This Week in Cybersecurity #30
A landmark CISO win, SaaS & ERP ripple effects, and a week where edge, identity, and vendors kept biting back
Good Morning Security Gang,
I hope everyone enjoyed their Thanksgiving holiday yesterday and was able to take a deep breath and spend time with their loved ones. As we wrap up the week and head into December and the close of 2025, it’s hard to believe how fast this year has gone by.
Now, let’s get into this week’s headlines—coffee up, Security Gang!
Policy & Legal
SEC case against Tim Brown dismissed. Five years after SolarWinds, a federal judge dismissed the SEC’s case with prejudice—effectively killing a dangerous precedent that could’ve made CISOs personally liable for complex supply-chain attacks. Translation: boards should double down on good disclosure hygiene and risk governance, not witch-hunts. Expect this to influence D&O underwriting and how general counsel structures incident narratives.
UK software liability push. Parliament’s exploring vendor liability for insecure code—SBOMs, remediation SLAs, and “secure-by-default” could become procurement table stakes. It would push costs left (engineering, QA, coordinated disclosure) and raise barriers for small vendors. If you sell into the UK public sector/MSP space, start aligning contracts now.
Supply Chain & SaaS Exposure
Oracle EBS wave (Cox, Logitech, WaPo; Mazda disputes). The same EBS zero-days let Clop/FIN11 exfiltrate ERP data across finance/HR/procurement. ERP is business logic—hit it and you can stop payroll, poison vendor banking, or leak contracts. Even for firms disputing impact, assume partial access, rotate service accounts, and hunt for historical bulk exports.
Salesforce ↔ Gainsight. Salesforce pulled Gainsight after anomalous API pulls—classic SaaS-to-SaaS blast radius where “least privilege” dies in scopes and convenience. If your CRM is a hub, every connected app is a spoke; treat them like third-party data processors with explicit data-minimization rules and anomaly alerts.
SitusAMC mortgage leak. Loan packages are a one-stop KYC kit (SSNs, income, bank data). Expect synthetic identity, deed/title fraud, and “seller proceeds” redirection attempts for months. Banks should flag atypical power-of-attorney filings and accelerate out-of-band callbacks on wire changes.
OpenAI–Mixpanel analytics exposure. No secrets/keys, but enough identity metadata to sharpen spear-phish and session-hijack attempts against API admins. This is the “analytics exhaust” problem—telemetry that looks harmless until it’s aggregated. Inventory every analytics sink and set retention to minimum viable.
Comcast vendor breach → FCC fine. A debt collector you stopped using two years ago still had your customer data. That’s a lifecycle failure. Regulators are signaling: data deletion and vendor offboarding are enforceable controls, not boilerplate. Expect auditors to ask how you verify vendor disposal, not just whether your MSA requires it.
Nation-State & Geopolitics
China’s APT31 on Russian tech. “Allies” in public, data thieves in private. The group blended LOLBins with custom loaders and exfil via Yandex to blend with domestic traffic. If you rely on country-local clouds, you also inherit their cover noise—plan detections accordingly.
Ukraine offensive cyber. Wipers against Russian postal/administrative systems show cyber used to delegitimize occupation logistics (identity docs, pensions, parcel flows). For enterprises: wipers don’t monetize—they punish. Your recovery muscle (immutable backups, bare-metal restores) matters more than ransom playbooks.
Russian grievance ops vs U.S. engineering firm. Not defense primes—civic partnerships. That widens the aperture: any public stance becomes targetable. Gate external sharing, tag sensitive mailboxes, and monitor mailbox search/export events around geopolitical flashpoints.
Researcher jailed in Russia. Responsible disclosure reframed as “treason.” Signal to local defenders: don’t expect safe channels. For multinationals operating there, assume chilling effects on vulnerability reporting and slower patch velocity.
Public Sector & Critical Services
Emergency alerts (CodeRED). Single-vendor failure created “dead zones.” Even a clean forensic bill doesn’t fix the trust debt with citizens. Agencies need multi-path alerting (cell broadcast + radio + social + sirens), plus rehearsed manual fallbacks when SaaS is down.
Local law-enforcement outages. Evidence rooms, e-filing, RMS/CAD—when they go dark, justice timelines slip and chain-of-custody gets messy. Departments should pre-print paper forms, validate offline entry paths, and time a full restore drill end-to-end (not just “we have backups”).
Enterprise & Consumer Breaches
Iberia loyalty breach. Loyalty IDs convert to cash-like assets (upgrades, vouchers). Attackers resell points, social-engineer phone agents, or pivot to SSO if identities overlap. Force step-up auth for account changes and flag high-velocity point transfers.
Ivy League donor databases (Harvard/Dartmouth/Princeton). Alumni CRMs are whale-hunting lists with context (giving history, relationships). Expect polished “pledge adjustment” scams and fake invoice lures tied to real events. Treat advancement systems as financial systems: RBAC, export approvals, and alerting.
DoorDash customer data. Not catastrophic alone, but perfect for refund fraud and account-recovery ATOs—especially where users reuse emails. Enterprises should tune heuristics for “refund + new device + new IP” chains.
Asahi ransomware. Classic OT/IT coupling story: breweries run plants on thin margins; downtime cascades into logistics and shelf space. Isolation between MES/SCADA and corporate IT determines whether you’re back in days or bleeding for weeks.
Identity, Cloud & Edge Vulns
Oracle Identity Manager RCE. If your identity tier is compromised, every “privileged access” control above it is theater. Patch, rotate break-glass creds, and compare admin object counts pre/post.
Azure Bastion input validation. Bastion centralizes jump access—great… until it isn’t. Enforce Conditional Access + device health, require session recording, and mine command logs for abuse.
Grafana SCIM mapping flaw. SCIM can mint admins if identifiers map loosely. After patching, attest SCIM mappings and enumerate admin grants created via provisioning in the last 90 days.
SonicWall patches. Email security appliances and perimeter firewalls are frequent initial access—widely deployed, often lagging patches. Remove public mgmt, enforce MFA on mgmt plane, and snapshot configs to detect drift.
WhatsApp enumeration. Even “metadata only” creates a targetable directory. If WhatsApp is used in field ops/sales, move sensitive comms to managed channels and enforce contact-discovery limits on corporate devices.
Commercial spyware via messengers. Zero/one-clicks plus BYOD equals easy wins for states and mercenaries. Deploy MTD with network protection, disable sideloading, and separate “exec travel” devices with constrained profiles.
Developer & OSS Supply Chain
Shai Hulud on npm. Self-spreading packages poisoning CI, exfiltrating PATs and secrets. This is why you pin versions, use private mirrors, and block new publishers by policy until vetted. Rotate secrets that ever touched affected builders.
Blender/StealC. Booby-trapped .blend executes Python on open—great example of “document as code.” Disable auto-exec scripts, open untrusted assets in detached sandboxes/containers, and separate creative workstations from corp SSO.
W3 Total Cache RCE. One of the most popular WordPress plugins; PoC means botnets will spray exploit payloads at scale. Patch or disable, add WAF rules for command-injection patterns, and audit for rogue admin users.
Fluent Bit flaws. Observability ≠ harmless. Compromised collectors can poison telemetry, hide real incidents, or pivot inside clusters. Patch, least-priv containers, isolate networks, and sign configs.
Fraud & Crime
$262M bank-impersonation fraud. Social engineering plus remote-assist tools and “move money to a safe account.” Train staff and families: banks don’t ask you to transfer funds. Institutions should clamp down on recovery flows that can be coached over the phone.
Operation Endgame takedowns. Infra seizures for RATs/stealers raise adversary costs and shrink “commodity” access markets—for a while. Expect rebrands and new C2s; use the window to purge old implants and close common ingress paths.
Do-Now Checklist
Patch/Rotate: Oracle EBS & OIM, SonicWall, Grafana 12.x, Azure Bastion, W3 Total Cache, Fluent Bit (then rotate tokens/keys tied to each).
SaaS Sprawl: In Salesforce, revoke stale OAuth apps, reduce scopes, and alert on mass exports/API spikes.
Donor/Advancement: Enforce MFA/RBAC, require approvals for data exports, and stage donor-focused phishing drills.
Emergency/Justice: Add redundant alert channels; rehearse manual comms and offline chain-of-custody.
Edge/Admin Plane: Remove internet-exposed mgmt, IP-allowlist, and snapshot configs to catch drift/EoL devices.
DevSecOps: Use private mirrors, pin versions, auto-quarantine new npm publishers; rotate CI secrets.
Mobile/Spyware: Enforce MTD, block sideloading, and separate “exec travel” devices.
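The Salesforce ↔ Gainsight item and the SaaS Sprawl checklist line both come down to one control: alert when a connected app suddenly pulls far more rows than it normally does. The following is an added example (not the newsletter’s code or any vendor’s API) that runs that heuristic over constructed, simplified API event lines; the CSV field layout, app names and thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample API events in an assumed "ts,app,user,op,rows" shape.
# SupportPortal behaves normally for four hours, then bulk-pulls at 13:00.
SAMPLE_LOG = """\
2025-11-24T09:05:00,SupportPortal,svc-support,query,500
2025-11-24T10:12:00,SupportPortal,svc-support,query,480
2025-11-24T11:07:00,SupportPortal,svc-support,query,520
2025-11-24T12:15:00,SupportPortal,svc-support,query,510
2025-11-24T13:03:00,SupportPortal,svc-support,query,60000
2025-11-24T13:41:00,SupportPortal,svc-support,query,65000
2025-11-24T09:30:00,FinanceSync,svc-fin,query,2000
2025-11-24T10:30:00,FinanceSync,svc-fin,query,2100
2025-11-24T11:30:00,FinanceSync,svc-fin,query,1900
2025-11-24T12:30:00,FinanceSync,svc-fin,query,2050
"""

def parse_log(text):
    """Parse the constructed CSV lines into (timestamp, app, user, op, rows)."""
    events = []
    for line in text.strip().splitlines():
        ts, app, user, op, rows = line.split(",")
        events.append((datetime.fromisoformat(ts), app, user, op, int(rows)))
    return events

def hourly_rows(events):
    """Sum rows returned per (connected app, hour bucket)."""
    totals = defaultdict(int)
    for ts, app, _user, _op, rows in events:
        totals[(app, ts.replace(minute=0, second=0, microsecond=0))] += rows
    return totals

def detect_spikes(events, multiplier=10, floor_rows=10000):
    """Flag an app-hour whose volume exceeds multiplier x that app's median
    hourly volume AND an absolute floor (the floor keeps tiny apps quiet)."""
    per_app = defaultdict(list)
    for (app, start), rows in hourly_rows(events).items():
        per_app[app].append((start, rows))
    alerts = []
    for app, buckets in per_app.items():
        baseline = statistics.median(rows for _, rows in buckets)
        for start, rows in buckets:
            if rows >= floor_rows and rows > multiplier * baseline:
                alerts.append((app, start.isoformat(), rows, baseline))
    return sorted(alerts)
```

In production the baseline would come from weeks of history per app rather than the same day, but the shape of the check (per-app median, absolute floor, hourly buckets) is what matters.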
James Azar’s CISO’s Take
Accountability belongs in governance, not in scapegoating. The dismissal of the case against Tim Brown closes a bad chapter; now we owe the business better fundamentals—short-lived creds, smaller blast radii, observable data flows, and rehearsed restores. “Resilience isn’t built in the cloud or on-prem; it’s built in preparation.”
The other throughline: dependencies are destiny. A CRM plug-in, an ERP zero-day, a “retired” vendor, an analytics sink—none look dangerous in isolation, but together they define your breach path. Shrink trust boundaries, instrument the crown jewels, and make recovery a muscle, not a memo.
This week proved that justice can prevail and that loyalty matters. But it also reminded us that vendor risk is the Achilles’ heel of even the strongest security programs. Stay vigilant, Security Gang.
Stay cyber safe!
We’ll be back Monday at 9 AM Eastern Live
The Tim Brown dismissal is huge for the industry, finally some sanity on CISO liability. That Oracle EBS wave hitting finance/HR/procurement is exactly the kind of attack that can paralyze an org even if no ransom is paid. Your point about dependencies being destiny really resonates, especially the SitusAMC case where a retired vendor still had active data.