CISO Talk by James Azar
CyberHub Podcast
Stryker Warns of Earnings Hit From Iran Attack, Adobe Reader 0-Day Patched, 4K US ICS Devices Exposed

Baby Azar #3 Is Here! James Returns from Paternity Leave, North Korea's $280M Crypto Theft Playbook Revealed, Microsoft Finds Android Wallet Flaw, GlassWorm Evolves to Zig-Based IDE Compromise

Good Morning Security Gang,

Back in the saddle after a short break, and yes, with the Azar family growing by one (sleep optional, coffee mandatory), we’re back to business.

The Azar gang did grow by one! A beautiful, amazing, great little boy who's just phenomenal with his older brother now. The family feels a bit bigger. Sleep is rarer. But I'll take it because there's nothing more gratifying than fatherhood—really, there isn't. Mom's doing great!

Thank you to the amazing team at Northside Hospital for a job well done keeping mom and baby safe. What a joy it is to be in the room to see a new life come into it. Quite a bundle of joy!

And today’s show? It’s a reminder that cybersecurity doesn’t live in dashboards, it lives in hospitals, factories, payroll systems, and people’s lives.

We’re not talking about theoretical risk anymore. We’re talking about real-world operational impact, financial damage, and human consequences.

Let’s get into it. Coffee Cup Cheers,

Stryker Attack: When Cyber Hits the Earnings Report

We kick things off with Stryker confirming that the Iran-linked March 11 attack had a material impact on Q1 earnings. This wasn’t just a disruption—it was a full-blown business event.

The attackers, tied to the Handala group, inserted a malicious file into Microsoft Intune, wiping over 200,000 devices and disrupting ordering systems. While operations have now been restored, the real story here is what happened in between.

This wasn’t just IT downtime. This impacted hospital supply chains. Medical staff had to adapt, extend usage of equipment, and operate under constrained conditions.

This is what happens when cyber leaves the SOC and lands on a hospital floor.

And if you’re a CISO and you’re still struggling to quantify cyber risk in dollars, this is your example.

North Korea’s $280M Crypto Theft: Corporate-Grade Cybercrime

Next, we dig into the Drift crypto theft post-mortem, and it reads less like a hack and more like a business operation.

North Korea orchestrated a $280 million theft using fake companies, social engineering, and even physical presence at industry conferences. Let that sink in—this wasn’t just keyboard warriors. This was relationship-building, long-game infiltration.

This is the evolution of cybercrime into full-scale enterprise operations.

They’re not exploiting systems, they’re exploiting trust, process, and human behavior.

If your security model doesn’t account for that level of persistence, you’re already behind.

4,000 U.S. Industrial Devices Exposed to Iranian Targeting

Now let’s talk about something that should make every critical infrastructure operator pause: nearly 4,000 U.S. industrial devices remain exposed online, vulnerable to Iranian-linked activity.

This isn’t about immediate destruction. This is reconnaissance. Foothold building. Positioning.

And here’s the dangerous part: these are operational technology environments. We’re talking about systems that control physical processes.

The exposure of OT-adjacent devices is essentially leaving the front door open in a high-risk neighborhood and hoping no one walks in.

Spoiler alert: someone will.

Microsoft Finds Android Crypto Wallet Flaw

Microsoft uncovered a vulnerability that could have exposed millions of Android crypto wallet users, allowing malicious apps to steal sensitive wallet data.

And here’s the kicker: no need to break blockchain security.

Just compromise the endpoint.

We keep saying it on the show: the endpoint is still the weakest link.

You can have the most secure system in the world, but if the device accessing it is compromised, game over.

Payroll Diversion Attacks Hit Canadian Employees

We’re also seeing a rise in payroll diversion attacks, targeting Canadian employees by manipulating direct deposit workflows.

This is cybercrime at its most efficient: no ransomware, no noise, just quietly redirecting money.

And it works because payroll systems are trusted, routine, and rarely questioned.

This is where identity, HR systems, and financial controls intersect—and where attackers are increasingly focusing.

Glassworm Expands Supply Chain Attacks into Developer Environments

Glassworm is back, and it’s evolving—this time using a Zig-based dropper to target developer environments and IDE ecosystems.

This is a continuation of a trend we’ve been tracking: attackers moving upstream into the development lifecycle.

Why? Because if you control the developer environment, you control what gets built. This is supply chain compromise at scale.

Adobe Reader Zero-Day Exploited for Months

Adobe patched a Reader zero-day that had been exploited in the wild for months.

Let me repeat that: months.

Document-based attacks continue to work because we trust them. PDFs are still one of the easiest delivery mechanisms for malware. And despite all the awareness, users still click.

This isn’t a tooling problem. It’s a trust problem.

Marimo RCE Under Active Exploitation

A critical pre-authentication RCE flaw in Marimo is now under active exploitation. This hits a growing category: developer and data science tools exposed to the internet.

Convenience is killing security here. If your experimental tools are internet-facing without proper controls, you’re essentially inviting attackers in.

Juniper and Chrome Patch Cycles Highlight Ongoing Risk

Juniper patched dozens of Junos OS vulnerabilities, reinforcing the ongoing risk in network infrastructure. At the same time, Chrome released version 147 with 60 vulnerability fixes, including two critical ones.

Browsers and network devices remain prime targets because they sit at the intersection of trust and exposure. They’re not flashy, but they’re foundational.

Action Items for Security Leaders

  • Quantify cyber risk in business terms—tie incidents to revenue and operations

  • Eliminate direct internet exposure for OT and industrial systems

  • Enforce strict endpoint security for high-value assets like crypto wallets

  • Implement multi-layer verification for payroll and financial workflows

  • Lock down developer environments with signed plugins and access controls

  • Patch aggressively—especially for document readers and edge systems

  • Move experimental and developer tools behind authentication layers

  • Treat supply chain security as a top-tier priority, not a secondary concern


James Azar’s CISOs Take

What stood out to me today is how cyber incidents are no longer contained within the boundaries of technology. The Stryker story is the clearest example: this wasn’t just a breach, it was a disruption to healthcare delivery and a hit to financial performance. That’s the reality we’re operating in now. Cybersecurity is no longer a support function. It’s a business function.

The second takeaway is that attackers are consistently targeting trust. Whether it’s payroll systems, developer tools, mobile devices, or industrial infrastructure, the common thread is exploitation of what organizations assume is safe. We need to rethink that assumption. Security today isn’t about protecting everything, it’s about validating everything, continuously.

Stay Cyber Safe
