CISO Talk by James Azar
CyberHub Podcast
Samsung Patches Zero-Day Exploited, New HybridPetya Ransomware Can Bypass UEFI Secure Boot, DELMIA Factory Software Vulnerability Exploited, FBI Warns of Hackers Stealing Salesforce Data

Critical Zero-Days, UEFI Bootkit Threats, the Continuing Salesforce Supply Chain Nightmare, and an FBI Salesforce Theft Alert

Good Morning Security Gang!
Welcome back to the CyberHub Podcast, episode 979—we’re just 21 shows away from hitting 1,000! I had to take a breather last week after the 9/11 anniversary and the tragic assassination of Charlie Kirk, but I’m back in the seat today with a double espresso and a jam-packed set of cyber stories.

From a Samsung zero-day being exploited in the wild, to a new ransomware strain bypassing Secure Boot, to FBI warnings on Salesforce theft, government data breaches in Vietnam and Panama, CISA’s CVE roadmap, and even calls for more offensive U.S. cyber operations - it’s one of those shows where every headline has major implications for CISOs and practitioners. Let’s dig in.

📱 Samsung Zero-Day Exploited in the Wild

Samsung issued an urgent patch for a zero-day vulnerability already being exploited. While details remain scarce, Meta and WhatsApp reported the flaw in August, and Samsung confirmed active exploitation. Like Apple’s recent iOS zero-day, this one is almost certainly linked to spyware operators. If you’re running Samsung Android devices, patch immediately—this is a live fire situation.

💀 HybridPetya Ransomware Bypasses Secure Boot

Researchers at ESET found HybridPetya, a ransomware strain inspired by the destructive Petya/NotPetya malware, capable of bypassing UEFI Secure Boot protections. It leverages CVE-2024-7344, a Microsoft-signed application flaw disclosed in January, to plant malicious code in the EFI system partition. While it may still be in early testing, it’s a stark reminder that bootkits remain an existential risk. CISOs should be pressing EDR/MDR providers on their detection capabilities for this.
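Because a bootkit of this kind has to write into the EFI system partition, one cheap control a defender can run alongside whatever the EDR vendor offers is a file-integrity baseline of the ESP: record a hash of every file under the mounted ESP while the host is known-good, then diff against it on a schedule and alert on anything added or changed. The script below is an added example, not code from ESET or from the show notes; it builds a throwaway directory that stands in for a mounted ESP (a real run would point `esp_baseline` at a path such as `/boot/efi`, which is an assumption about your layout), takes a baseline, simulates a tampered boot manager plus two dropped files, and reports the differences.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large boot binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def esp_baseline(root: Path) -> dict:
    """Map every file under the ESP mount (relative path, forward slashes) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed hash since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: a known-good ESP, then a tampered boot manager and dropped files."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI/BOOT").mkdir(parents=True)
        (esp / "EFI/Microsoft/Boot").mkdir(parents=True)
        # Placeholder contents; real binaries are PE files, only the "MZ" prefix is mimicked.
        (esp / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"MZ" + b"\x00" * 64)
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ" + b"\x01" * 64)

        baseline = esp_baseline(esp)

        # Simulated tampering: modified boot manager, new signed-looking loader, new data blob.
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"MZ" + b"\x02" * 64)
        (esp / "EFI/BOOT/extra.efi").write_bytes(b"MZ" + b"\x03" * 64)
        (esp / "EFI/BOOT/payload.dat").write_bytes(b"\xff" * 32)

        return diff_baseline(baseline, esp_baseline(esp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off-host (a bootkit that can write the ESP can also rewrite a baseline kept beside it), and treat any `.efi` or data file that appears outside a planned firmware or OS update as an incident trigger rather than a ticket.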

⚙ Dassault Systèmes Factory Software Exploited

Threat actors are actively exploiting CVE-2025-5086, a deserialization flaw in Delmia Apriso factory software from Dassault Systèmes, widely used in aerospace, defense, and automotive. With a CVSS score of 9.0, this is a remote code execution risk for manufacturing floors worldwide. CISA added it to its KEV catalog—federal agencies must patch by October 2nd.

🕵 FBI Warns on Salesforce Data Thefts

The FBI issued a flash alert confirming that UNC6040 and UNC6395 are compromising Salesforce environments at scale. The attackers are using malicious OAuth apps disguised as “My Ticket Portal” to mass exfiltrate Salesforce data. Extortion attempts have already hit Google, Adidas, Cisco, Qantas, Dior, and Louis Vuitton. ShinyHunters is believed to be monetizing much of the stolen data. If you haven’t rotated Salesforce OAuth tokens, you’re already late.
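The practical follow-up to this alert is an inventory of which connected apps hold OAuth tokens in the org, who authorized them, how old they are, and how hard they are being driven. The script below is an added example and not code from the FBI alert or from Salesforce; it audits a constructed export whose field names (AppName, Username, CreatedDate, LastUsedDate, UseCount) are assumed to follow what a SOQL query of Salesforce's OauthToken object returns, so map them to your real export before use. It flags apps outside an approved list, tokens past a rotation window, and tokens whose call rate looks like bulk extraction rather than a user clicking around.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed field names, see lead-in). The second record
# mimics the "My Ticket Portal" pattern the FBI alert describes: a recently
# authorized app on a service account burning through API calls in under two days.
SAMPLE_TOKENS = [
    {"AppName": "Salesforce for Outlook", "Username": "a.lee@example.com",
     "CreatedDate": "2025-03-02T09:11:00Z", "LastUsedDate": "2025-09-14T08:05:00Z",
     "UseCount": 412},
    {"AppName": "My Ticket Portal", "Username": "svc-helpdesk@example.com",
     "CreatedDate": "2025-09-10T22:41:00Z", "LastUsedDate": "2025-09-12T03:17:00Z",
     "UseCount": 9800},
    {"AppName": "Data Loader", "Username": "ops@example.com",
     "CreatedDate": "2024-11-20T14:00:00Z", "LastUsedDate": "2025-02-01T10:00:00Z",
     "UseCount": 37},
]

# Hypothetical allowlist of connected apps the org has actually reviewed.
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader", "Slack"}
MAX_TOKEN_AGE_DAYS = 180      # rotation window; tune to policy
BULK_USE_PER_DAY = 1000       # average calls/day above which a token looks like a bulk puller
NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)  # fixed "today" so the sample is reproducible


@dataclass
class Finding:
    app: str
    user: str
    reason: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_tokens(tokens, now=NOW, approved=APPROVED_APPS):
    """Return one Finding per (token, problem); a token can produce several."""
    findings = []
    for t in tokens:
        created = parse_ts(t["CreatedDate"])
        last_used = parse_ts(t["LastUsedDate"])
        app, user = t["AppName"], t["Username"]

        if app not in approved:
            findings.append(Finding(app, user, "unapproved connected app"))

        if now - created > timedelta(days=MAX_TOKEN_AGE_DAYS):
            findings.append(Finding(app, user, "token older than rotation window"))

        # Average call rate over the token's active life (floor of one day avoids
        # dividing by a few minutes for brand-new tokens).
        active_days = max((last_used - created).total_seconds() / 86400, 1.0)
        if t["UseCount"] / active_days > BULK_USE_PER_DAY:
            findings.append(Finding(app, user, "bulk API use"))
    return findings


def run_sample():
    return audit_tokens(SAMPLE_TOKENS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.app:25} {f.user:30} {f.reason}")
```

Anything that trips "unapproved connected app" together with "bulk API use" is the case to revoke first; the two stale-but-approved tokens are the routine rotation backlog the action items below are about.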

🌏 Vietnam & Panama Suffer Government Data Breaches

  • Vietnam: Hackers hit the National Credit Information Center, leaking data tied to citizens and businesses. Scattered Spider and ShinyHunters claimed responsibility, boasting of stealing 160M records.

  • Panama: The Ministry of Economy and Finance disclosed a malware incident disrupting operations. Officials say containment is underway.

State-backed and criminal groups continue to target ministries and financial agencies, aiming for maximum disruption.

🛡 CISA Reinforces CVE Program

At the Billington Cyber Summit, Nick Anderson, CISA’s new Executive Assistant Director, reaffirmed commitment to the CVE program and promised more robust funding, transparency, and expansion. CISA released a roadmap outlining priorities for growing the program as the single trusted arbiter of vulnerabilities.

💸 DHS Audit Finds CISA Incentive Mismanagement

An Inspector General audit revealed that CISA mismanaged $138M in cybersecurity retention incentive funds between 2020–2024. Records were incomplete, payments lacked oversight, and $1.4M in questionable back pay was issued to employees without mission-critical skills. Another governance embarrassment at a time when workforce retention is critical.

⚔ U.S. Pushes for Offensive Cyber Operations

At the Billington Cyber Summit, Alexei Bulazel of the National Security Council stated the Trump administration is “unapologetically unafraid” to use offensive cyber capabilities to deter adversaries. He stressed these operations must be paired with basic defense and public-private collaboration but argued the status quo is unsustainable, with cybercrime draining $6 trillion annually from global economies.

“The status quo isn’t working. Cybercrime is a $6 trillion economy—and it’s bleeding us dry.” James Azar

🧠 James Azar’s CISO Take

Today’s stories hammer home the need for resilience and governance at scale. Whether it’s Samsung patching zero-days, Secure Boot bypasses, or Salesforce tokens being exploited, the underlying issue is the same: we can’t keep playing catch-up with attackers. CISOs need real-time visibility into integrations, build processes, and identity controls. If your detection window is days instead of hours, you’re flying blind.

The other big theme is policy direction. CISA’s roadmap for CVEs and the U.S. push toward offensive cyber signals a pivot point. We’ve tried “name and shame,” and it hasn’t worked. Offensive cyber won’t eliminate crime, but it can raise the cost for adversaries and give us room to breathe. As CISOs, we must align our internal resilience with this broader strategy—governance inside, deterrence outside. That’s the only sustainable model.


✅ Action Items

  • 📱 Patch Samsung Android devices immediately—zero-day is active.

  • 🖥 Ask EDR/MDR vendors how they detect UEFI bootkits like HybridPetya.

  • ⚙ Patch Dassault’s Delmia Apriso CVE-2025-5086 by Oct 2.

  • 🔐 Rotate Salesforce OAuth tokens; audit app permissions.

  • 🌏 Monitor for fallout from Vietnam & Panama government breaches.

  • 🛡 Track CISA’s CVE program updates—expect wider participation demands.

  • 💸 Review incentive/governance models—funding mismanagement erodes trust.

  • ⚔ Prepare for a more aggressive U.S. offensive cyber posture—factor it into threat modeling.
