Good Morning Security Gang
Atlanta’s gearing up for another storm this weekend, so I’m locking in at the studio with my double Lavazza espresso — coffee cup cheers, y’all.
Today’s show is jam-packed. We’ve got Russia-linked hackers targeting 30 Polish energy facilities, a trusted antivirus vendor pushing a malicious update, and the Pentagon’s rollout of CyberCom 2.0 to combat “living off the land” attacks. Plus, the FBI seizing a notorious ransomware forum, Fortinet patching a zero-day, and critical fixes for SolarWinds, Gemini, and TP-Link routers. We’ll wrap with an update on AI-powered endpoint abuse and ransomware brokers using new bots for access.
Before we dive in — a quick note of remembrance for Andy Smeaton, the late CISO of Jamf and a dear friend to many in our community. Andy’s passing hit us all hard. Please consider supporting his family via the GoFundMe.
On a personal note — baby Azar #2 is on the way! So, I won’t be at RSA this year, but the CyberHub family keeps growing. Let’s get into it.
Russia Targets Poland’s Energy Grid
Poland has confirmed that Russian-linked attackers breached 30 energy facilities in December 2025, disrupting control and communication systems. Investigators say the operation mirrored Sandworm’s destructive wiper tactics, targeting low-visibility distributed energy assets and attempting to cross IT-OT boundaries.
The attack didn’t cause blackouts, but it did disable equipment beyond repair at one site — forcing hardware replacements that could take months to source, impacting the energy supply chain.
As I said on the show:
“Wiper malware isn’t about ransom — it’s about economic destruction. Some companies never come back from it.”
For energy and critical infrastructure operators: validate network segmentation, test east-west traffic rules, and rehearse wiper-grade restore plans using out-of-band backups.
eScan Pushes Malicious Update After Server Breach
eScan, a major antivirus vendor, confirmed that attackers breached one of its regional update servers on January 20th, pushing a malicious binary to users for several hours.
The rogue update deployed a backdoor downloader (“contsctlx”) capable of modifying host files, blocking update servers, and maintaining persistence. This marks another trust chain compromise similar to SolarWinds and Kaseya — an attacker exploiting the vendor’s update mechanism itself.
As I warned:
“When your AV becomes your initial access, that’s not defense — that’s disaster.”
Mitigation: enforce signature verification on every update package before it installs, block unsigned updates at the proxy, and audit every client that fetched eScan updates on Jan 20. Always stage software updates in an isolated environment before organization-wide rollout.
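One way to run that audit from a web-proxy log, as an added example that is not eScan's or the author's code. The log lines, the update host name (update.example-av.test) and the exposure window are constructed assumptions; substitute the vendor's real update domains and the window from its advisory. The script answers "which clients pulled an update during the window", which is the list you triage and hash-compare, not whether a given binary was the malicious one:

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed proxy log (one request per line: ISO-8601 time, client IP, method, URL, HTTP status).
# The update host is a placeholder, not a real eScan domain.
SAMPLE_PROXY_LOG = """\
2026-01-20T09:58:12Z 10.1.4.17 GET http://update.example-av.test/updates/escan_update.bin 200
2026-01-20T10:12:40Z 10.1.4.23 GET http://update.example-av.test/updates/escan_update.bin 200
2026-01-20T10:13:05Z 10.1.4.23 GET http://www.example.test/index.html 200
2026-01-20T11:45:59Z 10.1.4.17 GET http://update.example-av.test/updates/escan_update.bin 304
2026-01-20T16:30:00Z 10.1.4.44 GET http://update.example-av.test/updates/escan_update.bin 200
2026-01-21T08:00:00Z 10.1.4.31 GET http://update.example-av.test/updates/escan_update.bin 200
"""

# Assumed exposure window (UTC); the page only says "several hours" on Jan 20.
UPDATE_HOSTS = ["example-av.test"]
WINDOW_START = datetime(2026, 1, 20, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 20, 14, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Split one log line into (timestamp, client, method, url, status)."""
    ts, client, method, url, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, method, url, int(status)


def host_matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def clients_that_fetched(log_text, update_hosts, window_start, window_end):
    """Map client IP -> list of (time, url) for successful update downloads inside the window.

    Only 200 responses count as a fresh download. A 304 means the client already
    held that copy, so its *first* fetch time is what matters; check those separately.
    """
    hits = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, url, status = parse_line(raw)
        if method != "GET" or status != 200:
            continue
        host = urlparse(url).hostname or ""
        if not host_matches(host, update_hosts):
            continue
        if window_start <= ts <= window_end:
            hits.setdefault(client, []).append((ts, url))
    return hits


def audit_sample():
    """Sorted client IPs that downloaded an update inside the assumed window."""
    return sorted(clients_that_fetched(SAMPLE_PROXY_LOG, UPDATE_HOSTS, WINDOW_START, WINDOW_END))


if __name__ == "__main__":
    for ip in audit_sample():
        print("triage:", ip)
```

Feed the real proxy export in place of SAMPLE_PROXY_LOG and widen UPDATE_HOSTS to every CDN or mirror the vendor uses; hosts that updated through a direct route that bypasses the proxy will not appear here and need an endpoint-side check of the installed update version instead.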
Pentagon Unveils CyberCom 2.0
The U.S. Cyber Command announced its CyberCom 2.0 modernization plan, focusing on faster force generation, better hunt operations, and stronger detection of “living off the land” techniques.
Lt. Gen. William Hartman highlighted Chinese operators’ growing use of legitimate admin tools (PowerShell, WMI, PSRemoting, RDP) to blend into U.S. networks undetected.
CyberCom 2.0 will prioritize joint operations with private industry to identify and remove intruders already embedded in U.S. infrastructure.
My takeaway: “The Pentagon finally gets it — the next war isn’t about bombs, it’s about persistence.”
For defenders: map all LOLBins, move to allow-listing, and apply behavioral analytics to catch misuse of built-in admin tools.
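A small behavioral scorer over process-creation events, added here as an example and not code from CyberCom or the author. The events, the account allow-list and the rule weights are all constructed for illustration; the point is that the same binaries (PowerShell, WMIC, mstsc) score differently depending on who launched them, from where, and with what arguments, which is how you catch living-off-the-land misuse without blocking the tools your admins need:

```python
import re

# Constructed Sysmon Event ID 1-style process-creation events; none are real telemetry.
# Event 1 is a legitimate scheduled job, 2 and 3 are textbook LOLBin abuse, 4 is normal admin RDP.
EVENTS = [
    {"id": 1, "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly_backup.ps1"},
    {"id": 2, "user": "CORP\\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "user": "CORP\\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:fileserver01 process call create "cmd /c whoami"'},
    {"id": 4, "user": "CORP\\admin_ops",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mstsc.exe",
     "cmdline": "mstsc.exe /v:dc01"},
]

# Assumed allow-list: the accounts expected to drive built-in admin tools in this environment.
ADMIN_TOOL_USERS = {"CORP\\admin_ops", "CORP\\svc_backup"}
ADMIN_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe", "mstsc.exe", "psexec.exe", "winrs.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _base(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate over one event, score). Weights are illustrative, tune to your baseline.
RULES = [
    ("office-app-spawned-shell",
     lambda e: _base(e["parent"]) in OFFICE_APPS and _base(e["image"]) in SHELLS, 40),
    # PowerShell accepts abbreviated switches, so match -e/-ec/-en/-enc/-encodedcommand as whole tokens.
    ("powershell-encoded-command",
     lambda e: _base(e["image"]) in POWERSHELL
     and re.search(r"(?i)(?<=\s)-(e|ec|en|enc|encodedcommand)(?=\s)", e["cmdline"]) is not None, 30),
    ("powershell-hidden-window",
     lambda e: _base(e["image"]) in POWERSHELL
     and re.search(r"(?i)-w(indowstyle)?\s+hidden", e["cmdline"]) is not None, 10),
    # WMIC remote process creation is classic lateral movement with a built-in tool.
    ("wmic-remote-process-create",
     lambda e: _base(e["image"]) == "wmic.exe"
     and re.search(r"(?i)/node:", e["cmdline"]) is not None
     and re.search(r"(?i)process\s+call\s+create", e["cmdline"]) is not None, 40),
    # The allow-listing half: admin tooling from an account that is not supposed to use it.
    ("admin-tool-from-unexpected-account",
     lambda e: _base(e["image"]) in ADMIN_TOOLS and e["user"] not in ADMIN_TOOL_USERS, 20),
]


def score_event(event):
    """Return (total score, [names of rules that fired]) for one event."""
    hits = [name for name, pred, _ in RULES if pred(event)]
    score = sum(s for name, _, s in RULES if name in hits)
    return score, hits


def triage(events, threshold=50):
    """Events scoring at or above threshold, highest first."""
    out = []
    for e in events:
        score, hits = score_event(e)
        if score >= threshold:
            out.append({"id": e["id"], "user": e["user"], "score": score, "rules": hits})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```

This is detection, not enforcement: the allow-list here only raises a score. Real allow-listing of the tools themselves belongs in WDAC or AppLocker policy, and the scorer is what tells you which of the permitted uses looks wrong.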
UK Told to “Go Offensive or Be a Punching Bag”
At a national security hearing, UK officials were warned that Britain risks becoming a cyber punching bag without a visible offensive cyber policy. Experts argued that deterrence through response — not regulation — is what keeps hostile states at bay.
For CISOs operating in the UK:
Expect increased regulatory scrutiny and higher cyber insurance rates.
Strengthen threat hunting and collaboration with NCSC.
FBI Seizes RAMP Cybercrime Forum
The FBI and international partners have taken down the RAMP cybercrime marketplace, a major hub for ransomware negotiation, malware sales, and initial access brokering.
The forum’s clearweb and Tor versions now display federal seizure banners. Criminals will regroup elsewhere, so treat this as a temporary disruption for ransomware brokers and affiliates rather than a lasting one.
A small win for law enforcement — but a bigger win for defenders tracking these actors.
Fortinet Fixes FortiCloud Authentication Bypass
Fortinet has patched its FortiCloud SSO bypass vulnerability (CVE-2026-24858), which attackers were actively exploiting last week.
Admins must apply the patch immediately, rotate local credentials, and revoke API tokens. If your organization disabled SSO as a workaround, now’s the time to re-enable and resecure.
As I said:
“Patch day isn’t optional — especially when the cloud itself was the target.”
SolarWinds Web Help Desk Flaw Fixed
SolarWinds has issued patches for two critical authentication bypass and RCE vulnerabilities (CVE-2025-40552 and CVE-2025-40554) in its Web Help Desk product.
If exploited, attackers could achieve unauthenticated code execution, pivot laterally, and compromise ticketing automation systems.
Mitigation: patch immediately, isolate WHD from management networks, and review service account permissions tied to ticket automations.
Gemini MCP Zero-Day Allows Remote Code Execution
AI infrastructure isn’t safe either. Gemini’s MCP tool has an unauthenticated RCE flaw (CVE-2026-0755), allowing remote attackers to run commands on exposed endpoints.
To mitigate:
Restrict MCP endpoints behind VPNs and authentication layers.
Rotate API keys frequently.
Monitor for outbound traffic anomalies on AI servers.
As I warned:
“AI tools are the new soft targets — and the bad guys already know it.”
TP-Link Archer Router Command Injection Flaw
A command injection vulnerability (CVE-2025-14756) in TP-Link Archer MR600 v5 routers allows authenticated attackers to execute arbitrary commands via the admin panel.
Patches are available — update firmware immediately, disable remote admin, and replace any end-of-life routers still in production.
LLM Jacking: 35,000 AI Attacks in 40 Days
Researchers tracked 35,000 attack sessions abusing openly exposed AI endpoints (TCP port 11434, Ollama’s default) for crypto mining, API reselling, and prompt data theft. This “LLM-jacking” trend shows how unauthenticated AI endpoints are being hijacked for profit.
CISOs should:
Put AI endpoints behind auth.
Rotate API keys regularly.
Block egress to known crypto pools from AI servers.
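The first check for both the MCP and LLM-jacking items above is simply whether an inference or tool server is listening on all interfaces. Here is an added example, not code from the page or any vendor, that parses `ss -tlnp` output and flags AI-related ports bound to a wildcard address. The sample output is constructed; 11434 is Ollama's documented default, while the other ports in AI_PORTS are assumptions to extend for your own stack (MCP servers have no fixed port, so add whatever yours bind to):

```python
import re

# Constructed `ss -tlnp` output, not from a real host: an inference server on all interfaces
# (IPv4 and IPv6), a loopback-only API, and an unrelated web server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port   Process
LISTEN  0       4096     0.0.0.0:11434         0.0.0.0:*           users:(("ollama",pid=1234,fd=3))
LISTEN  0       4096     127.0.0.1:8000        0.0.0.0:*           users:(("python3",pid=2222,fd=5))
LISTEN  0       511      *:80                  *:*                 users:(("nginx",pid=3333,fd=6))
LISTEN  0       4096     [::]:11434            [::]:*              users:(("ollama",pid=1234,fd=4))
"""

# 11434 is Ollama's default. The rest are assumed defaults for other common local servers
# (vLLM, LM Studio, Gradio UIs) and should be adjusted to what you actually run.
AI_PORTS = {11434: "ollama", 8000: "vllm/openai-compatible", 1234: "lm-studio", 7860: "gradio-ui"}

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "[::]"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Turn `ss -tlnp` lines into dicts of bind address, port and owning process."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or non-listening state
        addr, port = parts[3].rsplit(":", 1)  # handles "[::]:11434" and "*:80"
        proc = PROCESS_RE.search(line)
        listeners.append({"addr": addr, "port": int(port), "process": proc.group(1) if proc else None})
    return listeners


def exposed_ai_listeners(ss_output, ai_ports=AI_PORTS):
    """AI-related ports bound to a wildcard address, i.e. exposed beyond localhost."""
    findings = []
    for listener in parse_listeners(ss_output):
        if listener["port"] in ai_ports and listener["addr"] in WILDCARD_BINDS:
            findings.append({**listener, "service": ai_ports[listener["port"]]})
    return findings


if __name__ == "__main__":
    for f in exposed_ai_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {f['service']} ({f['process']}) on {f['addr']}:{f['port']}")
```

Run it against `ss -tlnp` on every GPU or AI host. For anything it flags, rebind the service to loopback (for Ollama that is the OLLAMA_HOST environment variable) and put a reverse proxy with authentication in front; the 127.0.0.1:8000 line in the sample is what a correctly bound service looks like.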
Tsundere Bot Emerges as Ransomware Broker Tool
The Tsundere bot, paired with Xworm, is the latest tool leveraged by initial access brokers to sell footholds into enterprises.
These brokers evolve quickly, especially after forum takedowns like RAMP, so defenders must hunt for rare outbound beacons and script-based downloaders on new endpoints.
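A starting point for the beacon hunt, added here as an example rather than anything from the page or a vendor tool. It groups outbound connections by source, destination and port, then flags pairs whose inter-connection timing is unusually regular and whose destination is contacted by almost nobody else in the environment. The flow records are constructed; the thresholds are assumptions to tune against your own baseline:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records (epoch seconds, src, dst, dport), NetFlow/firewall style.
# 10.1.4.23 beacons to 203.0.113.50 roughly every 60 s; 10.1.4.17 and 10.1.4.31 browse a shared site.
SAMPLE_FLOWS = [
    (1000, "10.1.4.23", "203.0.113.50", 443), (1061, "10.1.4.23", "203.0.113.50", 443),
    (1119, "10.1.4.23", "203.0.113.50", 443), (1180, "10.1.4.23", "203.0.113.50", 443),
    (1242, "10.1.4.23", "203.0.113.50", 443), (1299, "10.1.4.23", "203.0.113.50", 443),
    (1360, "10.1.4.23", "203.0.113.50", 443), (1421, "10.1.4.23", "203.0.113.50", 443),
    (1005, "10.1.4.17", "198.51.100.10", 443), (1020, "10.1.4.17", "198.51.100.10", 443),
    (1150, "10.1.4.17", "198.51.100.10", 443), (1152, "10.1.4.17", "198.51.100.10", 443),
    (1400, "10.1.4.17", "198.51.100.10", 443), (1401, "10.1.4.17", "198.51.100.10", 443),
    (1403, "10.1.4.17", "198.51.100.10", 443), (1900, "10.1.4.17", "198.51.100.10", 443),
    (1010, "10.1.4.31", "198.51.100.10", 443), (1500, "10.1.4.31", "198.51.100.10", 443),
]


def find_beacons(flows, min_connections=6, max_cv=0.15, max_distinct_sources=1):
    """Flag (src, dst, dport) pairs that look like C2 beacons.

    A pair is reported when it has at least min_connections, the coefficient of
    variation (stdev / mean) of the gaps between connections is at most max_cv, and
    the destination is reached by at most max_distinct_sources hosts (a "rare" destination).
    All three thresholds are assumptions; implants with heavy sleep jitter need a larger max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    sources_per_dst = defaultdict(set)
    for src, dst, dport in by_pair:
        sources_per_dst[(dst, dport)].add(src)

    findings = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # bursts in the same second are a different pattern, not a sleep loop
        cv = pstdev(gaps) / avg
        rare = len(sources_per_dst[(dst, dport)]) <= max_distinct_sources
        if cv <= max_cv and rare:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                             "interval_s": round(avg, 1), "jitter_cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["jitter_cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f"beacon? {f['src']} -> {f['dst']}:{f['dport']} every ~{f['interval_s']}s "
              f"(n={f['count']}, cv={f['jitter_cv']})")
```

The rarity test is what keeps this from drowning in update checkers and SaaS heartbeats, which are just as periodic but are contacted by most of the fleet. Pair hits with the process that opened the socket on the endpoint, since a freshly dropped script loader beaconing from a host that also just ran an encoded PowerShell command is exactly the broker foothold the passage describes.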
Action List
⚡ Energy: Validate segmentation and rehearse wiper-grade restore playbooks.
🧩 Vendors: Test software updates before deployment.
🛡️ Cloud: Patch FortiCloud and SolarWinds systems immediately.
🧠 AI: Restrict exposed MCP and LLM endpoints behind authentication.
🧱 Network: Disable remote router admin and upgrade outdated hardware.
🕵️ SOC: Hunt for script-based loaders and rare outbound beacons.
🔐 Identity: Apply allow-lists and behavioral monitoring for admin tools.
🏛️ Collaboration: Engage with NCSC and law enforcement on threat intel sharing.
James Azar’s CISO’s Take
Today’s episode was a masterclass in convergence — the intersection of nation-state aggression, corporate vulnerability, and technological overreach. The Poland grid attack and eScan incident remind us that our dependencies — software, vendors, and infrastructure — are all part of the threat surface now.
My biggest takeaway? Resilience isn’t a checklist — it’s muscle memory. The companies that survive aren’t the ones with perfect firewalls, but those that can detect, isolate, and recover faster than their adversaries. Whether it’s a wiper in Poland or a zero-day in your cloud stack, your team’s response tempo is your true defense.
Stay alert, stay caffeinated, and as always — stay cyber safe.