Happy Friday Security Gang,

A wild, high-signal week: coordinated hits on the internet’s perimeter gear, data-blackmail campaigns rippling through the Salesforce ecosystem, emergency patches across the stack, and fresh reminders that OT outages are economic events—not IT footnotes. Below is a fast, expanded digest with added context, practical impact, and “do-now” guidance so you can brief leadership and tighten controls first thing Monday.

Municipal & Public Sector

Sugar Land, TX outage (Houston suburb). City portals for billing, permits, and 311 went dark, but 911 stayed online thanks to strict network segmentation and separate identity stacks. That separation prevented lateral movement into life-safety systems—exactly how municipal networks should be designed. Expect follow-on phishing using service-restoration lures; pre-draft resident comms and enable caller-ID verification at the help desk. If you provide MSP services to cities, validate out-of-band comms (radio/SMS trees) and back-office paper workflows.

UK threat picture—429 incidents. NCSC’s pivot to impact-first reporting forces boards to discuss lost revenue, supply-chain stoppage, and citizen services—not just “incident count.” Use that framing to justify segmentation and recovery SLAs as business KPIs. Bring finance into tabletop exercises so cash-flow risk (suppliers, payroll) is modeled alongside cyber metrics.

Ukraine launches Cyber Command. Expect more synchronized offensive/defensive operations that blend DDoS, psyops, and supply-chain targeting of logistics and media. Multi-nationals operating near the conflict should raise monitoring on identity providers, SaaS connectors, and satellite/IoT uplinks. Assume retaliation playbooks may extend into European suppliers of energy, transport, and food.

Critical Infrastructure & OT

Healthcare—SimonMed Imaging (1.2M). Beyond initial disruption, PHI and imaging data enable long-tail fraud (insurance, prescription, identity). Isolate vendor access, rotate tokens for radiology/archiving platforms, and restrict lateral movement between PACS, RIS, and corporate IT. Practice “degraded operations” (paper intake, offline imaging) quarterly.

ENISA warns on EU OT targeting. Pro-Russian groups are mapping ICS networks to stage future outages; JLR’s stoppage is the cautionary tale for convergence risk. Treat engineering workstations and historians like tier-0 assets; deploy one-way data diodes where feasible and make firewall fail-safe modes explicit. Brief the board using business-impact scenarios (lost production per hour/day).

China-linked ArcGIS persistence. Long-dwell web shells on municipal/utility GIS servers indicate attackers love systems that lack EDR and face the internet. Disable unused SOEs, require signed extensions, and monitor for odd child-process trees from the Java container. Review egress for SoftEther-like tunnels over 443.

Enterprise, SaaS & Supply Chain

Salesforce ecosystem extortion. OAuth sprawl + over-privileged connected apps = “steal-don’t-encrypt” data blackmail. Inventory all connected apps, revoke stale grants, and reduce scopes to read-only where possible; implement just-in-time tokens. Coordinate Legal/PR templates for no-ransom positions and customer notifications.

Oracle E-Business Suite pressure (CVE-2025-61884 + earlier). Internet-exposed EBS components and BI/Configurator endpoints are the soft belly. Put EBS behind a WAF, restrict by source IP, and hunt web-server logs for spikes against runtime/config URLs. Separate report/export servers from core ERP and require HSM-backed keys for integrations.

BreachForums takedown. Great morale win; limited operational impact. Expect mirror sites and Telegram “drops” to surge. Pre-stage detections for known leak-site domains and stand up a quick legal review path for takedown requests and brand-impersonation accounts.

Edge, Identity & Networking

Coordinated firewall/VPN hits (Cisco, Palo Alto, Fortinet). Three overlapping waves—zero-days, brute-force, and portal enumeration—show adversaries target the market share, not just a CVE. Patch ASA/FTD immediately, rate-limit/geo-fence GlobalProtect, enforce FIDO2 on all VPNs, and enable auto-ban on failed logins. Move admin planes to isolated management networks with PAM session recording.

SonicWall configuration exposure → valid logins. Treat backups as compromised credentials in bulk: reset all device passwords/API keys, re-issue certs, and disable WAN management. Add continuous config drift alerts to flag silent policy changes and unexpected NAT/DPI rules.

RDP botnet enumerating 100k+ IPs. Public RDP remains a breach onlay—retire it. Where RDP is essential, require VPN + device compliance, enforce time-bound access, and monitor for RDP Web Access timing side-channels.

Developer & Toolchain

North Korean NPM phishing (fake themes/CI tools). Targets developer identities and pipeline tokens because they unlock everything. Lock to private registries, require signature/provenance (Sigstore) for builds, and block “install from URL.” Alert on new repo secrets, PAT creation, and anomalous package maintainers.

OT-adjacent package lures (CDN redirects). Energy/manufacturing engineers are pulled to credential phish via innocuous docs. Block unpkg/OpenVSX where business-justified alternatives exist; sanitize HTML in READMEs; and require SSO for supplier portals with step-up MFA on firmware repositories.

Malicious VS Code extensions reappear. Pin extensions by hash and lock marketplaces; disallow user-installed plugins on build agents. Telemetry for suspicious onDidChangeTextDocument triggers and outbound HTTP to pastebins/pythonanywhere helps spot exfil.

Big Patches & Zero-Days

Microsoft (173 fixes; 2 exploited). Prioritize KEV entries, kernel/driver EoP, and anything touching credential material. Confirm reboots, enable driver block rules, and watch for persistence via vulnerable modem/legacy components. Use change windows to accelerate LAPS and LSASS protection.

Adobe & SAP (AEM/Connect; NetWeaver CVSS 10). AEM web shells often hide behind innocent-looking forms—hunt for child java processes, temp-dir JSPs, and web archive anomalies. For SAP, remove Admin UIs from public exposure, deploy WAF gadget-chain rules, and monitor for unexpected file writes in /usr/sap/*/DVEBMGS*.

Juniper (220+) & Ivanti (13 new). Treat management platforms as crown jewels: restrict by jump hosts, enforce MFA, and log command/config changes to immutable storage. If Ivanti is business-critical, isolate to management VLANs and pre-plan replacement.

Zimbra, Chrome, Firefox emergencies. Calendar .ics is now an executable surface—sandbox parsing and strip risky fields server-side. Push browser updates org-wide via your MDM; verify coverage with inventory reports.

Law Enforcement, Policy & Governance

Spain nabs GXC Team. Short-term dip in credential-phish volume; long-term actors will rebrand. Feed seized IOCs into your blocklists and add dynamic detection for look-alike domains.

Netherlands curbs China-owned chip governance (Nexperia). Supply-chain sovereignty is now an explicit state risk. If you rely on affected fabs/IP, re-score third-party risk and map alternates.

California privacy/AI child-safety moves. Browser one-click opt-out and youth protections bring enforcement beyond California’s borders in practice. Update consent flows, data broker contracts, and chatbot guardrails (safety overrides, escalation routes).

Quick Action List (save/share)

• 🔥 Patch Cisco ASA/FTD (CVE-2025-20333/20362); throttle/geo-fence GlobalProtect; harden Fortinet SSL VPN; auto-ban brute-force IPs.

• ☁ Rotate Salesforce OAuth/API keys; shrink scopes; re-review all connected apps.

• 🧱 Reset SonicWall creds/tokens; disable WAN management; re-issue certs; add config-drift alerts.

• 🧩 Prioritize Microsoft KEV; confirm reboots; block unsigned drivers.

• 🧾 Apply Oracle EBS July+Sept patches; remove from internet; add WAF rules; hunt runtime/config hits.

• 🧑‍💻 Enforce dependency allowlists; require provenance; pin NPM/VS Code by hash.

• 🗓️ Treat .ics as untrusted; sandbox calendar parsing; strip dangerous fields.

• 🏭 Map OT assets continuously; segment IT/OT; drill manual fallbacks (paper orders, radios).

• 💰 Verify payroll bank-change requests by call-back; alert on MFA device edits.

Leave a comment

James Azar’s CISO Take

Attackers are bypassing our “front doors” and going straight for the plumbing identity, VPN portals, connected apps, and developer pipelines. When the same three firewall vendors, OAuth tokens, and build tools show up in every incident, it’s not coincidence—it’s attacker economics. Build for failure: segment ruthlessly, rotate secrets on a clock, and rehearse data-extortion comms as seriously as ransomware restores. “Resiliency isn’t a magic word—it’s everything.”

At the same time, data theft has eclipsed encryption: it’s faster, quieter, and brutally effective against over-permissioned SaaS. Boards should measure time-to-mitigate and impact avoided, not just “patch counts.” Make identity phish-proof, treat integrations like privileged accounts, and give your SOC the authority to pull risky access in minutes—not meetings. “This isn’t ransomware anymore—it’s data blackmail at scale.”

That’s the week—high-tempo, high-impact, but manageable if you stay disciplined on identity, segmentation, and patch velocity. Share this brief with ops, legal, and finance; turn the action list into Monday tickets; and run one 30-minute tabletop on data-extortion comms.

See you next week—Stay Cyber Safe, Security Gang!