Good Morning Security Gang!
It’s Tuesday, August 12, 2025, and I’m coming to you from the road—traveling again, no espresso in hand (tragic, I know), but still ready to bring you a packed episode.
Today, we’ve got an inside look into a rare state-backed hacker leak, a ransomware paralysis in St. Paul, active exploitation of Citrix NetScaler and Erlang OTP, big fraud arrests, a UK court ruling on Wikipedia’s contributor rules, and a win for victims of an Iranian-linked ransomware gang. Let’s get right into it.
🇰🇵 Kimsuky Hackers Exposed by Ethical Hackers
North Korea’s Kimsuky APT suffered a massive breach by two hackers, Saber and Cyborg, claiming ethical motives. They accused Kimsuky of serving political agendas rather than “true hacking.” The 8.9GB data dump, released via Distributed Denial of Secrets, includes phishing logs, South Korea’s Ministry of Foreign Affairs email source code, certificates, phishing kits, Cobalt Strike loaders, reverse shells, and SSH connection logs.
"Now mind you, this is how you know this wasn't a US-type operation - look how they spelled 'favor,' they added the 'u' - that's a classic indication of British English." - James Azar on analyzing the linguistic clues in the Kimsuky breach attribution
For defenders, this is a goldmine—providing unprecedented insight into North Korean TTPs, forcing Kimsuky to rebuild infrastructure and tools.
🏙 St. Paul Ransomware Fallout
Weeks after a ransomware attack by Interlock, St. Paul’s government is still crippled. 43GB of stolen data was posted online, and services like water bill payments, permit processing, and library Wi-Fi remain offline. Fake invoices are now circulating to trick residents into paying fraudulent bills. The incident revealed a lack of resilience and disaster recovery readiness, prompting expectations that the city will appoint a CISO and overhaul its cybersecurity posture.
"Ransomware is difficult, but when you build a resilient program, you don't have weeks of inactivity. You may have a week of shutdown, but then you have a good business continuity plan to start rebuilding and bringing services online." - James Azar critiquing St. Paul's prolonged recovery from the Interlock ransomware attack
🔓 Citrix NetScaler Flaw Actively Exploited
The Netherlands’ NCSC warns that CVE-2025-6543 in Citrix NetScaler ADC and Gateway is being exploited against critical organizations. Attackers used it for remote code execution months before patches were available, then wiped logs to hide their tracks. Patching is urgent—and admins must terminate all active sessions post-update.
After installing the updates, it is crucial to end all active sessions from the NetScaler CLI with:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
⚡ Erlang OTP SSH Vulnerability Targeting OT Networks
CVE-2025-32433 in Erlang OTP SSH libraries is under active attack, especially in OT and 5G environments. Exploitation can give full host control. Palo Alto found 70% of attacks targeting OT systems, many using non-standard SSH ports like TCP 2222. Patch immediately and strengthen OT segmentation.
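One way to put the "harden OT segmentation" advice into practice is to watch for SSH-like connections reaching OT address space from anything other than an approved jump host, including the non-standard ports the story mentions. The script below is an added example, not from the episode or Palo Alto: the flow-log format, the OT range 10.50.0.0/16, the jump host 10.10.0.5 and the sample records are all constructed assumptions.

```python
import ipaddress

# Constructed sample flow records "<timestamp> <src> <dst> <dport> <proto>"; not from the episode.
SAMPLE_FLOWS = [
    "2025-08-12T09:01:02Z 203.0.113.7 10.50.1.20 2222 tcp",
    "2025-08-12T09:01:05Z 10.10.0.5 10.50.1.21 22 tcp",
    "2025-08-12T09:02:10Z 198.51.100.9 10.50.2.8 22 tcp",
    "2025-08-12T09:02:11Z 10.10.0.5 10.50.1.21 443 tcp",
    "2025-08-12T09:03:00Z 192.0.2.44 10.50.3.3 2222 tcp",
]

# Assumed environment: OT lives in 10.50.0.0/16 and only one jump host may SSH into it.
OT_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]
APPROVED_SSH_SOURCES = {ipaddress.ip_address("10.10.0.5")}
# Port 22 plus the non-standard SSH ports the story mentions (TCP 2222) and similar.
SSH_PORTS = {22, 2222, 22222}


def parse_flow(line):
    """Split one flow record into its fields; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def is_ot(ip):
    """True if the address falls inside any assumed OT network."""
    return any(ip in net for net in OT_NETWORKS)


def check_flows(lines):
    """Return findings for SSH-port TCP flows into OT from sources that are not approved."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp":
            continue
        if flow["dport"] not in SSH_PORTS or not is_ot(flow["dst"]):
            continue
        if flow["src"] in APPROVED_SSH_SOURCES:
            continue
        findings.append({"ts": flow["ts"], "src": str(flow["src"]), "dst": str(flow["dst"]),
                         "dport": flow["dport"],
                         # Non-standard ports often slip past rules that only watch port 22.
                         "nonstandard_port": flow["dport"] != 22})
    return findings


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
```

On the sample records this flags three flows, two of them on port 2222; the approved jump host on port 22 and the HTTPS flow are ignored.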
🔐 SonicWall Attack Traced to Old Credentials
SonicWall confirmed that the recent ransomware attacks on Gen 7 customers were due to a previously disclosed vulnerability plus legacy credential reuse—not a zero-day. Only ~40 compromises were confirmed. Customers should upgrade to SonicOS 7.3.0 and change credentials immediately.
💸 $100M Fraud Ring Dismantled
Four Ghanaian nationals, part of the “Sakawa boys,” were extradited to the U.S. for romance scams and BEC attacks that stole over $100M. They face multiple federal charges, each carrying sentences of up to 20 years.
🇬🇧 Wikipedia Loses UK Court Challenge
The Wikimedia Foundation failed to overturn rules in the UK’s Online Safety Act requiring identity verification for contributors if Wikipedia is classified as a “category one” platform. Wikimedia argues this could expose editors to harassment, but the High Court said it will only revisit the challenge if the classification occurs.
🔓 DarkBit Ransomware Decrypted
Profero researchers cracked DarkBit ransomware, linked to Iran’s MuddyWater, and released a free decryptor. The group had targeted Israeli institutions with ransom demands of 80 BTC. Victims can now recover files without paying.
🧠 James Azar’s CISO Take
Today’s stories drive home two truths: First, intelligence is power. The Kimsuky leak is a once-in-a-decade look into a state-backed APT, giving defenders a rare opportunity to preempt their next moves. But as the St. Paul case shows, intelligence means little without resilience. If your recovery plan still involves weeks of downtime, you’re doing it wrong.
Second, we’re entering an era where AI will surface vulnerabilities at an unprecedented pace. Citrix, Erlang OTP, and SonicWall all show that attackers are exploiting flaws long before the public knows they exist. Building resilient, segmented environments—and killing old, insecure credentials—is now survival 101. We can’t stop the wave of vulnerabilities, but we can choose whether it knocks us down or we surf it.
✅ Action Items
🔍 Review threat intel from the Kimsuky leak and update detection rules.
🛡 Patch Citrix NetScaler (CVE-2025-6543) and terminate active sessions.
⚡ Apply Erlang OTP SSH updates and harden OT/ICS networks.
🔐 Update SonicWall devices to 7.3.0 and eliminate legacy credentials.
🧠 Test ransomware recovery playbooks—reduce downtime to days, not weeks.
📜 Track UK’s Online Safety Act developments if your platform allows user contributions.
💾 Share the DarkBit decryptor with any impacted organizations.
🚨 Educate local governments on fraud risks after cyber incidents.
✅ Story Links:
https://therecord.media/ransomware-gang-behind-minnesota-attack
https://therecord.media/wikipedia-loses-challenge-online-safety-act-uk
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.