Good Morning Security Gang
Good morning, Security Gang — and happy Veterans Day! James Azar here, your host and resident espresso-powered CISO. Episode 1009 coming at you from the CyberHub Podcast bunker. Today’s show is special — not just because we’re breaking down a massive wave of enterprise breaches and exploits, but because it’s Veterans Day, a day that means a lot to me personally.
To all my brothers and sisters who wore the uniform: thank you. For everyone listening, take a moment today to thank a veteran. Memorial Day is for the fallen — but today is for the living, the volunteers, the men and women who raised their hand and swore an oath to the Constitution. They deserve this one day of gratitude.
“If you’re thinking of service, don’t think about it. Just do it. There’s nothing greater in life than service. Nothing. When you do something for others, it’s more rewarding than doing anything for yourself. Every time.” James Azar
Now, let’s get to it. We’ve got nearly 30 Oracle E-Business Suite victims named, a Chinese state contractor leak blowing the lid on espionage operations, CMMC enforcement now live, a critical Ivanti exploit, and North Korean APTs abusing Google’s Find My Device to track and wipe phones. Plus, we’ll touch on Wiz’s bombshell report on AI model secrets leaking from GitHub.
Buckle up and grab that espresso — coffee cup cheers, y’all!
Clop Ransomware Gang Names Nearly 30 Oracle EBS Victims
The Clop ransomware group has now listed nearly 30 victims from the Oracle E-Business Suite (EBS) exploitation spree. Among the names: Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ, Copeland, and others. These attacks leverage two critical vulnerabilities — CVE-2025-61882 and CVE-2025-61884 — which are actively exploited according to CISA.
The damage goes beyond data theft. Oracle EBS connects finance, HR, supply chain, and procurement systems, meaning attackers gain deep operational access. Clop is weaponizing this to extort organizations directly through ERP-level disruption.
If you run Oracle EBS, patch both CVEs immediately. Then:
Rotate credentials and API keys used by EBS.
Review SSO and SAML trust relationships.
Hunt for unusual export jobs or data flows to unexpected destinations.
This isn’t just an IT problem — it’s an operational risk event with ripple effects across finance and supply chain.
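For the hunting step, here is an added example (mine, not Oracle's and not from the show) of what "unusual export jobs or data flows to unexpected destinations" looks like as code: it learns a per-user, per-job baseline from exports to known hosts, then flags any export that goes to an unknown destination, runs outside business hours, or moves far more rows than usual. The audit records are constructed, and the field names (ts, user, job, dest, rows) are assumptions you would map onto whatever your EBS audit trail or concurrent-request log actually emits.

```python
"""Hunt Oracle EBS export jobs for unexpected destinations, timing or volume.

Added example for this episode; not Oracle code. Field names are assumptions.
"""
import json
import statistics
from datetime import datetime

# Constructed sample records: four routine exports and one 02:47 job that
# pushes 98,000 rows to an address that has never appeared before.
SAMPLE_EXPORT_LOG = """
{"ts": "2025-11-10T09:12:03", "user": "ap_clerk", "job": "AP_INVOICE_EXPORT", "dest": "sftp.finance.corp.example", "rows": 1200}
{"ts": "2025-11-10T10:40:55", "user": "ap_clerk", "job": "AP_INVOICE_EXPORT", "dest": "sftp.finance.corp.example", "rows": 1350}
{"ts": "2025-11-10T11:02:17", "user": "hr_admin", "job": "HR_EMPLOYEE_EXPORT", "dest": "hris.corp.example", "rows": 800}
{"ts": "2025-11-11T02:47:31", "user": "ap_clerk", "job": "AP_INVOICE_EXPORT", "dest": "203.0.113.45", "rows": 98000}
{"ts": "2025-11-11T14:15:00", "user": "hr_admin", "job": "HR_EMPLOYEE_EXPORT", "dest": "hris.corp.example", "rows": 790}
"""

# Destinations approved for EBS exports (constructed allowlist).
KNOWN_DESTINATIONS = {"sftp.finance.corp.example", "hris.corp.example"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
VOLUME_MULTIPLIER = 5           # flag jobs this many times above the median


def parse_export_log(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(records, known=KNOWN_DESTINATIONS):
    """Median row count per (user, job), learned only from exports to known hosts."""
    history = {}
    for r in records:
        if r["dest"] in known:
            history.setdefault((r["user"], r["job"]), []).append(r["rows"])
    return {key: statistics.median(rows) for key, rows in history.items()}


def hunt_exports(records, known=KNOWN_DESTINATIONS):
    """Return one finding per export that breaks destination, timing or volume norms."""
    baseline = build_baseline(records, known)
    findings = []
    for r in records:
        reasons = []
        if r["dest"] not in known:
            reasons.append("unknown destination")
        if datetime.fromisoformat(r["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        median = baseline.get((r["user"], r["job"]))
        if median and r["rows"] > VOLUME_MULTIPLIER * median:
            reasons.append(f"{r['rows'] / median:.0f}x the usual row count")
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"], "job": r["job"],
                             "dest": r["dest"], "rows": r["rows"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_exports(parse_export_log(SAMPLE_EXPORT_LOG)):
        print(f"{f['ts']} {f['user']} -> {f['dest']} ({f['rows']} rows): "
              + ", ".join(f["reasons"]))
```

The baseline is deliberately built only from exports to approved destinations, so an attacker's own bulk pulls cannot inflate the "normal" volume they are compared against. On the sample data the 02:47 job trips all three checks; in production you would feed a few weeks of history rather than five lines.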
Massive Leak at KnownSec Exposes China’s Cyber Playbook
In a twist of irony, one of China’s own state-linked cybersecurity firms, KnownSec, has been breached — and the fallout is enormous. Over 12,000 internal documents have been leaked, revealing offensive tools, source code, and target lists of foreign organizations, including Japan, India, and the U.K.
The leak also confirms deep collaboration between KnownSec and the Chinese Communist Party (CCP), with spreadsheets mapping out offensive operations against international businesses and government networks. It’s the clearest glimpse yet into China’s state-sponsored private-sector espionage pipeline.
“There’s no private business in China. Everything goes to the Chinese Communist Party. Everything does, especially in cyber. And cyber is a warfare tool for the Chinese. It won’t stop.” James Azar
If your company operates in or near Chinese infrastructure, assume all networks are monitored, and segregate environments accordingly. For Western enterprises, this leak underscores the realities of cyber-economic warfare — where “private firms” are extensions of state intelligence.
CMMC Enforcement Officially Begins
After years of preparation, CMMC (Cybersecurity Maturity Model Certification) is finally live and enforceable as of November 10th. The new rules affect hundreds of thousands of defense contractors and subcontractors, requiring alignment with NIST 800-171 and 800-172 controls.
Noncompliance means loss of contract eligibility — plain and simple. Defense organizations must prepare for third-party assessments, maintain a current System Security Plan (SSP), and flow down requirements to all subcontractors.
If you’re in the defense supply chain, you should already be:
Conducting gap assessments to 800-171.
Building or updating your SSP and POA&M.
Implementing asset inventories and access control logs.
This is the biggest compliance shift for defense contractors since DFARS — and there will be no more extensions.
Congress Moves to Renew Info-Sharing Law Amid Shutdown Drama
While Washington continues to stumble over budget battles, Congress is quietly extending the 2015 Cyber Information Sharing Act (CISA) through January 30th, 2026. This renewal keeps liability protections intact for public-private threat intelligence sharing.
The move prevents a lapse in collaboration between government and private entities — a rare win for operational continuity amid political gridlock.
Critical RCE in Popular JavaScript Library
Developers beware: a critical RCE vulnerability (CVE-2025-12735) has been found in the xbar-eval JavaScript library. The flaw allows remote code execution through malicious input parsing in parser.evaluate().
The fix is available in the xbar-eval fork v3.0.0, but the original project remains unpatched. Any application parsing untrusted math or AI model data may be exposed.
Patch immediately, pin versions, and scan your SBOMs for this dependency. This one’s tailor-made for supply chain compromise.
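"Scan your SBOMs for this dependency" is the kind of thing that is easy to say and fiddly to do, so here is an added example (my code, not the show's and not any project's tooling) that walks a CycloneDX JSON SBOM, recovers each component's name and version (from the explicit fields or, failing that, from the purl), and reports any copy of a watchlisted package that sits below the first fixed version. The SBOM fragment and its package versions are constructed sample values; the watchlist entry uses the package name and v3.0.0 fix version exactly as the show states them.

```python
"""Scan a CycloneDX SBOM for a watchlisted dependency below its fixed version.

Added example for this episode; not part of any project's tooling.
The SBOM below is a constructed CycloneDX-style fragment with sample versions.
"""
import json
import re

SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "xbar-eval", "version": "2.4.1",
         "purl": "pkg:npm/xbar-eval@2.4.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        # Some generators only populate the purl; the scanner must cope with that.
        {"type": "library", "purl": "pkg:npm/xbar-eval@3.0.0"},
    ],
})

# Watchlist of vulnerable packages: name -> first fixed version.
# Per the show, the xbar-eval fix landed in a fork at v3.0.0, so anything
# below that is flagged.
WATCHLIST = {"xbar-eval": "3.0.0"}

# pkg:TYPE/[NAMESPACE/]NAME@VERSION[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[^/]+/(?:[^/]+/)?(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def parse_version(version):
    """Turn '2.4.1' (or '2.4.1-beta') into a comparable tuple of ints."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def component_identity(component):
    """Prefer the explicit name/version fields; fall back to parsing the purl."""
    name, version = component.get("name"), component.get("version")
    if (not name or not version) and component.get("purl"):
        m = PURL_RE.match(component["purl"])
        if m:
            name, version = name or m["name"], version or m["version"]
    return name, version


def scan_sbom(sbom_json, watchlist=WATCHLIST):
    """Return every component whose version is below the watchlist's fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = component_identity(comp)
        if name in watchlist and version:
            fixed = watchlist[name]
            if parse_version(version) < parse_version(fixed):
                findings.append({"name": name, "version": version,
                                 "fixed": fixed, "purl": comp.get("purl")})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SAMPLE_SBOM_JSON):
        print(f"VULNERABLE {f['name']} {f['version']} (fixed in {f['fixed']}): {f['purl']}")
```

Running this across every SBOM your CI produces, with the watchlist fed from your vulnerability feed, turns "do we ship this library?" into a question you can answer in seconds rather than by grepping lockfiles. The purl fallback matters because SBOM generators are inconsistent about filling in name and version fields.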
Ivanti Exploit Enables Admin Takeover via Trial Fox
Google’s Mandiant reports active exploitation of CVE-2025-12480, an authorization bypass flaw in Ivanti’s Trial Fox platform. Attackers are creating rogue admin accounts, then using Ivanti’s antivirus management path to deploy Zoho Assist and AnyDesk for persistence.
The culprit? UNC6485, a cluster known for stealthy domain escalation and remote access abuse. Ivanti has issued fixes in version 16.7.10368.56560 — patch immediately and audit all admin accounts.
If you see new installs of AnyDesk or Zoho UEM on Ivanti hosts — you’ve likely been compromised.
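That last sentence is a detection rule waiting to be written, so here is an added example (mine, not Mandiant's or Ivanti's detection content) that does it: every remote-access tool install on a management host raises an alert, and an install that follows a freshly created admin account on the same host within 24 hours is escalated and names that account. The log lines are constructed, and the key=value layout and field names are assumptions you would map onto your own endpoint-management audit log.

```python
"""Alert on remote-access tool installs on management hosts and escalate when a
new admin account appeared on the same host shortly before.

Added example for this episode; not vendor detection content. Log format and
field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed audit log: one rogue-admin-then-AnyDesk sequence on epm01,
# a benign install on epm02, and a Zoho Assist install on epm03 with no
# preceding account creation.
SAMPLE_LOG = """
2025-11-10T08:02:11 host=epm01 event=ADMIN_ACCOUNT_CREATED account=svc_backup by=jdoe
2025-11-10T08:05:43 host=epm01 event=SOFTWARE_INSTALLED product="AnyDesk" by=svc_backup
2025-11-10T09:30:00 host=epm02 event=SOFTWARE_INSTALLED product="Microsoft Edge" by=sccm
2025-11-11T13:10:02 host=epm02 event=ADMIN_ACCOUNT_CREATED account=helpdesk2 by=itadmin
2025-11-12T16:20:45 host=epm03 event=SOFTWARE_INSTALLED product="Zoho Assist" by=sccm
"""

# Remote-access tools the show names as the attackers' persistence mechanism.
RMM_KEYWORDS = ("anydesk", "zoho assist", "zoho uem")
CORRELATION_WINDOW = timedelta(hours=24)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.strip().splitlines() if line.strip()]


def detect_rmm_persistence(events, window=CORRELATION_WINDOW):
    """Every RMM install is an alert; one preceded by a new admin account on the
    same host within `window` is escalated and lists the account(s)."""
    new_admins = [e for e in events if e.get("event") == "ADMIN_ACCOUNT_CREATED"]
    alerts = []
    for e in events:
        if e.get("event") != "SOFTWARE_INSTALLED":
            continue
        product = e.get("product", "")
        if not any(k in product.lower() for k in RMM_KEYWORDS):
            continue
        prior = [a for a in new_admins
                 if a["host"] == e["host"]
                 and timedelta(0) <= e["ts"] - a["ts"] <= window]
        alerts.append({
            "ts": e["ts"].isoformat(),
            "host": e["host"],
            "product": product,
            "installed_by": e.get("by"),
            "escalated": bool(prior),
            "new_admin_accounts": [a["account"] for a in prior],
        })
    return alerts


if __name__ == "__main__":
    for a in detect_rmm_persistence(parse_log(SAMPLE_LOG)):
        level = "CRITICAL" if a["escalated"] else "WARN"
        print(f"{level} {a['ts']} {a['host']}: {a['product']} installed by "
              f"{a['installed_by']} new admins={a['new_admin_accounts']}")
```

The unescalated alert is still worth a ticket: the show's point is that any new AnyDesk or Zoho install on these hosts is suspect, and the account-creation correlation just tells you which ones to drop everything for.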
APT37 (North Korea) Abusing Google Find My Device
APT37, also known as Konni, is taking espionage to a new level — using Google’s Find My Device Hub to geolocate, track, and remotely wipe Android devices.
Targets receive malicious MSI installers signed with stolen certs. Once infected, the malware harvests Google and Naver credentials, then hijacks KakaoTalk desktop sessions to spread further. When defenders try to respond, attackers remotely wipe the phone to cover their tracks.
The campaign is another sign of nation-states leveraging legitimate cloud APIs for covert operations. Defenders should:
Enforce MFA on Google/Naver accounts.
Block untrusted MSI execution.
Monitor for remote Android wipes or Find Hub misuse.
This is espionage in the age of APIs.
Wiz Report: AI Companies Leaking Secrets on GitHub
A new report from Wiz revealed that dozens of companies from Forbes’ AI 50 list are leaking credentials, datasets, and model endpoints through public GitHub repositories. The exposed data includes API keys, configuration files, and training datasets, creating a playground for model theft and intellectual property leakage.
The implications are massive. Beyond IP loss, companies risk PII exposure, GDPR violations, and model inversion attacks.
To mitigate:
Enable secret scanning on all repos.
Rotate leaked keys immediately.
Separate public and private development environments.
Apply DLP controls to CI/CD pipelines.
This report is a wake-up call — AI security isn’t theoretical anymore; it’s operational.
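For the "enable secret scanning" item, here is an added example (my code, not Wiz's report tooling or GitHub's secret scanning) of the two checks a pre-commit or CI scanner actually combines: fixed patterns for credential formats with a known shape (an AWS access key id, a PEM private-key header) and a generic "something = long token" pattern gated by a Shannon-entropy test so that placeholders like xxxxxxxx do not page anyone. The file contents are constructed; AKIAIOSFODNN7EXAMPLE is the placeholder key id from AWS's own documentation, and the hex token is a made-up value.

```python
"""Scan repository files for leaked credentials before they reach a public remote.

Added example for this episode; not Wiz's or GitHub's scanner. The files and
values below are constructed sample data.
"""
import math
import re
from collections import Counter

SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'          # AWS doc placeholder
        'HF_TOKEN = "a1b2c3d4e5f60718293a4b5c6d7e8f90"\n'      # constructed high-entropy value
        'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder\n'  # long but zero entropy
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "(constructed placeholder, no real key material)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set your key with: export API_KEY=your-key-here\n",
}

# Detectors for credentials with a fixed, recognisable shape.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private_key", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
]
# Generic assignment of a long token-like value; confirmed by an entropy check.
GENERIC_RE = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|token|secret|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})['\"]?")
ENTROPY_THRESHOLD = 3.5  # bits per character; uniform hex is 4.0, base64 higher


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def redact(value):
    """Keep a short prefix so the finding is recognisable without reprinting the secret."""
    return (value[:4] + "...") if len(value) > 8 else "****"


def scan_text(path, text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "value": redact(m.group(1))})
        for m in GENERIC_RE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append({"file": path, "line": lineno,
                                 "kind": "high_entropy_secret", "value": redact(value)})
    return findings


def scan_files(files):
    """files: mapping of path -> text content. Returns a flat list of findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

Wire this into a pre-commit hook and a CI job on every repo, public or private, and treat a hit as "rotate now": the finding only tells you the key was written down, not whether it has already been cloned.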
Action List
🧩 Patch Oracle EBS CVEs 61882 & 61884 immediately.
🕵️‍♂️ Audit admin accounts on Ivanti, Zoho, and AnyDesk hosts.
🧱 Lock down MSI execution and enable MFA on Google accounts.
🧑‍💻 Conduct CMMC gap assessments before award deadlines.
🧬 Scan SBOMs for xbar-eval and other vulnerable dependencies.
🤖 Secure AI repos — enable secret scanning and rotate keys.
🌍 Segregate operations from China-based infrastructure.
James Azar’s CISO’s Take
Today being Veterans Day, I want to start by emphasizing something I said at the beginning of the show: there’s nothing greater in life than service. Nothing. When you do something for others, it’s more rewarding than doing anything for yourself. Every time. That applies to our profession too. As cybersecurity professionals, we’re in a service role – we’re protecting our organizations, our users, our customers, our communities. And sometimes that service requires sacrifice. Long hours responding to incidents, being on call, dealing with breaches at 3 AM – it’s not glamorous, but it’s necessary. And just like our veterans who volunteered to defend the Constitution regardless of the political class, we defend our organizations’ data and operations regardless of whether leadership always understands or appreciates what we do. So to all my fellow veterans in the cybersecurity community – and there are many of us – thank you for your continued service. You went from defending the nation to defending critical infrastructure, and that matters.
Today’s episode felt like the ultimate test of modern security maturity. We’ve got Oracle ERP exploits bleeding into supply chains, AI repos leaking corporate DNA, and North Korea using legitimate APIs as spyware. The threats aren’t isolated anymore — they’re interconnected, adaptive, and human-driven.
My biggest takeaway? We keep underestimating operational risk. Everyone patches systems, but few patch processes. CMMC, AI repos, ERP systems — they all expose the same flaw: lack of disciplined governance. Technology doesn’t fail us; negligence does.
So as we salute our veterans today, remember — resilience is built the same way they built readiness: repetition, discipline, and preparation before the fight.
Stay sharp, stay grateful, and as always — stay cyber safe.