This Week in Cybersecurity #26
OT safety scares, supply-chain sprawl, cloud hiccups, and patch-now priorities: what actually matters and why
Happy Friday, Security Gang,
welcome to a milestone week. Hitting Episode 1000 is fun; what’s consequential is the pattern behind this week’s headlines. We saw quiet data theft over loud encryption, edge devices and identity plumbing targeted more than endpoints, and cloud fragility reminding boards that resilience is a design choice, not a vendor feature.
If you read nothing else: treat patching pipelines, OAuth, and dev tooling as Tier-0, rehearse manual fallbacks in OT and healthcare, and keep your brand and finance teams on high alert for post-breach social engineering.
🎯 BREACHES & DATA INCIDENTS
Toys”R”Us Canada Customer Leak
A July data breach went public this week, exposing customer contact and order information. While exposure of payment data remains unconfirmed, downstream risks include phishing, account takeovers, and loyalty-program scams. Companies in this position should move DMARC to an enforcing policy (p=reject) so spoofed "breach notification" mail is dropped, and monitor for look-alike domain registrations.
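To make the DMARC point concrete, the added example below (not from the newsletter or from any of the companies mentioned) parses a domain's DMARC TXT record in the RFC 7489 tag=value format and reports whether it would actually reject spoofed mail, or merely monitor it. The records in SAMPLE_RECORDS are constructed, not real lookups.

```python
"""Classify DMARC records by enforcement strength.

Added example, not the newsletter's code: parses the RFC 7489
'v=DMARC1; p=...; ...' tag format and lists the gaps a phisher could
exploit (p=none, partial pct, unprotected subdomains, no reporting).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    policy: Optional[str] = None      # p= tag, lower-cased, or None
    enforced: bool = False            # True only for full p=reject coverage
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return whether the record rejects unauthenticated mail, plus weaknesses."""
    result = DmarcAssessment()
    if not record:
        result.findings.append("no DMARC record: spoofed mail is delivered")
        return result
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        result.findings.append("missing or invalid v=DMARC1: receivers ignore the record")
        return result
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        result.findings.append("missing or invalid p= tag: receivers ignore the record")
        return result
    result.policy = policy
    if policy == "none":
        result.findings.append("p=none only monitors; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489 default is 100
    except ValueError:
        pct = 100
    if policy != "none" and pct < 100:
        result.findings.append(f"pct={pct}: {100 - pct}% of spoofed mail bypasses the policy")
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p=
    if policy != "none" and sp == "none":
        result.findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        result.findings.append("no rua= address: you will not see who is spoofing the domain")
    result.enforced = policy == "reject" and pct == 100 and sp != "none"
    return result


# Constructed records for demonstration; these are not real DNS lookups.
SAMPLE_RECORDS = {
    "retailer.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "hardened.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hardened.example",
    "missing.example": None,
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{domain:20} {'ENFORCED' if a.enforced else 'WEAK':8} {a.findings}")
```

Run it against the output of `dig +short TXT _dmarc.<domain>` for your own domains and any look-alikes you control; anything that is not ENFORCED is a domain an attacker can use for post-breach phishing.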
Dentsu Confirms Merkle Subsidiary Breach
Marketing giant Dentsu disclosed data theft at its U.S.-based Merkle division, compromising client, supplier, and employee data—including payroll and banking details. This supply-chain incident highlights cascading risks from business email compromise to fraudulent vendor banking changes.
Schneider Electric & Emerson Hit in Oracle Campaign
The Oracle E-Business Suite exploitation continues, with Schneider Electric and Emerson confirmed as victims. Leaked data includes engineering documents and supplier communications, creating high-value IP theft and phishing risks.
Conduent Breach Impacts 10 Million Americans
Government IT contractor Conduent revealed a January incident affecting over 10 million individuals across U.S. states, exposing Social Security numbers, medical data, and health insurance information tied to Medicaid, food assistance, and tolling systems. Despite $754M in quarterly revenue, the company spent just $2M on remediation.
F5 Nation-State Breach Hurts Business
F5 Networks disclosed that its nation-state breach—where attackers accessed engineering environments—is now impacting its sales pipeline. The company warned investors that growth may flatten for 2026 as customers delay renewals amid trust concerns.
Swedish Power Grid Operator Breach
Svenska Kraftnät confirmed a data breach involving a third-party file transfer system, with hundreds of gigabytes potentially exfiltrated. Grid architecture documents—subnets, network maps, device hierarchies—give adversaries reconnaissance blueprints for future attacks.
Canadian Critical Infrastructure Attacks
Hacktivists accessed and tampered with controls at multiple water, energy, and agricultural facilities, triggering false alarms and creating unsafe operating conditions. The attacks exposed weak authentication and internet-facing ICS/OT assets.
🦠 MALWARE & THREAT ACTORS
RedTiger Infostealer Targets Discord
A re-weaponized variant is harvesting Discord tokens, MFA data, and payment info, hijacking corporate support and development communities. Rotate all tokens, require re-authentication on device changes, and monitor webhook edits.
Qilin Ransomware’s Hybrid Resurgence
The Qilin crew returned with Linux-on-Windows payloads leveraging virtual-drive injection to disable EDR and wipe backups. Cisco Talos attributes 84 victims in August–September across manufacturing, scientific services, and wholesale sectors.
North Korea’s Dream Job Campaign
ESET uncovered Lazarus Group targeting European UAV and drone manufacturers through fake job lures to drop RATs and steal intellectual property. Companies in aerospace and defense should tighten recruitment verification and isolate design systems.
China’s Massive Smishing Operation
Palo Alto Networks revealed a China-linked campaign that exploded from 10,000 domains in 2024 to nearly 200,000 today, impersonating postal services, crypto exchanges, and payment gateways for credential and OTP theft.
Fake AI Browsers Deliver Malware
Threat actors are deploying fake installer apps and clone sites capitalizing on AI browser hype like Perplexity’s Comet, delivering infostealers to eager early adopters.
Italian Spyware Behind Chrome Zero-Day
New details link recent Chrome zero-day exploitation to Italian surveillance vendor Memento Labs (successor to Hacking Team). The spyware targeted media and government sectors across Europe and the Middle East.
Russia’s Living Off the Land Tactics
Russia-linked actors are increasingly using built-in administrative tools and Windows features for stealthy persistence in Ukrainian networks, abusing legitimate utilities like PowerShell and Task Scheduler.
Malicious npm Packages Target Developers
Ten newly discovered malicious npm packages are stealing developer credentials across Windows, macOS, and Linux, exfiltrating authentication tokens, build secrets, and API keys.
Botnet Surge Targets PHP and IoT
Researchers warn about automated botnets leveraging Mirai-style tactics to hijack PHP frameworks and IoT gateways, exploiting known CVEs in PHPUnit, Laravel, ThinkPHP, and DVR/camera firmware.
North Korea Tops Nation-State Activity
A new Trellix report ranks North Korea as the leading nation-state threat actor of Q3 2025, outpacing Russia and China with campaigns blending crypto theft, espionage, and defense supplier infiltration.
🔓 VULNERABILITIES & PATCHES
Windows Server WSUS Actively Exploited
A critical vulnerability (CVE-2025-59287) gives unauthenticated attackers remote code execution on exposed, unhardened WSUS servers, from which they can push malicious updates to every managed endpoint. Patch immediately, keep WSUS off the internet, enforce HTTPS with valid certificates, and review update-approval and server logs back to early October.
Chrome Zero-Day & 20 New Vulnerabilities
Kaspersky tied a recent Chrome zero-day to Dante spyware campaigns, while Google released Chrome 142 addressing 20 security flaws. Force browser updates and verify the rollout reached the whole fleet rather than trusting auto-update.
HashiCorp Vault Secret Leakage
Two fresh CVEs (CVE-2025-12044 and CVE-2025-11621) expose potential secret leakage and authentication bypass. Upgrade to fixed releases, rotate tokens and leases, and restrict Vault UI/API access.
QNAP ASP.NET Core Flaw
QNAP’s NetBak PC Agent for Windows is vulnerable to Microsoft’s highest-severity ASP.NET Core flaw, potentially allowing remote code execution. Patch immediately and add WAF rules.
Apache Tomcat RCE Vulnerabilities
Two critical flaws (CVE-2025-55752 and CVE-2025-55754) are being actively exploited. Upgrade to patched builds, disable HTTP PUT, lock down web roots, and deploy WAF rules.
Dassault Exploits Added to CISA KEV
CISA added Dassault Systemes vulnerabilities to its Known Exploited Vulnerabilities catalog. Upgrade to patched versions (R2020–R2025) and monitor for new admin account creation.
Kerberos Reflection Flaw
A new Kerberos reflection attack chain (CVE-2025-33073) allows privilege escalation via ghost SPNs. Restrict privileged accounts to dedicated admin workstations and monitor for abnormal SPN and DNS record creation.
☁️ INFRASTRUCTURE & OUTAGES
Microsoft DNS Outage Hits Azure and 365
For the second time in just over a week, Microsoft suffered a DNS outage impacting Azure, Exchange Admin Center, and 365 portals due to a misconfiguration in Azure Front Door’s DNS path.
Russia’s Food-Safety Agency DDoS
Rosselkhoznadzor suffered another major DDoS attack, disrupting systems tracking agricultural chemicals and food logistics, aiming to undermine public trust during wartime pressures.
📋 POLICY, INDUSTRY & TRENDS
Ransomware Economics Shift
Coveware’s Q3 2025 report shows attacks up 50% year-to-date, but average payments sharply down. Large enterprises are refusing to pay; mid-market payouts are shrinking as resilience improves.
Breach Forums Returns Again
Despite repeated FBI takedowns, Breach Forums is back on the clearnet under new administration, highlighting the decentralized, hydra-like nature of cybercrime.
U.S. Rejects U.N. Cybercrime Treaty
The United States declined to sign the U.N. Cybercrime Treaty, citing human rights and surveillance concerns, while China, Russia, and dozens of others supported it.
X Enforces MFA Re-Enrollment
X announced all users must re-enroll hardware security key MFA by November 10th or risk lockout. WebAuthn credentials are bound to the domain they were registered on, so keys enrolled under twitter.com must be re-registered under x.com as part of the domain migration.
FCC Cracks Down on Robocalls
The FCC approved new rules expanding carrier accountability for illegal robocalls, closing loopholes exploited for OTP interception and MFA fatigue scams.
Myanmar Cyber Scam Compounds Collapse
Over 1,500 people escaped Myanmar scam compounds after army demolitions of cyber slavery operations that trafficked workers under false job offers.
NSA Leadership Shake-Up
The NSA is undergoing significant leadership changes amid the ongoing debate over separating NSA from U.S. Cyber Command—the “dual-hat” model.
MITRE ATT&CK v18 Launches
MITRE rolled out ATT&CK version 18, expanding detection guidance for mobile and industrial control systems with new techniques and campaign mappings.
🚨 INSIDER THREATS
U.S. Insider Sells Exploits to Russia
Peter Williams, 39, pleaded guilty to stealing and selling U.S. cyber exploits to a Russian broker for $1.3M in cryptocurrency. The DOJ says he worked at a cyber tools developer and sold at least eight components of offensive software used for national defense.
Quick Action List
- 🔒 Patch WSUS; enforce TLS/signed updates; retro-hunt rogue approvals. 
- 🧱 Pull Oracle EBS off internet; apply July/Oct patches; WAF Configurator; rotate secrets. 
- 🌐 Push Chrome 142 (and Firefox/AEM/Adobe/SAP) to 100%. 
- 🔑 Enumerate/revoke risky OAuth apps; rotate client secrets; enforce token revocation. 
- 🧳 Segment OT/ICS; cut internet exposure; vendor VPN + MFA + jump-host. 
- 🧪 Run a bare-metal restore exercise (include paper fallbacks). 
- 🔐 Patch Vault; rotate tokens/leases; fence admin surfaces. 
- 🧩 Lock npm/IDE supply chains (allowlists, signed manifests, CI/CD egress guards). 
- ☁ Prove DNS/failover across clouds; isolate auth from app planes. 
- 🛡 Hunt Kerberos/SPN anomalies; disable legacy auth. 
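For the npm/IDE supply-chain item above, the added example below (not the newsletter's code and not any project's tooling) shows the kind of CI gate that turns "allowlists and signed manifests" into a concrete check: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and flags dependencies that are not on the allowlist, were resolved from somewhere other than the public registry over HTTPS, lack a sha512 integrity hash, or run install scripts. The lockfile, package names and hash strings are constructed for the demonstration.

```python
"""Gate a package-lock.json against an allowlist and source/integrity rules.

Added example, not from the newsletter. Works on the "packages" map that
npm 7+ writes (lockfileVersion 2/3); entries keyed "node_modules/<name>".
"""
import json
from typing import Dict, List, Set
from urllib.parse import urlparse

# Assumption: only the public registry is trusted; add your private mirror here.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile path such as
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, allowlist: Set[str]) -> List[Dict]:
    """Return one finding per dependency that violates a supply-chain rule."""
    findings: List[Dict] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = package_name(path, meta)
        problems: List[str] = []
        if name not in allowlist:
            problems.append("not on allowlist")
        resolved = meta.get("resolved")
        if not resolved:
            problems.append("no resolved URL: source is not pinned")
        else:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in TRUSTED_REGISTRY_HOSTS:
                problems.append(f"resolved from untrusted source: {resolved}")
        if not str(meta.get("integrity", "")).startswith("sha512-"):
            problems.append("missing or weak integrity hash")
        if meta.get("hasInstallScript"):
            problems.append("runs install scripts (preinstall/postinstall)")
        if problems:
            findings.append({"name": name, "version": meta.get("version", "?"),
                             "path": path, "problems": problems})
    return findings


# Constructed lockfile; hashes are placeholders with the right prefix.
SAMPLE_LOCK = json.loads("""
{
  "name": "internal-dashboard",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "internal-dashboard", "version": "1.0.0"},
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH=="
    },
    "node_modules/@acme/ui-kit": {
      "version": "2.3.0",
      "resolved": "https://npm.mirror.internal.example/@acme/ui-kit/-/ui-kit-2.3.0.tgz",
      "integrity": "sha512-CONSTRUCTEDPLACEHOLDERHASH=="
    },
    "node_modules/colors-helper": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/colors-helper/-/colors-helper-1.0.2.tgz",
      "integrity": "sha1-CONSTRUCTEDWEAKHASH=",
      "hasInstallScript": true
    },
    "node_modules/left-padd": {
      "version": "0.0.1",
      "resolved": "git+ssh://git@git.example/someone/left-padd.git#constructed"
    }
  }
}
""")

ALLOWLIST = {"lodash", "@acme/ui-kit"}  # assumption: the team's approved set

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, ALLOWLIST):
        print(f"{f['name']}@{f['version']}: " + "; ".join(f["problems"]))
```

In CI, fail the build when `audit_lockfile` returns anything, and treat a new `hasInstallScript` entry or a changed `resolved` host as a review-required event, since both are how the credential-stealing packages described above get to run on developer machines.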
James Azar’s CISO Take 
This week made one thing unmistakable: trust is the target. Adversaries are stealing grid maps, payroll files, API keys, and support transcripts because those artifacts unlock bigger outcomes later—quietly. The strongest programs I see aren’t the flashiest; they’re the ones that detect fast, isolate faster, and restore without drama. “Resilience isn’t built in the cloud or on-prem; it’s built in preparation.”
Second, our Tier-0 has shifted. It’s not just AD and domain controllers—it’s WSUS, Vault, OAuth, CI/CD, and IDEs. Treat them as crown jewels and measure your team by time-to-contain and time-to-recover, not by the size of your tool stack. Because when trust cracks, the blast radius isn’t technical—it’s financial and reputational. “Reputation is a security control—once it’s compromised, no patch can fix it.”
Stay Cyber Safe, Security Gang! ☕👊