CISO Talk by James Azar
CyberHub Podcast
Supply-Chain Carnage: Chinese Hack Drone Makers, Nucor Steel Knocked Offline, Scattered Spider Mauls Retail, Chrome 0-Day & CPU Meltdown Fixes


Post-Patch-Tuesday Fallout: Chinese supply-chain hacks, steel mills offline, and retail ransomware on the march (May 15 2025)

Good Morning Security Gang,

On the heels of a bruising Patch Tuesday, today’s CyberHub Podcast tracks how quickly fresh vulnerabilities translate into real-world disruption.

China-linked Earth Ammit is weaponising trusted vendors in Taiwan’s and South Korea’s drone ecosystem; U.S. steel giant Nucor is forced to idle furnaces after an IT/OT-converged intrusion; and the U.K.’s Co-op stores still can’t restock a month after a ransomware hit.

Add new details from Nova Scotia Power and Australia’s Human Rights Commission breaches, Google’s warning that “Scattered Spider” has landed on U.S. retail, and yet another SAP NetWeaver zero-day feeding both ransomware crews and Chinese APTs—and it’s clear defenders can’t just patch and relax.

Below, each headline is unpacked, followed by an actionable checklist to steady your teams before the weekend.

Earth Ammit Targets the Drone Supply Chain

Trend Micro reveals two waves—“Venom” (2023) and “Tidrone” (2024)—in which the China-tied actor compromised ERP servers and RDP gateways at upstream drone vendors in Taiwan and heavy-industry firms in South Korea. By tampering with legitimate software builds and propagating CXCLNT/CLNTBACK backdoors, the group positioned itself to reach defense, satellite-tech and healthcare customers downstream, highlighting how supply-chain footholds can shape kinetic battlefields from Ukraine to South Asia.

Nucor Steel Shuts Mills After IT Breach

America’s largest steelmaker disclosed to the SEC that “unauthorized third-party access” forced it to sever parts of its network, halting production at multiple plants. With ERP systems tightly meshed to furnace controls, the company opted for a full shutdown while forensics and law enforcement investigate. The incident underscores how manufacturing’s IT/OT convergence turns an office-side intrusion into an instant operational crisis.

Co-op UK Shelves Still Bare

Five weeks after DragonForce ransomware struck, 3,000 Co-op supermarkets are running on a “contingency ordering” process that delivers <20 % of normal stock. CEO Shirine Khoury-Haq admitted customer data was stolen and critical logistics systems remain offline.

“The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations,” Khoury-Haq wrote.

Critics say the protracted outage exposes failures in business-continuity planning and illustrates why paying extortion rarely halts data leaks.

Nova Scotia Power Lists Stolen Data

The Canadian utility now confirms attackers exfiltrated names, Social Insurance Numbers, power-consumption stats and bank-account numbers (unencrypted) on or around March 7. While grid operations were isolated, the breach highlights how utilities still store billing PII in legacy systems that flout basic PCI-style safeguards.

The stolen information includes one or more of the following types of data: name, date of birth, phone number, email address, mailing and service addresses, as well as data such as power consumption, service requests, and payment, billing, and credit history.

Driver’s license numbers and Social Insurance Numbers were also compromised, and in some cases — for customers who provided such information — the attackers also obtained bank account numbers shared for pre-authorized payments.

Australian Human Rights Commission Leak Indexed by Google

A misconfigured submissions portal left 670 documents—containing religious affiliation, medical details and photos—publicly crawlable from late March to early May. The exposure lands as Australia logs its highest breach tally since 2020, with OAIC citing a 24 % jump in ransomware attacks.

Scattered Spider Retargets U.S. Retailers

Google Threat Intelligence warns that UNC3944 has moved from its spring spree against Marks & Spencer, Harrods and Co-op to U.S. retail chains. The group is notorious for SIM-swap-enabled MFA bypasses and living-off-the-land techniques; claims against U.K. victims already top £100 million in insurance requests.

SAP NetWeaver Visual Composer Under Active Second Wave

Ransomware crews and Chinese APTs alike are abusing CVE-2025-31324 (RCE, CVSS 10) and a newly found insecure-deserialisation bug (CVSS 9.1). Web shells implanted during January’s zero-day blitz are now being recycled for follow-on attacks. SAP admins are urged to patch, restrict uploader services and hunt for Chinese-language shells.

Chrome 136 Patches Four Flaws

Google fixed CVE-2025-4664—an insufficient-policy-enforcement bug in the Loader component—alongside three other issues. No exploits seen yet, but past Chrome bugs moved from patch to in-the-wild within days; auto-update should be verified.

CPU “Branch Privilege Injection” Gets Microcode Fixes

ETH Zurich researchers broke six-year-old mitigations, exposing a speculative-execution side-channel (CVE-2025-34656). Intel issued microcode; ARM updated guidance; AMD says its CPUs aren’t affected. Cloud tenants should confirm hypervisor rollouts.

Juniper, VMware & Zoom Post Multi-Product Advisories

Juniper bundled 90 third-party fixes (three critical) into Secure Analytics 7.5.0-UP11; VMware patched a cross-site-scripting flaw in Aria Automation and insecure file handling in Tools; Zoom closed a TOCTOU privilege-escalation bug (CVSS 8.8) across desktop and mobile clients.

Ivanti’s New 0-days Keep Coming

Hot on Tuesday’s disclosure, two more auth-bypass/RCE bugs (CVE-2025-4427/-4428) in Endpoint Manager Mobile are confirmed exploited in the wild. Calls to “divorce Ivanti” grow louder as defenders brace for mass scans.

CyberCom–NSA Split Back on the Table

With Gen. Tim Haugh out, the administration is expected to name separate leaders—and possibly pursue a standalone “Cyber Force” branch—before Memorial Day. A divorce between offensive (CyberCom) and intelligence (NSA) functions would reshape U.S. cyber doctrine and budget lines.

📌 Action Items for Practitioners

Patch Priority: Microsoft zero-days (yesterday) ➜ SAP NetWeaver ➜ Chrome 136 ➜ Juniper/VMware/Zoom ➜ Ivanti EPMM chain.
Supply-Chain Audit: Map software and service providers in the aerospace, drone and satellite sectors for Earth Ammit compromise indicators.
IT/OT Segmentation Drill: Manufacturing & utilities should rehearse “Nucor scenarios” where ERP loss forces controlled OT shutdowns.
Retail Ransom Readiness: U.S. chains must enforce physical SIM-lock policies and review identity governance against Scattered Spider tactics.
Search-Engine DLP Sweep: Scan public indices for accidentally exposed documents, mirroring the AHRC leak lessons.
Encrypt Billing Data at Rest: Utilities and retailers must treat bank-account fields as PCI-level assets—rotate keys and tokenise ASAP.
Chrome & Browser Fleet Validation: Confirm auto-update success across VDI and kiosk systems, which tend to lag behind.
Monitor Microcode Deployment: Coordinate with cloud/IaaS providers to ensure Branch Privilege Injection patches are live on shared hosts.
Board-Level Briefing: Flag potential CyberCom/NSA restructure as a catalyst for new compliance directives and federal collaboration models.


✅ Story Links:

https://www.securityweek.com/chinese-hackers-hit-drone-sector-in-supply-chain-attacks/

https://www.bleepingcomputer.com/news/security/steel-giant-nucor-corporation-facing-disruptions-after-cyberattack/

https://thecyberexpress.com/co-op-cyberattack-causes-supply-disruptions/

https://www.securityweek.com/canadian-electric-utility-lists-customer-information-stolen-by-hackers/

https://www.bleepingcomputer.com/news/security/australian-human-rights-commission-leaks-docs-to-search-engines/

https://www.bleepingcomputer.com/news/security/google-scattered-spider-switches-targets-to-us-retail-chains/

https://www.securityweek.com/ransomware-groups-chinese-apts-exploit-recent-sap-netweaver-flaws/

https://www.securityweek.com/chrome-136-update-patches-vulnerability-with-exploit-in-the-wild/

https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-arm-respond-to-new-cpu-attacks/

https://www.securityweek.com/vulnerabilities-patched-by-juniper-vmware-and-zoom/

https://therecord.media/cyber-command-nsa-trump-leadership-picks-dual-hat
