CISO Talk by James Azar
CyberHub Podcast
Sweden's Grid Exposed, North Korea Steals Drone Secrets, and the Treaty America Refused to Sign

Episode 1001: Sweden's Power Grid Breached, Gmail Hack Claims Debunked, North Korean Drone IP Theft, and the UN Cybercrime Treaty Rejected by the US

Good Morning Security Gang

Good morning, Security Gang — James Azar here with Episode 1001 of the CyberHub Podcast! Yesterday, we hit a major milestone: 1,000 episodes. The outpouring of messages, DMs, and comments from all of you has been nothing short of humbling. I can’t say thank you enough — your support is what fuels me every morning with that double espresso in hand.

So let’s keep the momentum rolling because, as always, the threat actors didn’t take a day off. We’ve got a packed lineup today: power grid breaches, North Korean espionage, Google drama, and even Italian spyware.

Let’s dig in. Coffee cup cheers, Security Gang.

Sweden’s Power Grid Operator Hit by Data Breach

We begin in Sweden, where state grid operator Svenska Kraftnät confirmed a data breach — but clarified that no operational impact occurred. The intrusion involved a third-party file transfer system, with hundreds of gigabytes of data potentially exfiltrated. While electricity delivery wasn’t affected, the real concern lies in what was stolen. Grid architecture documents — including subnets, network maps, and device hierarchies — are often shared through FTP servers, making them prime reconnaissance targets for attackers.

“What keeps me up at night isn’t the data theft itself - it’s what comes next. When threat actors steal grid architecture documentation, network layouts, and infrastructure designs, they’re not just looking for quick ransomware payouts; they’re building the intelligence foundation for potentially devastating attacks on physical infrastructure that could impact millions of people.” James Azar

This is the kind of data that gives adversaries a blueprint for future attacks. If this happened under NERC CIP jurisdiction in the U.S., it would be classified as a significant reportable event. For practitioners, the key here is third-party credential rotation and continuous monitoring of external data movement systems to detect exfiltration in real-time.
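
The "continuous monitoring of external data movement" point is easier to see in code. The following is an added illustration, not code from the podcast or from any grid operator: a sliding-window check over a file-transfer service's access log that flags an account pulling far more data than usual, and notes whether it happened off-hours and to which peer. The log format, the hypothetical `vendor-svc` third-party account and every value in it are constructed for the example.

```python
"""Sliding-window check for unusual outbound volume on a file-transfer service.

Added example for the Svenska Kraftnät item above; not code from the podcast
or from any grid operator. The log format and all values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log: timestamp account direction bytes peer_ip.
# "vendor-svc" is a hypothetical third-party service account pulling ~1.9 GiB
# in eight minutes at 01:00; the other rows are ordinary daytime activity.
SAMPLE_LOG = """\
2025-10-27T01:02:10Z vendor-svc DOWNLOAD 52428800 203.0.113.7
2025-10-27T01:05:44Z vendor-svc DOWNLOAD 734003200 203.0.113.7
2025-10-27T01:09:51Z vendor-svc DOWNLOAD 1258291200 203.0.113.7
2025-10-27T09:15:00Z alice UPLOAD 10485760 198.51.100.20
2025-10-27T09:40:12Z bob DOWNLOAD 20971520 198.51.100.21
2025-10-27T10:01:30Z alice DOWNLOAD 5242880 198.51.100.20
"""


def parse_line(line):
    ts, account, direction, nbytes, peer = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "direction": direction,
        "bytes": int(nbytes),
        "peer": peer,
    }


def find_exfil_candidates(log_text, window=timedelta(hours=1),
                          threshold=500 * 1024 * 1024, off_hours=(22, 6)):
    """Return one alert per account whose DOWNLOAD volume inside any
    `window`-long span exceeds `threshold` bytes (downloads are what leaves
    the system). Each alert records the peak window, the peer IPs involved
    and whether any of it fell between off_hours[0] and off_hours[1]."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_account = defaultdict(list)
    for e in events:
        if e["direction"] == "DOWNLOAD":
            by_account[e["account"]].append(e)

    night_start, night_end = off_hours
    alerts = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda ev: ev["ts"])
        start, total, best = 0, 0, None
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Slide the window start forward until the span fits in `window`.
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if best is None or total > best["bytes"]:
                best = {"bytes": total, "events": evs[start:end + 1]}
        if best["bytes"] > threshold:
            span = best["events"]
            alerts.append({
                "account": account,
                "bytes": best["bytes"],
                "first": span[0]["ts"],
                "last": span[-1]["ts"],
                "peers": {ev["peer"] for ev in span},
                "off_hours": any(ev["ts"].hour >= night_start or ev["ts"].hour < night_end
                                 for ev in span),
            })
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG):
        print(f"{a['account']}: {a['bytes'] / 2**30:.2f} GiB between "
              f"{a['first']:%H:%M} and {a['last']:%H:%M} to {sorted(a['peers'])} "
              f"off_hours={a['off_hours']}")
```

The threshold and window are the tuning knobs: a baseline per account (what that vendor normally pulls per day) beats a fixed number, but even a fixed number would have separated a nightly 2 GB pull by a service account from routine daytime traffic. The same logic applies to any managed file transfer or SFTP gateway that logs bytes per session.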

Google Denies Massive Gmail Breach Claims

Over the weekend, viral posts claimed that millions of Gmail accounts were hacked. Google quickly responded, saying no such breach occurred, and that compromised credentials circulating online are the result of credential stuffing and password reuse across multiple services.

Security researcher Troy Hunt confirmed that the 183 million leaked records stem from aggregated leaks and info-stealing malware — not a direct Gmail compromise. This story reinforces a timeless lesson: enforcing MFA and discouraging password reuse remain non-negotiables in our defense strategy.
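
Credential stuffing has a recognizable shape in an authentication log: one source trying many different usernames, nearly all failing, with the occasional success where someone reused a password from an older breach. The following detection is an added example, not Google's code or the podcast's; the log format, addresses and accounts are constructed. It groups attempts by source IP and reports the accounts that accepted a password from a flagged source, which are the ones to reset and put behind MFA first.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example for the Gmail item above; not Google's code or the podcast's.
Log format and addresses are constructed.
"""
from collections import defaultdict

# Constructed sample: timestamp source_ip username outcome.
# 203.0.113.50 walks a leaked list (six different accounts in four seconds);
# 198.51.100.9 is a real user mistyping her own password twice.
SAMPLE_AUTH_LOG = """\
2025-10-27T03:00:01Z 203.0.113.50 user01@example.com FAIL
2025-10-27T03:00:02Z 203.0.113.50 user02@example.com FAIL
2025-10-27T03:00:02Z 203.0.113.50 user03@example.com SUCCESS
2025-10-27T03:00:03Z 203.0.113.50 user04@example.com FAIL
2025-10-27T03:00:03Z 203.0.113.50 user05@example.com FAIL
2025-10-27T03:00:04Z 203.0.113.50 user06@example.com FAIL
2025-10-27T08:12:00Z 198.51.100.9 alice@example.com FAIL
2025-10-27T08:12:20Z 198.51.100.9 alice@example.com FAIL
2025-10-27T08:12:41Z 198.51.100.9 alice@example.com SUCCESS
"""


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.7):
    """Return one finding per source IP that tried at least `min_distinct_users`
    different accounts with a failure ratio of at least `min_fail_ratio`.
    `compromised` lists accounts that accepted a password from that source."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "users": set(), "compromised": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, outcome = line.split()
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if outcome == "FAIL":
            s["failures"] += 1
        else:
            s["compromised"].add(user)

    findings = []
    for ip, s in sorted(per_ip.items()):
        ratio = s["failures"] / s["attempts"]
        # Many distinct usernames is the discriminator: a locked-out real user
        # fails repeatedly on ONE account and never trips this check.
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["compromised"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print(f"{f['ip']}: {f['distinct_users']} accounts, "
              f"{f['fail_ratio']:.0%} failures, reset {f['compromised']}")
```

On a production log you would bucket by time window (distinct usernames per source per five minutes) and key on more than the IP, since stuffing tools rotate through proxies; but the distinguishing feature stays the same, and the `compromised` list is exactly the set of accounts whose owners reused a password somewhere else.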

North Korea Targets EU Drone Makers

In a campaign dubbed Operation Dream Job, ESET researchers uncovered North Korea’s Lazarus Group targeting European UAV and drone manufacturers through fake job lures. The goal? Drop remote access trojans (RATs) and exfiltrate intellectual property to accelerate Pyongyang’s drone program.

This mirrors earlier examples where Iran reverse-engineered a U.S. drone captured intact — fueling years of weaponized drone exports. North Korea is following the same playbook: steal, replicate, and militarize. Companies in aerospace and defense should tighten verification on recruitment communications, monitor for suspicious remote desktop sessions, and isolate design systems from the internet.

Critical ASP.NET Core Flaw Impacts QNAP Devices

QNAP issued a warning that its NetBak PC Agent for Windows is vulnerable to Microsoft’s highest-severity ASP.NET Core flaw. Exploitation could lead to remote code execution on unpatched systems.

Administrators should patch immediately, redeploy clean system images, and add WAF rules to detect abnormal traffic patterns. For organizations exposing these services online, now’s the time to review internet-facing assets and apply stricter segmentation between user-facing and backup systems.

China’s Massive Smishing Operation

Palo Alto Networks revealed a China-linked smishing campaign that has ballooned from 10,000 domains in 2024 to nearly 200,000 today. The domains impersonate postal services, cryptocurrency exchanges, and payment gateways, tricking users into credential and OTP theft.

“Credential reuse is the enemy of security — it’s the open door threat actors never stop walking through.” James Azar

Victims span across Argentina, Australia, Canada, Israel, the UAE, and the EU. For CISOs, the priority is to throttle SMS-based authentication, deploy number reputation checks, and push toward FIDO2/WebAuthn authentication to mitigate SMS OTP risks.

Fake AI Browsers Deliver Malware

With the rise of AI browsers like Perplexity’s Comet, threat actors are seizing the hype — deploying fake installer apps and clone sites that deliver infostealers. The tactic plays off FOMO-driven launches where users rush to try new AI tools.

“Technology evolves faster than policy — that’s why we, the practitioners, are the real first responders of cyberspace.” James Azar

Mitigation steps: implement domain allowlisting, enforce EDR policies to block unsigned executables, and ensure employees only download software from verified vendor platforms. AI’s marketing cycle may be fast, but attackers move even faster.

X (Formerly Twitter) Enforces MFA Re-Enrollment

X announced that all users must re-enroll their hardware security key MFA by November 10th or risk being locked out. Because security keys are domain-scoped, X.com’s migration requires fresh enrollment.
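
The "domain-scoped" point is concrete in the WebAuthn protocol: every credential a security key creates is bound to a Relying Party ID, and every assertion the key signs starts with the SHA-256 hash of that RP ID, which the server must check against the RP ID it expects. The following is an added illustration of that server-side check, not X's code or the podcast's; the authenticator data is constructed by hand rather than captured from a real key, and signature verification (a separate step) is left out.

```python
"""Server-side check that a WebAuthn assertion is scoped to our RP ID.

Added example for the X re-enrollment item above; not X's code or the
podcast's. The authenticator data is constructed, not captured from a key.
"""
import hashlib
import hmac
import struct
from urllib.parse import urlparse

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def make_authenticator_data(rp_id, flags=FLAG_UP | FLAG_UV, sign_count=0):
    """Build the fixed 37-byte prefix of WebAuthn authenticator data:
    SHA-256(rpId) || flags || signCount (big-endian uint32).
    A real key produces this; we construct it to stand in for a key that
    was enrolled under rp_id."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def parse_authenticator_data(auth_data):
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def rp_id_valid_for_origin(rp_id, origin):
    """An RP ID must equal the origin's host or be a parent domain of it
    (public-suffix rules are ignored in this example)."""
    host = (urlparse(origin).hostname or "").lower()
    rp_id = rp_id.lower()
    return host == rp_id or host.endswith("." + rp_id)


def verify_assertion_scope(auth_data, expected_rp_id, origin):
    """Return (ok, reason) for the RP-ID part of assertion verification."""
    if not rp_id_valid_for_origin(expected_rp_id, origin):
        return False, "rp id is not valid for this origin"
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    # Constant-time compare; this is the check that makes keys domain-scoped.
    if not hmac.compare_digest(parsed["rp_id_hash"], expected_hash):
        return False, "rpIdHash mismatch: credential belongs to a different RP ID"
    if not parsed["flags"] & FLAG_UP:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    # A key enrolled while the site answered to twitter.com ...
    old_key = make_authenticator_data("twitter.com")
    # ... cannot satisfy a server that now expects the RP ID x.com.
    print(verify_assertion_scope(old_key, "x.com", "https://x.com"))
    # A fresh enrollment under x.com does.
    print(verify_assertion_scope(make_authenticator_data("x.com"), "x.com", "https://x.com"))
```

The authenticator enforces the same scoping on its side (it will not even offer a twitter.com credential to an x.com request), so there is no server-side configuration that rescues the old registrations; re-enrollment is the only path, which is why the deadline matters.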

Corporate social media teams should update MFA now, document key ownership, and ensure backup authentication methods exist. The last thing you want is your corporate handle locked or hijacked during a campaign launch.

Italian Spyware Behind Chrome Zero-Day

New details have emerged linking the Chrome zero-day exploitation discussed yesterday to Italian surveillance vendor Memento Labs — the successor of the notorious Hacking Team. The spyware, part of Operation ForumToll, primarily targeted media and government sectors and shares overlap with the Dante spyware framework.

Kaspersky’s analysis shows the campaigns are active in Europe and the Middle East, suggesting commercial spyware continues to blur ethical lines. Practitioners should enforce Chrome updates, audit extensions, and monitor for sandbox escapes or privilege escalation attempts — especially on journalist and executive endpoints.

U.S. Rejects U.N. Cybercrime Treaty

The United States officially declined to sign the U.N. Cybercrime Treaty, citing human rights and surveillance concerns. The treaty, supported by China, Russia, and dozens of others, aims to create cross-border cooperation for prosecuting cybercrime.

Washington’s stance is pragmatic — the U.N.’s credibility and enforcement track record remain questionable. While international collaboration is critical, entrusting cyber norms to an ineffective global body risks enabling censorship and abuse under the guise of law enforcement.

Action List

  • ⚙️ Rotate and review third-party credentials tied to external transfer or backup tools.

  • 📩 Mandate MFA across Gmail and other corporate accounts.

  • 🧑‍💻 Verify recruiters and cross-check sender domains to stop Dream Job campaigns.

  • 🧱 Patch QNAP devices and redeploy clean system images.

  • 📱 Reduce SMS OTP use — favor app-based or key-based authentication.

  • 🌐 Whitelist trusted domains and block unsigned app installers.

  • 🔑 Re-enroll MFA keys for all X/Twitter accounts before November 10th.

  • 🕵️‍♂️ Audit browser extensions and monitor for zero-day exploit indicators.

  • 🌎 Stay informed — international treaties won’t protect your data, but vigilance will.

James Azar’s CISO’s Take

Today’s episode underscores a recurring theme: data theft is the new battlefield — not just ransomware. From Sweden’s grid schematics to North Korea’s drone IP theft, adversaries are hunting intelligence, not just ransom payments. It’s all about access, leverage, and persistence. Meanwhile, misinformation around Gmail “breaches” and AI browser scams remind us that human psychology remains the ultimate vulnerability.

For me, this episode is a reminder that cybersecurity maturity isn’t measured by how fast you patch, but how well you anticipate where the next breach will hurt most — operationally, reputationally, and strategically. We’re living in an era where espionage, cybercrime, and influence operations overlap more than ever. So while we can’t control the UN or big tech narratives, we can control our resilience, our readiness, and our culture. That’s where real security leadership happens.


Stay spooky, stay sharp, and most importantly — stay cyber safe.
