Good Morning Security Gang
Today, we’re breaking down a massive set of updates: the Senate finally confirms a new Pentagon CIO, China hacks the UK Foreign Office, North Korea steals another $2 billion through crypto, Russia disrupts Denmark’s utilities ahead of elections, Docker releases hardened base images, and critical vulnerabilities hit Cisco, WatchGuard, and FortiCloud.
We’ll also cover Iran’s Infy APT resurgence, Palo Alto’s mega AI partnership with Google, Trump’s NDAA boosting Cyber Command, and NIST’s new AI cybersecurity framework.
So grab your espresso — I’ve got my festive cup this morning — coffee cup cheers, y’all! Let’s get into it.
Senate Confirms Kirsten Davis as Pentagon CIO
After months of delay, the U.S. Senate has officially confirmed Kirsten Davis as the new Chief Information Officer of the Department of Defense, replacing acting CIO Katie Arrington. Davis, who brings leadership experience from Unilever, Barclays Africa, and Booz Allen, will oversee the Pentagon’s Zero Trust rollout, cloud modernization, and software procurement initiatives.
This confirmation is a big deal for the Defense Department’s digital transformation. For the first time in years, the Pentagon has a permanent CIO with deep cybersecurity and business modernization expertise.
As I said on the show: “Competence in leadership isn’t just refreshing — it’s national security.”
North Korea Steals $2 Billion in Crypto; Amazon Blocks 1,800 Fake IT Workers
According to multiple intelligence reports, North Korean state hackers have stolen over $2 billion this year from cryptocurrency exchanges and financial institutions. The regime has expanded its “fake remote worker” campaigns to infiltrate tech companies and launder stolen funds.
Amazon Web Services reported blocking 1,800 fraudulent job applicants, using anomaly detection and latency analysis to spot North Korean operatives posing as software contractors.
I broke this one down simply: live KYC for contractors, device attestation, and geofencing should be standard. For financial firms — enforce 24-hour holds on first-time crypto withdrawals, and auto-hold transactions interacting with known mixer clusters.
This is less about crypto theft — it’s about infiltration. North Korea is weaponizing the remote economy.
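As an added illustration (not code from the show or from any exchange), here are the two financial-firm controls above as one policy function in Python: a 24-hour hold on an account's first withdrawal that auto-releases once the window elapses, and an indefinite hold pending manual review when the destination or any of its recent counterparties sits in a known mixer cluster. The mixer cluster, addresses, accounts and timestamps are constructed for the example; a real deployment would take the cluster set from a chain-analytics feed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Constructed "known mixer cluster" feed. The addresses are invented for this example;
# in production this set comes from a chain-analytics / address-clustering provider.
MIXER_CLUSTER = frozenset({"bc1q-mixer-cluster-a", "bc1q-mixer-cluster-b"})


@dataclass(frozen=True)
class Withdrawal:
    account_id: str
    destination: str
    amount: float
    requested_at: datetime
    # Addresses the destination has recently transacted with (constructed graph data).
    counterparties: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Decision:
    action: str                      # "release", "hold" or "review"
    reason: str
    release_at: Optional[datetime] = None   # None means no automatic release


def evaluate(w: Withdrawal, prior_withdrawals: int, now: datetime,
             mixer_cluster: FrozenSet[str] = MIXER_CLUSTER,
             first_time_hold: timedelta = timedelta(hours=24)) -> Decision:
    """Mixer exposure => manual review, never auto-released.
    First-ever withdrawal => timed hold that releases itself when the window elapses.
    Everything else => release."""
    exposure = ({w.destination} | set(w.counterparties)) & mixer_cluster
    if exposure:
        return Decision("review", f"mixer cluster exposure via {sorted(exposure)[0]}")
    if prior_withdrawals == 0:
        release_at = w.requested_at + first_time_hold
        if now < release_at:
            return Decision("hold", "first-time withdrawal cooling-off period", release_at)
        return Decision("release", "first-time hold elapsed", release_at)
    return Decision("release", "account has established withdrawal history")


# Constructed sample requests.
NOW = datetime(2025, 12, 19, 9, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=25)
FIRST_TIME = Withdrawal("acct-1001", "bc1q-customer-wallet-1", 1.5, NOW)
MIXER_LINKED = Withdrawal("acct-1002", "bc1q-fresh-wallet", 40.0, NOW,
                          counterparties=frozenset({"bc1q-mixer-cluster-a"}))
ROUTINE = Withdrawal("acct-1003", "bc1q-customer-wallet-3", 0.2, NOW)

if __name__ == "__main__":
    for label, w, prior in (("first-time", FIRST_TIME, 0),
                            ("mixer-linked", MIXER_LINKED, 12),
                            ("routine", ROUTINE, 12)):
        print(label, evaluate(w, prior, NOW))
```

The ordering matters: the mixer check runs before the first-time check, so an account with years of history still gets stopped when the destination is one hop from a mixer, and a first-time withdrawer cannot wait out the 24 hours to reach one.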
China Hacks UK Foreign Office; Government Downplays Risk
The UK Foreign, Commonwealth and Development Office (FCDO) confirmed it was hacked in a China-linked operation attributed to APT Storm-1849, which has been active since October. The group accessed tens of thousands of visa records and government email data by exploiting unpatched Cisco firewall vulnerabilities.
Officials initially called the incident “low risk,” but let’s be honest — when the Foreign Office gets compromised, that’s national security exposure.
As I said on the show: “If you call a Foreign Office breach low-risk, you’re not managing risk — you’re avoiding accountability.”
Russia Targets Danish Elections and Water Utilities
Russia-linked NoName057(16) has been blamed for cyberattacks on Danish local governments and water utilities ahead of national elections. The campaign used living-off-the-land attacks with valid credentials and scheduled task persistence, blending espionage with pre-election disruption.
This is part of Moscow’s broader push to undermine European trust in institutions — a hybrid model combining misinformation, DDoS, and destructive attacks.
Western responses have been limited to diplomatic condemnations.
As I said during the show: “And the best we're doing right now, the best some of these Western nations are doing is diplomatic. They're not really – kick people out, limit traveling visas, tariff their trade. Do something, something of meaning, something to weaken the Russian administration within Russia... Not a lot of backbone, unfortunately, in the Western world today.”
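Scheduled-task persistence with valid credentials leaves a trail in Windows Security event 4698 (a scheduled task was created). As an added example that is not part of the show notes, here is triage logic in Python that scores a 4698 event on the signals a living-off-the-land task tends to carry: a LOLBin as the action, encoded or hidden PowerShell arguments, a logon or boot trigger, elevated run level, and a creator account outside the accounts that normally deploy tasks. The two events are constructed; SubjectUserName, TaskName and TaskContent are the event's own data fields, while the allowlisted creator account is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}  # Task Scheduler schema
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
EXPECTED_CREATORS = {"svc-deploy"}   # constructed allowlist of accounts that legitimately create tasks
ARG_PATTERNS = [
    (re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell command"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|frombase64string", re.I), "download/eval cradle"),
    (re.compile(r"\\(?:temp|public|appdata|programdata)\\", re.I), "payload in user-writable path"),
]


def triage_task_event(event):
    """Return (score, findings) for one 4698 event given as a dict of its data fields."""
    root = ET.fromstring(event["TaskContent"])   # TaskContent carries the task definition XML
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in LOLBINS:
            findings.append(f"LOLBin action: {exe}")
        for pattern, label in ARG_PATTERNS:
            if pattern.search(cmd + " " + args):
                findings.append(label)
    for trigger in ("LogonTrigger", "BootTrigger"):
        if root.find(f".//t:Triggers/t:{trigger}", NS) is not None:
            findings.append(f"persistence trigger: {trigger}")
    if root.findtext(".//t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS) == "HighestAvailable":
        findings.append("runs with highest privileges")
    creator = event.get("SubjectUserName", "").lower()
    if creator not in EXPECTED_CREATORS and not creator.endswith("$"):   # machine accounts ($) skipped
        findings.append(f"created by account outside allowlist: {creator}")
    return len(findings), findings


# Constructed 4698 events: field names are the event's data fields, contents are invented.
MALICIOUS_4698 = {
    "EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\Update\Sync",
    "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==</Arguments>
  </Exec></Actions>
</Task>""",   # the base64 blob is a placeholder, not a real payload
}
BENIGN_4698 = {
    "EventID": 4698, "SubjectUserName": "svc-deploy", "TaskName": r"\Vendor\AgentUpdate",
    "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-12-19T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Vendor\agent-updater.exe"</Command>
    <Arguments>/silent /channel stable</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for ev in (MALICIOUS_4698, BENIGN_4698):
        score, findings = triage_task_event(ev)
        print(ev["TaskName"], score, findings)
```

The point of scoring rather than matching a single string is that each signal on its own (a PowerShell task, a logon trigger, a non-service creator) is common in a fleet; it is the combination, created under a valid but unexpected account, that marks the living-off-the-land pattern the Danish campaign is described as using.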
Docker Releases Open-Source Hardened Base Images
Docker announced open-source, minimal hardened images for developers, aimed at reducing attack surface and preventing secret leakage in builds.
These images are CIS-aligned, and Docker is encouraging enterprises to mirror them internally and enforce policies requiring that builds start from approved base layers.
This is a huge win for secure DevOps. Organizations should scan all containers for embedded credentials and standardize base image security before moving anything to production.
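As an added example (not Docker's tooling and not code from the show), here is what "builds must start from approved base layers" looks like as a Python policy check you can run in CI against a Dockerfile: every external FROM must name an internally mirrored repository and be pinned to a digest security has approved, while references to earlier build stages and to scratch are left alone. The registry name, repositories, digests and the sample Dockerfile are constructed.

```python
import re

# Constructed allowlist: the internal mirror of the hardened images, keyed by repository,
# mapped to the digests that have been approved. Names and digests are made up.
APPROVED_BASES = {
    "registry.internal.example/hardened/python": {"sha256:" + "ab" * 32},
    "registry.internal.example/hardened/static": {"sha256:" + "cd" * 32},
}

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?$", re.IGNORECASE)
ARG_RE = re.compile(r"^ARG\s+([A-Za-z_][A-Za-z0-9_]*)(?:=(.*))?$", re.IGNORECASE)


def parse_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.rsplit("@", 1)
    head, sep, last = ref.rpartition("/")
    tag = None
    if ":" in last:                  # a ':' after the last '/' is a tag, not a registry port
        last, tag = last.split(":", 1)
    return head + sep + last, tag, digest


def check_dockerfile(text, approved=APPROVED_BASES):
    """Return [(line_no, reference, [reasons])] for every FROM that violates the policy."""
    args, stages, violations = {}, set(), []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = ARG_RE.match(line)
        if m:                        # ARG declared before FROM may be substituted into FROM
            args[m.group(1)] = (m.group(2) or "").strip().strip("\"'")
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = re.sub(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?",
                     lambda v: args.get(v.group(1), v.group(0)), m.group(1))
        if m.group(2):
            stages.add(m.group(2).lower())
        if ref.lower() in stages or ref.lower() == "scratch":
            continue                 # earlier build stage or empty image: nothing external is pulled
        repo, _tag, digest = parse_ref(ref)
        reasons = []
        if digest is None:
            reasons.append("unpinned (no @sha256 digest)")
        if repo not in approved:
            reasons.append("repository not in approved base list")
        elif digest is not None and digest not in approved[repo]:
            reasons.append("digest not approved for this repository")
        if reasons:
            violations.append((line_no, ref, reasons))
    return violations


# Constructed multi-stage Dockerfile: two approved stages, one debug stage that slips in a
# public, unpinned image, and one stage that reuses an earlier stage.
SAMPLE_DOCKERFILE = """\
ARG PY=registry.internal.example/hardened/python
FROM --platform=linux/amd64 ${PY}:3.12@sha256:%s AS build
RUN pip install --no-cache-dir .
FROM registry.internal.example/hardened/static@sha256:%s
COPY --from=build /app /app
FROM python:3.12-slim AS debug
FROM build AS test
""" % ("ab" * 32, "cd" * 32)

if __name__ == "__main__":
    for line_no, ref, reasons in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {ref}: {'; '.join(reasons)}")
```

Pinning by digest is the part teams skip: a tag on a mirrored image can be re-pointed, so the check treats an approved repository with an unapproved or missing digest as a violation rather than a warning.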
Cisco and WatchGuard Zero-Days Under Exploitation
Two critical edge vulnerabilities are being exploited in the wild:
Cisco AsyncOS Zero-Day (CVE-2025-20393): Enables root-level command execution on Secure Email and Web Manager appliances. China-linked APTs are actively abusing it.
WatchGuard Firebox RCE (CVE-2025-14733): Lets unauthenticated attackers execute code remotely. Admins should patch to firmware 12.12.4+ and disable public management.
For both: patch immediately, rotate credentials, and monitor for rogue config changes.
If it’s on the internet and unpatched, assume it’s already compromised.
FortiCloud Authentication Bypass Leaves 25,000 Devices Exposed
Fortinet’s FortiCloud SSO vulnerability, previously patched, remains unaddressed in tens of thousands of instances still exposed to the internet. Attackers are now exploiting unpatched FortiOS and Proxy Web Manager versions to hijack admin sessions.
If your organization hasn’t upgraded — do it today. And as I said bluntly on air: “Edge devices are your moat and your minefield. Neglect either, and you’re inviting disaster.”
Iran’s Infy APT Resurfaces with New Loaders and Beacons
The Infy APT, linked to Iran, has resurfaced targeting diplomatic, NGO, and policy organizations. The group is deploying custom loaders, macro abuse, and PowerShell-based beaconing for long-term persistence.
Organizations should block all macros, enforce script execution policies, and monitor for beacon-like TLS traffic (regular, low-jitter connections) to rare ASNs.
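To show what "beacon-like TLS traffic to rare ASNs" looks like as detection logic, here is an added Python example (not code from the show): it groups TLS flows per source host and destination, measures how regular the gaps between connections are using the coefficient of variation, and flags the regular pairs whose destination ASN is contacted by no more than one internal host. The flow records, hosts and ASNs are constructed; AS64496 and AS64497 are documentation ASNs, and 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes.

```python
import statistics
from collections import defaultdict
from random import Random


def build_sample_flows():
    """Constructed TLS flow records (ts_seconds, src_host, dst_ip, dst_asn, sni); not real traffic.
    10.0.0.5 contacts one destination every ~60 s with small jitter (a beacon); three other
    hosts reach a shared destination at random intervals (normal browsing)."""
    rng = Random(7)                    # fixed seed so the sample is reproducible
    flows, t = [], 0.0
    for _ in range(20):
        t += 60 + rng.uniform(-2, 2)
        flows.append((t, "10.0.0.5", "203.0.113.10", 64496, "cdn-sync.example"))
    for host in ("10.0.0.6", "10.0.0.7", "10.0.0.8"):
        t = 0.0
        for _ in range(20):
            t += rng.uniform(5, 600)
            flows.append((t, host, "198.51.100.20", 64497, "static.example.net"))
    return sorted(flows)


def find_beacons(flows, min_conns=10, max_cv=0.2, rare_host_limit=1):
    """Flag (src, dst, asn) pairs whose inter-connection gaps are regular (coefficient of
    variation <= max_cv) and whose ASN is reached by at most rare_host_limit internal hosts."""
    times_by_pair = defaultdict(list)
    hosts_by_asn = defaultdict(set)
    for ts, src, dst, asn, _sni in flows:
        times_by_pair[(src, dst, asn)].append(ts)
        hosts_by_asn[asn].add(src)
    hits = []
    for (src, dst, asn), times in times_by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        rare = len(hosts_by_asn[asn]) <= rare_host_limit
        if cv <= max_cv and rare:
            hits.append({"src": src, "dst": dst, "asn": asn, "connections": len(times),
                         "period_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

Real implants add jitter on purpose, so the threshold on the coefficient of variation is the knob to tune against your own baseline; pairing regularity with ASN rarity is what keeps a popular CDN polled by every workstation out of the alert queue.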
This campaign proves that regional espionage groups are thriving amid global political distraction.
Palo Alto and Google Cloud Partner on AI Security
Palo Alto Networks and Google Cloud announced a multi-billion-dollar AI security partnership, integrating Prisma AI and Google’s Vertex/Gemini LLM platforms to unify SOC operations, app security, and posture management.
The deal marks one of the largest AI–security integrations to date — but also signals pricing pressure and consolidation coming in 2026 as renewals align across XDR, CSPM, and cloud suites.
Trump Signs $901B NDAA with Major Cyber Funding
President Donald Trump has signed the 2026 National Defense Authorization Act, securing $901 billion in defense spending — with major boosts to Cyber Command, NSA operations, and AI innovation.
Highlights:
$73 million for offensive digital operations.
$314 million for Fort Meade infrastructure.
Preservation of NSA–Cyber Command’s dual-hat structure.
This is the most cyber-focused NDAA in U.S. history — a strong signal that cyber capability is now a core defense pillar.
NIST Releases Draft Framework for AI Security
The National Institute of Standards and Technology (NIST) has released a draft “Cybersecurity Framework for AI”, mapping AI system risks to traditional CSF controls.
It provides guidance on AI supply chain security, data poisoning detection, and safe AI model deployment, aligning cybersecurity and AI governance practices.
Organizations building or buying AI systems should treat this as a blueprint for AI assurance and accountability heading into 2026.
Action List
🏛️ Track DoD leadership changes and watch for Zero Trust rollouts.
💰 Audit remote contractor onboarding and enforce KYC and device attestation.
🇨🇳 Review network telemetry for Chinese APT indicators.
🇷🇺 Segment OT systems to mitigate Russian-style “living off the land” attacks.
🐳 Adopt Docker’s hardened base images and restrict container registries.
🔐 Patch Cisco, WatchGuard, and FortiCloud edge devices immediately.
📜 Block macros and script execution to mitigate APT campaigns.
🤖 Align AI programs with NIST’s new AI Cybersecurity Framework.
James Azar’s CISO’s Take
Today’s stories all circle back to one truth: cybersecurity is leadership. Whether it’s the Pentagon finally confirming a capable CIO or governments pretending breaches don’t matter, the gap between words and action defines our risk landscape. We don’t lose to attackers because they’re smarter — we lose because bureaucracy moves slower than compromise.
My biggest takeaway? Cyber resilience isn’t technical — it’s cultural. It’s the discipline to patch, the humility to listen, and the courage to admit when systems fail. 2026 is shaping up to be the year of visibility, AI augmentation, and accountability — but only for organizations willing to lead like defenders, not react like victims.
Stay sharp, stay caffeinated, and as always — stay cyber safe.