workspace ONE MDM platforms. The attackers leveraged stolen code-signing certificates and abused trusted APIs to exfiltrate browser data, screenshots, and credentials — all without noisy malware behavior.

The campaign targets business process outsourcing (BPO) providers, giving China indirect access to their clients’ environments. It’s a textbook supply chain espionage operation.
Defenders should log and alert for unusual API calls within AirWatch or Workspace ONE, force reauthentication, and minimize vendor scope to least privilege. In plain terms: if your vendor has MDM access, it’s also your attack surface.

China Exploiting Cisco ASA and FTD Zero-Days

China-linked actors are actively scanning and exploiting Cisco ASA and FTD devices using two chained vulnerabilities:

  • CVE-2025-20362 — Authentication Bypass

  • CVE-2025-20333 — Remote Code Execution

Targets include U.S., European, and Asian government agencies and enterprises. Attackers are creating rogue admin accounts, suppressing logs, and exploiting end-of-life ASA 5500 series firewalls. CISA issued an emergency directive urging public agencies to patch immediately.

If you’re still running unsupported ASA models, it’s time to retire them. Segment your VPN infrastructure, disable legacy authentication, and audit all administrative users. These are edge devices — compromise here means compromise everywhere.

“If you were wondering how they got into Salt Typhoon and you’re seeing everything happening with Cisco right now and you can’t connect the two dots, I’ll sit down with you and show you what I mean.” James Azar

China’s Lanscope Exploit: Domain-Wide Compromise Risk

The Chinese APT group Bronze Butler is exploiting a Lanscope Endpoint Manager zero-day, now patched but actively weaponized before disclosure. The flaw enabled remote code execution and domain-wide privilege escalation through deployment of an updated GoKCPDoor backdoor.

CISA added this to its Known Exploited Vulnerabilities (KEV) catalog, meaning it’s confirmed in the wild. Patching immediately is non-negotiable — once the endpoint manager falls, your entire fleet is compromised. This is another reminder that endpoint management systems are the new crown jewels for APTs.

Persistent “Bad Candy” Campaign Haunts Cisco IOS Devices

Australia’s ASD issued a new alert on “Bad Candy”, a lingering threat on Cisco IOS XE devices linked to CVE-2023-20198. Despite prior patching, hundreds of devices remain compromised through re-implemented web shells and rogue proof15 accounts.

The malware persists through reboots and configuration restores, granting attackers full control of traffic and lateral movement capabilities.
Defenders should disable the web UI, fully patch, and validate configs post-reboot. Continuous monitoring for reimplementation attempts is crucial — attackers are re-entering faster than defenders are cleaning.
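A small config audit covering both the ASA advice above (audit all administrative users, watch for rogue admin accounts) and the IOS XE advice here (disable the web UI, validate configs after every reboot), written as an added example for this post, not code from the podcast or from Cisco. It parses constructed `show running-config` text, flags privilege-15 users outside an assumed allowlist and any enabled HTTP server line, and diffs a post-reboot config against a known-good baseline.

```python
import re

# Constructed sample of "show running-config" output (not from any real
# device): one provisioned admin, one unexpected privilege-15 account,
# and the web UI left enabled.
SAMPLE_CONFIG = """\
hostname edge-rtr01
username netops privilege 15 secret 9 $9$placeholder
username sup0rt privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
ip http server
ip http secure-server
"""

# Assumed allowlist: the administrative accounts the team actually created.
KNOWN_ADMINS = {"netops"}

USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$", re.MULTILINE)


def audit_config(config: str, known_admins: set[str]) -> list[str]:
    """Findings for privilege-15 accounts not in the allowlist and for
    an enabled HTTP/HTTPS web UI (the CVE-2023-20198 exposure path)."""
    findings = []
    for name, priv in USER_RE.findall(config):
        if int(priv) >= 15 and name not in known_admins:
            findings.append(f"rogue privilege-15 account: {name}")
    for match in HTTP_RE.finditer(config):
        findings.append(f"web UI enabled: {match.group(0).strip()}")
    return findings


def config_drift(baseline: str, current: str) -> list[str]:
    """Config lines present now that were not in the known-good baseline.
    Any output after a reboot or restore means something was re-added."""
    known = set(baseline.splitlines())
    return [ln for ln in current.splitlines() if ln.strip() and ln not in known]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, KNOWN_ADMINS):
        print(finding)
```

Run it against a fresh `show running-config` capture after each reboot; an empty drift list and an empty findings list is the only acceptable result.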

Open VSX Supply Chain Attack Forces Token Rotation

After last week’s discovery of malicious extensions in the Open VSX and VS Code marketplaces, maintainers have rotated all exposed tokens and strengthened publishing controls. Attackers exploited leaked secrets to insert Unicode-obfuscated payloads, compromising developer workstations and repositories.

Security teams should enforce extension allowlisting, short-lived PATs, and software bill of materials (SBOM) checks at install time. Developer environments are now frontline targets — secure your CI/CD pipeline like you would your production network.

Japan Issues 130-Page OT Security Guide for Semiconductor Fabs

Japan’s Ministry of Economy, Trade and Industry (METI) has released a comprehensive OT security framework for semiconductor manufacturers. The 130-page guide aligns with the NIST CSF and Japan’s CPSF, covering asset inventories, vulnerability management, IR/DR, and physical security.

While designed for Japan’s fabs, this document is globally applicable. It provides a practical checklist for organizations handling complex OT networks. My recommendation? Use this guide to conduct a gap assessment and launch OT tabletop exercises. Semiconductor supply chains are now a prime geopolitical target — security here equals national stability.

CISA & NSA Issue Exchange Server Hardening Guidance

“When two agencies do it, it’s a red flag, and you should pay attention to that.” James Azar

The CISA–NSA joint advisory urges organizations to decommission end-of-life Exchange servers and enforce Kerberos Extended Protection (KEP) and modern authentication. The agencies cite ongoing exploitation of CVE-2025-53786 and similar legacy vulnerabilities.

If you’re still running hybrid Exchange remnants, you’re creating lateral movement bridges between on-prem and cloud. Patch now, enforce MFA, and lock down administrative access to prevent compromise across environments.

FCC Rolls Back Telecom Cybersecurity Mandate

The FCC has rolled back a telecom cybersecurity mandate passed hastily in January 2025 by the outgoing administration. The rule sought to impose broad network monitoring obligations under CALEA but lacked due process and industry input.

This rollback restores the proper rulemaking process, allowing collaboration between carriers and regulators before enforcement. From my perspective, this is the right move. Rushed regulation helps no one — policy built without operational buy-in only drives noncompliance and confusion. The new direction points toward a voluntary framework emphasizing industry-driven commitments over government edicts.

Action List

  • 📡 Patch and isolate Cisco ASA, FTD, and IOS XE devices immediately.

  • 🧩 Audit MDM API logs for unusual calls or exfiltration.

  • 💾 Patch Lanscope Endpoint Manager and verify domain controller integrity.

  • 🔑 Rotate developer tokens and credentials across CI/CD pipelines.

  • 🧱 Perform telecom and vendor network segmentation — assume your provider is a target.

  • 🧠 Conduct OT tabletop exercises using Japan’s fab security checklist.

  • 📤 Decommission legacy Exchange and enforce modern authentication.

  • 📃 Review FCC developments — compliance landscapes are shifting fast.

James Azar’s CISO’s Take

This morning’s stories reinforce one truth — the line between geopolitics and cybersecurity has vanished. Whether it’s China’s relentless exploitation of firewalls, insider betrayal for cash, or telecom backbones being compromised, national defense now runs through corporate infrastructure. The battle for security resilience is being fought in boardrooms and server rooms alike.

I’ve said it before: resilience isn’t compliance, it’s capability. Japan’s proactive OT guidance shows what thoughtful security governance looks like — policy built with practitioners in mind. Contrast that with the FCC’s rushed mandate reversal, and the lesson is clear — we don’t need knee-jerk laws; we need frameworks grounded in reality. Security is a team sport, and regulation should empower defenders, not bury them in red tape.

So as we kick off November, let’s stay grounded, stay vigilant, and — as always — stay cyber safe.
