This Week in Cybersecurity #15
From University Mega-Breaches to Federal Judiciary Hacks: AI Vulnerabilities and Infrastructure Attacks Dominate the Threat Landscape
Happy Friday Security Gang,
This week's cybersecurity landscape showcased the dangerous convergence of AI security failures, critical infrastructure vulnerabilities, and sophisticated nation-state operations. From Columbia University's massive breach affecting 860,000+ individuals to the concerning hack of the U.S. federal judiciary's case management system, we're witnessing attackers successfully exploiting both human weaknesses and technical flaws. Meanwhile, the revelation that GPT-5 was jailbroken within 24 hours of release underscores the urgent need for AI security governance as these tools become enterprise-critical.
🎓 Education & Government Sector Breaches
Columbia University Data Breach
Columbia University disclosed a massive breach affecting 868,969 individuals after summer attacks caused outages on June 24 and July 1. Compromised data includes SSNs, demographic information, academic history, insurance details, and some PHI. Network segmentation successfully protected Columbia Irving Medical Center patient records, demonstrating the value of proper infrastructure design.
U.S. Federal Judiciary System Compromised
The U.S. federal judiciary acknowledged a cyberattack on its electronic case management system hosting confidential court filings. Reports suggest exposure of sensitive information including identities of confidential informants and potentially unsealed indictments—creating massive implications for ongoing federal cases and national security.
Pennsylvania Attorney General's Office Knocked Offline
Pennsylvania's AG office suffered a cyber incident that disabled its landline phones, email systems, and public website. Kevin Beaumont identified vulnerable Citrix NetScaler appliances that remained unpatched for weeks before the attack, highlighting fundamental vulnerability management failures.
🔍 Advanced Persistent Threats & Nation-State Activities
North Korean Kimsuky APT Breached by Ethical Hackers
Two hackers, Saber and Cyborg, breached North Korea's Kimsuky APT, releasing 8.9GB of data including phishing logs, South Korea's Ministry of Foreign Affairs email source code, certificates, phishing kits, and Cobalt Strike loaders. The breach provides unprecedented insight into North Korean TTPs and forces infrastructure rebuilding.
Russian Dam Sabotage in Norway
Pro-Russian actors accessed and manipulated valve controls at a Norwegian dam in April, increasing water flow for four hours. While no damage occurred, control panel footage was posted to Telegram, representing Russia's evolving cyber-to-physical attack methodology.
"Charon" Ransomware Targets Middle East
Trend Micro identified Charon ransomware with APT-style capabilities targeting Middle Eastern government and aviation organizations. The strain shows similarities to China-linked Earth Baxia, suggesting possible knowledge transfer between nation-state and criminal groups.
🚨 Critical Vulnerabilities & Active Exploits
Massive Patch Tuesday - 107 Microsoft Fixes
Microsoft released 107 patches including a publicly disclosed zero-day in Windows Kerberos (CVE-2025-53779) allowing unauthenticated attackers to gain domain admin privileges. The update addresses 13 critical vulnerabilities across multiple categories.
Fortinet Under Active Attack
FortiSIEM RCE (CVE-2025-25256): CVSS 9.8 vulnerability with public PoC enabling unauthenticated remote code execution
FortiWeb Authentication Bypass (CVE-2025-52970): Allows remote attackers to log in as any existing user
SSL VPN Brute Force Surge: 780+ malicious IPs targeting FortiOS profiles
Citrix Bleed 2 Continues
CVE-2025-57777 remains unpatched on 3,300 Citrix NetScaler devices despite proof-of-concept exploits and confirmed attacks against Netherlands companies weeks before the fix.
Enterprise Software Vulnerabilities
N-able nCentral: Two CVEs enabling remote command execution, ~2,000 exposed instances
Zoom Windows Client: Privilege escalation flaw in versions before 6.3.10
Xerox FreeFlow Core: CVSS 9.8 path traversal bug enabling RCE
🤖 AI Security Breaches & Vulnerabilities
GPT-5 Jailbroken in 24 Hours
Two separate research teams independently bypassed GPT-5's safety filters within a day of release, exploiting multi-turn conversation contexts that single-prompt checks missed. This highlights critical gaps in AI model governance frameworks.
Passkey Bypass Demonstrated
SquareX researchers showed how malicious browser extensions can hijack WebAuthn API flows to bypass passkey authentication—not a cryptographic flaw but a browser security issue requiring enhanced controls.
Nvidia AI Framework Vulnerabilities
Nvidia patched flaws in its NeMo AI framework that could lead to remote code execution and data tampering, affecting enterprises rapidly adopting AI development tools.
💰 Financial & Enterprise Platform Breaches
Salesforce Breach Wave Continues
Google Ads: Contact info and account notes exposed, ShinyHunters demanding 20 BTC (~$2.3M)
Allianz Life: Data leak includes names, addresses, phone numbers from compromised Salesforce accounts
ShinyHunters & Scattered Spider Merger: Now operating as "Spider Hunters" with escalated extortion tactics
Australian Optus Lawsuit
Australia's OAIC is suing Optus over its 2022 breach affecting nearly 10M customers, with potential fines exceeding AUD $21 trillion if maximum penalties were applied—raising questions about proportional punishment versus business viability.
🏭 Industrial & Critical Infrastructure
OT Network Vulnerabilities Surge
Erlang OTP SSH (CVE-2025-32433): Under active attack, especially targeting OT and 5G environments with 70% of attacks on OT systems
Largest ICS Patch Tuesday: Dozens of advisories from Siemens, Schneider, Honeywell, ABB, Rockwell, and Mitsubishi affecting SCADA and industrial control systems
DEF CON Water Utility Initiative
An inspiring community-driven effort pairs 350 white-hat hackers with underfunded U.S. water utilities across Indiana, Oregon, Utah, and Vermont, providing free OT mapping, password audits, and vulnerability assessments.
💸 Ransomware & Financial Crime
Embargo Ransomware Success
Embargo has generated $34M in one year, possibly succeeding BlackCat/ALPHV as a major RaaS operator. The group targets healthcare, business services, and manufacturing with ransom demands reaching $1.3M.
St. Paul Government Crippled
Weeks after an Interlock ransomware attack, St. Paul's government remains largely offline. 43GB of stolen data was posted online, and fake invoices are circulating to trick residents—exposing poor disaster recovery readiness.
$100M Fraud Ring Dismantled
Four Ghanaian nationals from the "Sakawa boys" were extradited to the U.S. for romance scams and BEC attacks that stole over $100M, each facing up to 20 years in prison.
🎯 Notable Security Wins
DarkBit Ransomware Decrypted
Profero researchers cracked DarkBit ransomware (linked to Iran's MuddyWater) and released a free decryptor, allowing victims to recover files without paying the 80 BTC ransom demands.
SonicWall Clarification
SonicWall confirmed that the recent attacks were due to a known vulnerability plus credential reuse, not a zero-day. Only ~40 compromises have been confirmed, and the fix requires an upgrade to SonicOS 7.3.0.
🧠 James Azar's CISO Take
"Is the government going after businesses to bankrupt them over fines? If that's the case, how do you have an economy?" - On the $21.9 trillion potential fine against Optus
This week crystallized two critical challenges facing our industry. First, the AI security findings around GPT-5 being jailbroken in 24 hours really highlight my concerns about rushing AI deployment without adequate security frameworks. We're integrating these powerful tools into enterprise environments while researchers can easily manipulate them through multi-turn conversations that bypass single-prompt filters. Model governance still focuses too narrowly on single-prompt checks rather than conversation context—creating dangerous exploitation gaps.
"I think that as more and more AI tools are introduced for defenders, we're gonna have a lot more vulnerabilities... the next two to three years are going to be really really rough."
Second, coming back to fundamentals, cyber defense remains equal parts process, technology, and human vigilance. From Columbia's successful segmentation protecting medical records to the help desk failures exploited by Scattered Spider, the contrast is stark. Breaches don't always mean total collapse—proper segmentation, strong IAM, and staff training can make the difference between targeted compromise and organizational chaos. My prediction stands: we're entering an era where Patch Tuesdays will reach astronomical numbers as AI-powered vulnerability detection becomes more sophisticated.
What gives me hope is our community's response. The DEF CON water utility initiative exemplifies what makes cybersecurity extraordinary—350 volunteers protecting critical infrastructure without compensation, driven purely by mission. Whether post-October 7th efforts in Israel, COVID hospital support, or now water utilities, our community consistently proves that when threats emerge, we unite. That collective spirit gives me confidence that no matter how astronomical patch numbers become, we'll manage the chaos and keep the lights on.
✅ Critical Action Items
Immediate Patching Required
🚨 Apply August Patch Tuesday updates for Microsoft, Adobe, SAP, Fortinet, Ivanti
🛡️ Patch Citrix NetScaler CVE-2025-57777 and terminate all active sessions
🔐 Update N-able nCentral to v2025.3.1+ and review MSP client exposure
📥 Apply Zoom updates to v6.3.10+ and Xerox FreeFlow Core v8.0.4
⚡ Patch Erlang OTP SSH and strengthen OT network segmentation
Security Hardening
🔍 Review threat intel from Kimsuky leak and update detection rules
🛠️ Train help desk teams on phishing-resistant identity verification
📦 Audit WinRAR usage and restrict untrusted archive handling
🧠 Implement network segmentation across sensitive data environments
🌐 Harden browser extension policies to protect passkey authentication
AI & Platform Security
📜 Monitor AI deployments for prompt injection and jailbreak vulnerabilities
💳 Review Salesforce/CRM access policies and enforce MFA
🤖 Audit connected apps and eliminate legacy credentials
💻 Educate users on phishing risks from "non-sensitive" personal data
Operational Resilience
🚨 Test ransomware recovery playbooks—reduce downtime to days, not weeks
💾 Review OT/ICS access controls to prevent remote system manipulation
📄 Track Charon ransomware TTPs and apply IOC blocking
💧 Share DEF CON water utility model with other critical infrastructure sectors
Monitoring & Intelligence
🔍 Monitor for Fortinet SSL VPN brute force attempts
📊 Track ICS/OT vulnerabilities from major vendors
🧾 Follow Optus case for precedent-setting breach penalty rulings
🔐 Kill all active sessions post-Citrix patching using provided commands
🛡️ Strategic Security Recommendations
Vulnerability Management Evolution: Shift from point-in-time patching to system-wide vulnerability chaining analysis
AI Security Governance: Implement comprehensive controls for AI assistant usage with proper sandboxing
Community-Driven Defense: Leverage industry collaboration models like the DEF CON water utility initiative
Infrastructure Segmentation: Prioritize network segmentation to contain breaches like Columbia's medical center protection
Resilience Over Detection: Build recovery capabilities that enable days-not-weeks restoration timelines
Stay Cyber Safe, Security Gang!