Good Morning Security Gang
First show of 2026! That’s right, a brand new year, a patriotic one too as America turns 250 years old this July. And what a start to the year it’s been.
Before diving into today’s headlines, I had to take a moment to salute our men and women in uniform — the brave souls behind the successful operation in Venezuela that brought narco-dictator Nicolás Maduro to U.S. soil to face justice. Massive respect to law enforcement, the Pentagon, and the agencies that pulled that off.
Now let’s get into the cyber side of things — and trust me, this year’s opening lineup sets the tone for 2026: a Fortune 500 insurance and claims giant hit by ransomware, President Trump ordering a divestment in a Chinese chip deal, ReSecurity flipping a hack back on its attackers, and thousands of Fortinet firewalls still unpatched five years later. Plus, we’ll hit on botnets, Google Cloud email abuse, ColdFusion exploits, and some geopolitical fallout in the Baltic Sea.
So, coffee cup cheers, y’all, let’s kick off 2026 the right way. ☕
Sedgwick Confirms Ransomware Incident
We start with Sedgwick, one of the largest third-party risk and claims management firms in the world, confirming a cyber incident claimed by the TridentLocker ransomware gang. The attackers accessed a segmented file transfer system, leaked employee data samples, and are claiming credit.
Sedgwick says claims systems remain operational and no customer data was directly impacted, though investigators are still assessing potential PII exposure. For context, Sedgwick works with DHS, ICE, CISA, the Department of Labor, and other federal agencies — meaning federal employee data may be at risk if lateral movement occurred.
As I noted on the show: “If you’re in risk management and get hit yourself, it’s not just about forensics — it’s about credibility. How you respond defines whether clients stay or walk.”
This attack is yet another reminder that identity remains the new perimeter — access abuse, credential reuse, and privilege escalation are the real battlegrounds.
Trump Orders Divestment in $2.9M Chinese Chip Deal
In a move blending geopolitics and cybersecurity, President Trump ordered a divestment of a $2.9 million semiconductor deal between aerospace defense supplier EmmaCorp and Chinese buyer He Fu, citing national security risks.
The White House says the divestment order was based on credible evidence the acquirer is a Chinese citizen and that the deal could give Beijing access to sensitive U.S. chip fabrication technology. The president has given 180 days for full separation.
I called it out plainly: “Trump’s not just blocking chips — he’s signaling to China that technology is the new terrain of deterrence.”
Following Maduro’s capture — and his prior meeting with Chinese officials — this move rattled markets and sent a clear message: the U.S. is drawing hard lines between national defense and foreign tech influence. Expect a more aggressive Chinese posture in cyberspace this quarter.
ReSecurity Turns Hack Into Honeypot Victory
Cyber firm ReSecurity found itself at the center of controversy after the Scattered Lapsus group claimed to have breached its systems. They posted what they said were internal chats and client logs.
But ReSecurity immediately pushed back — revealing it was actually a deception campaign. The data came from a staged honeypot environment, built to gather threat telemetry and attacker TTPs.
Screenshots posted by hackers appeared to show employee collaboration tools, but forensic evidence confirmed they were synthetic and instrumented — exactly what a honeypot should produce.
My advice to companies: plan your communications strategy before a honeypot goes public. Threat actors love to overhype fake breaches. Handle it right, and it’s a win.
Adobe ColdFusion Servers Under Coordinated Attack
Researchers at GrayNoise have detected a coordinated exploitation campaign targeting unpatched or misconfigured Adobe ColdFusion servers. Attackers are deploying web shells and backdoors to maintain persistence.
Organizations running ColdFusion should immediately:
Confirm patch levels
Disable admin interfaces from the internet
Sweep for unexpected CFIDE artifacts or web shells
If you’re still running legacy ColdFusion workloads — isolate them now. These are high-value targets for ransomware operators.
10,000+ Fortinet Firewalls Still Exposed to 2FA Bypass
Here’s the jaw-dropper: 10,000 Fortinet firewalls remain vulnerable to a 2020 MFA bypass flaw (CVE-2021-2812).
Shadowserver’s scans show LDAP-enabled configurations are most at risk. The fix has been out for five years, but admins still haven’t patched.
If that’s you — update to 6.4.1+, 6.2.4+, or 6.0.10+ immediately, or at minimum enforce username case sensitivity and review SSL VPN logs for mismatched casing.
Unpatched Fortinet = open door to ransomware. Full stop.
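The log review suggested above, as an added example rather than anything from the show: it parses constructed SSL VPN login events in a simplified key=value layout (an assumption; real FortiGate logs carry many more fields) and flags logins whose username matches a directory account only when case is ignored, which is exactly the pattern worth reviewing before case sensitivity is enforced.

```python
import re
from typing import Dict, List, Set

# Constructed SSL VPN login events in a simplified key=value layout
# (an assumption: real FortiGate event logs carry many more fields).
SAMPLE_LOGS = [
    'date=2026-01-05 time=08:01:12 subtype="vpn" action="ssl-login" user="jdoe" remip="198.51.100.23" status="success"',
    'date=2026-01-05 time=08:03:44 subtype="vpn" action="ssl-login" user="JDoe" remip="203.0.113.9" status="success"',
    'date=2026-01-05 time=08:05:00 subtype="vpn" action="ssl-login" user="asmith" remip="198.51.100.77" status="success"',
    'date=2026-01-05 time=08:07:31 subtype="vpn" action="ssl-login" user="ASMITH" remip="203.0.113.55" status="failure"',
    'date=2026-01-05 time=08:09:10 subtype="vpn" action="ssl-logout" user="jdoe" remip="198.51.100.23"',
]

# Usernames exactly as stored in the directory (constructed).
DIRECTORY_USERS: Set[str] = {"jdoe", "asmith", "bwong"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def find_case_mismatches(lines: List[str], directory: Set[str]) -> List[Dict[str, str]]:
    """Return SSL VPN logins whose username matches a directory account
    only when case is ignored, i.e. the casing differs from the stored value."""
    by_lower = {u.lower(): u for u in directory}
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "ssl-login":
            continue
        user = ev.get("user", "")
        canonical = by_lower.get(user.lower())
        if canonical is None or user == canonical:
            continue  # unknown account, or casing already matches the directory
        hits.append({"time": ev.get("time", ""), "user": user, "expected": canonical,
                     "remip": ev.get("remip", ""), "status": ev.get("status", "")})
    return hits

if __name__ == "__main__":
    for h in find_case_mismatches(SAMPLE_LOGS, DIRECTORY_USERS):
        print(f"{h['time']} user={h['user']} expected={h['expected']} from={h['remip']} status={h['status']}")
```

Point the script at a real export of SSL VPN events and the directory's user list; every hit is a login that deserves a look.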
RondoDox Botnet Weaponizes React2Shell
A new botnet named RondoDox is exploiting React2Shell vulnerabilities to recruit infected nodes and deploy payloads.
This is a continuation of the React2Shell ecosystem exploits (CVE-2025-55182), where attackers leverage vulnerable middleware for command injection.
You should treat any externally reachable Node or React-based app as high risk.
Enable WAF virtual patching rules
Lock admin routes
Monitor for unusual tunneling behavior
RondoDox demonstrates how open-source frameworks remain a prime target for automated bot recruitment.
Attackers Abuse Google Cloud Email to Evade Filters
Check Point researchers discovered cybercriminals abusing Google Cloud’s trusted email infrastructure to boost spam delivery rates and bypass corporate filters.
By sending through legitimate Gmail API chains, attackers improve inbox placement and evade DMARC and SPF checks.
To counter this:
Enforce strict DKIM and SPF alignment
Reduce implicit trust in cloud-originating mail
Monitor API service account activity
This is another example of attackers weaponizing trusted cloud infrastructure to exploit enterprise trust models.
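To make the alignment point concrete, here is an added example (not from the show or from Check Point) that evaluates constructed From and Authentication-Results headers under strict and relaxed DMARC alignment; the organizational-domain logic is simplified to the last two labels, an assumption in place of the Public Suffix List lookup real evaluators use. It shows why a relay that passes SPF and DKIM for its own domain still fails once alignment with the visible From domain is required.

```python
import re
from email.utils import parseaddr
from typing import Dict

# Constructed From and Authentication-Results headers for three messages.
SAMPLES = [
    {  # signed by the From domain itself: aligned under either mode
        "from": "Payroll <payroll@example.com>",
        "auth": "mx.example.net; spf=pass smtp.mailfrom=bounce@example.com; dkim=pass header.d=example.com",
    },
    {  # relayed through a cloud mailer: SPF and DKIM pass, but for the relay's domain
        "from": "Payroll <payroll@example.com>",
        "auth": "mx.example.net; spf=pass smtp.mailfrom=relay.cloud-mailer.example; dkim=pass header.d=cloud-mailer.example",
    },
    {  # subdomain signing: passes relaxed alignment, fails strict
        "from": "Alerts <alerts@example.com>",
        "auth": "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; dkim=pass header.d=mail.example.com",
    },
]

SPF_RE = re.compile(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)")
DKIM_RE = re.compile(r"dkim=(\w+)\s+header\.d=([\w.-]+)")

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels
    (assumption: real DMARC evaluation uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(msg: Dict[str, str], strict: bool = True) -> Dict[str, object]:
    """Decide whether SPF or DKIM both passed and aligned with the visible From domain."""
    from_domain = parseaddr(msg["from"])[1].rsplit("@", 1)[-1]
    spf, dkim = SPF_RE.search(msg["auth"]), DKIM_RE.search(msg["auth"])
    spf_ok = bool(spf and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict))
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain, strict))
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for i, m in enumerate(SAMPLES):
        print(i, "strict:", evaluate(m, True)["dmarc_pass"], "relaxed:", evaluate(m, False)["dmarc_pass"])
```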
Baltic Cable Sabotage Under Investigation
In a story blending kinetic and cyber, Finnish authorities have arrested two crew members of a Russian-linked cargo ship suspected of damaging undersea telecom cables in the Baltic Sea.
The ship, Fitzberg, carried sanctioned Russian steel and was reportedly dragging anchors or heavy gear that cut fiber cables operated by Finnish telecom Elisa in Estonia’s EEZ.
Finland’s National Bureau of Investigation is leading the probe, calling it “an act of sabotage under the veil of maritime activity.”
As I put it: “The kinetic side of cyber isn’t going away — it’s the other half of the same coin. You cut cables, you cut comms — and that’s war in 2026.”
Action List
🔐 Audit file transfer systems and rotate credentials regularly.
🇨🇳 Screen foreign investment and vendor ties for data access risk.
🧠 Pre-plan honeypot comms to control narrative when deception goes public.
🧱 Patch and segment ColdFusion and Fortinet systems.
⚙️ Apply WAF and EDR rules for React2Shell or Node.js apps.
📧 Tighten Google Cloud API policies and enforce email alignment standards.
🌊 Review physical redundancy plans for undersea cable dependencies.
James Azar’s CISO’s Take
Today’s show was the perfect snapshot of how 2026 starts exactly where 2025 left off — with identity, infrastructure, and geopolitics colliding. Sedgwick’s ransomware incident reinforces that even the companies managing others’ risk are only as strong as their access controls. And the Trump administration’s chip deal block proves that cyber strategy now is national strategy.
My biggest takeaway? This year will be defined by operational maturity. Patching, segmentation, and verification aren’t just best practices — they’re survival practices. Between ransomware gangs, nation-state escalations, and digital-to-kinetic overlap, 2026 is shaping up to be the year where cyber resilience becomes the new patriotism.
Stay sharp, stay caffeinated, and as always — stay cyber safe.