This Week in Cybersecurity #45
Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar and the CyberHub Security Gang.
Good Morning, Security Gang!
Welcome back to the CyberHub Weekend Briefing, your practitioner-focused intelligence download covering everything that mattered in cybersecurity this week, broken down by category and built for Monday-morning action.
Pour yourself a double espresso. This week was heavy.
We opened with what may be the most significant healthcare cyber incident in recent memory: Iranian-linked wiper malware reportedly destroying 200,000 servers across Stryker’s global operations in 79 countries. Not ransomware. Wiper malware. That distinction matters. Then came the FBI investigating a breach of its own wiretap infrastructure, a fresh Patch Tuesday with 83 Microsoft vulnerabilities, Fortinet and Adobe patches piling on, and Iranian APT groups continuing to probe U.S. critical infrastructure with no sign of slowing down.
Meanwhile, a breach of Cognizant’s TriZetto healthcare platform exposed 3.4 million patient records, North Korea’s APT37 continued targeting air-gapped networks, and researchers discovered over 100 malicious GitHub repositories distributing credential-stealing malware disguised as developer tools. AI was in the news too: Anthropic’s Claude was used to discover 22 vulnerabilities in Firefox, a signal of how rapidly automated vulnerability discovery is changing the threat landscape for defenders and attackers alike.
The thread tying this week together is painfully clear: the attack surface is no longer just expanding at the edges. It is being hit at the core: law enforcement infrastructure, healthcare supply chains, ERP platforms, developer ecosystems, and national cyber command. The fundamentals still win the war. But you have to execute them every single day.
Let’s get into it.
🌐 Geopolitical Cyber Warfare
Iran-Linked Handela Group Wipes 200,000 Stryker Servers
The week’s defining story: the Handela group, an Iranian-linked threat actor, deployed wiper malware against Stryker, one of the world’s largest medical device and equipment manufacturers. The group claims to have wiped more than 200,000 servers, shut down operations across 79 countries, and exfiltrated 50 terabytes of data. Treat those figures as the attacker’s claims until Stryker or investigators confirm them. The Wall Street Journal reported that Stryker acknowledged a global outage, with staff and contractors seeing the Handela logo on their login screens.
This is not ransomware with a negotiation table attached. With wiper malware, destruction is the objective: there is no decryptor to buy, and recovery depends entirely on the backups and rebuild capacity you had in place before the attack. When production and logistics systems at a medical equipment giant go dark, hospitals downstream feel it. The timing is not coincidental: this attack falls squarely within the operational window of escalating U.S.–Iran tensions and what some are calling Operation Epic Fury / Roaring Lion. Russia and Iran have been deepening their collaboration for years, and this looks like that partnership bearing its most disruptive fruit yet.
Board and executive questions about wiper malware are coming. Security teams should be ready.
Iranian Cyber Activity Targets U.S. Critical Infrastructure
Iranian-linked actors continue running active reconnaissance and credential harvesting campaigns against U.S. critical infrastructure sectors — energy, telecommunications, transportation, and government agencies. These campaigns are not yet destructive in nature. They are persistence operations designed to establish access that can be activated for retaliation at the right moment. The Stryker attack demonstrates exactly what that activation looks like.
Organizations in any critical sector should treat current reconnaissance activity as a prelude, not background noise.
Iran Targets Albania’s Parliament
Iranian actors also claimed responsibility for a cyber attack targeting Albania’s parliament. Albania has been a recurring Iranian target following diplomatic tensions and its secular democratic alignment with the U.S. and Israel. These operations are designed to sow disruption, but they are unlikely to produce the political instability Iran is seeking.
New U.S. Cyber Strategy Released
The Trump administration released an updated national cybersecurity strategy emphasizing market-driven innovation over regulatory mandates, strengthening public-private partnerships, and expanding offensive cyber deterrence capabilities. The strategy prioritizes protecting critical infrastructure, developing the cyber workforce, and integrating security into AI development. The underlying thesis — that cybersecurity can become a competitive business advantage rather than a compliance exercise — represents a meaningful philosophical shift.
China and Russia Escalate Espionage Across Europe
Finland’s intelligence services issued formal warnings about intensifying Chinese and Russian espionage across Europe. Operations span cyber intrusions, influence campaigns, and targeting of research institutions and critical infrastructure. Organizations involved in defense technology, government contracting, and academic research should actively hunt for espionage indicators and strengthen insider threat monitoring.
iPhone Hacking Tools, Russian Intelligence, and L3Harris
Reporting emerged this week suggesting that iPhone exploitation tools used by Russian intelligence operations in Ukraine may have originally been developed by U.S. defense contractor L3Harris. This echoes the Shadow Brokers precedent — government-developed offensive tools leaking or being repurposed by adversaries. It raises serious, unresolved questions about how the lifecycle of cyber weapons is managed once they leave development.
🏥 Ransomware & Critical Infrastructure
Bell Ambulance Breach: 235,000 Patient Records Exposed
A cyber attack against Bell Ambulance in Wisconsin exposed personal data belonging to approximately 235,000 individuals, including patient records tied to emergency medical services. This follows a clear and growing pattern: attackers are targeting the logistics and services layer surrounding healthcare — billing platforms, EMS providers, health IT vendors — rather than hospitals directly. When a service provider is compromised, multiple healthcare organizations are affected simultaneously.
Healthcare service providers handling patient data require the same security posture as hospitals themselves. There is no lower-risk tier in this ecosystem.
🔓 Major Data Breaches
FBI Wiretap Infrastructure Breach Under Investigation
The FBI is investigating a hack into its own wiretap and lawful intercept infrastructure — the systems that support surveillance operations during criminal investigations. If attackers gained meaningful access, the exposure could include investigative targets, operational metadata, and intelligence collection techniques. This is an adversary targeting the tools of the defenders. Rather than disrupting operations directly, the goal may be understanding who is being watched and how.
FBI Epstein Investigation Files Allegedly Compromised
In a separate incident, reports surfaced that files related to the FBI’s investigation into Jeffrey Epstein were involved in a cyber intrusion. The full scope of this breach has not been disclosed. Investigative repositories contain evidence chains, witness information, and materials critical to legal proceedings. Compromise of such systems has consequences that extend well beyond the digital environment.
Cognizant TriZetto Healthcare Platform: 3.4 Million Records Exposed
Cognizant confirmed that its TriZetto healthcare platform breach exposed data tied to approximately 3.4 million patients. TriZetto is widely deployed across healthcare providers and insurers for data management and billing. By targeting a centralized multi-tenant platform, attackers accessed data spanning numerous healthcare organizations simultaneously. This is the efficiency attackers are seeking — one compromise, many victims.
Michelin Confirms Impact from Oracle EBS Breach
Michelin confirmed data exposure tied to the Oracle EBS breach that has been unfolding over recent weeks. Oracle’s EBS platform is used across large enterprises for supply chain, HR, and financial operations. The cascade of organizations disclosing impact from this single platform breach is still growing. Enterprise software serving multiple tenants creates systemic single points of failure when compromised. Tenant-level isolation is not a luxury — it is a structural requirement.
🕵️ Nation-State & APT Activity
APT37 Continues Targeting Air-Gapped Networks
North Korea’s APT37 remains active against air-gapped networks using malware designed for insertion via removable media, supply chain pathways, or insider assistance. Air gap means harder to reach — not unreachable. Strict removable media controls, hardware validation, and behavioral monitoring within sensitive zones remain essential for any isolated environment handling classified or high-value data.
Russian Intelligence Targets Signal and WhatsApp Users
Dutch intelligence warned that Russian state-sponsored hackers are targeting users of encrypted messaging platforms including Signal and WhatsApp. The approach does not involve breaking encryption. Instead, attackers focus on compromising the devices connected to these platforms or harvesting account access through phishing and social engineering. This is particularly relevant for government officials, journalists, and executives communicating sensitive information through consumer messaging apps.
ShinyHunters Targets Salesforce Aura Environments
The ShinyHunters threat group is actively targeting Salesforce Aura environments to steal CRM data. ShinyHunters has built a track record of SaaS platform data theft and extortion. Organizations using Salesforce should implement strict API access controls, restrict which connected apps users are allowed to authorize, and continuously monitor for bulk exports and other unauthorized data access.
Cloudzy Hosting Platform Linked to Iranian Operations
Intelligence reporting identified Cloudzy, a hosting provider, as a potential infrastructure front operation tied to Iranian cyber activity and various APT groups. The platform reportedly accepts cryptocurrency payments and operates without standard identity verification, enabling anonymous threat actor operations. Covert hosting infrastructure like this is increasingly foundational to nation-state and criminal cyber campaigns alike.
🛡️ Vulnerabilities & Patch Tuesday
Microsoft Patch Tuesday: 83 Vulnerabilities
Microsoft addressed 83 vulnerabilities this month spanning remote code execution, privilege escalation, and denial of service. Exploitation timelines continue to compress: AI-assisted exploit development can shrink the gap between disclosure and a working exploit from days to hours, so the patch window is the risk window.
Key vulnerabilities requiring immediate attention:
CVE-2026-26127 — Denial of service in .NET
CVE-2026-21262 — Elevation of privilege in SQL Server
CVE-2026-21536 — Remote code execution in Device Pricing Program (mitigated by Microsoft)
CVE-2026-26118 — Azure MCP Server exploitation via crafted input
Fortinet Security Updates Across Core Products
Fortinet released significant updates addressing command injection and privilege escalation vulnerabilities across FortiManager, FortiAnalyzer, FortiSwitch, and FortiSandbox. These are perimeter and management devices — compromising them gives attackers visibility and control over network traffic. Patching is especially urgent because these products sit at the heart of enterprise defensive infrastructure.
Adobe: 80 Vulnerabilities Across Eight Products
Adobe patched 80 vulnerabilities across Acrobat, Reader, Adobe Commerce, and other products. Many involve memory corruption flaws exploitable through malicious documents. Key privilege escalation CVEs: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, CVE-2026-21309. Security feature bypass: CVE-2026-21289. Enforce application sandboxing for document viewers and prioritize deployment across enterprise endpoints.
CISA Shortens Patch Deadlines for Ivanti and SolarWinds
CISA announced shortened patch deadlines for federal agencies covering Ivanti (CVE-2026-1603) and SolarWinds Web Help Desk (CVE-2025-26399). Delayed patching has repeatedly enabled persistent attacker access inside federal networks. The tighter deadlines reflect how seriously CISA views the current threat environment.
Active Directory Zero-Day: CVE-2026-21437
A newly disclosed vulnerability in Active Directory Domain Services enables privilege escalation and authentication manipulation. Active Directory is the identity backbone of most enterprise environments: control AD, and you effectively control the organization. Patch immediately and enforce a tiered administration model so that domain-admin credentials are never used on workstations or ordinary servers.
CISA Orders Urgent Patch for n8n Automation Platform
CISA ordered federal agencies to urgently patch a remote code execution vulnerability in the n8n workflow automation platform, which is already being actively exploited. Automation platforms hold credentials for, and integrate with, multiple systems and APIs, making them high-value targets. Restrict automation platforms to least-privilege API permissions across the board, and keep their web interfaces off the public internet.
SAP NetWeaver ERP Vulnerabilities
SAP released patches for NetWeaver, one of the most widely deployed enterprise ERP platforms globally. These systems contain financial records, HR data, and supply chain intelligence — high-value targets for both espionage and fraud. Continuous monitoring of privileged activity within ERP environments is essential.
HPE AOS-CX Networking OS Vulnerability
Hewlett Packard Enterprise (HPE) warned customers about a critical vulnerability in its AOS-CX network operating system that could allow attackers to reset administrative passwords and gain control of networking devices. Network operating systems receive less security attention than endpoints, and attackers have noticed. Enforce MFA for all administrative access to network infrastructure, and restrict management interfaces to a dedicated management network.
ICS/SCADA Patches: Siemens, Schneider Electric, Moxa, Mitsubishi
Multiple ICS vendors released critical patches this week:
Schneider Electric: High-severity vulnerabilities in EcoStruxure and Power Monitoring Expert
Siemens: Critical XSS vulnerability in SIMATIC S7-1500 devices plus third-party component flaws
Mitsubishi: Remotely exploitable denial-of-service in numerical control systems
Moxa: Multiple advisories including Intel component vulnerabilities
Several of these have been added to the CISA KEV catalog. Prioritize accordingly.
🤖 AI, Developer Ecosystems & Emerging Threats
AI Discovers 22 Firefox Vulnerabilities
Researchers using Anthropic’s Claude AI identified 22 vulnerabilities within Firefox through large-scale automated security analysis. This demonstrates AI’s capacity to dramatically accelerate vulnerability discovery at scale — a capability that is equally available to defenders and attackers. Organizations should begin integrating AI-assisted scanning into secure development pipelines before attackers use the same approach to find their vulnerabilities first.
12 Million Code Repositories Scanned Automatically
Automated tools scanned more than 12 million open-source repositories to identify vulnerabilities. The scale of this analysis reflects a fundamental shift: vulnerability discovery is no longer bottlenecked by human bandwidth. Continuous security testing throughout the development lifecycle is now a baseline requirement.
100+ Malicious GitHub Repositories Distributing Malware
Researchers discovered over 100 GitHub repositories distributing a credential-stealing malware strain called “Boy Up Grab,” disguised as legitimate development tools. Developer workstations with access to production codebases and enterprise systems are high-value targets. Automated dependency scanning and open-source code verification must be standard practice before integrating third-party tools.
Malicious NPM Packages Targeting Developers
New malicious packages were discovered in the NPM ecosystem, stealing credentials and system information from developer machines. Supply chain attacks across NPM, PyPI, and GitHub are accelerating. Because compromised developer environments can provide pathways into production infrastructure, strict package verification is essential, not optional.
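The two items above both come down to the same control: verifying what a developer workstation is about to install before it runs. The following is an added example, not code from the newsletter or from any vendor, showing the checks a pre-install gate can perform offline against an npm project: lifecycle install hooks (the usual execution vector for a malicious package), dependencies fetched from outside the public registry, and lockfile entries with missing or weak integrity hashes. The package.json and package-lock.json documents are constructed sample inputs, and the integrity values are placeholders rather than real digests.

```python
"""Offline supply-chain hygiene checks for an npm project (added example).

Flags the patterns malicious packages and trojanized "developer tools" most
often rely on. Sample manifest and lockfile are constructed, not real.
"""
import json
from collections import Counter
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
STRONG_INTEGRITY_PREFIX = "sha512-"

# Constructed sample manifest: one registry dependency, one git dependency,
# one tarball pulled from an arbitrary host, plus a postinstall hook.
PACKAGE_JSON = json.dumps({
    "name": "internal-dashboard",
    "scripts": {"build": "tsc", "postinstall": "node ./setup.js"},
    "dependencies": {
        "left-pad": "^1.3.0",
        "dev-helper-tools": "git+https://github.com/example-org/dev-helper-tools.git",
        "http-util": "https://cdn.example.net/http-util-2.1.0.tgz",
    },
})

# Constructed sample lockfile (lockfileVersion 3 layout); digests are placeholders.
PACKAGE_LOCK_JSON = json.dumps({
    "name": "internal-dashboard",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "internal-dashboard"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERdigest",
        },
        "node_modules/dev-helper-tools": {
            "version": "0.4.2",
            "resolved": "git+ssh://git@github.com/example-org/dev-helper-tools.git#0f1e2d3c",
            "hasInstallScript": True,
        },
        "node_modules/http-util": {
            "version": "2.1.0",
            "resolved": "https://cdn.example.net/http-util-2.1.0.tgz",
            "integrity": "sha1-PLACEHOLDERdigest",
        },
    },
})


def check_manifest(manifest):
    """Flag install hooks and non-registry or unpinned dependency specifiers."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in sorted(set(scripts) & INSTALL_HOOKS):
        findings.append(("review", f"manifest runs lifecycle hook '{hook}': {scripts[hook]}"))
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if spec.startswith(("git", "http://", "https://", "github:", "file:")):
                findings.append(("high", f"{name}: non-registry source '{spec}'"))
            elif spec in ("*", "latest", ""):
                findings.append(("medium", f"{name}: unpinned specifier '{spec}'"))
    return findings


def check_lockfile(lock):
    """Flag untrusted resolved hosts, missing/weak integrity, and install scripts."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry describes the project itself
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if not resolved:
            findings.append(("medium", f"{name}: no resolved URL (link or bundled dependency)"))
        elif host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(("high", f"{name}: resolved from untrusted host '{host}' ({resolved})"))
        integrity = entry.get("integrity")
        if not integrity:
            findings.append(("high", f"{name}: lockfile entry has no integrity hash"))
        elif not integrity.startswith(STRONG_INTEGRITY_PREFIX):
            findings.append(("medium", f"{name}: weak integrity hash '{integrity.split('-', 1)[0]}'"))
        if entry.get("hasInstallScript"):
            findings.append(("high", f"{name}: runs an install script on npm install"))
    return findings


def check_project(manifest_text, lock_text):
    """Run both checks on the raw JSON documents and return (severity, message) pairs."""
    return check_manifest(json.loads(manifest_text)) + check_lockfile(json.loads(lock_text))


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 1, 'review': 1}."""
    return dict(Counter(severity for severity, _ in findings))


if __name__ == "__main__":
    for severity, message in check_project(PACKAGE_JSON, PACKAGE_LOCK_JSON):
        print(f"{severity:<7} {message}")
```

Wire `check_project()` into a pre-commit hook or CI step and fail the build on any `high` finding; the `review` entries (the project’s own install hooks) are where a human should read the script before anyone runs `npm install`.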
Windows RDP Zero-Day
A newly reported vulnerability in Windows Remote Desktop Services is raising concerns. RDP remains one of the most common enterprise entry points for ransomware and initial access operations. RDP services should never be directly internet-exposed — restrict access behind VPN or zero-trust gateways.
Cisco SD-WAN Actively Exploited
A previously disclosed vulnerability in Cisco Catalyst SD-WAN is now being actively exploited in the wild. These edge devices manage connectivity across branch environments. Compromise gives attackers network routing manipulation, traffic interception, and persistent access paths. Patch immediately and restrict SD-WAN management interfaces to internal networks only.
Satellite Communication Systems: Critical Vulnerabilities
Researchers identified hardcoded credentials, remote command execution paths, and weak configurations across satellite receiver systems supporting government communications and broadcast networks. These systems are rarely patched and carry outsized risk given their role in critical communication infrastructure.
Attackers Abusing ARPA DNS and IPv6 to Evade Phishing Detection
Threat actors are abusing records under the .arpa reverse-DNS zones (in-addr.arpa for IPv4, ip6.arpa for IPv6) and IPv6 infrastructure to route phishing campaigns around traditional email filtering systems. Reverse zones are delegated to whoever holds the address block, so an attacker with an IPv6 allocation can publish arbitrary hostnames under ip6.arpa that domain-reputation tools rarely expect to see as link or sender hosts. Expand DNS monitoring to include reverse-zone names and IPv6 traffic analysis.
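What that monitoring looks like in practice, as an added example that is not part of the newsletter: a resolver query log is checked for two signals of reverse-zone abuse, forward record types (A, AAAA, MX, and so on) requested under .arpa, and .arpa names that do not decode to a valid address at all, which is what a hostname hung under a delegated ip6.arpa zone looks like. A second helper applies the same idea to URLs pulled from mail, flagging .arpa hosts and raw IPv6 literals that sidestep domain-based reputation. The log format and every sample line are constructed for the example.

```python
"""Reverse-zone (.arpa) abuse checks for DNS query logs and URLs (added example)."""
import ipaddress
import re
from urllib.parse import urlparse

# Forward-lookup types that have no business under a reverse zone.
FORWARD_TYPES = {"A", "AAAA", "MX", "SRV", "HTTPS", "SVCB"}
# Occasionally legitimate under .arpa, but worth a human look.
REVIEW_TYPES = {"TXT"}

# A correct reverse name for 2001:db8::1, built with the standard library.
LEGIT_PTR = ipaddress.ip_address("2001:db8::1").reverse_pointer

# Constructed resolver log, one "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = "\n".join([
    f"2026-03-12T09:14:02Z 10.20.0.15 {LEGIT_PTR} PTR",
    "2026-03-12T09:14:05Z 10.20.0.15 4.3.2.1.in-addr.arpa PTR",
    "2026-03-12T09:14:09Z 10.20.0.31 secure-login.8.b.d.0.1.0.0.2.ip6.arpa A",
    "2026-03-12T09:14:10Z 10.20.0.31 secure-login.8.b.d.0.1.0.0.2.ip6.arpa MX",
    "2026-03-12T09:14:12Z 10.20.0.44 0.1.2.in-addr.arpa TXT",
    "2026-03-12T09:14:15Z 10.20.0.44 zz.1.0.0.2.ip6.arpa PTR",
])


def arpa_name_to_ip(name):
    """Decode an in-addr.arpa / ip6.arpa name back to its address; None if malformed."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]  # a full IPv6 reverse name has exactly 32 hex nibbles
        if len(nibbles) != 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]  # a full IPv4 reverse name has exactly 4 decimal octets
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            return None
        return ".".join(reversed(octets))
    return None


def classify_query(qname, qtype):
    """Return (severity, reason) for a suspicious reverse-zone query, else None."""
    lname = qname.lower().rstrip(".")
    if not lname.endswith((".in-addr.arpa", ".ip6.arpa")):
        return None
    decodes = arpa_name_to_ip(lname) is not None
    if qtype in FORWARD_TYPES:
        detail = "" if decodes else " (name is not a valid reverse address)"
        return ("high", f"forward record type {qtype} requested under a reverse zone{detail}")
    if qtype in REVIEW_TYPES:
        return ("review", f"{qtype} record requested under a reverse zone")
    if qtype == "PTR" and not decodes:
        return ("medium", "PTR query for a name that does not decode to an address")
    return None


def analyze(lines):
    """Run classify_query over log lines; skip blank or unexpected lines."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        verdict = classify_query(qname, qtype.upper())
        if verdict:
            severity, reason = verdict
            findings.append({"time": ts, "client": client, "qname": qname,
                             "qtype": qtype.upper(), "severity": severity, "reason": reason})
    return findings


def flag_url(url):
    """Flag link hosts that dodge domain reputation: .arpa names and raw IPv6 literals."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host.endswith(".arpa"):
        return "arpa-host"
    try:
        if ipaddress.ip_address(host).version == 6:
            return "ipv6-literal-host"
    except ValueError:
        pass  # an ordinary hostname, not an IP literal
    return None


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<7} {f['client']} {f['qname']} {f['qtype']}: {f['reason']}")
```

The two legitimate PTR lookups in the sample produce nothing; the `secure-login...ip6.arpa` A and MX lookups are the pattern to alert on, since a name under ip6.arpa that cannot be decoded to an address is a hostname someone deliberately parked there. Feed `flag_url()` the link hosts extracted by your mail gateway to catch the same infrastructure on the delivery side.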
Microsoft Teams Phishing Campaigns
Attackers are increasingly weaponizing Microsoft Teams to deliver phishing links and malware. Because Teams is perceived as a trusted internal platform, users extend it more trust than they would external email. Phishing detection and security monitoring must extend to all collaboration platforms — not just email.
⚖️ Law Enforcement, Policy & Industry
NSA and Cyber Command Leadership Confirmed
The U.S. Senate confirmed Lieutenant General Joshua Rudd to lead both the NSA and U.S. Cyber Command with a bipartisan vote of 71-29. Leadership stability at both agencies arrives at a critical moment given ongoing Iranian and Russian cyber escalation. This is the continuity that national cyber defense requires.
Major Ghanaian Cyber Fraud Actor Pleads Guilty
A Ghanaian national pleaded guilty to orchestrating a massive cyber fraud scheme involving romance scams and business email compromise attacks totaling over $100 million in theft. The defendant faces up to 20 years in prison. International cooperation continues to chip away at the financial cybercrime ecosystem slowly, but meaningfully.
EU Phishing Liability Proposal
A European court advisor suggested that banks should immediately refund phishing victims even when the customer bore partial responsibility. If the court adopts that position, financial liability would shift toward institutions, likely accelerating investment in stronger authentication and fraud detection, though probably at increased cost to consumers.
UK Pushes Fraud Responsibility to Tech Platforms
The United Kingdom is considering policy requiring telecommunications providers and technology platforms to take on greater responsibility for preventing fraud at the source. This raises difficult questions about the balance between platform-level monitoring, user privacy, and enforcement obligations.
Meta Disables 150,000+ Influence Campaign Accounts
Meta disabled more than 150,000 accounts tied to coordinated influence and social engineering campaigns, working in coordination with authorities across the U.S., UK, Canada, Australia, and several Asian nations. Influence operations increasingly blend information warfare with cybercrime infrastructure.
Kevin Mandia Raises $190 Million for Autonomous Security Startup
Cybersecurity veteran Kevin Mandia raised $190 million for Armadin, a new AI-driven autonomous security operations startup. One of the largest early-stage investments in cybersecurity history, this funding reflects the industry’s accelerating shift toward AI-powered threat detection and response. As threat volume scales beyond human capacity, autonomous defense is moving from concept to operational reality.
Wiz Acquisition by Google Cloud Closes at $32 Billion
Google’s acquisition of cloud security company Wiz officially closed this week. Wiz joins Mandiant and other security assets inside Google Cloud, making Google a genuinely significant player in enterprise cybersecurity. Cloud security visibility at this scale, integrated with Google’s infrastructure intelligence, changes the competitive landscape.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Assess Stryker/Handela exposure — review flat network architectures in healthcare environments, verify that offline or immutable backups exist and actually restore, and deploy endpoint protection capable of detecting wiper behavior such as mass file destruction
Prepare executive and board briefing on wiper malware risks and Iranian APT escalation
Patch Active Directory CVE-2026-21437 immediately — identity infrastructure is under active targeting
Patch the n8n automation platform RCE vulnerability — actively exploited in the wild
Deploy all Microsoft Patch Tuesday updates with priority on .NET, SQL Server, and Azure MCP vulnerabilities
Apply Fortinet security appliance patches across FortiManager, FortiAnalyzer, FortiSwitch, and FortiSandbox
Apply ICS patches for Siemens, Schneider, Moxa, and Mitsubishi per CISA KEV guidance
Short-Term (This Month)
Restrict RDP and SD-WAN management interfaces behind VPN or zero-trust gateways
Implement strict removable media controls and behavioral monitoring for air-gapped environments
Extend phishing detection and monitoring to Microsoft Teams, Slack, and all collaboration platforms
Implement automated dependency scanning and open-source code verification for developer environments
Enforce MFA for all administrative access to networking and security infrastructure devices
Expand DNS monitoring to include ARPA reverse lookup and IPv6 traffic analysis
Review Oracle EBS tenant exposure and require tenant-level isolation in shared ERP platforms
Deploy API access controls and continuous monitoring for Salesforce and other CRM environments
🎙️ James Azar’s CISO’s Take
When I look at this week in totality, what stands out most is how the attack surface is no longer just expanding at the perimeter; it’s being targeted at the core. Law enforcement wiretap infrastructure was breached. A medical equipment giant had 200,000 servers wiped by nation-state-aligned actors using destruction-first tooling. Healthcare service providers, developer ecosystems, ERP platforms, and national cyber command leadership were all in the crosshairs simultaneously. This isn’t a spray-and-pray threat environment. It’s systematic, layered pressure across every tier of the infrastructure stack. Adversaries understand that modern organizations are only as resilient as their weakest layer, and they’re probing all of them at once.
For CISOs and security practitioners, the playbook doesn’t change; it just has to be executed with more discipline and speed than ever before. Strong identity controls, network segmentation, patch velocity, and secure development practices remain the foundation of cyber resilience. When organizations combine that execution discipline with geopolitical awareness and meaningful threat intelligence, they raise the cost of attack to the point where most adversaries move on to softer targets. That’s not a guarantee. But it’s the job — and it matters more this week than it did last week.
Stay Cyber Safe. 🔐