This Week in Cybersecurity #32
China Pre-Positions for Infrastructure Disruption, Russia Weaponizes Ukraine Lessons, and React2Shell Becomes the New Log4j - Welcome to 2026
Good morning, Security Gang!
This week fundamentally changed how we must think about modern cyber threats. We’re no longer dealing primarily with loud, smash-and-grab ransomware attacks or opportunistic credential stuffing. Instead, we’re witnessing a methodical, patient, and terrifyingly sophisticated campaign of long-term persistent positioning by nation-states who are playing a multi-year game while most defenders are still focused on quarterly patch cycles.
The U.S. government issued joint warnings confirming that China’s Warp Panda has been quietly embedding itself inside critical infrastructure networks—energy, water, transportation—using living-off-the-land techniques and custom BrickStorm malware that masquerades as legitimate VMware processes.
Meanwhile, Russia has taken everything it learned from three years of hybrid warfare against Ukraine and is now actively targeting Western critical infrastructure, already causing physical operational damage through minimally secured vendor VPNs.
As James warned: “What scares me the most is what the Russians learned in cyber warfare against Ukraine over the last three years, and when that gun no longer points at Ukraine and points to the rest of the world.”
On the vulnerability front, React2Shell is now being actively exploited in the wild just days after disclosure—becoming this quarter’s Log4j moment for the entire front-end ecosystem—while ransomware payments have blown past $4.5 billion in the past 12 months, making cybercrime the world’s fourth-largest economy.
This isn’t just another busy week—it’s a preview of 2026’s threat landscape, where patience beats speed, persistence beats disruption, and supply chain blindness remains our greatest vulnerability.
Let’s break down the strategic implications. Coffee ready, Security Gang, because the war just went long.
🎯 NATION-STATE THREATS & CRITICAL INFRASTRUCTURE
U.S. Warns of Chinese Long-Term Persistent Malware in Critical Infrastructure
The U.S. Department of Justice and CISA issued a joint advisory confirming that Chinese state-linked threat actors—specifically Warp Panda—are maintaining long-term, low-noise persistence inside critical infrastructure networks across the United States. This isn’t reconnaissance or data theft—this is pre-positioning for disruption.
Investigators say Warp Panda is leveraging living-off-the-land techniques and targeting VMware vCenter servers, using legitimate credentials and known vulnerabilities to move laterally. The group’s custom malware, BrickStorm, masquerades as a vCenter process and tunnels data between hosts using SFTP, making detection extraordinarily difficult without deep behavioral analysis.
The Strategic Implications
This isn’t just espionage—it’s warfighting preparation. By embedding themselves inside energy grids, water treatment facilities, and transportation systems, Chinese actors are building the capability to disrupt critical services at a time of their choosing—potentially as leverage during geopolitical crises or conflicts over Taiwan.
James’s assessment was chilling: “Persistence is the new payload — China’s playing chess while most defenders are still chasing pawns.”
Defense Guidance for Critical Infrastructure:
Patch and isolate edge systems and management consoles immediately
Remove public IP exposure for administrative panels—use VPN + MFA only
Hunt for indicators: new local admin accounts, suspicious scheduled tasks, odd authentication on dormant accounts
Build isolation playbooks for critical facilities—assume compromise and practice air-gapping
Deploy EDR on all hypervisors and monitor for process masquerading
If you’re running VMware or OT environments, this is your wake-up call: segmentation isn’t optional anymore, and quiet persistence is the new exploitation strategy.
DOJ and CISA Warn of Russia Targeting U.S. Critical Infrastructure
In a parallel advisory, the DOJ and CISA confirmed that Russia-linked threat groups are actively targeting critical infrastructure sectors—including energy, water, transportation, and healthcare—using valid account exploitation and living-off-the-land techniques.
The alert attributes activity to Russia’s Cyber Army of Russia, NoName057(16), and affiliated APTs that have been quietly probing networks since 2022. In some cases, attacks resulted in physical damage at operational sites, primarily through minimally secured vendor VPNs and VNC connections.
James’s warning was stark: “What scares me the most is what the Russians learned in cyber warfare against Ukraine over the last three years, and when that gun no longer points at Ukraine and points to the rest of the world.”
Russia’s Ukraine-Tested Playbook
What makes this terrifying is that Russia spent three years perfecting hybrid warfare tactics against Ukraine’s infrastructure—disabling power grids, disrupting water systems, and crippling transportation networks. Now those same capabilities, refined through real-world testing, are being deployed against Western targets. This isn’t theoretical—it’s operational.
CISA’s Mitigation Guidance:
Enforce MFA on all remote access, including vendor jump hosts
Segregate IT and OT networks with firewalls and data diodes
Deploy monitoring for after-hours admin activity and unauthorized new accounts
Hunt for persistence: look for webshells, unauthorized scheduled tasks, and lateral movement tools
Test incident response specifically for OT/ICS environments where standard IR playbooks don’t apply
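The hunting items in both lists above (new local admin accounts, suspicious scheduled tasks, logons to dormant accounts, after-hours admin activity) are easy to say and fiddly to operationalize. The following is an added example, not code from the advisories or from this newsletter: a small Python hunt that runs those four checks over Windows-Security-style events. The JSON event shape, the host and account names, the dormancy baseline and the allowlist of change-management identities are all constructed assumptions; swap in your SIEM export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a Windows-Security-event-like JSON shape, one event per line.
# Hosts, accounts and timestamps are invented for this example.
SAMPLE_EVENTS = r"""
{"ts":"2025-12-09T02:13:00","event_id":4720,"host":"vcenter-mgmt01","subject":"svc_backup","target":"support_tmp"}
{"ts":"2025-12-09T02:14:10","event_id":4732,"host":"vcenter-mgmt01","subject":"svc_backup","target":"support_tmp","group":"Administrators"}
{"ts":"2025-12-09T02:20:45","event_id":4698,"host":"vcenter-mgmt01","subject":"support_tmp","task":"\\Microsoft\\Windows\\Updater\\SyncTask"}
{"ts":"2025-12-09T03:02:00","event_id":4624,"host":"esxi-jump02","subject":"-","target":"old_contractor","logon_type":10}
{"ts":"2025-12-09T10:15:00","event_id":4624,"host":"esxi-jump02","subject":"-","target":"jsmith","logon_type":10}
"""

# Assumed baseline: last successful logon per account, as exported from the directory (constructed).
BASELINE_LAST_LOGON = {
    "old_contractor": "2025-06-01T09:00:00",
    "jsmith": "2025-12-08T17:40:00",
    "svc_backup": "2025-12-08T23:00:00",
}

# Assumed allowlist of change-management identities permitted to create scheduled tasks.
TASK_APPROVED_CREATORS = {"svc_patchmgmt"}


def is_after_hours(ts: datetime) -> bool:
    """Outside the assumed 06:00-22:00 operations window."""
    return ts.hour >= 22 or ts.hour < 6


def hunt(events_text: str, last_logon: dict, dormant_days: int = 90) -> list:
    """Return one finding per event that matches a persistence indicator."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        eid = ev["event_id"]
        rule = None
        if eid == 4720:  # local account created
            rule = "new_local_account"
        elif eid == 4732 and ev.get("group") == "Administrators":  # added to local admins
            rule = "new_local_admin"
        elif eid == 4698 and ev["subject"] not in TASK_APPROVED_CREATORS:  # task by non-approved identity
            rule = "unapproved_scheduled_task"
        elif eid == 4624:  # logon; compare against the dormancy baseline
            last = last_logon.get(ev["target"])
            if last and ts - datetime.fromisoformat(last) > timedelta(days=dormant_days):
                rule = "dormant_account_logon"
        if rule:
            findings.append({
                "rule": rule,
                "host": ev["host"],
                "account": ev.get("target") or ev["subject"],
                "ts": ev["ts"],
                "after_hours": is_after_hours(ts),  # enrichment, not a separate alert
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, BASELINE_LAST_LOGON):
        print(finding)
```

The after-hours check is attached to each finding as an enrichment field rather than raised as its own alert, so a 02:00 account creation followed by an admin-group add and a scheduled task shows up as a cluster of three correlated findings instead of six noisy ones. The dormant-account rule is the one most worth keeping even on Linux-based vCenter appliances: the advisory's point is valid credentials on accounts nobody is watching.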
As James noted about blue-collar critical infrastructure jobs: “When you work in tech or banking, getting home safe is just taken for granted. When you’re doing these blue-collar jobs, the number one concern is always safety. Are my guys going home in the same shape they came into work for? It’s a bad day when they’re not.” When nation-states can cause physical damage remotely, worker safety becomes a cybersecurity responsibility.
Russian Hacker Extradited to U.S.
The DOJ charged Viktoria Dubrovnik, a 33-year-old technical operator for NoName057(16) and Cyber Army of Russia, with providing infrastructure and coordination support for attacks on U.S. and European water systems. She faces up to 32 years in prison after extradition from a European ally.
This case confirms what the advisory hinted at: Russian “hacktivism” is state-managed, not freelance chaos. These groups operate with government coordination, funding, and strategic direction.
🔥 CRITICAL VULNERABILITIES & ZERO-DAYS
React2Shell Vulnerability Impacts React and Next.js Applications
Developers are racing to patch a critical code injection vulnerability in React and Next.js server components, known as React2Shell. The flaw allows attackers to inject arbitrary JavaScript into user sessions, opening paths for account takeover, data exfiltration, and supply chain compromise.
Just Days Later: React2Shell Exploitation Surges Across the Web
Within 24 hours of disclosure, React2Shell attacks spiked in the wild. Researchers are seeing real-world exploitation chains starting with client-side injection, DOM-based XSS, or prototype pollution, escalating to server-side command execution via misconfigured SSR templating or debug endpoints.
The result? Customer data exfiltration, admin session hijacking, and CI/CD token theft from developer consoles. Even analytics snippets can be entry points for these compromises.
This is shaping up to be this quarter’s Log4j moment for front-end ecosystems—except it’s cross-layer and harder to detect because the vulnerability exists at the intersection of client-side rendering and server-side execution.
Immediate Mitigation Steps:
Update React and Next.js to patched versions immediately
Kill dangerous DOM sinks: disable dangerouslySetInnerHTML
Enforce CSP headers with strict script source restrictions
Enable React Strict Mode and dependency auditing
Pin framework versions and remove debug routes from production
Add WAF rules to block known React2Shell payloads
Implement step-up MFA for admin actions
Even Cloudflare reportedly faced cascading outages after deploying emergency React2Shell mitigations, illustrating just how disruptive this vulnerability is when widespread dependencies collide.
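"Enforce CSP headers with strict script source restrictions" is the mitigation most teams get subtly wrong: a policy that still carries 'unsafe-inline' or a wildcard source does nothing against injected script. Below is an added example (not from the React or Next.js projects, and not from this newsletter) in Python: a builder for a nonce-based strict policy and a small linter that flags the weaknesses an audit should catch. The directive names are standard CSP; the specific values chosen for the strict policy are this example's assumptions.

```python
import secrets


def new_nonce() -> str:
    """Fresh per-response nonce; must never be reused across responses."""
    return secrets.token_urlsafe(16)


def build_strict_csp(nonce: str) -> str:
    """Strict policy: only same-origin and nonce-tagged scripts may run (assumed values)."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        "form-action 'self'",
    ])


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source tokens]}."""
    directives = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(header: str) -> list:
    """Return human-readable findings; an empty list means the policy passed every check."""
    d = parse_csp(header)
    issues = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        issues.append("no script-src or default-src: any inline or remote script may run")
    else:
        has_nonce_or_hash = any(
            t.startswith("'nonce-") or t.startswith(("'sha256-", "'sha384-", "'sha512-"))
            for t in script
        )
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            issues.append("script-src permits 'unsafe-inline' with no nonce or hash: injected inline script executes")
        if "'unsafe-eval'" in script:
            issues.append("script-src permits 'unsafe-eval'")
        for t in script:
            if "*" in t or (t.endswith(":") and not t.startswith("'")):  # wildcard host or bare scheme
                issues.append(f"script-src allows broad source {t}")
    if d.get("object-src", d.get("default-src")) != ["'none'"]:
        issues.append("object-src is not 'none': plugin content can be loaded")
    if "base-uri" not in d:
        issues.append("base-uri missing: injected <base> can redirect relative script URLs")
    if "frame-ancestors" not in d:
        issues.append("frame-ancestors missing: page can be framed")
    return issues


# Constructed weak policy of the kind often found on older Next.js deployments.
WEAK_CSP = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"

if __name__ == "__main__":
    for issue in audit_csp(WEAK_CSP):
        print("WEAK:", issue)
    print("STRICT:", audit_csp(build_strict_csp(new_nonce())) or "no findings")
```

Two design notes: the nonce must be generated per response and threaded into every legitimate `<script>` tag the framework emits (Next.js supports this through its middleware and `next/script`), and once 'strict-dynamic' is present, CSP3 browsers ignore host allowlists, so a policy that mixes it with a long CDN list is not doing what its author thinks.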
Microsoft Fixes 57 Flaws and 3 Actively Exploited Zero-Days
Microsoft’s December Patch Tuesday dropped fixes for 57 vulnerabilities—including three actively exploited zero-days affecting Windows, Office, Edge, and Chromium components.
The Most Critical:
CVE-2025-62221: Use-after-free flaw in Windows Cloud Files Mini Filter Driver (7.8 CVSS) being exploited for privilege escalation after initial phishing or web delivery
CVE-2025-64671: Remote code execution in Copilot for JetBrains via command injection
CVE-2025-54100: PowerShell injection risk leading to post-compromise persistence
This patch cycle is all about post-exploitation risk management. Attackers are using these flaws not for initial access, but for privilege escalation and lateral movement after gaining a foothold.
Priority Actions:
Patch zero-day KBs immediately
Enable Attack Surface Reduction (ASR) rules
Monitor for token manipulation and new local admin creation in patch windows
Treat help desk and jump hosts like tier-zero assets—attackers target them first
SAP Patches 3 Critical Vulnerabilities (CVSS 9.6)
SAP’s December security release includes three critical vulnerabilities with CVSS scores as high as 9.6:
CVE-2025-55754 (9.6): Remote code execution in SAP Commerce Cloud
CVE-2025-42928 (9.1): Deserialization flaw in SAP JConnect exposing backend services
These vulnerabilities pose major risks to ERP and financial systems—exploitation could trigger compliance violations and enable fraud at scale.
In plain English: Your SAP isn’t just accounting—it’s your business’s financial bloodstream. Patch it like your paycheck depends on it.
Immediate Steps:
Apply all SAP hotfixes; restrict management endpoints by IP
Enable EDR visibility on app servers
Monitor for RFC anomalies, job tampering, and mass data exports
Test failover and backup restoration for SAP systems
Adobe Patches 140 Vulnerabilities Across Creative Suite
Adobe released fixes for over 140 vulnerabilities spanning Acrobat Reader, Premiere, After Effects, Substance tools, and Experience Cloud. Several were critical code execution bugs.
While Adobe exploits rarely start attacks, they’re often the pivot point for lateral movement. A malicious PDF or plugin update can compromise creative teams and marketing systems tied to sensitive data.
The good news? Adobe patches are relatively easy to deploy—roll out Creative Cloud updates enterprise-wide and verify version compliance.
Fortinet FortiCloud SSO Authentication Bypass
Fortinet issued an emergency warning for a FortiCloud SSO authentication bypass that could allow attackers to hijack tenant environments and alter security configurations. The issue lies in improper cryptographic signature validation in FortiCloud’s SAML implementation.
Result: Complete tenant takeover.
If you can’t patch immediately:
Disable FortiCloud SSO login via CLI
Enforce phishing-resistant MFA (FIDO2 keys)
Hunt for unexpected new admin accounts and API tokens
This is being actively tested in the wild. If you use FortiManager or FortiGate with cloud linkage, isolate those tenants immediately.
Ivanti EPM Remote Code Execution (Again)
Here we go again—Ivanti is back with another critical flaw. A new vulnerability in Ivanti Endpoint Manager (EPM) allows remote unauthenticated attackers to execute JavaScript code on management servers.
Identified as CVE-2025-10573, this XSS vector requires minimal user interaction and can result in credential theft, script injection, and estate-wide compromise. Rapid7 notes the exploit is trivial to execute.
Mitigation:
Restrict console access to corporate networks or VPN only
Rotate service credentials
Review recent software distribution jobs for rogue scripts
As James said: “If ‘Ivanti’ sounds familiar, it’s because they’re patched so often it’s practically a monthly segment.”
Chrome Zero-Days Under Active Exploitation
Google rolled out an emergency update to patch two Chrome zero-days under active exploitation:
CVE-2025-14372: Use-after-free flaw in Chrome’s password manager
CVE-2025-14373: Toolbar implementation bug
Both vulnerabilities allow arbitrary code execution and memory corruption. Users should immediately upgrade to Chrome version 143.0.7499.109 or later across all platforms.
Intel & AMD PCIe Vulnerabilities Expose Memory Paths
Newly disclosed PCI Express (PCIe) DMA flaws affecting Intel and AMD chipsets could allow attackers with physical or firmware-level access to read or modify system memory, potentially breaching hypervisors and high-value servers.
Vulnerabilities:
CVE-2025-90612
CVE-2025-90613
CVE-2025-90614
These are particularly dangerous in build labs and developer environments where physical security may be relaxed.
Mitigation:
Enable IOMMU/VTD/SMMU in BIOS and OS settings
Disable Thunderbolt or external PCIe ports in secure facilities
Enforce kernel DMA protection and approved device lists
These flaws highlight that hardware exploitation remains a blind spot in most enterprise risk models, especially when threat actors operate below the OS layer.
Apache Tika Critical XXE Vulnerability
Apache Tika, a library used for file indexing and content extraction, has a critical XML External Entity (XXE) injection flaw enabling Server-Side Request Forgery (SSRF) and file disclosure.
Attackers can extract internal credentials, system metadata, and network details simply by uploading malicious documents for parsing.
To Mitigate:
Upgrade to the latest Tika release
Disable XXE processing in parser configurations
Run Tika in sandboxed containers with no egress access
Restrict file parsing to read-only temp directories
Monitor for outbound calls from Tika pods and hosts
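"Disable XXE processing in parser configurations" means one concrete thing: the parser must refuse to process a DTD, because the DOCTYPE is where external entities get declared. The following added example (Python, not Tika's Java code and not from this newsletter) shows a fail-closed pre-parse guard built on the standard library's expat binding; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Untrusted XML carried a DOCTYPE; DTDs are how external entities (XXE) get declared."""


def reject_dtd(data: bytes) -> None:
    """Pre-parse pass: raise on any DOCTYPE and refuse external entity fetches."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} not accepted in untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    # Returning 0 makes expat treat any external entity reference as a fatal parse error.
    # Unreachable once DOCTYPE is refused; kept as a second layer.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Only documents that pass the DTD guard reach the real parser."""
    reject_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without a DTD; malformed XML still raises."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXml:
        return False


# Constructed samples: a benign document and the DTD-carrying shape a hardened parser must refuse.
SAFE_SAMPLE = b"<doc><title>Quarterly report</title></doc>"
DTD_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///dev/null">]><doc>&ext;</doc>'

if __name__ == "__main__":
    print("safe sample accepted:", is_safe_xml(SAFE_SAMPLE))
    print("DTD sample accepted:", is_safe_xml(DTD_SAMPLE))
```

In Java-based parsers of the kind Tika wraps, the equivalent switch is the SAX feature `http://apache.org/xml/features/disallow-doctype-decl` set to true; pair it with the container-level controls above (no egress, read-only scratch space) so that even a parser you forgot to configure cannot reach anything useful.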
Siemens, Schneider, Rockwell OT Patches
In a critical OT update wave, Siemens, Schneider Electric, Rockwell Automation, and Phoenix Contact all released patches addressing authentication bypass, RCE, and DoS vulnerabilities across PLCs, HMIs, and engineering tools.
Siemens: 14 advisories, three rated critical
Schneider: Fixes affecting EcoStruxure Foxboro DCS products
Rockwell: DoS flaws in GuardLink Ethernet IP interfaces
Organizations running industrial environments must patch immediately or isolate vulnerable devices behind segmented firewalls with no internet-facing access.
💰 RANSOMWARE & FINANCIAL CRIMES
Ransomware Payments Surpass $4.5 Billion
According to a new U.S. Treasury report, ransomware payments have exceeded $4.5 billion in the past 12 months—reversing the supposed decline narrative.
This isn’t just another statistic—it’s a warning that the cybercrime economy has become the world’s fourth-largest economy, rivaling Japan in scale. That’s $4.5 billion that could have funded jobs, innovation, or shareholder returns—instead funneling into criminal networks that operate with impunity.
James put it bluntly: “I said it last week when I was at an event with the great Kevin Mandia and the legendary Tom Noonan – cybercrime is a $6 trillion a year business, and that number is unsustainable. That’s the fourth-largest economy in the world.”
Board-Level Question:
“If security spending is up, why are losses still rising?” That’s a fair question. Security budgets continue to climb, but attack surfaces are growing faster than defenses.
Strategic Actions:
Review cyber insurance policies—retention limits and exclusions are tightening rapidly
Prioritize patching and MFA across all remote access points
Enforce least privilege for service accounts; disable NTLM
Maintain immutable backups and run time-to-restore drills regularly
Pre-negotiate IR retainers and outside counsel before incidents happen
This is the financial reality of our profession—and if we don’t address it strategically, regulators and insurers will do it for us.
LockBit 5.0 Infrastructure Exposed
In a major blow to the ransomware ecosystem, researchers have mapped and burned portions of LockBit 5.0’s infrastructure, including gateway panels and mirrors. This disrupts one of the most prolific ransomware-as-a-service operations to date.
However, expect rebrands, copycats, and successor variants to emerge quickly. The exposure gives us breathing room—but don’t mistake it for a knockout punch.
Defenders Should:
Block known LockBit IOCs and infrastructure as published
Prioritize EDR detections on LOLBins and SMB signing
Focus on controls that persist across rebrands, not just single threat names
Threat Actors Hide EDR Killers Behind New Packer
Ransomware affiliates are now using a custom Shana.exe packer to hide EDR killers and obfuscate behavior. The packer throttles API calls, blinds heuristic sensors, and drops kernel-level drivers to terminate endpoint agents.
Traditional EDRs don’t stand a chance when payloads are wrapped like this. The new standard should be defense in depth at the endpoint, not “set it and forget it” EDR.
James warned: “Defense in depth isn’t just a slogan; it’s your only hope when EDR dies first.”
That Means:
Block unsigned drivers and enable kernel-mode code integrity
Detect service tampering and mass stop events for security services
Use application control policies allowing only signed installers
Alert on child processes spawned from archive managers
James’s Pro Tip: Layer your tools. If you’re using Defender, complement it with CrowdStrike or SentinelOne, then top it with something kernel-level like Mimic. Single-point EDRs are becoming single points of failure.
Storm-0249 Ransomware Campaign Evolves
Microsoft’s threat intel team is tracking Storm-0249, a ransomware actor now expanding into edge device exploits, DLL side-loading, and PowerShell payloads. The group is targeting manufacturing and service organizations, blending phishing with living-off-the-land techniques.
Defenders Should:
Block unsigned PowerShell scripts
Monitor edge device configurations
Update detections for ClickFix and side-loading activity
Ransomware groups are evolving faster than patch cycles—and 2026 looks poised to be the year of hybrid extortion.
Android “DroidLock” Ransomware Locks BYOD Devices
New Android ransomware dubbed DroidLock is spreading through SMS phishing and sideloaded APKs, locking devices and demanding ransom. Once installed, it abuses accessibility and admin permissions to reset PINs and biometrics, then displays a ransom screen via webview overlays.
Victims are threatened with permanent data destruction within 24 hours if they refuse to pay.
Mobile Device Admins Should:
Disable sideloading and enforce managed app stores
Deploy mobile threat defense (MTD)
Mandate remote wipe policies for BYOD fleets
BYOD just became a ransomware risk vector.
California Man Pleads Guilty in $263M Crypto Theft Case
A 22-year-old California man pled guilty to RICO conspiracy after laundering over $263 million in stolen cryptocurrency through social engineering schemes. The group targeted wealthy crypto holders, socially engineered wallet access, and even broke into victims’ homes to steal devices.
This case proves crypto crime isn’t just digital—it’s increasingly physical.
🤖 AI SECURITY & EMERGING THREATS
Researchers Uncover 30 Flaws in AI Assistants and Agents
A cross-vendor study found over 30 vulnerabilities across AI assistants, agentic systems, and LLM plug-ins, including prompt injection, over-privileged bindings, and command execution flaws.
Attackers could manipulate these AI agents to exfiltrate files, send emails, or execute commands by embedding malicious prompts into legitimate workflows. For example, a poisoned document or ticket comment could turn an agent into a data-exfiltration bot.
Best Practices:
Treat agents like production applications—use least privilege and short-lived tokens
Fuzz-test AI agents before production deployment
Audit all actions taken by AI systems
Implement step-up verification for destructive tasks
AI security is quickly moving from “research topic” to enterprise exposure—and this report proves why governance must catch up to innovation.
Google Fixes Gemini Enterprise Data Leak
Google patched a Gemini Enterprise vulnerability that leaked sensitive prompt and output data between tenants. Attackers could use indirect prompt injection to instruct Gemini to collect all files containing keywords like “confidential” or “API key.”
Admins Should:
Disable sending PII in prompts
Limit model access to approved groups
Enforce short-lived tokens and monitor bulk AI export requests
As James said: “AI governance isn’t optional anymore—it’s the new endpoint management.”
Zero-Click Browser Attacks Target AI Automation Platforms
Researchers uncovered a zero-click browser exploit affecting Perplexity’s Comet browser, which automates AI interactions. The attack allows adversaries to execute commands or harvest data without user clicks, leveraging auto-follow workflows and headless automation.
If your organization uses automated browsers or AI testing pipelines:
Sandbox these tools
Disable cookie reuse
Require human validation for sensitive tasks like file deletion or transfer
The automation convenience that powers AI workflows also creates a new class of high-speed, high-impact vulnerabilities.
Google Hardens Chrome’s Gemini AI
Google is tightening Chrome’s AI guardrails to block prompt injection attacks that abuse browser-integrated AI assistants. Chrome’s Gemini AI now uses stricter origin isolation and refuses cross-domain reads triggered by malicious sites.
Organizations Should:
Enable Chrome AI security policies enterprise-wide
Restrict which extensions and origins can access AI features
Log all AI agent exports for compliance and auditing
Google’s move reflects a growing recognition: AI security is browser security now.
🔗 SUPPLY CHAIN & VENDOR RISK
Russia’s Aeroflot Breached via Tiny Vendor Bakasoft
Russia’s flagship carrier Aeroflot was breached through a little-known Moscow-based vendor called Bakasoft, which developed its iOS app and quality systems. The pro-Ukrainian hacktivist group Silent Crow, alongside Belarusian Cyber Partisans, claimed responsibility, reportedly grounding over 100 flights and stranding tens of thousands of passengers.
James put it perfectly: “You’re never stronger than your weakest supplier — and most don’t even know they’re weak.”
This incident highlights how small third-party vendors remain the Achilles’ heel of major enterprises. Organizations must:
Double down on TPRM (Third-Party Risk Management)
Continuously vet software vendors
Isolate high-privilege third-party integrations
10,000 Poisoned Docker Images Found Containing Secrets
Researchers found over 10,000 Docker Hub images containing hardcoded secrets, including cloud keys, database passwords, and SSH credentials—many still active and regularly pulled by CI/CD pipelines.
The Breakdown:
41% had five or more keys
25% had two to five
32% had at least one
To Mitigate:
Ban direct pulls from public registries
Mirror and scan images internally before use
Rotate and vault all discovered keys
Adopt multi-stage builds to minimize spillage
Developers need to treat secrets like radioactive waste—isolate, rotate, and minimize exposure.
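"Mirror and scan images internally before use" needs a scanner behind it. The block below is an added example, not the researchers' tooling and not from this newsletter: a Python scan of one image layer (a layer tar as found inside a `docker save` archive) for the secret types the report names, producing the same per-file hit counts as the breakdown above. The sample layer is constructed in memory; the AWS values in it are the placeholder credentials from AWS's own documentation, and the regexes are this example's assumptions rather than a reference list.

```python
import io
import re
import tarfile

# Patterns for the secret types the report calls out (this example's own; tune before relying on them).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"\b(?:postgres|postgresql|mysql|mongodb)://[^:/\s]+:[^@\s]+@"),
}


def redact(value: str) -> str:
    """Keep enough to identify the hit without echoing the secret into a report."""
    return value[:4] + "****"


def scan_layer(tar_bytes: bytes, max_file_bytes: int = 1_000_000) -> list:
    """Scan one layer tar for embedded secrets; large files are skipped to bound memory use."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > max_file_bytes:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            text = fh.read().decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    hit = m.group(m.lastindex or 0)  # capture group holds the secret value if defined
                    findings.append({"path": member.name, "kind": kind, "sample": redact(hit)})
    return findings


def files_with_secrets(findings: list) -> dict:
    """Per-file hit counts, the shape of the report's 'had N or more keys' breakdown."""
    counts = {}
    for f in findings:
        counts[f["path"]] = counts.get(f["path"], 0) + 1
    return counts


def build_sample_layer() -> bytes:
    """Constructed layer: AWS values are the documented placeholder credentials, not real keys."""
    files = {
        "app/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-placeholder\n"
                            "-----END OPENSSH PRIVATE KEY-----\n",
        "app/config.yml": "database_url: postgres://app:hunter2@db.internal:5432/app\n",
        "app/README.md": "No secrets here.\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    hits = scan_layer(build_sample_layer())
    for h in hits:
        print(h)
    print(files_with_secrets(hits))
```

Run it against every layer, not just the final one: a secret deleted in a later `RUN rm` still sits in the earlier layer, which is exactly why the multi-stage builds recommended above matter. Findings feed a rotate-and-vault step, never a "delete the file and rebuild" step.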
Attackers Exploit AWS IAM “Eventual Consistency”
Adversaries are now abusing the propagation delay between IAM policy changes and enforcement in AWS environments. This “eventual consistency” allows attackers a brief but exploitable window (seconds to minutes) to perform actions—like creating roles, exfiltrating data, or escalating privileges—even after permissions have supposedly been revoked.
Mitigation Requires Strong Governance:
Use session policies and permission boundaries
Apply deny-by-default guardrails at organization level
Enable real-time alerts for IAM key creation and assume-role events
Quarantine suspicious accounts and rotate credentials to zero during incidents
Even cloud automation comes with latency—and attackers are living in those milliseconds.
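The reason "deny-by-default guardrails at organization level" beats revoking permissions mid-incident is that a standing deny never has to propagate: it was already in force before the attacker's session started. The following is an added example of such a service control policy, written for this newsletter rather than taken from AWS documentation or any vendor; the break-glass role name `IdentityAdmin` is an assumption, and the action list should be extended to fit your account structure.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIdentityMutationsOutsideIdentityAdmin",
      "Effect": "Deny",
      "Action": [
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/IdentityAdmin"
        }
      }
    },
    {
      "Sid": "DenyTamperingWithAuditTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it to the organizational units holding workload accounts (SCPs do not apply to the management account). The second statement exists so that the real-time alerting recommended above keeps working: an EventBridge rule matching `detail-type` "AWS API Call via CloudTrail" with `eventName` values such as CreateAccessKey and AssumeRole is only as good as the trail feeding it.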
🌐 VPN & REMOTE ACCESS ATTACKS
Palo Alto GlobalProtect VPNs Targeted in Credential Attacks
Security teams are reporting a surge in brute-force and credential-stuffing attacks against Palo Alto’s GlobalProtect VPN portals. Unlike previous zero-days, this isn’t an exploit—it’s a global password-spray and OTP-fatigue campaign.
Attackers are flooding portals with automated login attempts, exploiting reused passwords and weak MFA implementations to gain initial access. Once inside, they move laterally and deploy data theft or persistence tools.
Recommended Mitigations:
Enforce phishing-resistant MFA (FIDO2) and device posture checks
Restrict VPN access by source IP and geography
Alert on repeated failed login attempts from diverse IPs
Rotate compromised credentials immediately
Remote access is still the front door for many organizations—and these attacks prove that poor MFA hygiene is all the leverage attackers need.
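"Alert on repeated failed login attempts from diverse IPs" is a detection with two shapes: one source trying many accounts (classic spray) and one account failing from many sources (distributed stuffing, or the noise that precedes OTP fatigue). The block below is an added example, not Palo Alto's tooling and not from this newsletter; it runs both checks over a constructed, simplified portal auth log (source addresses are from the RFC 5737 test ranges, and the log format, window size and thresholds are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN portal auth log (syslog-like, simplified). Not real telemetry.
SAMPLE_LOG = """\
2025-12-10T01:00:01 vpn-portal auth-fail user=alice src=203.0.113.10
2025-12-10T01:00:03 vpn-portal auth-fail user=bob src=203.0.113.10
2025-12-10T01:00:05 vpn-portal auth-fail user=carol src=203.0.113.10
2025-12-10T01:00:07 vpn-portal auth-fail user=dave src=203.0.113.10
2025-12-10T01:00:09 vpn-portal auth-fail user=erin src=203.0.113.10
2025-12-10T01:02:00 vpn-portal auth-fail user=jsmith src=198.51.100.1
2025-12-10T01:02:30 vpn-portal auth-fail user=jsmith src=198.51.100.2
2025-12-10T01:03:00 vpn-portal auth-fail user=jsmith src=198.51.100.3
2025-12-10T01:03:30 vpn-portal auth-fail user=jsmith src=198.51.100.4
2025-12-10T01:05:00 vpn-portal auth-fail user=frank src=192.0.2.5
2025-12-10T01:05:20 vpn-portal auth-ok user=frank src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ auth-(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text: str):
    """Yield dicts for lines that match the assumed log format; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(log_text: str, window_minutes: int = 10, spray_users: int = 5, diverse_ips: int = 4) -> list:
    """Bucket failures into fixed windows and raise the two alert types."""
    users_by_src = defaultdict(set)   # (window, src) -> distinct users that failed
    srcs_by_user = defaultdict(set)   # (window, user) -> distinct sources that failed
    for ev in parse(log_text):
        if ev["result"] != "fail":
            continue  # a single success after one failure is normal user behaviour
        ts = datetime.fromisoformat(ev["ts"])
        window = ts.replace(minute=(ts.minute // window_minutes) * window_minutes, second=0, microsecond=0)
        users_by_src[(window, ev["src"])].add(ev["user"])
        srcs_by_user[(window, ev["user"])].add(ev["src"])

    alerts = []
    for (window, src), users in users_by_src.items():
        if len(users) >= spray_users:
            alerts.append({"type": "password_spray", "key": src, "count": len(users), "window": window.isoformat()})
    for (window, user), srcs in srcs_by_user.items():
        if len(srcs) >= diverse_ips:
            alerts.append({"type": "distributed_failures", "key": user, "count": len(srcs), "window": window.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Fixed windows are deliberately simple; a spray that straddles a window boundary can slip under the threshold, so in production either use overlapping windows or let the SIEM's sliding-window correlation do this part. Tune `spray_users` against your portal's normal typo rate before turning on paging.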
🚨 MAJOR BREACHES & INCIDENTS
Coupang Investigation Escalates as Seoul Police Raid HQ
South Korea’s largest online retailer, Coupang, is under heavy scrutiny after a major data breach allegedly tied to a former Chinese employee. Police raided Coupang’s Seoul headquarters, seizing devices and servers after authorities claimed the company initially withheld information, forcing investigators to intervene.
The insider reportedly exfiltrated customer and operational data before leaving the country. If true, this could redefine insider risk management across global enterprises.
For CISOs:
Review offboarding and remote access controls
Implement DLP tools for insider exfiltration monitoring
Establish clear law enforcement cooperation protocols
Insider risk isn’t a product—it’s a culture. Coupang just became a case study in what happens when you miss that memo.
🏛️ GEOPOLITICAL & REGULATORY DEVELOPMENTS
NATO Holds Largest Cyber Defense Exercise in History
NATO’s annual “Cyber Coalition” drill, hosted in Estonia, brought together 1,300 participants from 29 member nations and seven partner countries in the largest exercise to date. Teams practiced incident response, intelligence sharing, and threat hunting across simulated scenarios—including ransomware, espionage, and supply-chain compromise—all staying below the threshold for collective defense under Article 5.
This event highlights the alliance’s growing focus on cyber resilience, not retaliation, as the global threat landscape blurs the line between state and criminal actors.
Trump Administration Moves Toward Federal AI Regulation
President Trump hinted at a new AI Executive Order that would preempt state-level AI regulations, establishing a single federal standard for risk disclosure, compliance, and model safety.
He said: “We’re going to win in AI — we can’t have 50 states doing 50 different rules.”
As James noted: “Mr. President — while you’re at it, how about a federal data breach notification law and national privacy regulation? It’s time we stopped making enterprises juggle 50 different disclosure frameworks.”
A unified federal standard could finally reduce compliance fragmentation—and cost.
EU Fines X (Formerly Twitter) $140 Million for DSA Violations
The European Union fined X (formerly Twitter) $140 million for failing to comply with the Digital Services Act (DSA), citing deceptive blue checkmark practices and transparency failures.
This marks the first non-compliance ruling under the DSA, a regulation requiring platforms to remove harmful content and enforce user protection standards. Whether X will pay or challenge the fine remains uncertain, but the move intensifies the clash between EU regulatory power and U.S. free speech advocacy.
Australia Bans Social Media for Minors Under 16
Australia has officially banned social media access for anyone under 16, with fines up to $50 million AUD for companies that fail to enforce it. Platforms including Facebook, X, TikTok, and Reddit face impossible compliance hurdles—how do you verify user age without over-collecting data?
The law has sparked backlash from privacy groups and digital rights advocates, calling it “performative politics over practical policy.”
As James said: “You can’t stop kids from getting online — you can only push them toward darker corners of the web.”
UK Sanctions Russian and Chinese Firms Over Cyber Operations
The UK government sanctioned six Russian and Chinese entities for their roles in disinformation and cyber operations. Russian targets include the Rybar Telegram channel and the Center for Geopolitical Expertise, linked to the GRU. Chinese firms ISUNA and Integrated Technology Group were sanctioned for cyber espionage and influence campaigns.
Organizations should review vendor lists for exposure to sanctioned entities and update compliance workflows—because secondary sanctions are where businesses get blindsided.
EU Cybersecurity Investment Report Shows Talent Gaps Widening
A new EU cybersecurity investment report shows cyber spending now averages 9% of IT budgets, yet talent shortages persist across the bloc. Companies are leaning heavily on outsourced SOCs and managed services as NIS2 compliance strains in-house resources.
The report highlights a troubling reality—technology investments are outpacing workforce growth, leaving visibility gaps across supply chains. Europe needs people, not just platforms. Until they fix that, breaches will continue to outpace budgets.
🎭 SOCIAL ENGINEERING & DEEPFAKE THREATS
FBI Warns of Deepfake Virtual Kidnapping Scams
The FBI is warning about a rise in AI-generated virtual kidnapping scams—where criminals use deepfaked voices and photos from social media to demand ransoms from families or employers.
Victims receive distressing calls claiming a loved one has been abducted, complete with synthesized audio crying or screaming. The scam is particularly effective against executives and their families, where corporate blackmail may follow.
James warned: “You can’t patch people, but you can train them to spot the difference between real fear and synthetic manipulation.”
Companies Should:
Implement executive protection protocols
Train families on safe words for emergency verification
Establish clear incident reporting channels for extortion attempts
💼 INVESTMENT & INDUSTRY TRENDS
Israel’s Cyber VC Boom Hits $4.4B in 2025
Despite ongoing regional conflict, Israeli cybersecurity startups raised $4.4 billion in funding across 130 rounds this year—a 9% increase from 2024. Key players like Armis, Cato Networks, and Island led major rounds, with 71 seed investments totaling $680 million.
U.S. venture firms led 44 of those rounds—signaling sustained confidence in Israel’s cyber innovation ecosystem.
As James put it: “While others talk cyber, Israel builds it — even under fire.”
🇵🇱 CRIMINAL OPERATIONS
Poland Arrests Ukrainian Hackers with Advanced Equipment
Polish police arrested three Ukrainian nationals using advanced hacking gear, including RF devices, rogue AP kits, and skimmer-style electronics. The group targeted retail, hospitality, and transport venues, deploying rogue Wi-Fi networks to harvest credentials and credit card data.
The suspects posed as IT contractors, using Flipper Zero devices and custom laptops for intrusions. The arrests follow a rise in Ukrainian-Russian-aligned sabotage cases in Poland—a stark reminder of how cybercrime thrives in geopolitical shadows.
For Enterprises:
Train staff to avoid unknown Wi-Fi networks
Audit guest network segmentation
Disable SSID auto-connect on corporate devices
Europe is becoming a cyber proxy battlefield, and retail networks are now prime soft targets.
✅ YOUR COMPREHENSIVE ACTION LIST
IMMEDIATE CRITICAL INFRASTRUCTURE DEFENSE (This Weekend):
🎯 Hunt for Chinese persistence - Look for new local admin accounts, suspicious scheduled tasks, odd authentication on dormant accounts in VMware environments
🇷🇺 Review OT/IT segmentation - Deploy firewalls and data diodes; prepare isolation playbooks for critical facilities
🔐 Enforce MFA everywhere - Especially on vendor jump hosts, remote access, and administrative panels
🏭 Remove public IP exposure - Administrative panels should be VPN + MFA only
📊 Deploy EDR on hypervisors - Monitor for process masquerading and lateral movement
VULNERABILITY PATCHING (Priority Order):
⚛️ React/Next.js - Patch React2Shell IMMEDIATELY; disable dangerouslySetInnerHTML; enforce CSP
🌐 Chrome - Update to version 143.0.7499.109+ for actively exploited zero-days
🪟 Microsoft - Deploy 3 zero-day patches (CVE-2025-62221, CVE-2025-64671, CVE-2025-54100)
🏢 SAP - Apply CVSS 9.6 patches; restrict management endpoints
☁️ Fortinet FortiCloud - Disable SSO if patching impossible; hunt for rogue admin accounts
💻 Ivanti EPM - Patch CVE-2025-10573; restrict console to VPN only
🎨 Adobe - Roll out 140 vulnerability fixes across Creative Suite
⚙️ Siemens/Schneider/Rockwell - Apply OT patches; isolate vulnerable devices
📂 Apache Tika - Upgrade and sandbox; disable XXE processing
🔌 Intel/AMD PCIe - Enable IOMMU/VT-d; disable Thunderbolt in secure facilities
SUPPLY CHAIN & VENDOR RISK:
📦 Ban direct Docker pulls - Mirror and scan images internally; rotate exposed secrets
🔍 Vet ALL vendors - Especially small suppliers with high-privilege access
🔐 Isolate third-party integrations - Limit scope of vendor access
☁️ Harden AWS IAM - Use permission boundaries; enable real-time alerts for role creation
🧱 Review UK/EU sanctions - Update vendor compliance lists
📊 Conduct TPRM assessments - Don’t just check boxes; validate actual security controls
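For the "Harden AWS IAM" item, here is an added example (not code from the newsletter or from CyberHub) of the evaluator you would run over CloudTrail records to get real-time alerts on role creation: every CreateRole is reported, a CreateRole without the approved permissions boundary is raised as HIGH, and an AttachRolePolicy of AdministratorAccess is raised as HIGH. The records, the account id and the DeveloperBoundary policy name are constructed placeholders for this example.

```python
"""Evaluate CloudTrail IAM records for risky role creation and privilege grants.

Added example: checks that every CreateRole carries the approved permissions
boundary and flags AdministratorAccess grants. Records, account id and policy
names below are constructed placeholders, not real data.
"""
import json

# Assumption: the one boundary policy every new role must carry.
APPROVED_BOUNDARY = "arn:aws:iam::123456789012:policy/DeveloperBoundary"

# Constructed CloudTrail records, trimmed to the fields the checks read.
SAMPLE_RECORDS = json.loads("""
{"Records": [
  {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
   "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deployer/build-42"},
   "requestParameters": {"roleName": "app-reader",
                         "permissionsBoundary": "arn:aws:iam::123456789012:policy/DeveloperBoundary"}},
  {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-temp"},
   "requestParameters": {"roleName": "maint-helper"}},
  {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-temp"},
   "requestParameters": {"roleName": "maint-helper",
                         "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
  {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
   "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor-temp"},
   "requestParameters": {}}
]}
""")["Records"]


def evaluate(record):
    """Return a list of (severity, message) findings for one CloudTrail record."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return []  # only IAM control-plane calls matter for this check
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    role = params.get("roleName", "?")
    findings = []
    if name == "CreateRole":
        # CloudTrail records the PermissionsBoundary API parameter as
        # requestParameters.permissionsBoundary; absent means no boundary set.
        boundary = params.get("permissionsBoundary")
        if boundary is None:
            findings.append(("HIGH", f"CreateRole {role} by {actor}: no permissions boundary"))
        elif boundary != APPROVED_BOUNDARY:
            findings.append(("HIGH", f"CreateRole {role} by {actor}: unapproved boundary {boundary}"))
        else:
            # Still surfaced so that every role creation produces a real-time alert.
            findings.append(("INFO", f"CreateRole {role} by {actor}: boundary ok"))
    elif name == "AttachRolePolicy":
        policy = params.get("policyArn", "")
        if policy.endswith("/AdministratorAccess"):
            findings.append(("HIGH", f"AttachRolePolicy {policy} to {role} by {actor}"))
    return findings


def scan(records):
    """Evaluate every record and flatten the findings."""
    return [f for r in records for f in evaluate(r)]


if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_RECORDS):
        print(sev, msg)
```

To make this real-time rather than batch, wire it to an EventBridge rule matching detail-type "AWS API Call via CloudTrail" with eventSource iam.amazonaws.com and eventName CreateRole or AttachRolePolicy, and call evaluate() on the event's detail from a Lambda. The boundary check only enforces what you have already set: the permission boundary policy itself, and an IAM condition that denies CreateRole without it, are the preventive half.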
VPN & REMOTE ACCESS:
🔑 Enforce phishing-resistant MFA - FIDO2 keys, not SMS or push notifications
🌍 Restrict VPN by geography - Block suspicious source countries
🚨 Alert on failed logins - Especially repeated attempts from diverse IPs
🔐 Rotate compromised credentials - Don’t wait for confirmation of breach
📊 Implement device posture checks - Verify endpoint health before VPN access
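Two of the hunting items above, "odd authentication on dormant accounts" under critical infrastructure defense and "repeated attempts from diverse IPs" under VPN and remote access, come down to the same authentication-log analysis, so here is one added example that does both (it is not code from the newsletter or from CyberHub). The log format, the 90-day dormancy cutoff and the 5-failures-from-3-IPs threshold are assumptions for this example; the log lines are constructed.

```python
"""Hunt authentication logs for two signals from this week's action list:
(1) a successful login on an account that had been silent for DORMANT_DAYS+,
(2) repeated failed logins for one user from many distinct source IPs.

Added example. Log format "timestamp user src_ip result" and all thresholds
are assumptions; the sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90            # assumption: 90+ days without a login = dormant
FAIL_THRESHOLD = 5           # assumption: >= 5 failures ...
DISTINCT_IP_THRESHOLD = 3    # ... from >= 3 distinct IPs ...
WINDOW = timedelta(minutes=15)  # ... inside a 15-minute window

# Constructed sample log: one event per line, documentation-range IPs.
SAMPLE_LOG = """\
2025-09-01T08:00:00 svc_backup 10.0.0.5 SUCCESS
2025-12-12T02:13:00 svc_backup 10.0.0.5 SUCCESS
2025-12-12T09:00:00 alice 10.0.1.20 SUCCESS
2025-12-12T09:01:00 bob 203.0.113.10 FAIL
2025-12-12T09:02:00 bob 198.51.100.7 FAIL
2025-12-12T09:03:00 bob 192.0.2.44 FAIL
2025-12-12T09:04:00 bob 203.0.113.11 FAIL
2025-12-12T09:05:00 bob 198.51.100.8 FAIL
2025-12-12T09:30:00 alice 10.0.1.20 FAIL
"""


def parse(log_text):
    """Parse the constructed format into sorted (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort()
    return events


def dormant_account_logins(events, dormant_days=DORMANT_DAYS):
    """Return (user, timestamp, gap_days) for successful logins after a long silence."""
    last_seen = {}
    hits = []
    for ts, user, _ip, result in events:
        if result != "SUCCESS":
            continue
        if user in last_seen:
            gap = (ts - last_seen[user]).days
            if gap >= dormant_days:
                hits.append((user, ts.isoformat(), gap))
        last_seen[user] = ts
    return hits


def distributed_failures(events, fail_threshold=FAIL_THRESHOLD,
                         ip_threshold=DISTINCT_IP_THRESHOLD, window=WINDOW):
    """Return {user: (failure_count, distinct_ip_count)} for users whose failed
    logins within one sliding window cross both thresholds."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, fails in by_user.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            ips = {ip for _, ip in in_window}
            if len(in_window) >= fail_threshold and len(ips) >= ip_threshold:
                flagged[user] = (len(in_window), len(ips))
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("dormant-account logins:", dormant_account_logins(evs))
    print("distributed failures:", distributed_failures(evs))
```

The dormancy check needs history older than your retention window to be meaningful; if logs only go back 30 days, seed last_seen from an identity-provider "last sign-in" export instead. The distributed-failure check deliberately keys on distinct source IPs rather than raw failure counts, because a lockout policy alone does not catch low-and-slow attempts spread across many addresses.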
MOBILE & ENDPOINT SECURITY:
📱 Disable APK sideloading - Enforce managed app stores only
🛡️ Deploy Mobile Threat Defense - Detect DroidLock and similar threats
🔒 Mandate remote wipe policies - For all BYOD devices
🔐 Application control - Allow only signed installers
📊 Monitor for service tampering - Mass stop events for security services
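The "mass stop events for security services" item is simple to turn into a detection, so here is an added example (not code from the newsletter or from CyberHub) that runs over constructed Windows Service Control Manager events: Event ID 7036 with a "stopped" state and Event ID 7040 (start type changed) for services in a watch list, and alerts when three or more distinct watched services are hit on one host inside two minutes. The watch list, the threshold, the window and the sample events are assumptions for this example.

```python
"""Detect mass stop/disable of security services from Service Control Manager events.

Added example. SECURITY_SERVICES, threshold, window and the sample events are
assumptions and constructed data, not values from the newsletter.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: services whose stopping should never happen together.
SECURITY_SERVICES = {"WinDefend", "Sense", "MpsSvc", "wscsvc", "EventLog"}
MASS_STOP_THRESHOLD = 3           # assumption: 3+ distinct watched services
WINDOW = timedelta(minutes=2)     # assumption: within two minutes

# Constructed events: (timestamp, host, event_id, service, detail).
SAMPLE_EVENTS = [
    ("2025-12-12T03:00:05", "ws-042", 7036, "Spooler",   "stopped"),
    ("2025-12-12T03:14:01", "ws-042", 7036, "WinDefend", "stopped"),
    ("2025-12-12T03:14:02", "ws-042", 7036, "Sense",     "stopped"),
    ("2025-12-12T03:14:02", "ws-042", 7040, "MpsSvc",    "start type changed to disabled"),
    ("2025-12-12T03:14:04", "ws-042", 7036, "wscsvc",    "stopped"),
    ("2025-12-12T03:14:30", "ws-042", 7036, "WinDefend", "running"),
    ("2025-12-12T03:20:00", "ws-017", 7036, "WinDefend", "stopped"),
    ("2025-12-12T08:00:00", "ws-017", 7036, "Sense",     "stopped"),
]


def is_tamper_event(event_id, service, detail):
    """True for a watched service entering the stopped state or having its start type changed."""
    if service not in SECURITY_SERVICES:
        return False
    if event_id == 7036:
        return detail == "stopped"
    return event_id == 7040


def detect_mass_stop(events, threshold=MASS_STOP_THRESHOLD, window=WINDOW):
    """Return {host: (window_start_iso, [services])} for hosts where `threshold`
    or more distinct watched services were stopped/disabled inside `window`."""
    per_host = defaultdict(list)
    for ts, host, event_id, service, detail in events:
        if is_tamper_event(event_id, service, detail):
            per_host[host].append((datetime.fromisoformat(ts), service))
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            # Every tamper event from this anchor forward that falls inside the window.
            in_window = [svc for t, svc in items[i:] if t - t0 <= window]
            distinct = list(dict.fromkeys(in_window))  # de-duplicate, keep order
            if len(distinct) >= threshold:
                alerts[host] = (t0.isoformat(), distinct)
                break
    return alerts


if __name__ == "__main__":
    for host, (when, services) in detect_mass_stop(SAMPLE_EVENTS).items():
        print(f"{host}: {len(services)} security services stopped/disabled from {when}: {services}")
```

In production the inputs come from the System log forwarded to your SIEM; 7036 and 7040 are written by the Service Control Manager, so they survive even when the EDR agent itself is one of the services being stopped. A single stop is routine maintenance; the correlation across several watched services on one host inside a short window is what separates tampering from an update.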
INSIDER THREAT & DLP:
🕵️ Review offboarding controls - Ensure access revocation is immediate and complete
📊 Implement DLP tools - Monitor for unusual data exfiltration patterns
🔐 Establish law enforcement protocols - Know how to cooperate effectively
👤 Monitor privileged accounts - Especially after-hours activity
📧 Restrict data export - Require approval for bulk transfers
DETECTION & THREAT HUNTING:
🔍 Hunt for BrickStorm - VMware process masquerading, SFTP tunneling
🎯 Monitor for living-off-the-land - PowerShell, WMI, legitimate tools misused
🚨 Watch for lateral movement - Especially in OT environments
📊 Detect token manipulation - Unusual privilege escalation patterns
🧱 Track webshells - Especially in edge devices and management consoles
🧠 JAMES AZAR’S CISO TAKE
Today’s episode was a wake-up call about resilience at every layer—from OT to AI, from hardware to supply chain. What we’re seeing from Russia’s hybrid warfare playbook and China’s patient infrastructure positioning is the blueprint for how nation-state tactics bleed into enterprise risk. This isn’t about shutting down networks anymore—it’s about embedding quietly, learning your environment, and waiting for the strategic moment to flip the switch. The DOJ and CISA advisories this week confirm what many of us suspected: the lessons Russia learned through three years of real-world hybrid warfare against Ukraine are now being deployed against Western critical infrastructure.
When you can cause physical damage remotely—when workers at water treatment plants or power stations can’t go home safe because of a cyber attack—cybersecurity becomes a blue-collar safety issue, not just an IT problem. Meanwhile, React2Shell’s rapid progression from disclosure to active exploitation in 48 hours, combined with $4.5 billion in annual ransomware payments making cybercrime the world’s fourth-largest economy, proves that the velocity and financial stakes of cyber threats have reached unsustainable levels.
My biggest takeaway from this week is that visibility and control win wars—but only if we redefine what visibility means. Whether it’s a Chrome zero-day, a poisoned Docker image, Chinese malware masquerading as VMware processes, or a tiny vendor like Bakasoft taking down Russia’s flagship airline, our defenses fail when we can’t see the full stack across hardware, software, vendors, and geopolitical context.
The job for CISOs in 2026 isn’t just cybersecurity—it’s attack surface governance across humans, code, machines, and relationships. We’re not defending networks anymore; we’re defending interconnected ecosystems where the weakest link is usually something we didn’t know we relied on. The subscription model squeeze that I’m documenting in my article series is compounding this problem: flat budgets forced by ARR economics mean we’re making impossible trade-offs between tooling, talent, and resilience. But the adversaries aren’t operating under budget constraints.
China can be patient for years. Russia can test tactics in Ukraine and deploy them globally. Ransomware gangs are industrializing faster than we’re adapting. The only competitive advantage we have is speed of detection, clarity of response, and the discipline to assume we’re already compromised—because in most critical infrastructure environments, we probably are.
Stay sharp, stay segmented, assume compromise, and as always—stay cyber safe, Security Gang!
Thanks for tuning in. We’ll be back Monday at 9 AM Eastern Live with all the latest. Tomorrow, we’ll have our summary of all the cyber news you missed this week in one comprehensive email. On Saturday, part three of “The Subscription Model Squeeze: How Subscription Models Turned the Cybersecurity Budget Into a Nightmare for CISOs and CFOs” drops the conclusion on how we fix it.
Check it all out at cyberhubpodcast.com.




This really captures what keeps me up lately—watching defenders still optimizing for quarterly patch cycles while nation-states embed themselves for multi-year positioning. The China/Russia infrastructure pre-positioning feels like we're watching two different games being played on the same board. I saw similar patterns when working on incident response for a small manufacturing client last year; turns out their "trusted" third-party software vendor had been their biggest blind spot all along. The most chilling takeaway for me is how the patient, silent tactics become invisible until it's already too late.