CISO Talk by James Azar
CyberHub Podcast
Oracle Confirms Hack, NSA Director Fired, China Targets Ivanti Again, EncryptHub Behind 618 Breaches, WooCommerce API Abuse Attack, TikTok Lifeline

Major Cloud Breaches, Credential Storms in Australia, and NSA Leadership Shakeups Highlight a Busy Cyber Week

Good morning, Security Gang!

In this comprehensive rundown of the April 7th CyberHub Podcast, we cover a flurry of major cybersecurity developments that unfolded over the weekend.

James Azar opens with announcements on upcoming pre-recorded shows airing next week in observance of Passover, promising deep dives into tariffs, shifting cybersecurity paradigms, agentic AI, and more.

Then, the spotlight turns to critical incidents ranging from Oracle’s private admission of a cloud breach to massive credential stuffing attacks in Australia. Add in the Port of Seattle’s breach disclosure, a newly fired NSA Director, and extended negotiations for TikTok, and it’s clear that the cybersecurity world never rests.

Oracle’s Quiet Admission of a Cloud Breach

Oracle is privately acknowledging a breach after threat actor Rose87168 claimed to have millions of lines of data linked to over 140,000 Oracle Cloud tenants, including encrypted credentials. Though Oracle initially denied the incident, sources indicate they are now notifying certain impacted customers. Investigations by the FBI, CrowdStrike, and Oracle hint at a legacy environment from eight years ago. The biggest criticism revolves around Oracle’s lack of transparency, which could erode trust—yet major migrations away from Oracle remain unlikely due to the high cost and extended timelines of switching providers.

Credential Storm Targets Australian Super Funds

A sweeping credential stuffing attack hit multiple Australian superannuation funds, breaching thousands of member accounts. Various funds managing billions of dollars revealed over 20,000 compromised accounts, with some individuals reportedly losing savings. The incident underscores the essential need for multi-factor authentication (MFA) and identity-monitoring solutions. Experts criticized the apparent gaps in detection and response, emphasizing that financial institutions should prioritize protecting sensitive user credentials and investment balances.

Port of Seattle Discloses 90,000 Impacted by Last Year’s Breach

The Port of Seattle has revealed that a cyber attack in August of the prior year impacted 90,000 individuals. The intrusion disrupted systems at Seattle-Tacoma Airport, including check-in and passenger display boards, forcing staff to use manual methods like whiteboards. Newly released details show that attackers accessed names, partial Social Security numbers, birthdates, and even some medical information. While payment systems remain unaffected, this breach highlights the importance of swift public notifications and strong data-protection strategies.

Texas State Bar Notifies Victims

A February ransomware assault on the Texas State Bar network resulted in the theft of personal information for thousands of individuals. The compromised data may include social security numbers, driver’s licenses, and even credit card details—some apparently stored without proper encryption. State regulators and the public have called for clarity on why these sensitive records were left vulnerable. The episode raises crucial questions about how legal and government entities handle and secure potentially sensitive data.

“Encrypt Hub” Researcher Turned Cybercriminal

A lone actor known variously as “Encrypt Hub,” “SkoricARI,” or “Larva208” straddles the line between legitimate cybersecurity research and criminal activity. While Microsoft credits them for disclosing vulnerabilities in Windows, they have simultaneously leveraged zero-day exploits and distributed malicious software. This duality showcases how certain cyber actors operate in both legitimate and illegal spaces, complicating efforts to track and curb their harmful activities.

Chinese Espionage Exploits Ivanti VPN Appliances

A suspected Chinese threat group labeled UNC-5221 has been exploiting Ivanti Connect Secure VPN appliances through known vulnerabilities. The group reportedly drops malware families named “Trailblaze” and “Brushfire,” modifying internal security tools to remain hidden. Ivanti has faced repeated, severe compromise incidents—often attributed to state-sponsored attacks—leading many cybersecurity professionals to recommend replacing or significantly reinforcing Ivanti appliances to reduce ongoing risk.

Malicious PyPI Package Targets WooCommerce

A malicious Python package called “disgrasya” saw more than 34,000 downloads before removal from PyPI. It specifically targets WooCommerce sites using the Cybersource payment gateway to validate stolen credit cards. By emulating a genuine shopper’s workflow, it circumvents common fraud detection methods. This underscores the increasing threat of supply-chain attacks in widely used open-source repositories and emphasizes the need for continuous monitoring of software dependencies.

Critical Apache Parquet Vulnerability (CVE-2025-30065)

A severe bug in the Apache Parquet Java library could allow attackers to fully compromise any system or application reading Parquet files. The vulnerability stems from a deserialization flaw in parquet-avro, earning a perfect 10/10 severity rating. Projects relying on Apache Parquet for efficient data storage must upgrade to version 1.15.1 or higher. This urgent patching priority underscores how a single library vulnerability can jeopardize core components of data analytics infrastructures.

NSA Director Fired Amid Speculation

President Trump abruptly dismissed NSA Director and Cyber Command lead General Timothy Haugh, who initially took the role under President Biden. Although political rumors abound, the deputy director has stepped in on an interim basis to maintain continuity. Observers question whether the NSA and Cyber Command positions will separate into two roles. Despite media portrayals of crisis, daily operations at the NSA and Cyber Command reportedly remain stable during this transition.

TikTok Granted an Additional 75-Day Extension

Finally, TikTok secured another 75 days to finalize negotiations enabling its continued U.S. operations. This follows ongoing national security debates involving trade tensions with China and privacy concerns for TikTok’s vast user base. The move signals a tempered approach by the administration, balancing security needs with the economic realities of businesses reliant on TikTok’s global popularity.

Action Items

  • Strengthen Authentication: Enforce mandatory MFA and bolster monitoring for credential-based attacks.

  • Improve Vendor Transparency: Evaluate the disclosures and incident response capabilities of third-party partners.

  • Encrypt Sensitive Data: Ensure robust encryption protocols for credit card, personal, and health records.

  • Patch Critical Systems Promptly: Address major vulnerabilities like Apache Parquet (CVE-2025-30065) without delay.

  • Monitor Open-Source Dependencies: Continuously audit software supply chains for malicious packages or updates.

  • Refine Incident Response: Conduct drills to test response plans during off-hours or weekends, where attackers often strike.

  • Stay Informed on Policy Developments: Track legislation and agency leadership changes that may impact cybersecurity practices.
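The first action item, monitoring for credential-based attacks, is the one the Australian superannuation story makes concrete: credential stuffing looks like an ordinary failed-login stream until you ask how many distinct accounts a single source is trying. The detector below is an added example written for this post, not code from the CyberHub Podcast or from any fund mentioned above. The log format, the field names and the sample lines are constructed for the illustration, and the 10-account threshold is an assumption to tune per environment.

```python
"""Credential-stuffing detector over authentication log lines.

Added example for this post (not the podcast's code). The log format,
field names, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <result>".
# 203.0.113.7 sprays one password across many accounts and lands one hit;
# 198.51.100.20 is a legitimate user mistyping their own password;
# 192.0.2.9 is a normal daytime login.
SAMPLE_LOG = """\
2025-04-05T02:00:01 203.0.113.7 alice FAIL
2025-04-05T02:00:02 203.0.113.7 bob FAIL
2025-04-05T02:00:03 203.0.113.7 carol FAIL
2025-04-05T02:00:04 203.0.113.7 dave FAIL
2025-04-05T02:00:05 203.0.113.7 erin FAIL
2025-04-05T02:00:06 203.0.113.7 frank SUCCESS
2025-04-05T02:00:07 203.0.113.7 grace FAIL
2025-04-05T02:00:08 203.0.113.7 heidi FAIL
2025-04-05T02:00:09 203.0.113.7 ivan FAIL
2025-04-05T02:00:10 203.0.113.7 judy FAIL
2025-04-05T02:00:11 203.0.113.7 mallory FAIL
2025-04-05T02:05:00 198.51.100.20 alice FAIL
2025-04-05T02:05:30 198.51.100.20 alice FAIL
2025-04-05T02:06:00 198.51.100.20 alice SUCCESS
2025-04-05T09:00:00 192.0.2.9 bob SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_distinct_users=10):
    """Flag source IPs that tried at least `min_distinct_users` different
    accounts within any `window`-long span of their own login events.

    The signal is breadth of accounts, not count of failures, so a single
    user retrying their own password is not flagged, while a low-and-slow
    spray that still hits enough accounts inside the window is.
    Returns {ip: {"distinct_users", "attempts", "compromised_accounts"}}.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()  # sliding window needs time order
        start = 0
        peak_distinct = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({u for _, u, _ in evs[start:end + 1]})
            peak_distinct = max(peak_distinct, distinct)
        if peak_distinct >= min_distinct_users:
            # Accounts that succeeded from a spraying source are the ones to
            # force through re-authentication / MFA step-up and notify.
            compromised = sorted({u for _, u, r in evs if r == "SUCCESS"})
            alerts[ip] = {
                "distinct_users": peak_distinct,
                "attempts": len(evs),
                "compromised_accounts": compromised,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['distinct_users']} accounts tried in window, "
              f"{info['attempts']} attempts, "
              f"successful logins: {info['compromised_accounts']}")
```

The useful output is not the count of failures but the list of accounts that succeeded from a spraying source; those are the sessions to invalidate and the members to step up to MFA, which is exactly the gap the Australian incident exposed.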

Stay Cyber Safe!

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://www.securityweek.com/oracle-confirms-cloud-hack/

https://www.bleepingcomputer.com/news/security/australian-pension-funds-hit-by-wave-of-credential-stuffing-attacks/

https://www.bleepingcomputer.com/news/security/port-of-seattle-says-ransomware-breach-impacts-90-000-people/

https://www.securityweek.com/state-bar-of-texas-says-personal-information-stolen-in-ransomware-attack/

https://thehackernews.com/2025/04/microsoft-credits-encrypthub-hacker.html

https://www.bankinfosecurity.com/chinese-espionage-group-targeting-legacy-ivanti-vpn-devices-a-27939

https://www.bleepingcomputer.com/news/security/carding-tool-abusing-woocommerce-api-downloaded-34k-times-on-pypi/

https://www.securityweek.com/critical-apache-parquet-vulnerability-leads-to-remote-code-execution/

https://www.cybersecuritydive.com/news/trump-fires-nsa-director-head-us-cyber-command/744480/

https://www.wsj.com/tech/trump-grants-75-day-extension-to-reach-tiktok-deal-10f75554?mod=tech_lead_pos4

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
