This Week in Cybersecurity #22
From boardrooms to baggage belts—this week proved resilience and trust are the new battlefields
Happy Friday Security Gang,
If you blinked, you missed a lot. Ransomware turned into macro-economics, OAuth tokens behaved like skeleton keys, and edge devices reminded everyone that “perimeter” still exists. Below is a fast, readable rundown—organized by category—with added context so you can brief leadership, guide your teams, and prioritize fixes without drowning in tabs.
Macro & Critical Infrastructure
JLR bailout & day-29 outage:
The UK’s £1.5B loan guarantee is a liquidity lifeline to prevent supplier failure as JLR’s downtime stretches past four weeks. Analysts estimate £50–70M/day in lost output, with 180k jobs tied to the ecosystem. The guarantee isn’t a grant—expect strings: segmentation proof, backup testing evidence, and improved vendor risk controls. Treat this as a case study in OT continuity planning, not just an IR headline.
Airports disrupted by RTX/Collins “Muse” hit:
Airline counters at Heathrow/Brussels/Berlin stalled while kiosks and baggage drops limped on, and Brussels kept ~85% of departures with manual fallbacks. The reinfection risk in airline ground systems shows why gold images and clean-room rebuilds matter. Airports with printed contingency playbooks performed best—practice beats theory.
Asahi stops production across 30 plants:
The owner of Peroni, Pilsner Urquell, and London Pride paused IT and OT, impacting orders, shipments, and call centers. OT recovery is measured in weeks, not days—PLC checks, vendor callouts, and staged restarts. Expect downstream shortages and pricing knock-ons; suppliers will ask for force-majeure terms.
Hidden telecom network dismantled near the UN:
A covert mesh with 100k+ SIMs could have jammed 911 or flooded SMS at city scale. It’s a reminder to inventory rogue base stations (IMSI catchers/femtocells) near critical sites and monitor for anomalous paging storms. Nation-state price tags apply; so should city-level response plans.
Enterprise Breaches & Ransomware
Co-op UK: $275M revenue impact:
Outages hit warehouse management and replenishment, causing empty shelves and spoilage. Data theft confirmed; look for fraud waves abusing loyalty details. Lesson: secure supplier portals and EDI paths like crown jewels.
Harrods & WestJet:
Harrods: a provider leak of names + contacts; WestJet: IDs and contact info, not card data (saved by PCI segmentation). Expect spear-phish and travel scams; verify call-back numbers against authoritative sources. Audit CRM objects for secrets parked in “notes/attachments.”
Union County, Ohio:
45,487 residents’ SSNs/financials exposed; county budgets strain under response costs. The fix: consolidate systems, remove shared local admin, and pre-negotiate IR retainers to avoid decision paralysis.
Boyd Gaming & OneBlood:
Hospitality and healthcare nonprofits remain juicy for double extortion. Legal and notification spend lingers for quarters—model this in your cyber reserve and insurance renewals.
Supply Chain & Developer Ecosystem
Salesforce/Drift OAuth campaign:
Stolen Drift tokens let actors pull contacts, cases, and sometimes embedded secrets from Salesforce across marquee brands. The killer move: support tickets often contain passwords, API keys, or screenshots with creds. Rotate tokens, re-consent scopes, and quarantine any integration with “wide” permissions.
NPM/GitHub waves:
Trojanized packages (e.g., the debug/chalk fiasco) and a worm that invoked TruffleHog to steal secrets from CI/CD showed how fast taint spreads. Enforce trusted publishing, short-lived tokens, and build-time SBOM with policy gates; don’t wait for daily scans.
Malicious MCP server:
A trojanized NPM package quietly cc’ed every email to an attacker—think 2FA codes, reset links, invoices. Rip and replace, rotate all exposed secrets, and sandbox MCP servers with egress controls.
Fake GitHub repos & VS Code extensions:
SEO-poisoned repos trick macOS users into pasting one-liners that drop AMOS; 24 rogue VS Code/Open-VSX extensions funneled wallets to Lumma Stealer. Lock marketplace sources, require extension allow-lists, and disable shell execution in dev environments where possible.
Identity, Cloud & Edge Vulnerabilities
Microsoft Entra ID global-admin path:
Undocumented actor tokens + Graph API flaw could bypass normal logging and elevate across tenants. Backfill with token inventory, conditional access tightening, and sign-in anomaly hunting for stale OAuth grants.
Cisco ASA/FTD zero-days:
Attackers achieved root, disabled logging, even touched ROM for persistence on older models. CISA issued an Emergency Directive; patch, rotate certs/keys, and consider replacing EoS devices lacking Secure Boot/Trust Anchor.
Ivanti EPMM & SonicWall VPNs:
China-nexus operators abused EPMM loaders/listeners; Akira is bypassing OTP MFA—assume seed theft or replay. Patch, re-enroll MFA with new seeds, block legacy auth, and restrict VPN by device compliance.
Fortra GoAnywhere (CVSS 10), VMware Aria Ops/Tools, Dassault Delmia Apriso:
GoAnywhere forgery = unauth RCE; VMware flaw actively exploited since 2024; Delmia Apriso (CVE-2025-5086) hits factory floors. Patch now, then hunt for web shells and unusual scheduler tasks.
Apple & Samsung zero-days:
Mobile zero-clicks continue; push updates to iOS/iPadOS/macOS and Samsung Android fleets. MDM: disable iMessage/FaceTime previews and restrict profile installs to shrink blast radius.
Geopolitics & Espionage
China operations (APT41, BrickStorm, Red November, Great Firewall leak, 1-hr rule):
From impersonating a US Congressman to year-long dwell on perimeter appliances, the focus is intel at the edge where EDR is blind. A 500–600GB censorship leak and a draft 1-hour breach rule suggest Beijing’s also under pressure—expect faster, harsher responses and broader supplier scrutiny.
Russia & DPRK:
Turla + Gamaredon coordination blends precision with mass intrusion against Ukraine. DPRK’s BeaverTail/Invisible Ferret target crypto/Web3 seekers across all OSes, using job lures and fake conferencing tools.
Recruitment & arrests:
MI6 onion site opens a safer channel for human intel; two Scattered Spider suspects nabbed in the UK; Dutch teens coaxed on Telegram to spy with Wi-Fi sniffers—invest early in white-hat pipelines.
Policy, Enforcement & Market
TikTok under US oversight:
80% US ownership, Oracle-hosted US data, and third-party algorithm monitors would be the strongest social platform regime to date. Watch for scope creep and audit cadence.
Privacy & consumer protection:
Amazon settles $2.5B over Prime dark patterns; Tractor Supply gets CCPA’s largest fine; FTC sues teen app Sendit for COPPA deception—expect stricter dark-pattern enforcement in funnels and cancellations.
Interpol Haechi:
$439M recovered, 68k accounts frozen across 40+ countries—coordinate with your banks for rapid recall playbooks.
CISA: CVE roadmap vs. shutdown furloughs:
Commitment to expand CVE participation, but 65% furloughed during a shutdown means slower advisories and less surge help—plan private-sector backups.
Do This Now
Rotate & re-consent OAuth for Salesforce/Drift and any “chat/agent” integrations; least-privilege scopes only.
Patch priority: Cisco ASA/FTD, Ivanti EPMM, SonicWall, Fortra GoAnywhere, VMware Aria Ops/Tools, Apple & Samsung.
Identity hardening: Re-enroll MFA seeds, disable legacy/basic auth, enforce device-based access.
CI/CD trust: MFA-gated publishing, short-lived tokens, provenance attestations, build-time SBOM with policy gates.
OT resilience: Segment IT/OT, verify offline restores, and rehearse manual ops (airports/plants).
Vendor continuity: Map top-20 suppliers’ cash exposure; create 30-day contingency plans.
Dev protections: Extension allow-lists, repo reputation checks, block “copy-paste” install scripts.
People & pipelines: Youth white-hat pathways, insider-risk playbooks, and secure whistleblower routes.
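To make the first "Do This Now" item (and the Salesforce/Drift and Entra stale-grant advice above) concrete, here is an added triage script, not from the newsletter or any vendor, that walks a normalised grant inventory and says which integrations to revoke, rotate/re-consent, or quarantine. The field names, the "wide" scope list, and the inventory rows are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Scopes this newsletter would call "wide": broad read/write or long-lived access.
# The exact scope strings are assumptions chosen to look like Salesforce/Graph scopes.
WIDE_SCOPES = {"full", "api", "refresh_token", "offline_access",
               "Mail.ReadWrite", "Directory.ReadWrite.All"}
STALE_AFTER = timedelta(days=90)          # unused this long -> revoke, don't just rotate

NOW = datetime(2025, 10, 3, tzinfo=timezone.utc)   # constructed "today"

# Constructed inventory rows: app, granted scopes, last token use, admin-consented?
GRANTS = [
    {"app": "Drift Chat", "scopes": {"api", "refresh_token"},
     "last_used": NOW - timedelta(days=2), "admin_consent": True},
    {"app": "Slack Alerts", "scopes": {"chatter_api"},
     "last_used": NOW - timedelta(days=5), "admin_consent": True},
    {"app": "OldReportTool", "scopes": {"full"},
     "last_used": NOW - timedelta(days=200), "admin_consent": False},
    {"app": "Agent Helper", "scopes": {"Mail.ReadWrite", "offline_access"},
     "last_used": NOW - timedelta(days=1), "admin_consent": False},
]


def triage(grants, now=NOW):
    """Return {app: [actions]} for every grant that needs attention."""
    findings = {}
    for g in grants:
        actions = []
        wide = g["scopes"] & WIDE_SCOPES
        stale = now - g["last_used"] > STALE_AFTER
        if stale:
            # Nobody is using it: revoking is cheaper and safer than re-consenting.
            actions.append("revoke: unused > %d days" % STALE_AFTER.days)
        elif wide:
            # Live and wide: rotate the token, then re-consent with narrower scopes.
            actions.append("rotate token; re-consent without " + ",".join(sorted(wide)))
        if wide and not g["admin_consent"]:
            # Wide scope granted by an individual user rather than an admin review.
            actions.append("quarantine: wide scope without admin consent")
        if actions:
            findings[g["app"]] = actions
    return findings


if __name__ == "__main__":
    for app, acts in triage(GRANTS).items():
        print(app, "->", "; ".join(acts))
```

Feed it the export from your own tenant after mapping the columns onto these keys; the thresholds are the part worth arguing about with your identity team.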
James Azar’s CISO Take
Cyber is now a business-continuity instrument. JLR’s bailout and airport delays show that ransomware’s true blast radius is jobs, GDP, and public confidence. Resilience isn’t a slide—it’s segmentation, gold images, restore tests, and practiced manual procedures. Measure yourself by time-to-patch and time-to-mitigate.
At the same time, the threat edge keeps shifting: OAuth integrations, perimeter appliances without EDR, and poisoned developer ecosystems. The fix isn’t another tool—it’s governance of trust: identity, integrations, and pipelines. Do the boring basics brilliantly and what could be a crisis becomes a Tuesday.
Thanks for reading the weekend catch-up. Share this with your team, brief the board with the “Do This Now,” and keep your playbooks sharp.
Stay Cyber Safe, Security Gang!