Good Morning Security Gang
We’ve got a powerhouse show today — packed with nation-state attacks, sanctions, ransomware, and the evolving monetization of cybercrime. Before we dive in, mark your calendars — the three-part Saturday series “How the Subscription Model Broke the CISO” starts this weekend exclusively at cyberhubpodcast.com. You won’t find it anywhere else.
Now, let’s get that coffee brewing — double espresso, extra hot — and dive into today’s stories. Coffee cup cheers, y’all.
Russian Insurer VSK Hit by Cyberattack Causing Nationwide Outages
We start in Russia, where major insurance company VSK — serving 33 million individuals and half a million businesses — was forced offline after a cyberattack disrupted its digital portals and customer service systems. The outage cascaded across regional branches as IT teams attempted to isolate and contain the intrusion.
While VSK insists no customer or partner data was stolen, the story here isn’t about the breach — it’s about what it represents. For years, Russian authorities censored or concealed cyber incidents within their borders. Now, those breaches are being publicly acknowledged, signaling a strategic shift or internal fracture within the Kremlin’s information control.
This attack shows that the same tactics Russia uses abroad — targeting infrastructure for disruption — are now hitting home. For Western defenders, it’s a reminder that nation-state TTPs have no borders, and the collateral of cyber conflict often rebounds.
U.S., U.K., and Australia Sanction Russian Bulletproof Hosting Providers
The United States, United Kingdom, and Australia have jointly sanctioned Russian-based bulletproof hosting networks, including Krishi NML Cloud and MediaLand, both operating from St. Petersburg.
These entities provided infrastructure and anonymity to ransomware groups, payment processors, and crypto laundering operations — essentially acting as the criminal underworld’s version of GoDaddy.
The sanctions target both corporate fronts and financial enablers, freezing assets and banning transactions with Western firms. While these sanctions won’t eliminate their operations inside Russia, they cut off foreign infrastructure partnerships, creating friction in ransomware logistics and cash-out chains.
Amazon Links Iranian Cyber Operations to Physical Missile Strikes
Amazon’s Security Division has released a remarkable report linking Iranian cyber-espionage operations to real-world kinetic strikes. According to the investigation, a group known as Imperial Kitten, associated with the Islamic Revolutionary Guard Corps (IRGC), used compromised maritime systems to track and target vessels later struck by Houthi missiles.
Amazon reconstructed a two-year timeline showing that the hackers first compromised a ship’s Automatic Identification System (AIS) and onboard CCTV, providing real-time visuals and location data. Days later, that same vessel was attacked in the Red Sea.
“Not long ago, this wasn’t a thing. Now it’s a thing. And so when you ask yourself, ‘Why would anyone target me?’ Just think of that. No one in the ship said, ‘So what if they got our AIS?’ Well, until they launch a missile at it. And then you have a problem.” James Azar
In a second incident, the MuddyWater APT, under Iran’s Ministry of Intelligence, infiltrated Israeli CCTV systems during the brief “Twelve-Day War,” attempting to geolocate and target rocket strikes.
This is one of the clearest examples yet of cyber operations directly enabling physical warfare. The fusion of digital and kinetic tactics underscores how threat intelligence, even from commercial vendors, is becoming a battlefield multiplier.
China Uses Routers and Edge Devices for Espionage Operations
ESET researchers uncovered a long-term China-aligned espionage campaign leveraging SOHO routers and aging edge devices as operational proxies. The campaign, attributed to PlushDaemon, hijacks small, unmonitored network devices to route malicious traffic and conceal command-and-control servers.
Attackers also redirect DNS queries and firmware updates to deliver implants capable of data theft and persistence. The use of routers as “invisible staging points” highlights a growing blind spot — unmanaged hardware sitting at the edge of corporate or home networks.
Defenders should monitor router firmware integrity, enforce patch policies, and log DNS anomalies that could signal hijacked traffic.
New Ransomware-as-a-Service Emerges: ShinySp1d3r
The ShinyHunters crew is back, launching a Ransomware-as-a-Service (RaaS) platform under the name ShinySp1d3r. This offering bundles leak site hosting, negotiation playbooks, and access to initial broker markets — making ransomware operations turnkey for aspiring criminals.
ShinySp1d3r’s rise shows the continued industrialization of cybercrime, where extortion services now mimic legitimate SaaS business models, complete with customer onboarding and profit-sharing. Defenders should track affiliates’ TTP overlaps to map connections between ShinyHunters and emerging operators.
ASUS Routers Hijacked in “WrtHug” Campaign
A new campaign dubbed “WrtHug” is exploiting outdated ASUS consumer routers, converting them into nodes for DDoS attacks, proxy traffic, and credential harvesting. Attackers use default passwords, unpatched firmware, and exposed admin panels to take over devices.
These compromised routers act as jump points into corporate environments, particularly through remote workers and small business networks. Organizations should require minimum hardware standards in vendor and third-party risk management (TPRM) programs — including patch verification and administrative control documentation.
“This is part of what’s broken in our TPRM – it’s because you can’t really properly grade that risk. The question should be for small businesses: When was the last time the firewall was patched and who manages that firewall?” James Azar
7-Zip Vulnerability Actively Exploited
Attackers are now exploiting a newly disclosed 7-Zip path traversal vulnerability that allows remote code execution via crafted archive files. The flaw is particularly dangerous because 7-Zip is common on admin workstations and developer systems, often used for unpacking software packages.
One click on a malicious archive can lead to local privilege escalation and lateral movement across networks. Admins should immediately deploy the latest update, block execution from temporary archive paths, and monitor EDR alerts for scripting activity tied to 7-Zip extraction.
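The class of bug described above is an archive member whose name points outside the extraction directory. As an added illustration (not from the show, and not 7-Zip's own code), this Python scanner uses the standard library's zipfile module rather than 7-Zip to flag such entries in a constructed sample archive and refuses to extract it; the same check applies to any archive format whose member names are attacker-controlled.

```python
import io
import os
import posixpath
import zipfile


def is_unsafe_member(name: str) -> bool:
    """True if an archive member name could escape the extraction directory."""
    # Treat backslashes as separators too: Windows archivers accept both.
    normalised = name.replace("\\", "/")
    if normalised.startswith("/"):
        return True                                  # absolute POSIX path
    if len(normalised) > 1 and normalised[1] == ":":
        return True                                  # drive-letter path, e.g. C:/...
    # Normalise first so "docs/../file" (which stays inside) is not flagged,
    # but any surviving ".." component means the path climbs above the root.
    return ".." in posixpath.normpath(normalised).split("/")


def find_unsafe_entries(archive_bytes: bytes) -> list[str]:
    """Scan a ZIP archive held in memory and return every traversal-style member name."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_member(i.filename)]


def safe_extract(archive_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive if any member would land outside dest.

    Python's zipfile already strips leading slashes and ".." on extraction, but a
    scanner should reject and quarantine such an archive, not silently sanitise it.
    """
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if is_unsafe_member(info.filename) or os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"traversal attempt in archive member: {info.filename!r}")
        zf.extractall(dest_real)


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and three traversal-style entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        zf.writestr("../../Users/Public/payload.bat", "")  # parent-directory escape
        zf.writestr("..\\..\\startup\\payload.lnk", "")     # same trick with backslashes
        zf.writestr("/etc/cron.d/job", "")                  # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_unsafe_entries(build_sample_archive()):
        print("flagged:", name)
```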
Phishing-as-a-Service Platform Uses “Browser-in-Browser” Technique
A new Phishing-as-a-Service (PaaS) kit is circulating, leveraging browser-in-browser attacks that perfectly mimic SSO login windows for providers like Microsoft and Google.
Victims see what look like legitimate MFA prompts and URLs, but credentials and tokens are silently relayed to the attacker in real time. This approach has already bypassed multiple enterprise defenses.
Mitigation steps include migrating VIP accounts to FIDO2 hardware tokens, disabling legacy authentication, and deploying browser isolation to block embedded login flows.
Law Enforcement Tracks Crypto Behind Piracy and Fraud Rings
An international task force has dismantled a major crypto-laundering pipeline used by IPTV piracy and streaming scams. The operation traced millions in Bitcoin and Ethereum across payment processors, ad networks, and affiliate programs — all used to wash proceeds from fraud and ransomware.
Disrupting these laundering channels directly impacts the cybercrime supply chain, making it harder for groups to purchase initial access, infrastructure, or money mules.
California Man Pleads Guilty in $230 Million Crypto Heist
Federal prosecutors announced that 22-year-old Kunal Mehta from California has pled guilty to laundering cryptocurrency stolen through social engineering schemes that netted over $230 million between 2023 and 2025.
The group behind the heist included teenagers and young adults from the U.S. and abroad who met in online gaming communities. Their operations highlight how social networks and gaming platforms have become recruitment hubs for cybercriminal activity.
Congress Pushes to Strengthen SEC Cybersecurity Requirements
A new bipartisan bill — the SEC Data Protection Act of 2025 — aims to bolster cybersecurity controls and reporting obligations within the Securities and Exchange Commission itself.
The legislation mandates standardized procedures for handling, storing, and securing sensitive market data, as well as tighter incident disclosure timelines. Co-sponsored by Representatives David Scott (D-GA) and Barry Loudermilk (R-GA), the bill underscores growing bipartisan recognition that regulators themselves must uphold the same cybersecurity rigor they demand from the private sector.
Action List
🌐 Patch critical infrastructure: Fortinet, ASUS, Oracle EBS, and 7-Zip.
🧩 Audit unmanaged routers and SOHO devices for compromise.
🤖 Review exposure to Iranian-linked maritime tracking systems.
🪪 Move VIPs to phishing-resistant MFA (FIDO2).
💾 Segment backups and disable legacy protocols.
🧠 Rehearse incident workflows under SEC and CISA reporting standards.
🧱 Verify vendor TPRM compliance for firmware updates and device management.
💰 Track crypto-laundering patterns in internal fraud monitoring systems.
James Azar’s CISO’s Take
Today’s episode ties together the reality that geopolitics, crime, and technology have officially fused. What once lived in intelligence briefings is now part of corporate risk — from Iranian missile targeting aided by hacked ships to Chinese routers turned into espionage tools. The battlefield has expanded into our devices, our supply chains, and our inboxes.
My key takeaway is this: the line between cyber risk and operational risk is gone. Whether you’re patching routers, managing SEC disclosure workflows, or auditing cloud assets, you’re operating in a geopolitical theater. Our defenses must evolve beyond compliance — into continuous, context-aware resilience.
We’ll be back Monday, 9 a.m. Eastern with all the latest. Next week we have shows Monday, Tuesday, and Wednesday; Thursday and Friday we are off for Thanksgiving, and then we’re back into the holiday season. So December is right around the corner, folks.
Stay sharp, stay caffeinated, and as always — stay cyber safe.