CISO Talk by James Azar
CyberHub Podcast
Qantas Data Breach Impacts 6 Million Customers, French Government Agencies Hit by Chinese Ivanti Exploits, Critical Anthropic AI Vulnerability Exposes Developer Machines

Critical Anthropic AI Development Flaw Discovered, AT&T Launches SIM Swap Protection, and Senate Strips AI Regulation Ban Clearing Path for State-Level Innovation

Good Morning Security Gang!

Welcome back to another action-packed Wednesday episode of the Cyber Hub podcast, broadcasting live from the bunker on July 2nd, 2025! I'm your host and CISO James Azar, back with my signature double espresso as we count down just one more day until the Fourth of July. For those of us with kids, the Fourth of July also means fireworks, and my little one has been counting down the days asking "Dad, we're gonna go see fireworks?" And absolutely, we're gonna go see tons of fireworks this weekend - so many fireworks! Tomorrow we'll wrap up this week before heading out for the holiday.

Today I'm covering a massive breach at Qantas affecting 6 million customer records, France getting hammered by Chinese attackers exploiting Ivanti vulnerabilities (my favorite punching bag strikes again!), and a critical security flaw in Anthropic's AI development tools. From AT&T's new SIM swap protection to Senate actions on AI regulation, I'm delivering the essential cybersecurity intelligence you need before we celebrate America's independence.

France Hit by Massive Chinese Campaign Exploiting Ivanti Zero-Days

France's cybersecurity agency reported yesterday that a range of government, utility, and private sector entities in the country were impacted by a hacking campaign last year leveraging zero-day vulnerabilities in Ivanti appliances. The campaign targeted organizations from governmental, telecommunications, media, finance, and transport sectors according to the report from ANSSI.

The attackers exploited bugs such as CVE-2024-8190, CVE-2024-8196, and CVE-2024-9380, with the intrusion set being tracked by ANSSI under the code name "Hawkin". This is being pinned to China, and we already knew China was taking advantage of these vulnerabilities - that attribution was done on the U.S. side.

"Why anyone still has Ivanti after everything they've gone through is a glutton for punishment. At some point you just have to admit you have a dud in your environment. Rip and replace it. Go to Best Buy, go to Carrefour, pick up a new firewall off the shelf - it'll probably do better than the Ivanti one you have in your environment. Guarantee it." - James Azar On France's Ivanti exploitation by Chinese attackers

Fewer exploitations, fewer rootkits, less malware, fewer Chinese operators cruising around in your network.

Qantas Breach Affects 6 Million Customer Records Through Third-Party Attack

Qantas is now notifying customers that their information was stolen in a recent cyber attack targeting one of its contact centers. Australia's flag carrier detected an intrusion on June 30th after attackers accessed a third-party platform used by the call center. While no Qantas systems were accessed and airline operations weren't affected, the attackers managed to exfiltrate data from the compromised platform.

There are 6 million customers with service records on this platform, and Qantas is still investigating what proportion of the data was stolen, though it expects it to be significant. Qantas is not saying frequent flyer accounts were compromised, nor that passwords, PINs, or login details were accessed, but the stolen data set is still probably large in scope. Australia has a really weird view on cyber - it has a cybersecurity minister who somehow thinks companies that are victims of crimes are also perpetrators, because they hold something someone wants and don't do "enough" (though what's enough isn't defined).

Airlines have been hit hard - WestJet yesterday, Hawaiian Airlines, and now this. The attackers have figured out the business process: third-party help desk and customer support staff need access to lots of customer information, they're not paid much, and they're very easy to social engineer because their job is to help the customer and support the business.

Russian State-Linked Institute Connected to Media Attack

A cyber attack on Russian independent media is being linked to a U.S.-sanctioned institute, according to researchers. The Russian hosting provider allegedly involved in a recent cyber attack against independent media organizations is connected to a state-affiliated research center sanctioned by the United States. The hosting provider, Biterika, generated one-third of the junk traffic that flooded the websites of iStories and Verstka after they published an exposé on child sex trafficking networks in Russia that allegedly involve oligarchs and other powerful officials.

Isn't it amazing that every time we expose perversions, there's someone attacking the people exposing the perversions? I mean, just mind-boggling how that always happens. I'm not a conspiracy theorist, but man, you start connecting those dots. Biterika was previously flagged as a high-risk hosting provider associated with anonymization services, proxy abuse, and infrastructure that enables potentially malicious internet activity.

The company's main owner, Valentina Elshin, is a software engineer at a Russian state-linked tech center that's part of the Moscow Institute of Electronic Technology, also sanctioned by the U.S.

AT&T Launches Wireless Lock to Combat SIM Swapping

AT&T is doing something to help tackle SIM swapping attacks with a new feature called "Wireless Lock": a setting customers enable on their account that blocks anyone trying to phish their way to a SIM swap. The feature has been available to some customers for almost a year and is now rolled out to all AT&T customers.

A SIM swap, for those watching the show for the first time, is when someone calls AT&T pretending to be you, claims to have a new phone, and asks to move your number onto a new SIM. Because the caller can pass identity validation with your personal information, the carrier swaps it, and the attacker then tries to log into your bank account and receives the text-message MFA code. That's why you want app-based multi-factor authentication and not text-based MFA.

Roger Grimes has a book called "Hacking MFA" - if you're a practitioner looking to implement MFA, it's really worth it. To enable the AT&T feature, log into the mobile app or website and lock your number; that prevents anyone, including AT&T employees, from changing it unless you first disable the lock in your AT&T account.

Good job to AT&T - maybe Verizon and T-Mobile will pick up on it and do the same.

CISA Warns of New TeleMessage Vulnerabilities Under Active Exploitation

CISA is calling attention to two new vulnerabilities in the messaging application TeleMessage, urging organizations to patch them immediately. The application allows users to archive messages sent using WhatsApp, Telegram, and Signal. TeleMessage landed in the spotlight after Trump's former national security advisor Mike Flynn was seen using it on his phone, and tens of government employees were later found to have been using it.

Shortly after, the Oregon-based communications company Smarsh, which owns Israel-based TeleMessage, suspended all TeleMessage services after attackers demonstrated that a lack of encryption allowed them to obtain chat logs. That weakness, CVE-2025-47729, has a CVSS score of 4.9 and was added to CISA's KEV catalog in May. Now CISA is adding two more, CVE-2025-48927 and CVE-2025-48928, both being exploited by attackers, so make sure you get those patched as soon as humanly possible.

Critical Security Flaw Found in Anthropic's AI Development Tools

Cybersecurity researchers discovered a critical security vulnerability in Anthropic's MCP Inspector project that could result in remote code execution and allow an attacker to gain complete access to the host, according to Oligo Security. This is one of the first critical RCEs in Anthropic's MCP ecosystem, exposing a new class of browser-based attacks against AI developer tools.

The vulnerability, CVE-2025-49596, carries a CVSS score of 9.4 out of 10. With code execution on a developer's machine, attackers can steal data, install backdoors, and move laterally across the network. It highlights serious risks for AI teams, open source projects, and enterprise adopters relying on MCP. MCP, introduced by Anthropic in November last year, is an open protocol that standardizes how LLMs integrate and share data with external data sources and tools.

I was talking to an investor yesterday who said they're seeing a lot of MCP, MCP, MCP - I called it the next day, and here it is. The impacted versions of MCP are below 0.1.4.1, so you want to make sure you're on a later version.
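The story describes the MCP Inspector flaw as a browser-based attack against a developer tool running on the developer's own machine, without going into the mechanics. The usual hardening for that class of problem, whatever the specific bug, is for a locally hosted tool to refuse requests a browser could have been tricked into sending: requests whose Host header is not a loopback name (a hostile web page can point its own domain at 127.0.0.1) and requests whose Origin header is some other site. The following is an added example of that check, not Anthropic's fix and not MCP Inspector code; the port, the allowed origins and the handler are assumptions chosen for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed deployment: the tool listens on 127.0.0.1:8000 and is only ever driven
# from a browser tab the developer opened at one of these origins.
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _hostname_from_host_header(host: str) -> str:
    """Strip an optional :port, handling bracketed IPv6 literals."""
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def request_is_local_browser_safe(headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason). Rejects a request when its Host is not a loopback
    name (the browser resolved some other domain to this machine) or when it
    carries an Origin outside the allowed set (a page on another site made the
    browser send it). Non-browser clients such as curl send no Origin and pass
    on the Host check alone."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    host = hdrs.get("host", "")
    if _hostname_from_host_header(host) not in LOOPBACK_HOSTS:
        return False, f"unexpected Host header: {host!r}"
    origin = hdrs.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"request from disallowed Origin: {origin!r}"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler applying the check before any state-changing action."""

    def do_POST(self):
        ok, reason = request_is_local_browser_safe(dict(self.headers.items()))
        if not ok:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"action performed\n")


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), GuardedHandler).serve_forever()
```

Two caveats for anyone applying this pattern: bind the listener to 127.0.0.1 rather than 0.0.0.0, and treat the Origin check as one layer only, since top-level GET navigations carry no Origin; state-changing endpoints should additionally require a per-session token that a foreign page cannot obtain.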

Senate Strips AI Regulation Limits from Federal Bill

The Senate stripped a ten-year federal ban on state AI regulation from a bill that otherwise had bipartisan support. The clause triggered pushback after the bill passed the House - people didn't notice it was there, then noticed it after they had voted and said "whoa, wait a minute, this violates everything we believe in." The Senate stripped it out, and the bill now goes back to the House for a re-vote with that clause removed.

Expect a lot of AI regulation to come from the states - I know Texas, California, New York, and Colorado all have laws pending on the books. This removal actually expedites their approval to get through the House and then implement it. Europe already has the EU AI Act - it's coming folks, it's coming.

FERC Withdraws Cybersecurity Inquiry for Energy Sector

FERC has withdrawn its notice of inquiry and terminated the related rulemaking proceedings. The notice had requested public comment on whether the CIP reliability standards in place sufficiently addressed cybersecurity risks related to data security and the detection of anomalies and events. The withdrawal is effective as of the end of this month; however, the commission also asked for input on the potential risks of coordinated cyber attacks on geographically distributed targets.

For those who don't know the structure: the energy industry has FERC, which oversees NERC; NERC is the standards body; and CIP is the set of critical infrastructure protection standards it issues. I did a whole training on NERC CIP last September with SANS alongside Jason Christopher, who's extremely knowledgeable on NERC CIP. This is significant because FERC really tries to walk the line - new CIP standards are adopted through FERC with industry feedback. What you're seeing now is a closer look at how the grid is interconnected and the risks that creates.

Cairncross Clears Committee for National Cyber Director Role

National Cyber Director nominee Sean Cairncross cleared the Senate Homeland Security and Government Affairs Committee on Monday and will now go to the Senate for a full vote where he's expected to pass with flying colors. The nomination has been met with some controversy, but overall he's a very qualified individual. Yes, he's not a technical cyber guy, but this is a policy role, not a technical role.

Can a policy person have enough technical people around him to make good policy decisions? Yes, inherently yes. So we'll take that - he clears committee and we'll see what happens in the full Senate vote.

James Azar's CISO Take

My analysis today focused heavily on what I see as recurring patterns of organizational failure to learn from previous incidents. The France situation with Ivanti is particularly frustrating because this isn't the first, second, or even third time we've seen massive exploitation of Ivanti products by sophisticated threat actors. At some point, organizations need to admit they have a dud in their environment and just rip and replace it. I've been saying this for years - when a product becomes more of a liability than an asset, you don't try to patch around the problem, you eliminate it entirely.

The Qantas breach shows another concerning pattern in the airline industry - attackers have figured out that third-party customer support platforms are goldmines of information with relatively weak security postures. These support staff are underpaid, undertrained, and their entire job is to be helpful, making them perfect social engineering targets.

What really concerns me is how these supply chain attacks are becoming more sophisticated while our defensive strategies remain reactive rather than proactive. The Anthropic MCP vulnerability shows how quickly new attack surfaces emerge as we adopt AI development tools - I literally called this trend yesterday when talking to an investor about MCP proliferation, and here we are with a 9.4 CVSS vulnerability.

The AT&T SIM swap protection is a step in the right direction, but it shouldn't have taken this long to implement basic controls against such well-known attack vectors.

On the regulatory front, the Senate stripping the AI regulation ban is actually good news - we need state-level innovation in AI governance because federal processes move too slowly.

The Cairncross nomination moving forward gives me some optimism that we'll have competent policy leadership, even if he's not technically focused. Sometimes policy people with good technical advisors make better decisions than technical people trying to navigate political realities they don't understand.

Action Items for Security Teams

  • Ivanti systems audit: Immediately identify and plan replacement of all Ivanti appliances - prioritize internet-facing systems

  • TeleMessage patching: Update all TeleMessage applications to address CVE-2025-48927 and CVE-2025-48928 immediately

  • Anthropic MCP updates: Ensure all MCP Inspector deployments are updated to version 0.1.4.1 or later

  • Third-party contact center review: Audit all customer support platforms and implement enhanced monitoring for data exfiltration

  • SIM swap protection: Enable wireless lock features across all corporate mobile accounts with AT&T and similar protections with other carriers

  • Aviation sector monitoring: Implement enhanced supply chain security controls if operating in transportation sector

  • AI development tool security: Review all AI development environments for potential browser-based attack vectors

  • State AI regulation tracking: Monitor pending AI legislation in Texas, California, New York, and Colorado for compliance requirements

  • MFA implementation review: Replace all SMS-based MFA with app-based or hardware token solutions

  • Supply chain vendor assessment: Evaluate all third-party platforms handling customer data for security posture

  • NERC CIP compliance review: For energy sector organizations, prepare for potential new coordinated attack standards

  • Russian media exposure monitoring: Check for any hosting or infrastructure dependencies on sanctioned Russian entities

  • Firewall replacement planning: Develop migration strategies away from problematic vendor appliances

  • Customer data mapping: Document all third-party platforms with access to customer information for risk assessment
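The Qantas item above turns on a third-party contact-center platform whose agents legitimately look up customer records all day, which is exactly why bulk exfiltration through one of those accounts can hide in normal traffic. As an added example of the "enhanced monitoring for data exfiltration" action item (not code from the show, Qantas, or any vendor), the block below runs a simple detection over a constructed access log: it counts distinct customer records each agent touched per hour and flags an agent-hour that blows past an absolute cap or sits far above what peers on the same shift were doing. The log format, thresholds and agent names are all assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median


def build_sample_log() -> str:
    """Constructed CSV access log (assumed format: timestamp,agent_id,
    customer_id,action): five agents doing four lookups an hour during the
    day, plus one account pulling 40 distinct records at 02:00."""
    rows = ["timestamp,agent_id,customer_id,action"]
    for hour in (9, 10, 11):
        for agent in range(1, 6):
            for n in range(4):
                rows.append(
                    f"2025-06-30T{hour:02d}:{n * 12:02d}:00,"
                    f"agent_{agent:02d},C{agent}{hour}{n:02d},view_profile"
                )
    for n in range(40):
        rows.append(f"2025-06-30T02:{n:02d}:30,agent_07,C9{n:03d},view_profile")
    return "\n".join(rows) + "\n"


def parse_log(text: str):
    """Yield (hour_bucket, agent_id, customer_id) per lookup row."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["timestamp"][:13], row["agent_id"], row["customer_id"]


def distinct_records_per_agent_hour(events):
    """Map (agent, hour) -> number of distinct customer records touched."""
    seen = defaultdict(set)
    for hour, agent, customer in events:
        seen[(agent, hour)].add(customer)
    return {key: len(customers) for key, customers in seen.items()}


def flag_bulk_access(text: str, hard_cap: int = 25, peer_multiplier: float = 5.0):
    """Return [(agent, hour, count)] for agent-hours whose distinct record
    count exceeds `hard_cap`, or exceeds `peer_multiplier` times the median
    count of the other agents active in that same hour. The peer comparison
    keeps a genuinely busy shift from tripping the rule, while the hard cap
    still catches a lone account working off-hours with no peers at all."""
    counts = distinct_records_per_agent_hour(parse_log(text))
    by_hour = defaultdict(dict)
    for (agent, hour), n in counts.items():
        by_hour[hour][agent] = n
    flagged = []
    for hour, agents in sorted(by_hour.items()):
        for agent, n in sorted(agents.items()):
            peers = [m for a, m in agents.items() if a != agent]
            peer_median = median(peers) if peers else 0
            if n > hard_cap or (peer_median and n > peer_multiplier * peer_median):
                flagged.append((agent, hour, n))
    return flagged


if __name__ == "__main__":
    for agent, hour, n in flag_bulk_access(build_sample_log()):
        print(f"ALERT {agent} touched {n} distinct customer records during {hour}")
```

The thresholds are deliberately crude; in a real deployment you would derive each agent's baseline from weeks of history and feed the alert into the same queue as your other insider-risk signals, but even this shape of rule would surface a support account being walked through thousands of records by someone who talked their way past the help desk.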

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.


✅ Story Links:

https://therecord.media/france-anssi-report-ivanti-bugs-exploited

https://www.securityweek.com/qantas-data-breach-impacts-up-to-6-million-customers/

https://therecord.media/cyberattack-on-russian-media-linked-to-sanctioned-institute

https://www.bleepingcomputer.com/news/security/atandt-rolls-out-wireless-lock-feature-to-block-sim-swap-attacks/

https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html

https://www.securityweek.com/cisa-warns-of-two-exploited-telemessage-vulnerabilities/

https://www.bankinfosecurity.com/senate-strips-ai-moratorium-amid-sharp-bipartisan-opposition-a-28876

https://industrialcyber.co/nerc-cip/ferc-ends-rulemaking-on-a-cip-reliability-standard-seeks-input-on-coordinated-cyberattack-risks/

https://therecord.media/trump-national-cyber-director-pick-clears-senate-panel

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
