Good Morning Security Gang!
Happy Fourth of July! What a great day it is to be alive when we get to celebrate our country's birthday - 249 years young and looking as good as ever, just unbelievable! Welcome to a very special Fourth of July episode of the Cyber Hub podcast, broadcasting live from the bunker on July 3rd, 2025. I'm your host and CISO James Azar, back with my signature double espresso. Coffee cup cheers, y'all!
More than anything else, we mark 249 years young for America - next year will be 250 years and should be an epic celebration. We live in an unbelievable place at an unbelievable time where opportunities are afloat, and I'm grateful for it.
"I've been to over a hundred countries and lived in about six or seven of them, including Ukraine, Israel, the Emirates, Romania, and Bulgaria. Still, whenever I come back home, I just go 'I'm home.' There's something special about America that makes people come here on boats, trying to find any way into our country because of that special promise our founders worked on, that promise of a free nation. We're blessed, we're lucky. Happy birthday America!" - James Azar, on why America remains special after 249 years
Qantas Breach Update: Significant Data Theft Expected
Yesterday we talked about Qantas' cybersecurity incident, and now they're giving more information about what happened. They're saying the proportion of data stolen is expected to be significant, and based on what they've already seen it's likely to include customer names, emails, phone numbers, frequent flyer numbers, and birth dates. The affected system doesn't hold financial information or passport details, according to the airline, but I want to address that, because to me that's a scary thought.
Ever get a text message from someone pretending to be your boss saying "hey, got a minute?" and asking you to run to CVS and buy gift cards? People fall for it all the time. The attackers collect information from LinkedIn - they know you work with so-and-so and that so-and-so is your boss, so they can say "hi, it's so-and-so, your boss." That's publicly available information. They have your number, and they spoof theirs to look similar to your company's phone number.
So while Qantas says no financial information or passport details were compromised, a lot of what was taken is all a social engineer needs. If attackers have that information and people reuse passwords, they can take over accounts. If Qantas really wants to secure customer accounts, it should force a password reset on next login for every single customer - maybe in batches, to keep cybercriminals on their heels rather than giving them a roadmap.
DOJ Investigates Ex-Ransomware Negotiator for Corruption
An ex-ransomware negotiator is now under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals. The suspect is a former employee of DigitalMint, a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments.
The company claims to have negotiated over 2,000 ransomware cases since 2017. Bloomberg first broke the story, reporting that DOJ is investigating whether the suspect worked with ransomware gangs to negotiate payments and then received a cut of the ransom that was charged to the customer. DigitalMint confirmed that one of its former employees is under criminal investigation and said it terminated the employee after learning of the alleged conduct.
The company said it's not the target of the investigation, but they're trying to minimize this. Profiting from crime is really, really easy and so tempting, and it just shows you that we deal with people, and even on the cyber side, sometimes people fall into that trap.
Columbia University Hacker's Political Agenda Revealed
A hacktivist with a political agenda broke into Columbia University's IT systems in recent weeks and stole targeted student data, according to officials. It's unclear how long the attacker was inside university systems, but a Columbia spokesperson said no threat activity has been detected since June 24th. The investigation indicated the attackers were highly sophisticated and very targeted in their theft of documents - they broke in and stole student data with the apparent goal of furthering a political agenda.
Columbia has been at the center of the pro-Hamas camps - obviously a very radical school that has not been safe for Israeli or Jewish students since October 7th. So I wonder what political agenda is being furthered here. They're not saying which one, but I guarantee you if it was the other way around, we'd know all about it.
It's likely that Jewish students' information was stolen here, or potentially pro-Israel students' information, to further a political agenda that Columbia has been at the center of since October 7th. I've been told by someone I asked about this that they kind of know what it is but aren't releasing it as of yet - which tells me everything I need to know.
North Korean Mac Malware Targets Web3 and Crypto Organizations
North Korean attackers are luring employees at Web3 and crypto-related organizations into installing Nim-compiled macOS malware through a fake Zoom software update, according to SentinelOne. The attack follows an infection chain recently attributed to the Pyongyang-linked APT BlueNoroff. Attackers impersonate a trusted contact of the victim and invite them to Telegram to schedule a meeting via Calendly.
The victim then receives an email containing a link to a Zoom meeting and is instructed to run a malicious script posing as a Zoom SDK update. Running the script triggers a multi-stage infection chain that ends with the deployment of a malicious binary SentinelOne tracks as "NimDoor." Nim is a statically typed, compiled systems programming language that borrows concepts from languages such as Python, Ada, and Modula.
NimDoor has some unusual features, including encrypted configuration handling, asynchronous execution built on Nim's native runtime, and a signal-based persistence mechanism not previously seen in macOS malware. The North Koreans are getting really, really good at this - two different payloads are dropped on the device, so make sure you block this and train your people.
Critical Cisco Vulnerability Allows Root Account Access
Cisco announced a critical vulnerability in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) software that, because of hardcoded credentials, could allow an attacker to log in as the root account. The issue is CVE-2025-20309 with a CVSS score of 10.0 - as critical as it gets. According to Cisco it has been resolved; it affects versions 15.0.1.13010-1 through 15.0.1.13017-1, fixed releases are available, and Cisco has seen no active exploitation so far. This is the kind of perfect 10 vulnerability that demands immediate attention from any organization running Cisco Unified Communications infrastructure.
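As an added example (not code from the podcast, the page, or Cisco), here is a small Python check that parses Cisco Unified CM version strings into numeric tuples and flags inventory hosts whose build falls inside the affected range quoted above. The hostnames in the inventory are constructed sample data, and the range boundaries are the ones the story states; anything else about your environment is an assumption you supply.

```python
"""Flag Cisco Unified CM / Unified CM SME builds inside a vulnerable version range.

Added illustration, not Cisco tooling. The inventory below is constructed
sample data with hypothetical hostnames.
"""
import re
from typing import List, Tuple

# Affected range reported for the hardcoded-root-credential advisory above.
AFFECTED_LOW = "15.0.1.13010-1"
AFFECTED_HIGH = "15.0.1.13017-1"

# Cisco UC builds look like MAJOR.MINOR.MAINT.BUILD-SUFFIX, e.g. 15.0.1.13010-1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.0.1.13010-1' into (15, 0, 1, 13010, 1).

    Comparing tuples of ints avoids the classic string-comparison bug where
    '15.0.1.9000-1' sorts *after* '15.0.1.13010-1' lexicographically.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco UC version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """True if `version` lies inside [low, high] inclusive (both ends are affected)."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


# Constructed inventory: (hostname, product, version). Hostnames are hypothetical.
INVENTORY: List[Tuple[str, str, str]] = [
    ("cucm-pub-01", "Unified CM", "15.0.1.13010-1"),      # low end of range
    ("cucm-sub-02", "Unified CM", "15.0.1.13017-1"),      # high end of range
    ("cucm-sme-01", "Unified CM SME", "15.0.1.13012-1"),  # inside the range
    ("cucm-lab-01", "Unified CM", "15.0.1.13018-1"),      # one build past the range
    ("cucm-old-01", "Unified CM", "14.0.1.10000-20"),     # different major release
    ("cucm-sub-03", "Unified CM", "15.0.1.9000-1"),       # would be misordered by string compare
]


def affected_hosts(inventory: List[Tuple[str, str, str]] = INVENTORY) -> List[str]:
    """Return hostnames whose build sits inside the affected range, in inventory order."""
    return [host for host, _product, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host, product, ver in INVENTORY:
        status = "AFFECTED - patch now" if is_affected(ver) else "outside range"
        print(f"{host:12} {product:15} {ver:16} {status}")
```

Treat the output as a starting point for triage rather than proof: a version string tells you which build shipped, not whether a hotfix has since been applied on the box, so confirm the fix on each flagged host before closing the ticket.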
Hunters International Ransomware Gang Shuts Down, Offers Free Decryptors
Hunters International ransomware-as-a-service announced today that it's officially shutting down its operation and will offer free decryptors to help victims recover their data without paying a ransom. In a statement they write: "After careful consideration in light of recent developments, we have decided to close the Hunters International project. The decision was not made lightly and we recognize the impact it has on the organizations we have interacted with." As a gesture of goodwill, they're offering free decryption software to all companies impacted by their ransomware.
Either someone got a conscience or these guys have been feeling the heat. Their victims included the U.S. Marshals Service, Japanese optics giant Hoya, Tata Technologies, AutoCanada, Austal USA, and Integris Health. So they've been after a lot of organizations. They're retiring and giving you free decryptors - go get it, get it now.
Google Ordered to Pay $314 Million for Android Data Collection
A California jury ordered Google to pay $314 million for collecting data from Android phones while they were connected to cellular networks, a practice that plaintiffs said equated to stealing a resource they had paid for. The verdict issued Tuesday by a jury in Northern California state court is the culmination of a class action that began in 2019. Plaintiffs argued that Google could have waited until devices were connected to Wi-Fi, thus avoiding costs related to cellular plans.
The cellular data activity occurred silently and without users' consent while Android phones were in purses, pockets, or even sitting seemingly idle on a nightstand as they slept. Plaintiffs argued that Google used that data to further their corporate interests, including targeted digital advertising. Google strongly disagrees with the decision and will be appealing, saying the ruling misunderstands services critical to the security, performance, and reliability of Android devices.
Cybersecurity M&A Market Consolidation Accelerates
More consolidation in M&A - 405 acquisitions were announced in 2024, and the pace has carried into 2025, with the roundup linked below counting 41 deals announced in June 2025 alone. The market is consolidating, folks - pay attention, it's going to be really impactful. A lot of these acquisitions over time will show you how the market is consolidating toward platforms rather than best-of-breed point solutions. I'm seeing that with Palo Alto, Check Point, SentinelOne, CrowdStrike, Cisco - you name it, it's coming.
James Azar's CISO Take
My analysis today on this special Fourth of July episode reflects both gratitude for living in the greatest country ever created and deep concern about the evolving threat landscape we face as cybersecurity professionals. The Qantas situation perfectly illustrates why I always emphasize that data breaches aren't just about the immediate information stolen - it's about how that information gets weaponized through social engineering and credential reuse.
When airlines say "no financial information was compromised," they're missing the bigger picture of how threat actors use seemingly innocuous data like frequent flyer numbers and personal details to conduct sophisticated social engineering attacks. The Columbia University incident particularly troubles me because it shows how cybercrime is increasingly being used to further political agendas, and the fact that they won't openly discuss what agenda was being pursued tells me everything I need to know about the likely targets.
What gives me hope on this Independence Day is seeing some positive developments alongside the concerning trends. The DOJ investigation into the corrupt ransomware negotiator shows that law enforcement is serious about going after bad actors on all sides - including those who profit from cybercrime even when they're supposed to be helping victims.
Hunters International shutting down and offering free decryptors is either a rare case of criminals developing a conscience or more likely shows that law enforcement pressure is working. The massive M&A consolidation I'm tracking shows the cybersecurity industry is maturing into comprehensive platforms rather than point solutions, which should ultimately make us more secure.
But the North Korean macOS malware targeting Web3 organizations and the critical Cisco vulnerability remind me that as we celebrate our freedoms today, we must remain vigilant about protecting the digital infrastructure that enables those freedoms. As I reflect on 249 years of American innovation and resilience, I'm confident we'll rise to meet these cybersecurity challenges just as previous generations met theirs.
Action Items for Security Teams
Qantas customer protection: Qantas should force a password reset at next login for every customer account, rolled out in batches; if you or your staff hold Qantas accounts, change that password now and anywhere it was reused
Cisco Unified CM patching: Update all Cisco Unified CM and Unified CM SME systems running 15.0.1.13010-1 through 15.0.1.13017-1 to address CVE-2025-20309 (CVSS 10.0) immediately
Hunters International decryptors: Check if your organization was affected and obtain free decryption tools before they become unavailable
North Korean macOS malware: Block NimDoor indicators and train staff on fake Zoom update social engineering tactics
Ransomware negotiator vetting: Review all third-party incident response providers for potential conflicts of interest
Columbia-style targeting: Assess if your organization could be targeted for political agenda advancement and implement appropriate controls
Android data collection review: Evaluate mobile device policies regarding automatic data collection and cellular usage
M&A security assessment: Prepare for vendor consolidation impacts and evaluate platform vs. point solution strategies
Web3 organization security: Implement enhanced controls for cryptocurrency and blockchain-related business operations
Student data protection: For educational institutions, review access controls and monitoring for politically motivated attacks
Social engineering awareness: Update training to include trusted contact impersonation and fake software update scenarios
Cellular data monitoring: Implement controls to prevent unauthorized background data collection on corporate mobile devices
Fourth of July security: Ensure adequate coverage during holiday period when many security teams are reduced
Free decryptor opportunities: Check if any historical ransomware incidents can be resolved with newly available free tools
✅ Story Links:
https://therecord.media/qantas-airline-data-breach
https://therecord.media/hacker-political-agenda-columbia-cyberattack
https://www.securityweek.com/north-korean-hackers-use-fake-zoom-updates-to-install-macos-malware/
https://www.securityweek.com/cisco-warns-of-hardcoded-credentials-in-enterprise-software/
https://therecord.media/google-lawsuit-data-collection-android-cellular
https://www.securityweek.com/cybersecurity-ma-roundup-41-deals-announced-in-june-2025/
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.