This Week in Cybersecurity #28
From State Ransomware Recovery to Nation-State ERP Exploitation - A Week of Resilience, Regulation, and Reality Checks
Good morning, Security Gang!
I hope everyone had a meaningful Veterans Week and took time to honor those who served. With that, let’s settle in this weekend and catch up on the latest in cybersecurity.
This week brought us everything from a masterclass in ransomware recovery (Nevada’s 28-day restoration) to the official launch of CMMC enforcement, a massive leak exposing China’s state-sponsored cyber operations, and nation-states weaponizing everything from Google APIs to Oracle ERP systems. Whether it’s disciplined backup hygiene or the geopolitics of surveillance expansion, one theme emerged crystal clear: complexity without discipline equals exposure.
Let’s power through this week’s headlines together.
☕ Cheers, y’all!
🚨 RANSOMWARE ATTACKS & MAJOR BREACHES
Nevada’s Ransomware Recovery: The 28-Day Playbook – The State of Nevada provided a full post-mortem of its ransomware incident, revealing how a spoofed site download on May 14th led to backup wipes and VM encryption by August 24th. The impact hit 60+ state agencies including DMV, DHHS, and Public Safety. The silver lining? Nevada didn’t pay a dime and recovered 90% of data in 28 days, spending $1.3M on IR and vendor support. The breach came through 26 compromised accounts via RDP and remote monitoring misuse. James’s takeaway: “You should segment and lock backup networks – they should be immutable, they should be out of bounds. I say you should rehearse a recovery playbook, period.”
Asahi Beer Production Crippled – Japan’s Asahi Breweries remains disrupted following a ransomware attack claimed by the Qilin ransomware group. The attack hit both IT and OT systems, causing ripple effects across retailers and logistics. As James noted, manufacturing shutdowns are catastrophic because “if you lose six weeks of production, it can take six months to recover full capacity.” This is a textbook OT/ICS attack where downtime equals dollars.
Synnovis NHS Breach Fallout – The U.K.’s Synnovis pathology group confirmed its 2024 Qilin ransomware attack exposed NHS numbers, patient names, birth dates, and lab results. The attack led to the cancellation of 800+ surgeries and 700+ outpatient appointments across London hospitals, one of the most disruptive healthcare cyber events in British history.
GlobalLogic Data Theft – GlobalLogic (Hitachi subsidiary) notified 10,000+ employees of a breach linked to Oracle EBS zero-day (CVE-2025-61882), with stolen data including SSNs, tax IDs, and bank details. The intrusion began in July-August with exfiltration traced to October 9th—a payroll redirection goldmine.
💰 EXTORTION CAMPAIGNS & CRIMINAL OPERATIONS
Clop Names 30 Oracle EBS Victims – The Clop ransomware group listed nearly 30 victims from Oracle E-Business Suite exploitation, including Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ, and Copeland. The attacks leverage CVE-2025-61882 and CVE-2025-61884, with CISA confirming active exploitation. Since Oracle EBS connects finance, HR, supply chain, and procurement, attackers gain deep operational access for ERP-level disruption.
$5.1M Fine for Credential Negligence – Education tech firm Illuminate (now Renaissance) was fined $5.1M by California, Connecticut, and New York AGs for its 2021 breach exposing student medical and special education records. The cause? Stale credentials from an ex-employee reused by attackers, plus failure to segregate backups from production and false privacy claims. The breach affected 49 states, triggering a complete brand overhaul.
VanHelsing Ransomware-as-a-Service Emerges – A new multi-platform ransomware family dubbed VanHelsing is targeting Windows, Linux, macOS, BSD, ARM, and ESXi, offering affiliates an 80% profit share for a $5,000 buy-in. It uses ChaCha20 and Curve25519 for encryption and is built to move laterally across hybrid environments, which is what makes it dangerous.
The Bitcoin Queen Sentenced – Zhimin Qian received 11 years and 8 months in the U.K. for laundering $5.3B+ in crypto linked to Chinese fraud schemes (2014-2017). Authorities seized 61,000 Bitcoin worth $7B+ in one of the largest crypto busts ever. James noted: “She should count herself lucky she was arrested in the U.K. If this trial happened in China, she’d have been executed within 30 days.”
U.S. Strike Force vs. Southeast Asian Scam Compounds – The U.S. launched a Strike Force initiative to dismantle Southeast Asian scam compounds behind global pig-butchering and investment fraud, with Treasury sanctions targeting operators and facilitators in Myanmar and Cambodia who’ve trafficked thousands into forced online fraud campaigns.
🔥 CRITICAL VULNERABILITIES & ZERO-DAYS
Oracle EBS Double Whammy – Two critical vulnerabilities (CVE-2025-61882 and CVE-2025-61884) are under active exploitation, allowing unauthenticated remote data access and RCE. Oracle issued emergency out-of-band patches after Clop weaponized these flaws for widespread extortion.
Microsoft Patch Tuesday: ~60 Flaws, One Zero-Day – Microsoft patched roughly 60 vulnerabilities, including the actively exploited Windows kernel zero-day CVE-2025-62215, a race condition that lets a local attacker escalate to SYSTEM, the usual stepping stone to disabling EDR and moving laterally.
SAP’s Perfect 10 CVSS – SAP’s November updates include a CVSS 10.0 vulnerability (CVE-2025-42890), hardcoded credentials in the SQL Anywhere Monitor (non-GUI) component, and a 9.9-rated code injection flaw in Solution Manager (CVE-2025-42887). SAP’s fix for the first is not a patch at all: remove SQL Anywhere Monitor entirely.
Cisco ASA Zero-Days Now Used for DoS – The chained Cisco zero-days CVE-2025-20362 and CVE-2025-20333 are now being used in a new attack variant that forces unpatched ASA and FTD firewalls to reload, a straight denial of service, attributed to the ArcaneDoor actor. Roughly 34,000 devices remain exposed.
Citrix NetScaler Active Exploitation – A new XSS vulnerability in Citrix NetScaler ADC and Gateway allows session hijacking, with attackers deploying custom web shells that inject into Tomcat threads and use DES-encrypted traffic to evade detection.
QNAP’s Seven Zero-Days – After Pwn2Own Ireland, QNAP patched seven zero-days (including CVE-2025-62847 and CVE-2025-11837) affecting QTS, QuTS hero, and HBS 3, flaws that enable data theft, crypto-locking, and compromise of the backups stored on the NAS itself.
Critical JavaScript RCE – CVE-2025-12735 in the expr-eval JavaScript library allows remote code execution: untrusted input passed to evaluate() can reach arbitrary function execution. The fix is available in the expr-eval-fork package at v3.0.0, but the original project remains unpatched, which makes a transitive dependency on it tailor-made for supply chain compromise.
Gladinet Triofox Exploitation – CVE-2025-12480, an access-control bypass in Gladinet’s Triofox file-sharing platform, is being actively exploited by UNC6485 to create rogue admin accounts and deploy Zoho Assist/AnyDesk for persistence. James quipped: “If China loves a tool, it’s time for you to retire it.”
Adobe 29 Vulnerabilities – Adobe patched 29 flaws across Photoshop, Illustrator, InDesign, InCopy, and Substance 3D Stager, including several critical code execution vulnerabilities.
Hardware Vendor Patch Storm – Intel, AMD, NVIDIA, and Zoom released coordinated updates covering 60+ combined vulnerabilities spanning firmware, drivers, and AI platform software—many are privilege escalation and code execution risks.
👥 THREAT ACTOR ACTIVITY & NATION-STATE OPERATIONS
KnownSec Leak Exposes China’s Cyber Playbook – In a massive irony, Chinese state-linked cybersecurity firm KnownSec was breached, leaking 12,000+ internal documents revealing offensive tools, source code, and target lists of foreign organizations (Japan, India, U.K.). The leak confirms deep CCP collaboration with spreadsheets mapping offensive operations against international businesses and government networks.
James emphasized: “There’s no private business in China. Everything goes to the Chinese Communist Party. Everything does, especially in cyber. And cyber is a warfare tool for the Chinese. It won’t stop.”
Congressional Budget Office Nation-State Breach – The CBO confirmed a nation-state intrusion compromising internal messaging and chat data with congressional staffers, likely exposing policy-sensitive communications valuable for foreign intelligence and disinformation.
APT37 Abuses Google Find Hub – North Korea’s APT37 (Konni) is using Google’s Find Hub (formerly Find My Device) to geolocate, track, and remotely wipe Android devices. Targets receive malicious MSI installers signed with stolen certificates that harvest Google/Naver credentials and hijack KakaoTalk desktop sessions. When defenders respond, the attackers remotely wipe the phones to cover their tracks: espionage in the age of APIs.
China’s Bitcoin Propaganda – Chinese state media accused the U.S. of hacking $13B in Bitcoin from a mining pool—an unsupported propaganda operation to rally domestic support amid economic woes and trade tensions. James called it “textbook authoritarian disinformation.”
Google Sues Chinese Phishing Network – Google is suing a China-based phishing operation behind fake U.S. toll payment SMS campaigns that defrauded thousands of Americans, with court orders expected to authorize domain seizures. James noted this is “whack-a-mole” but makes the ecosystem more expensive.
🕵️ SUPPLY CHAIN & DEVELOPER SECURITY
GlassWorm Infects Dev Ecosystem – The GlassWorm campaign published three malicious VS Code extensions to Open VSX registry (ai-driven-dev.ai, hamu.history-in-sublime-merge, yasayuki.transient-emacs), using Unicode obfuscation and Solana transactions for C2. Downloaded 10,000+ times, targeting developers, crypto wallets, and government IT—”the new battleground is the developer’s workstation.”
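How the invisible-Unicode trick works, and how to catch it on a developer workstation, as an added example that is not part of the original newsletter or of any vendor’s report: the script below scans source text for code points that render as nothing (variation selectors, the Unicode Tags block, zero-width and bidi format characters, private-use code points), groups them into runs, and tries to decode the longest run with the well-known variation-selector byte encoding (U+FE00..FE0F for 0..15, U+E0100..E01EF for 16..255). That encoding is an assumption made for the demo; a given campaign may use a different mapping, which is why run length alone drives the severity. The tampered extension file is constructed inline.

```python
"""Find invisible-Unicode payloads hidden in source files (added example, not a vendor tool)."""
from __future__ import annotations

import unicodedata

# Bidirectional overrides/isolates, the "Trojan Source" characters. Always high severity.
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def classify(cp: int) -> str | None:
    """Name the class of an invisible code point, or None if it renders normally."""
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return "variation_selector"   # invisible on their own, 256 of them: one byte each
    if 0xE0000 <= cp <= 0xE007F:
        return "tag"                  # Unicode Tags block, also invisible
    if cp in BIDI_CONTROLS:
        return "bidi_control"
    if 0xE000 <= cp <= 0xF8FF or 0xF0000 <= cp <= 0x10FFFD:
        return "private_use"          # no glyph in a default editor font
    if unicodedata.category(chr(cp)) == "Cf":
        return "format"               # ZWSP, ZWJ, soft hyphen, BOM, ...
    return None


# Assumed encoding for the demo: VS1..VS16 carry bytes 0..15, VS17..VS256 carry 16..255.
def byte_to_vs(b: int) -> str:
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16)


def vs_to_byte(cp: int) -> int | None:
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None


def encode_hidden(payload: bytes) -> str:
    """Only used to build the constructed sample below."""
    return "".join(byte_to_vs(b) for b in payload)


def decode_hidden(run: str) -> bytes:
    """Decode a run of variation selectors; other invisible characters are skipped."""
    out = bytearray()
    for ch in run:
        b = vs_to_byte(ord(ch))
        if b is not None:
            out.append(b)
    return bytes(out)


def hidden_runs(line: str) -> list[str]:
    """Split a line into maximal runs of consecutive invisible characters."""
    runs, cur = [], []
    for ch in line:
        if classify(ord(ch)) is not None:
            cur.append(ch)
        elif cur:
            runs.append("".join(cur))
            cur = []
    if cur:
        runs.append("".join(cur))
    return runs


def scan_source(text: str, path: str = "<string>", run_threshold: int = 8) -> list[dict]:
    """One finding per line that contains invisible characters, with the longest run decoded."""
    if text.startswith("\ufeff"):   # a leading BOM is legitimate, do not report it
        text = text[1:]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        runs = hidden_runs(line)
        if not runs:
            continue
        kinds = sorted({classify(ord(ch)) for run in runs for ch in run})
        longest = max(runs, key=len)
        # A lone soft hyphen in a comment is noise; a long run or any bidi override is not.
        severity = "high" if len(longest) >= run_threshold or "bidi_control" in kinds else "low"
        findings.append({
            "path": path, "line": line_no, "kinds": kinds,
            "hidden_chars": sum(len(r) for r in runs), "longest_run": len(longest),
            "decoded": decode_hidden(longest), "severity": severity,
        })
    return findings


# Constructed sample: an extension whose string literal carries 26 invisible code points.
HIDDEN = encode_hidden(b"constructed-hidden-payload")
SAMPLE_EXTENSION_JS = (
    "// constructed sample of a tampered VS Code extension\n"
    "const greeting = 'hello';\n"
    "const marker = 'a" + HIDDEN + "';  // renders as a one-character string in the editor\n"
    "function activate(context) { console.log(greeting); }\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_EXTENSION_JS, "extension.js"):
        print(f["severity"], f["path"], f["line"], f["kinds"], f["longest_run"], f["decoded"])
```

Run it over the JavaScript files of an installed extension (read each file and pass it to scan_source). A single soft hyphen in a comment shows up as low severity; a run of dozens of invisible code points inside a string literal, or any bidi override, is high severity and reason enough to pull the extension and check what the decoded bytes say.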
“You always want to block typosquat downloads. You should enforce application control for installers. You should segment and lock backup networks – they should be immutable, they should be out of bounds. I say you should rehearse a recovery playbook, period.” – James Azar
Wiz Report: AI Companies Leaking Secrets – Wiz revealed dozens of Forbes AI 50 companies are leaking credentials, datasets, and model endpoints through public GitHub repos, including API keys, config files, and training datasets—creating risks for model theft, IP leakage, PII exposure, and GDPR violations.
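A minimal version of the check that catches these leaks before a public push, added here as an example and not Wiz’s or anyone else’s tooling: it matches the public key formats of a few vendors (AWS, GitHub, OpenAI, Hugging Face, PEM private keys), falls back to an entropy check on generic `password = "..."` assignments so placeholders do not page anyone, allowlists AWS’s documentation example key, and masks values in the report so the scanner itself does not re-leak secrets. The sample settings file and .env file are constructed; none of the values are real credentials.

```python
"""Pre-push secret scanner for source trees (added example, not Wiz's tooling)."""
from __future__ import annotations

import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Public vendor key formats that routinely leak into repos.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{32,}\b"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{30,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Generic `password = "..."` style assignments; the value must look random to count.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
MIN_GENERIC_ENTROPY = 3.5   # bits per character; placeholders like "xxxxxxxx" score near 0
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}   # AWS's documentation example key
SKIP_DIRS = {".git", "node_modules", "venv", ".venv", "__pycache__"}
TEXT_SUFFIXES = {".py", ".js", ".ts", ".json", ".yaml", ".yml", ".toml",
                 ".ini", ".cfg", ".txt", ".md", ".ipynb"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-character alphabet."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep the first and last four characters so the report cannot re-leak the secret."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:] if len(value) > 8 else "*" * len(value)


def scan_text(text: str, path: str = "<string>") -> list[dict]:
    """One finding per matched secret. Generic matches are skipped on lines already
    caught by a specific pattern so the same key is not reported twice."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        specific_hit = False
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                if m.group(0) in ALLOWLIST:
                    continue
                specific_hit = True
                findings.append({"path": path, "line": line_no, "kind": kind, "value": mask(m.group(0))})
        if specific_hit:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value in ALLOWLIST or shannon_entropy(value) < MIN_GENERIC_ENTROPY:
                continue   # placeholder or low-entropy string, not a credential
            findings.append({"path": path, "line": line_no, "kind": "generic_assignment", "value": mask(value)})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Walk a checkout and scan every text-like file, skipping vendored and binary content."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or SKIP_DIRS.intersection(p.relative_to(root).parts):
            continue
        if p.suffix.lower() not in TEXT_SUFFIXES and not p.name.startswith(".env"):
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue
        findings.extend(scan_text(text, str(p.relative_to(root))))
    return findings


# Constructed sample: none of these values are real credentials.
SAMPLE_CONFIG = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAQX4TEST00000ABCD"
DOCS_EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
db_password = "xxxxxxxxxxxxxxxxxxxx"
admin_password = "x7Qm2pLw9sRk4Tn8Vb3Jd6Hf"
"""
SAMPLE_DOTENV = "OPENAI_API_KEY=sk-cnstrctdexample0123456789abcdefghij\n"


def demo_scan() -> list[dict]:
    """Write the constructed files into a temporary checkout and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "settings.py").write_text(SAMPLE_CONFIG, encoding="utf-8")
        (root / ".env").write_text(SAMPLE_DOTENV, encoding="utf-8")
        (root / "model.bin").write_bytes(b"\x00\xff" * 16)   # binary suffix, never scanned
        (root / "node_modules").mkdir()
        (root / "node_modules" / "dep.js").write_text(SAMPLE_CONFIG, encoding="utf-8")  # vendored, skipped
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']}")
```

Wire scan_tree into a pre-commit hook or a CI job and fail the build on any finding. The masked value is enough for a developer to locate the line, and the remediation is the same every time: rotate the key first, then scrub it from history, because the scanner only tells you the key is public, not who already copied it.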
Maverick WhatsApp Malware – New Maverick malware spreading via WhatsApp Web in Brazil hijacks browser sessions using .NET-based PowerShell loaders, disables UAC/Defender, and abuses Selenium/ChromeDriver for automation targeting retail and hospitality.
📱 MOBILE & ENDPOINT THREATS
Landfall Android Spyware – LANDFALL spyware exploited a Samsung image-parsing zero-day (CVE-2025-21042) delivered as malicious DNG images, likely over WhatsApp, with overlaps to the later-patched CVE-2025-21043. The zero-click campaign targets high-value individuals for surveillance.
macOS ClickFix Evolution – Mac users face new ClickFix attacks that mimic Cloudflare verification pages, complete with fake countdowns and step-by-step tutorials, tricking users into pasting commands into Terminal that drop infostealers such as SHAMOS and AMOS (Atomic macOS Stealer). Adversaries are “blending UX design with malware deployment.”
🌐 GEOPOLITICAL & REGULATORY DEVELOPMENTS
CMMC Enforcement Officially Begins – After years of preparation, CMMC is live and enforceable as of November 10th, when Phase 1 of the rollout took effect, affecting hundreds of thousands of defense contractors. Noncompliance means loss of contract eligibility, with no more extensions. Organizations must align with NIST SP 800-171/800-172 and prepare for third-party assessments.
Congress Extends Cyber Info-Sharing Law – Congress quietly extended the Cybersecurity Information Sharing Act of 2015 through January 30, 2026, keeping liability protections intact for public-private threat intelligence sharing amid the shutdown drama.
U.K. Introduces Sweeping Cyber Legislation – The U.K.’s new Cyber Security and Resilience Bill, introduced to Parliament this week, expands the definition of critical infrastructure to include MSPs/MSSPs and sets mandatory standards, rapid reporting rules, and turnover-based penalties, essentially mirroring and extending the EU’s NIS2 directive. James: “In the U.K., they never met a fine they didn’t like.”
EU Expands Biometric Surveillance – The European Parliament voted to expand data sharing and biometric collection under anti-trafficking/anti-smuggling pretenses, sparking civil liberty concerns.
James: “I love how Europe’s always going after civil liberties by saying, ‘Look, we just want to fight human trafficking and migrant smuggling.’ So you created a problem with your own laws in the EU parliament when you allowed unvetted migrants and gangs to come into your continent. Now you want to go after the civil liberties of your dual citizens to do just that.”
OpenAI Preservation Order – OpenAI received a court order in the NYT copyright lawsuit requiring retention of all ChatGPT output log data—even deleted data—raising significant privacy implications and potentially redefining how AI-generated data is classified.
New York “Junk Fee” Law – New York’s pricing transparency law takes effect, requiring total price disclosure at checkout for SaaS and e-commerce, with noncompliance resulting in fines.
Army Officer Eyes Cyber Command – Lt. Gen. Joshua Rudd (deputy commander of U.S. Indo-Pacific Command) has emerged as a contender to lead U.S. Cyber Command and NSA, bringing a military-geopolitical perspective that signals a harder Asia-focused cyber posture.
🏭 OPERATIONAL TECHNOLOGY (OT) SECURITY
ICS Vendor Security Advisories – Siemens (6 advisories including critical code execution in COMOS), Rockwell (5 advisories affecting Verve Asset Manager), Schneider (EcoStruxure Machine SCADA and Pro-Face Blue vulnerabilities), and AVEVA (HMI XSS bugs) all issued critical OT patches.
💼 MERGERS & ACQUISITIONS
Google’s $32B Wiz Acquisition Cleared – DOJ approved Google’s $32B acquisition of Wiz, one of the largest cybersecurity deals in history, expected to close early 2026. Wiz CEO called it “the next step in securing the cloud’s foundation”—a defining moment for cybersecurity as business driver, not just risk domain.
✅ YOUR COMPREHENSIVE ACTION LIST
IMMEDIATE PRIORITY:
🧩 Oracle EBS CRITICAL – Patch CVE-2025-61882 & CVE-2025-61884; rotate credentials and API keys; review SSO/SAML trust relationships
🧱 Cisco ASA/FTD – Patch CVE-2025-20362/20333; decommission EOL ASAs; restrict management by geography
💾 Citrix NetScaler – Update to 14.1-56.73 or 13.1-60.32; hunt for DES-encrypted traffic and web shells
🧩 Microsoft Zero-Day – Patch CVE-2025-62215; force reboots; hunt for token manipulation
🏢 SAP Critical – Apply November notes; REMOVE SQL Anywhere Monitor; rotate service credentials
🚨 Gladinet Triofox – Patch CVE-2025-12480; audit admin accounts; remove EOL versions
🧱 QNAP – Update all firmware; restrict admin UI to VPN; rotate credentials
HIGH PRIORITY (This Week):
🎨 Adobe Suite – Patch 29 vulnerabilities across Creative Suite products
🧬 JavaScript Libraries – Scan SBOMs for expr-eval; move to expr-eval-fork v3.0.0
🖥️ Hardware Vendors – Apply Intel, AMD, NVIDIA, Zoom updates; prioritize driver/firmware patches
🌐 Firefox – Roll out Firefox 145 with anti-fingerprinting improvements
🏭 OT Systems – Apply Siemens, Rockwell, Schneider, AVEVA patches; isolate from internet
BACKUP & RECOVERY:
🔐 Segment backups – Make immutable and out of bounds from production
💾 Test restore processes – Rehearse the recovery playbook end to end; Nevada’s 28-day restoration is the benchmark
🧱 Isolate OT networks – Use data diodes if integration unavoidable; test offline backups
IDENTITY & ACCESS:
🧑💻 Delete stale credentials immediately – Audit and remove all ex-employee accounts
📲 Enforce phishing-resistant MFA – FIDO2/app-based, not SMS
🔑 Rotate credentials – Especially on remote tools, RDP, and remote monitoring systems
👤 Monitor mailbox permissions – Enable conditional access for shared inboxes
MOBILE & ENDPOINT:
📱 Update Samsung/Android devices – Patch Landfall spyware vulnerabilities
🍎 Train on MacOS ClickFix – Educate users on fake verification pages and terminal commands
🔐 Block ChromeDriver – Restrict WhatsApp Web on corporate devices; monitor PowerShell IOCs
📲 Enforce MDM patch compliance – Restrict sideloading; monitor unauthorized messaging permissions
DEVELOPER SECURITY:
🧩 Audit VS Code extensions – Blocklist GlassWorm-infected extensions; enforce publisher provenance
🔐 Enable secret scanning – On all repos; rotate leaked keys immediately
🧑💻 Separate dev environments – Public vs. private with DLP on CI/CD pipelines
🔑 Rotate developer tokens – Shorten TTLs; monitor for Solana RPC beacons
COMPLIANCE & GOVERNANCE:
🧑⚖️ CMMC gap assessments – Defense contractors must build/update SSP and POA&M before contract deadlines
🇬🇧 Prepare for U.K. MSP compliance – Understand new mandatory standards and reporting rules
💳 Audit NY pricing transparency – SaaS/e-commerce must show total prices at checkout
🧒 Review privacy policies – Update under new surveillance directives; audit data broker compliance
THREAT HUNTING:
🕵️ Hunt for nation-state TTPs – Long dwell-time patterns, data exfiltration to APT infrastructure
🔐 Monitor for MSI execution – Especially signed with stolen certs (APT37)
📡 Watch for API abuse – Google Find My Device, legitimate cloud services used for covert ops
🧱 Review downstream exposure – If using backbone providers like Ribbon, assess compromise chains
VENDOR & THIRD-PARTY:
🏥 Audit healthcare vendors – Strengthen third-party breach response plans
🔐 Review SSO/SAML integrations – Especially Oracle EBS trust relationships
📊 Monitor Wiz acquisition – Assess impact on cloud vendor dependencies
🌍 Segregate from China-based infrastructure – Assume all networks monitored
OPERATIONAL:
📋 Block typosquat downloads – Enforce application control for installers
🧱 Restrict admin UI access – VPN-only for QNAP, SAP, Cisco, Citrix
🔒 Enable EDR on hypervisors – Defend against cross-platform ransomware like VanHelsing
📊 Update IOC blocklists – Maverick malware domains (zapgrand[.]com), ClickFix indicators
🧠 JAMES AZAR’S CISO TAKE
Tuesday of this week marked Veterans Day. I want to start by emphasizing something I said at the beginning of the show: there’s nothing greater in life than service. Nothing. When you do something for others, it’s more rewarding than doing anything for yourself. To all my fellow veterans in the cybersecurity community, and there are many of us, thank you for your continued service. You went from defending the nation to defending critical infrastructure, and that matters.
This week felt like the ultimate test of modern security maturity, from ransomware resilience to hygiene negligence to spyware weaponization. The pattern is crystal clear: complexity without discipline equals exposure. Nevada showed us that security isn’t just about patching code; it’s about patching habits. Old accounts, untested backups, unverified extensions: these are the cracks adversaries exploit. We keep underestimating operational risk. Everyone patches systems, but few patch processes.
CMMC, AI repos, ERP systems, OT networks: they all expose the same flaw, a lack of disciplined governance. Technology doesn’t fail us; negligence does. The good news? Every story this week had a recovery path. The bad news? Most came after impact. So as we salute our veterans today, remember that resilience is built the same way they built readiness: repetition, discipline, and preparation before the fight. Build resilience before the breach, not after.
Stay sharp, stay caffeinated, stay grateful, and as always—stay cyber safe, Security Gang!
Thanks for tuning in. We’ll be back Monday at 9 AM Eastern Live!