CISO Talk by James Azar
CyberHub Podcast
Romania Water Agency Hit by Ransomware, Nissan Breach Through Red Hat, and University of Phoenix Exposes 3.5 Million Records


BitLocker Ransomware Cripples Romania's National Water Authority While Venezuelan Gang Tren de Aragua Uses Ploutus Malware to Jackpot US ATMs and Interpol Operation Sentinel Arrests 574

Good Morning Security Gang

Today, we’re covering ransomware crippling Romania’s national water agency, Nissan’s exposure from a Red Hat breach, the University of Phoenix’s massive 3.5 million-person data leak, and a DDoS attack knocking out France’s postal and banking services. Then we pivot to Spotify’s scraping crackdown, a DOJ takedown of ATM jackpotting malware crews, Interpol’s global ransomware decryptor success, npm malware impersonating WhatsApp APIs, CISA’s BrickStorm alert, and South Korea’s controversial biometric SIM verification policy.

Grab your espresso — mine’s a hot double this morning — coffee cup cheers, gang! Let’s get into it.

Romania’s National Water Agency Hit by BitLocker Ransomware

Romania’s National Water Authority was hit by a ransomware attack that abused Windows’ built-in BitLocker encryption to lock workstations and servers, while OT systems such as dams and flood defenses were untouched. Authorities confirmed hydrotechnical operations remain safe, thanks to strict segmentation between IT and OT environments.

Attackers used living-off-the-land binaries (LOLBins), abusing built-in Windows tools to move across the network while evading detection. The Romanian National Directorate of Cybersecurity issued a statement warning against negotiation and ransom payment, aligning with EU best practice.

As I said on air: “Even when OT isn’t hit, taking down IT scheduling or billing can stop operations cold — that’s low-tech pressure with high-impact results.”

University of Phoenix Breach Impacts 3.5 Million Students and Alumni

The University of Phoenix disclosed a massive breach impacting 3.5 million learners and alumni, with stolen data including names, contact details, enrollment info, and student account metadata.

The breach originated in enterprise systems supporting student data before attackers pivoted to mass exfiltration. The Clop ransomware gang has claimed responsibility and added Phoenix to its leak site.

This is a textbook case of identity exploitation — we’re likely to see financial aid scams, phishing campaigns, and account takeovers. Higher education institutions should reset credentials, enable phishing-resistant MFA, and deploy anomaly detection for mass PDF generation or transcript requests.

Nissan Exposes 21,000 Customers via Red Hat Breach

Nissan Japan confirmed that 21,000 customers were affected by a third-party breach stemming from Red Hat’s recent incident, exposing names, physical addresses, emails, and service data.

This marks Nissan’s second cyber incident this year, following the Qilin ransomware attack earlier in 2025.

The attackers, believed to be from the Crimson Collective, exploited shared API integrations across suppliers — a clear reminder that supply chain exposure is still the biggest blind spot in automotive security.

France’s La Poste Knocked Offline by Christmas DDoS

France’s La Poste, which handles both postal services and La Banque Postale banking operations, suffered a major DDoS attack just before Christmas.

The volumetric assault crippled parcel tracking, label printing, and customer logins, disrupting holiday shipments and online banking access. While no data theft occurred, operational downtime during peak holiday season caused nationwide delays.

European regulators continue to warn that essential service operators must maintain DDoS thresholds and redundancy — a lesson painfully learned by La Poste this week.

Spotify Cracks Down on 86 Million Scraped Songs

Spotify has disabled thousands of accounts tied to an open-source scraping operation that harvested over 86 million songs and metadata entries under the banner of “the largest open library in human history.”

The scraped data, posted publicly, poses major copyright and credential risk. Spotify is tightening API security and cracking down on automated third-party tools that fuel account takeovers and fraudulent playback networks.

Data scraping might sound harmless, but when weaponized, it becomes data laundering.

DOJ Arrests 54 in Global ATM Jackpotting Scheme

The U.S. Department of Justice has charged 54 individuals linked to the Tren de Aragua Venezuelan crime syndicate for deploying Ploutus ATM malware across American banks.

The malware bypassed ATM security systems, forcing machines to dispense cash on command. The syndicate laundered millions through crypto and prepaid cards.

This operation shows how cybercrime turns kinetic — malware meets organized street-level theft.

As I said: “Cyber always turns kinetic, folks. Always. We see how Russia does that in Europe with critical infrastructure, with gas pipelines, with so much more. We're seeing it now with gangs in the US and in South America using cyber, turning it into kinetic... this isn't a victimless crime. Stealing money is never victimless, every dollar stolen turns into higher insurance and fees we all pay.”

Interpol’s Operation Sentinel Takes Down 574 Cybercriminals

Interpol’s Operation Sentinel, spanning 19 countries, led to 574 arrests, the seizure of $3 million, and the takedown of six ransomware strains with newly developed decryptor tools.

Highlights include:

  • Ghana: $120,000 recovered, 30 TB of data restored from 100 TB encrypted.

  • Nigeria: 10 suspects arrested for a fake fast-food scam defrauding 200 victims.

  • Cameroon: Rapid response froze accounts within hours of identifying fraud.

This operation underscores the global shift from reactive to offensive law enforcement collaboration — where arrests, decryptors, and domain takedowns hit cyber gangs’ wallets and credibility.

Malicious WhatsApp API Package Found on npm

Researchers have discovered a malicious npm package impersonating a WhatsApp API SDK to steal tokens and developer secrets.

The fake module has thousands of downloads, targeting CI/CD pipelines and app developers. Organizations must pin dependencies, use private registries, and enable secret scanning for every build job.

Rotate any exposed credentials immediately — this attack is a supply chain backdoor in disguise.
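The pinning and allowlisting advice above, as an added example that is not from the researchers’ report or any project on the page: a small Python audit that reads a package.json and its package-lock.json, flags version ranges that are not exact pins, flags dependencies missing from the lockfile, and flags names that are either off the organisation’s approved list or a close lookalike of an approved name. The manifest, lockfile, approved list and the lookalike name “lodahs” are all constructed for the example; they do not describe any real package.

```python
import json

# Constructed package.json for a hypothetical project (not a real manifest).
PACKAGE_JSON = '''{
  "name": "example-app",
  "dependencies": {
    "express": "4.18.2",
    "axios": "^1.6.0",
    "lodahs": "4.17.21",
    "example-whatsapp-api": "2.0.0"
  }
}'''

# Constructed package-lock.json; "lodahs" was added without regenerating the lock.
PACKAGE_LOCK = '''{
  "packages": {
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/axios": {"version": "1.6.0"},
    "node_modules/example-whatsapp-api": {"version": "2.0.0"}
  }
}'''

# Packages the organisation has reviewed and mirrored to its private registry (constructed list).
APPROVED = {"express", "axios", "lodash"}


def levenshtein(a, b):
    """Edit distance between two names; small distances hint at typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_exact_pin(spec):
    """True only for a bare version like 1.2.3 (no ^, ~, ranges, tags or URLs)."""
    parts = spec.split(".")
    return len(parts) == 3 and all(p.isdigit() for p in parts)


def audit(package_json, lock_json, approved, max_distance=2):
    """Return (name, issue, detail) findings for every dependency that breaks policy."""
    pkg = json.loads(package_json)
    lock = json.loads(lock_json).get("packages", {})
    # Lock keys look like "node_modules/<name>"; the root entry has an empty key.
    locked = {key.split("node_modules/")[-1] for key in lock if key}
    findings = []
    for name, spec in pkg.get("dependencies", {}).items():
        if not is_exact_pin(spec):
            findings.append((name, "unpinned", spec))
        if name not in locked:
            findings.append((name, "missing_from_lockfile", spec))
        if name not in approved:
            lookalikes = [a for a in approved if 0 < levenshtein(name, a) <= max_distance]
            if lookalikes:
                findings.append((name, "lookalike_of_approved", ",".join(lookalikes)))
            else:
                findings.append((name, "not_on_allowlist", spec))
    return findings


if __name__ == "__main__":
    for name, issue, detail in audit(PACKAGE_JSON, PACKAGE_LOCK, APPROVED):
        print(f"{issue:24s} {name} ({detail})")
```

Run it in CI before `npm ci`; any finding should fail the build, and the allowlist should be the set of packages actually mirrored to the private registry so a typosquat can never be resolved from the public one.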

CISA Warns of BrickStorm Targeting U.S. Firms

CISA issued an advisory detailing BrickStorm, a living-off-the-land malware campaign leveraging rundll32, PowerShell, and service abuse to infiltrate U.S. networks.

Organizations should block unsigned scripts, alert on suspicious service installs, and monitor local admin creation. This campaign mixes commodity loaders with stealthy persistence, blending ransomware and espionage tactics.
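The three detections recommended above (LOLBin execution, suspicious service installs, local admin creation), as an added example that is not from CISA’s advisory and carries no BrickStorm indicators: a Python rule set run over constructed Windows event records in JSON-lines form. The event IDs are the standard Windows ones (4688 process creation, 7045 new service installed, 4720 user account created, 4732 member added to a local group); the hosts, paths, service and account names are invented for the sample, and the “trusted directory” rule is a simplification a real deployment would replace with signature checks.

```python
import json
import re

# Constructed sample events in JSON-lines form (not from any real host).
SAMPLE_EVENTS = r'''
{"EventID": 4688, "Host": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\upd.dll,Start"}
{"EventID": 4688, "Host": "ws01", "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"}
{"EventID": 4688, "Host": "ws02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"EventID": 7045, "Host": "srv01", "ServiceName": "WinUpdateSvc", "ImagePath": "C:\\ProgramData\\svc\\winupd.exe"}
{"EventID": 7045, "Host": "srv01", "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 4720, "Host": "srv01", "TargetUserName": "support1"}
{"EventID": 4732, "Host": "srv01", "GroupName": "Administrators", "MemberName": "support1"}
'''

# Directories from which a service binary or a rundll32 DLL is normally loaded (simplification).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# PowerShell switches that rarely appear together in legitimate administration.
SUSPICIOUS_PS_FLAGS = {"-enc", "-encodedcommand", "-nop", "-noprofile", "-w", "-windowstyle"}
DLL_PATH = re.compile(r'([A-Za-z]:\\[^,\s"]+\.dll)', re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines event records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _trusted(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def _alert(rule, severity, ev, detail):
    return {"rule": rule, "severity": severity, "host": ev.get("Host"), "detail": detail}


def check_process(ev):
    """4688: rundll32 loading a DLL from an untrusted path, or PowerShell with evasion switches."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if image.endswith("rundll32.exe"):
        match = DLL_PATH.search(cmd)
        if match and not _trusted(match.group(1)):
            return _alert("rundll32_untrusted_dll", "high", ev, match.group(1))
    if image.endswith("powershell.exe"):
        hits = [t for t in cmd.lower().split() if t in SUSPICIOUS_PS_FLAGS]
        if hits:
            return _alert("powershell_suspicious_flags", "high", ev, " ".join(hits))
    return None


def check_service(ev):
    """7045: a new service whose binary lives outside the trusted directories."""
    path = ev.get("ImagePath", "")
    if not _trusted(path):
        return _alert("service_install_untrusted_path", "high", ev,
                      f'{ev.get("ServiceName")} -> {path}')
    return None


def check_account(ev):
    """4720 / 4732: local account creation and membership added to Administrators."""
    if ev["EventID"] == 4720:
        return _alert("local_account_created", "medium", ev, ev.get("TargetUserName"))
    if ev["EventID"] == 4732 and ev.get("GroupName", "").lower() == "administrators":
        return _alert("added_to_local_administrators", "high", ev, ev.get("MemberName"))
    return None


HANDLERS = {4688: check_process, 7045: check_service, 4720: check_account, 4732: check_account}


def detect(events):
    """Run every handler over the event stream and collect the alerts it raises."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev.get("EventID"))
        if handler:
            alert = handler(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f'[{a["severity"]}] {a["host"]}: {a["rule"]} ({a["detail"]})')
```

The sample yields five alerts and stays quiet on the two benign records (the system-DLL rundll32 call and the Print Spooler service). In production the account rules are worth correlating: a 4720 followed by a 4732 into Administrators on the same host within minutes is a much stronger signal than either event alone.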

South Korea Plans Facial Recognition for SIM Registration

South Korea announced plans to require facial recognition for SIM activation starting March 2026 to combat SIM swapping and identity fraud.

Carriers will compare ID photos with real-time facial scans before issuing a new number. While this may enhance fraud prevention, it raises privacy and data storage concerns across civil rights groups.

As I noted: "At the end of the day, facial recognition, like passwords, like MFA, is a token. It's a token on a device... nothing is unhackable. It's just not done yet, has been my experience in our industry."

Action List

  • 💧 Segment IT/OT networks and block LOLBin abuse across critical infrastructure.

  • 🎓 Rotate credentials and enforce phishing-resistant MFA for all student accounts.

  • 🚗 Audit third-party vendors and downstream Red Hat integrations.

  • 🇫🇷 Implement DDoS thresholds and redundancy for essential services.

  • 🎵 Block and monitor unauthorized scraping and API automation.

  • 💰 Deploy ATM whitelisting and geofencing to prevent jackpotting.

  • 🌐 Audit npm dependencies and enforce private registries.

  • 🧩 Enable script logging and block unsigned execution to counter BrickStorm.

  • 📱 Monitor policy implications of biometric SIM adoption.


James Azar’s CISO’s Take

Today’s show drove home a clear message — the weakest links are still human and vendor-based. From ransomware hitting Romania’s water agency to third-party breaches at Nissan and universities, the pattern repeats: supply chains expand faster than we can secure them.

My biggest takeaway? 2026 has to be the year of segmentation, automation, and validation. Segmentation for OT and vendor risk, automation for detection and response, and validation for every dependency, whether it’s npm, Docker, or API. The criminals aren’t pausing for Christmas — and neither can we.

Stay alert, stay caffeinated, and as always — stay cyber safe.
