CISO Talk by James Azar
CyberHub Podcast
Shiny Hunters Targets 100+ Organizations, Russia's Delta Security Cyberattack, and 800K Telnet Servers Exposed

CISO Community Mourns Loss of Jamf's Andy Smeaton as Shiny Hunters Escalates to 100+ Organization Phishing Campaign While Russia's Delta Security Breached and Fortinet Ships FortiCloud SSO Zero-Day

Good Morning Security Gang

Today’s episode started on a somber note as we paid tribute to our friend Andy Smeaton, the late CISO of Jamf, whose sudden passing hit the cybersecurity community hard. Andy was a pillar of our world — a mentor, a leader, and a friend to so many. His loss reminds us that the work will always be there, but the people we love won’t be forever — hug them tighter today. Please consider supporting Andy’s family at GoFundMe.

With that said, let’s dive into what’s shaping the cyber landscape this morning. From ShinyHunters’ broad phishing campaign to a Russian alarm company breach, ChatGPT session hijacks, and Fortinet’s zero-day chaos, this episode is stacked with stories that hit every layer of modern defense.

Coffee cup cheers, y’all — double espresso in hand — let’s roll.

ShinyHunters’ Phishing Blitz Hits 100+ Organizations

The ShinyHunters group is back with a massive credential-harvesting phishing campaign targeting over 100 organizations worldwide. Their attacks use realistic SSO and corporate login clones to steal OAuth tokens and MFA-bypassed credentials.

This isn’t the same crowd we saw months ago going after Okta and Microsoft — this is an evolved operation leveraging token replay and session persistence to achieve stealthy account takeovers.

As I said on air:

“One good identity is all an attacker needs to pivot downstream — identity theft is the new lateral movement.”

To mitigate, shorten session lifetimes, rotate refresh tokens upon device or ASN changes, and audit all cloud sign-ins for token anomalies. Expect public breach disclosures in the next 30–60 days as victims uncover the blast radius.
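The token-anomaly audit above, as an added example that is not from the podcast or any vendor product: it walks a batch of cloud sign-in events and flags a session token that is presented from a different device or ASN than the one that first used it (replay), or that is still in use past an assumed maximum session age. The event format, field names and sample events are constructed assumptions.

```python
"""Audit sign-in events for token replay and over-long sessions.
Added example (not the podcast's or any vendor's code); the log fields,
the 8-hour session limit and the sample events are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, user, session/refresh token id,
# device identifier and the ASN the request came from.
SAMPLE_EVENTS = [
    {"ts": "2025-10-14T08:00:00", "user": "alice", "token": "tok-A1", "device": "dev-laptop-1", "asn": "AS15169"},
    {"ts": "2025-10-14T08:20:00", "user": "alice", "token": "tok-A1", "device": "dev-laptop-1", "asn": "AS15169"},
    {"ts": "2025-10-14T08:25:00", "user": "alice", "token": "tok-A1", "device": "dev-unknown-9", "asn": "AS9009"},
    {"ts": "2025-10-14T09:00:00", "user": "bob", "token": "tok-B7", "device": "dev-desktop-2", "asn": "AS3320"},
    {"ts": "2025-10-14T18:30:00", "user": "bob", "token": "tok-B7", "device": "dev-desktop-2", "asn": "AS3320"},
]

MAX_SESSION_AGE = timedelta(hours=8)  # assumed policy: short session lifetime


def audit_sessions(events, max_age=MAX_SESSION_AGE):
    """Return a list of (token, reason) findings.

    A token is flagged as 'replay' when it is presented from a device or ASN
    other than the one that first used it, and as 'stale' when it is still
    being used more than max_age after its first sighting."""
    first_seen = {}  # token -> (first timestamp, device, asn)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        tok = ev["token"]
        if tok not in first_seen:
            first_seen[tok] = (ts, ev["device"], ev["asn"])
            continue
        t0, dev0, asn0 = first_seen[tok]
        if ev["device"] != dev0 or ev["asn"] != asn0:
            findings.append((tok, f"replay: {dev0}/{asn0} -> {ev['device']}/{ev['asn']}"))
        if ts - t0 > max_age:
            findings.append((tok, f"stale: age {ts - t0} exceeds {max_age}"))
    return findings


def tokens_to_revoke(events, max_age=MAX_SESSION_AGE):
    """Distinct tokens that should be revoked and their refresh tokens rotated."""
    return sorted({tok for tok, _ in audit_sessions(events, max_age)})


if __name__ == "__main__":
    for tok, why in audit_sessions(SAMPLE_EVENTS):
        print(tok, why)
```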

Russia’s Delta Security Suffers Disruptive Cyberattack

Russia’s largest alarm and monitoring company, Delta Security, suffered a major cyberattack that disrupted dispatch systems and subscriber monitoring nationwide.

This breach highlights how physical security systems are becoming high-value cyber targets, serving as bridges between OT and IT networks. Cameras, alarms, and access control panels — all managed from the same pane of glass — give attackers lateral movement opportunities that can cripple both digital and physical operations.

As I explained:

“The cyber and physical worlds always converge. When they finally meet, it’s catastrophic.”

The key takeaway: isolate your physical security stack into its own IoT network with strict allow-listing and no flat access from corporate IT.

Chrome and Edge Extensions Steal ChatGPT Sessions

Malicious Chrome and Edge browser extensions are stealing ChatGPT session tokens and cookies, allowing threat actors to hijack AI service accounts. Masquerading as productivity add-ons, these extensions exfiltrate credentials to command servers, enabling full account takeover without credentials.

Mitigate by enforcing enterprise browser controls, locking down extensions to an approved allowlist, and auto-revoking OAuth tokens whenever an extension is removed.

As I noted: “Once a session token leaks, it’s logging in without logging in — and that’s game over.”

800,000 Telnet Servers Still Exposed to the Internet

Internet-wide scans have identified nearly 800,000 open Telnet endpoints, primarily legacy DVRs, industrial devices, and IoT gear still running on plain-text authentication.

This is a dream scenario for botnet herders, who can exploit these devices for DDoS, lateral movement, or persistence in critical networks.

Mitigation here is simple but critical: block Telnet (port 23) at the edge, quarantine any devices still using it, and require SSH key-based authentication for CLI access.

As I said bluntly: “If Telnet’s still open in your environment, you’re just asking to be owned.”

Fortinet Confirms FortiCloud Zero-Day Exploited in the Wild

Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass vulnerability (CVE-2026-24858). Attackers can access cloud control planes, modify policies, and enroll rogue devices.

Fortinet temporarily blocked risky functionality while working on a permanent fix.

CISOs should rotate admin credentials and API keys immediately, prune stale accounts, and inspect audit logs for unauthorized logins during the exposure window.

“A patched system isn’t a clean system — especially if the bad guys were already inside,” I warned.

GitHub Desktop Repo Hijack Attempt

Attackers are attempting to hijack GitHub Desktop repositories, spoofing legitimate installer links to compromise developer workstations. Once infected, they can steal signing keys and inject backdoors into CI/CD pipelines — a textbook supply chain compromise vector.

The fix: host internal package registries, restrict developer installs to trusted sources, and disable arbitrary URL-based installations on managed endpoints.

New ClickFix Malware Wave Exploits Driver Prompts

The ClickFix malware campaign has evolved again, now posing as video card and driver update pop-ups. The fake installers deploy signed-looking VB scripts that drop stealers and RAT payloads.

Because users are conditioned to “fix the problem with a click,” this social engineering is highly effective.

Mitigate by enforcing Windows Defender Application Control and blocking script hosts (WScript/CScript) for non-IT users. When users can’t execute unsigned installers, the trap fails.

China’s Mustang Panda Deploys CoolClient Infostealer

China-linked APT Mustang Panda is deploying the CoolClient backdoor to install infostealers and credential theft tools across NGOs, government contractors, and policy think tanks.

This campaign uses targeted spear-phishing lures, focusing on political content to increase click-through.

Organizations should implement sandbox analysis for attachments, auto-quarantine suspicious documents, and monitor for unusual child process behavior in email clients.

$16B Chinese Crypto Laundering Network Exposed

Law enforcement agencies and blockchain analytics firms have identified a $16 billion Chinese crypto laundering operation, supporting ransomware gangs, pig-butchering scams, and North Korean affiliates.

These professionalized networks leverage nested exchanges, OTC brokers, fake KYC data, and mixers to obscure flows.

Financial institutions and crypto exchanges should increase AML/KYC friction, restrict withdrawals to pre-approved wallets, and require hardware wallet verification for transactions.

ATM Malware Operation Busted — 31 More Charged

Federal prosecutors have charged 31 new suspects tied to a Venezuelan ATM malware gang, known for jackpotting cash from U.S. ATMs across multiple states.

Over 87 members have now been indicted, with several sentenced to prison and slated for deportation. These takedowns highlight how physical and cybercrime have fully merged, targeting financial systems at both the hardware and network level.

As I summed it up:

“The cyber meets the physical in the worst way — and it’s happening in our own backyard.”

Action List

  • 🧑‍💻 Shorten identity session lifetimes and rotate OAuth tokens.

  • 🔐 Isolate physical security systems onto separate IoT networks.

  • 🌐 Lock browsers to enterprise extension allowlists and revoke tokens automatically.

  • 🚫 Block Telnet at the edge and migrate legacy devices to SSH.

  • 🧱 Audit FortiCloud activity and rotate all API keys and admin credentials.

  • 💻 Host internal registries for developer tools and disable public install links.

  • ⚙️ Enforce WDAC policies and block unsigned scripts enterprise-wide.

  • 📧 Enable sandboxing and quarantine for suspicious email attachments.

  • 💰 Apply KYC friction and restrict crypto wallet withdrawals.

  • 🏦 Audit ATM vendor access paths and enforce physical network segmentation.


James Azar’s CISO’s Take

Today’s show painted a clear picture: we’re living in the age of convergence — between cyber and physical, between trust and compromise. From ShinyHunters phishing and ChatGPT token theft to ATM malware and IoT alarms, everything we secure is now interconnected. And that interconnectedness means a single weak link — a token, a login, a flat network — can collapse the whole chain.

My takeaway is simple: assume compromise, design resilience. If your strategy relies on “not getting breached,” it’s outdated. Build faster detection, shorter trust windows, and cleaner recovery paths. Because whether it’s China, Russia, or a rogue GitHub repo — the threats are relentless.

Stay alert, stay caffeinated, and as always — stay cyber safe.
