This Week in Cybersecurity #48
Below the Surface: Quiet Campaigns, Trusted Systems, and the Week Cyber Became Societal. Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar and the Cyb
Good Morning, Security Gang!
We’re back and yes, the Azar family grew by one beautiful baby boy this week. Sleep is rare. Coffee is mandatory. And James is back in the saddle with the double espresso running and the full Security Gang energy you’ve come to expect.
If this week’s stories have a common thread, it’s this: the most dangerous cyber threats aren’t the loudest ones. Sweden was nearly hit by a Russian attack on its heating infrastructure, and that attack failed, but the intent was unmistakable. Ukrainian hospitals and government agencies are being targeted with malware specifically designed to disrupt societal stability. Twelve thousand systems in the Middle East were scanned in an Iranian-style reconnaissance campaign.
And Patch Tuesday arrived with what may be the second-largest Microsoft patch cycle ever: 167 vulnerabilities, including an exploited SharePoint zero-day, arriving the same week as critical patches from Fortinet, SAP, Adobe, Ivanti, and eight major industrial vendors.
Meanwhile, the week’s breach stories reinforced a pattern we’ve been tracking for months: attackers exploiting trust rather than force. Booking.com, Rockstar Games via Snowflake, McGraw-Hill via a Salesforce misconfiguration, a Kraken insider threat, and supply chain compromises in GitHub, Jira, and npm all shared the same fingerprint: legitimate access, trusted platforms, and no alarm bells until it was too late.
James opened one of this week’s shows with a reflection on Yom HaShoah, Holocaust Remembrance Day, and the quiet, slow erosion that precedes catastrophe. It was a reminder that whether in society or in cybersecurity, the warnings come long before the breaking point. The question is whether we’re paying attention.
“Attackers keep winning by abusing things we already trust — SaaS pages, support workflows, app authorization, collaboration platforms, and even our own security appliances, ERP systems, and VPN clients. The defensive move is not magic. It is knowing which trusted systems have the highest blast radius and hardening those first. That is how you reduce risk.”
Let’s get into it.
🌐 Geopolitical Cyber Warfare
Sweden Attributes Heating Plant Attack to Russian-Linked Group
Swedish officials attributed a cyberattack on a district heating plant to a pro-Russian group with ties to Russian intelligence. The attack failed operationally, but that’s not the lead. The intent is. This fits a sustained European pattern of targeting civilian infrastructure not to destroy it, but to create instability and psychological pressure on populations. Heating. Power. Water. These aren’t military targets; they’re societal pressure points. Gray-zone warfare doesn’t need to succeed to succeed. The attempt alone achieves its goal.
“If we treated our power plants the way pilots treat an airplane, we would likely have fewer of these events on the engineering side. As security practitioners, we ought to be planning for the day after. That day after is network obfuscation. That day after is inline data encryption even within your air-gapped networks.”
AgingFly Malware Targets Ukrainian Government and Hospitals
A new malware strain, AgingFly, is actively targeting Ukrainian government organizations and healthcare systems. This is not opportunistic cybercrime. It is deliberate targeting of the institutions that sustain public life. Hospitals and government agencies are being hit because disrupting them destabilizes society without requiring kinetic escalation. Cyber resilience in healthcare and public sector environments is no longer an IT goal; it is a national security imperative.
12,000 Systems Scanned in Iranian-Style Reconnaissance Campaign
More than 12,000 systems in the Middle East have been scanned in a campaign mirroring Iranian reconnaissance tactics. Scanning is not the attack; it’s the preparation for one. This is patient, methodical threat actor behavior: map the environment, identify weaknesses, and return with precision. This aligns directly with prior reporting on Iranian pre-positioning across U.S. industrial and critical infrastructure. Today’s scan is tomorrow’s disruption.
4,000 U.S. Industrial Devices Remain Exposed to Iranian Targeting
Nearly 4,000 U.S. industrial devices remain directly internet-exposed and vulnerable to Iranian-linked activity. These are operational technology systems; they control physical processes. Leaving them exposed is not a misconfiguration. It is an open invitation in a high-risk neighborhood. The question is no longer whether someone will walk through that door; it’s when.
Iranian Cyber Threats Target U.S. Energy Infrastructure
CISA and NERC continue to issue warnings around Iranian-linked activity targeting U.S. critical infrastructure, with particular focus on energy systems. The current activity remains focused on reconnaissance and persistence rather than immediate disruption. But in the Iranian threat model, today’s foothold is tomorrow’s leverage. OT environments with any internet exposure should treat this as an active threat, not a theoretical one.
💥 Stryker Fallout: Cyber Becomes a Business Event
Stryker Confirms Material Q1 Earnings Impact from Iran-Linked Attack
Stryker confirmed this week that the March 11 Iran-linked attack had a material impact on Q1 earnings. The Handala group gained access to Microsoft Intune, wiped more than 200,000 devices, and disrupted the company’s ordering and supply chain systems. Operations have since been restored — but the damage was real, measurable, and reported to investors.
This is the clearest example in recent memory of cyber leaving the SOC and landing on a hospital floor, and then in an earnings release. Medical staff adapted under constrained equipment conditions. Hospitals extended the use of existing devices. And a publicly traded company disclosed financial harm directly attributable to a nation-state-linked cyber operation. For CISOs still struggling to quantify cyber risk in business terms, this is the case study.
🔓 Data Breaches & Exposures
Booking.com Breach: Identity and Access, Not Infrastructure
Booking.com confirmed a breach affecting user data, likely tied to compromised credentials or third-party access workflows rather than a direct infrastructure intrusion. This is the modern breach pattern: no forced entry, just trusted access used incorrectly. Travel and hospitality platforms hold high-value identity data that fuels downstream fraud, social engineering, and impersonation at scale. For users, this is a direct reminder that passwords alone are insufficient; MFA is non-negotiable on any platform holding financial or travel data.
Rockstar Games: Snowflake Environment Accessed via Third-Party Credentials
ShinyHunters claims access to Rockstar Games data stored in a Snowflake cloud environment via a compromised third-party analytics platform. The attack pattern is textbook: stolen credentials, legitimate API access, no alerts triggered. Once inside a cloud environment via valid credentials, attackers move at the speed of the platform itself. Cloud security monitoring must go beyond perimeter controls to include behavioral anomaly detection for API access patterns across every integrated third-party service.
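The behavioral detection this paragraph (and the action-list item on cloud API anomaly detection) calls for, as an added example that is not part of the original newsletter: a per-principal baseline for a third-party service account is learned from a known-good window, then new activity under the same valid credential is compared against it. The event records and field names are constructed for this example and only loosely follow what a warehouse’s query-history view exposes; they are not a real schema.

```python
"""Baseline-and-deviation detection for a third-party service account's
data-warehouse API access. All records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class QueryEvent:
    user: str            # principal (service account) that ran the query
    client: str          # client application that issued it (assumed field)
    objects: frozenset   # tables touched by the query
    rows: int            # rows returned


@dataclass
class Baseline:
    clients: set = field(default_factory=set)
    objects: set = field(default_factory=set)
    max_rows: int = 0


def build_baselines(history):
    """Learn each principal's normal clients, objects and peak volume."""
    baselines = defaultdict(Baseline)
    for ev in history:
        b = baselines[ev.user]
        b.clients.add(ev.client)
        b.objects |= ev.objects
        b.max_rows = max(b.max_rows, ev.rows)
    return baselines


def detect(baselines, events, volume_factor=5):
    """Return (event, reasons) for queries that deviate from the principal's
    baseline. Valid credentials look identical at the perimeter, so the
    client, the objects touched and the volume are the only signal."""
    alerts = []
    for ev in events:
        b = baselines.get(ev.user)
        reasons = []
        if b is None:
            reasons.append("unknown principal")
        else:
            if ev.client not in b.clients:
                reasons.append(f"new client {ev.client}")
            new_objs = ev.objects - b.objects
            if new_objs:
                reasons.append("new objects " + ",".join(sorted(new_objs)))
            if ev.rows > volume_factor * b.max_rows:
                reasons.append(f"volume {ev.rows} > {volume_factor}x baseline {b.max_rows}")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed known-good window: an analytics vendor's service account
# aggregates a couple of tables nightly through its own ETL client.
HISTORY = [
    QueryEvent("svc_analytics", "VendorETL/2.1", frozenset({"PLAYER_STATS"}), 4_800),
    QueryEvent("svc_analytics", "VendorETL/2.1", frozenset({"PLAYER_STATS"}), 5_100),
    QueryEvent("svc_analytics", "VendorETL/2.1", frozenset({"PLAYER_STATS", "MATCHES"}), 5_300),
]

# Constructed new activity: same valid credential, very different behaviour.
TODAY = [
    QueryEvent("svc_analytics", "VendorETL/2.1", frozenset({"MATCHES"}), 5_000),
    QueryEvent("svc_analytics", "SnowSQL", frozenset({"USERS", "PAYMENTS"}), 48_000_000),
]


def run():
    """Alerts for TODAY against the HISTORY baseline (the second event only)."""
    return detect(build_baselines(HISTORY), TODAY)
```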
McGraw-Hill Salesforce Misconfiguration: ShinyHunters Claims 45 Million Records
McGraw-Hill is the latest victim in ShinyHunters’ ongoing Salesforce campaign. The attackers reportedly exploited a misconfigured Salesforce-hosted web page, not the core enterprise tenant, and are claiming 45 million records and threatening to leak if not paid. McGraw-Hill stated that core systems, customer databases, and student platforms were not accessed. But the blast radius of SaaS misconfigurations regularly extends far beyond what organizations initially assume. Every externally reachable SaaS-hosted page requires explicit access control validation, not just the main platform tenant.
Kraken Insider Threat: Support Employees Enable Extortion Attempt
Kraken disclosed that a cybercrime group attempted to extort the exchange using videos allegedly showing internal systems. At the root: two support employees accessed limited customer data improperly. Client funds were not at risk. But the incident demonstrates a consistent pattern: when externally hardened environments are difficult to breach, attackers pivot to the human layer. Support functions with access to customer data are high-value social engineering targets, particularly where wage disparities create vulnerability to outside influence. Just-in-time access and session recording for support teams are essential controls.
CPU-Z Trojanized Downloads: Supply Chain at Distribution Level
Attackers compromised the CPUID website to distribute trojanized versions of CPU-Z and HWMonitor. This is supply chain compromise at the final distribution point: trusted tools from a recognized domain, delivering malware to users who never suspected anything was wrong. Most users will not verify cryptographic signatures before installing a familiar utility. That’s the gap attackers are exploiting. Enforce signature verification as a baseline requirement before any software installation in enterprise environments.
RCI Hospitality IDOR Vulnerability Exposes Contractor Data
RCI Hospitality disclosed an insecure direct object reference vulnerability in its web application that exposed contractor data without triggering traditional security alerts. IDORs are unglamorous but brutally effective: the application hands attackers the data without any exploitation of authentication systems. Object-level authorization testing must be part of every application security release gate, particularly for portals handling workforce and contractor records.
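What an object-level authorization release gate looks like in practice, as an added example that is not RCI Hospitality’s code or any real portal (this also covers the action-list item on adding such testing to release gates): a hypothetical contractor-record handler in its IDOR-prone form next to a hardened form that checks the object’s owner, and a gate that has every user request every record and reports reads the policy should have denied. Data model, roles and records are all constructed.

```python
"""Object-level authorization check for a release gate. The contractor
portal, its users and records are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "contractor" (sees own record) or "hr" (sees all)


@dataclass(frozen=True)
class Contractor:
    contractor_id: int
    owner: str      # username entitled to read this record
    ssn_last4: str  # the kind of field an IDOR leaks


# Constructed sample records keyed by the id that appears in the URL.
CONTRACTORS = {
    101: Contractor(101, "alice", "1234"),
    102: Contractor(102, "bob", "5678"),
    103: Contractor(103, "carol", "9012"),
}


def vulnerable_get_contractor(user: User, contractor_id: int) -> Contractor:
    """Authenticated but not authorized: the session proves who you are,
    then any id in the request is served. This is the IDOR pattern."""
    return CONTRACTORS[contractor_id]


def can_read(user: User, record: Contractor) -> bool:
    """The policy both the handler and the gate are measured against."""
    return user.role == "hr" or record.owner == user.username


def hardened_get_contractor(user: User, contractor_id: int) -> Contractor:
    """Authorization is evaluated against the requested object itself."""
    record = CONTRACTORS.get(contractor_id)
    # One error for both "missing" and "forbidden", so denied ids cannot be
    # distinguished from non-existent ones.
    if record is None or not can_read(user, record):
        raise PermissionError("not found")
    return record


def object_level_authz_violations(handler, users):
    """Release-gate check: every user requests every id; collect reads that
    succeeded although the policy says they should have been denied.
    An empty list means the handler passes the gate."""
    violations = []
    for user in users:
        for cid, record in CONTRACTORS.items():
            try:
                handler(user, cid)
            except PermissionError:
                continue
            if not can_read(user, record):
                violations.append((user.username, cid))
    return violations


# Constructed test population for the gate.
USERS = [User("alice", "contractor"), User("bob", "contractor"), User("hr1", "hr")]
```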
🕵️ Nation-State Activity & Advanced Threats
North Korea’s $280 Million Crypto Theft: Corporate-Grade Operations
The post-mortem on the Drift crypto theft reveals an operation that reads less like a hack and more like a business. North Korea orchestrated a $280 million theft using fake companies, sustained relationship-building, social engineering, and physical presence at industry conferences. This was not remote exploitation; it was long-game infiltration. Fake identities. Real relationships. Trust built over months before a payload was ever deployed. If your security model doesn’t account for adversaries who operate at this level of patience and organizational sophistication, it is not accounting for the actual threat.
North Korea’s APT37: Facebook-Based Social Engineering Campaign
APT37 is running an active social engineering campaign using fake Facebook personas to build relationships with targets before deploying malware payloads. This is patience over speed, psychology over technology. Attackers establish trust across weeks or months before any technical action is taken. This is where most defenses still fall short, because they are built to detect technical indicators, not human behavioral manipulation. Employee awareness of relationship-building social engineering is a required defensive layer.
🛡️ Vulnerabilities & Patch Tuesday
Microsoft Patch Tuesday: SharePoint Zero-Day + 167 Fixes — Second Largest Ever
Microsoft addressed 167 vulnerabilities this month, the second largest Patch Tuesday by CVE count on record, including an actively exploited SharePoint zero-day (CVE-2026-29231) that was publicly known before patches were released. Collaboration and content platforms continue to draw the most adversarial attention. Internet-facing systems like SharePoint must have a dedicated fast-lane patch process; they cannot wait in the same queue as routine workstation updates.
Fortinet: CVE-2026-27813 Across Multiple Products
Fortinet released a broad patch set with clear prioritization around CVE-2026-27813, affecting FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitch Manager. The perimeter and management plane continue to be primary targets. Every security appliance should be treated as production infrastructure and patched according to attack surface priority, not product popularity.
SAP: 19 Security Notes Including Critical CVSS 9.9 SQL Injection
SAP released 19 new security notes covering more than a dozen products, including CVE-2026-27681, a CVSS 9.9 SQL injection vulnerability in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. ERP and core business systems must be treated as crown jewel infrastructure. Attackers who land in SAP don’t just steal data; they learn how the business operates. Prioritize SAP remediation based on process criticality and direct business exposure.
Adobe: 55 Vulnerabilities Including Critical ColdFusion Flaw
Adobe patched 55 vulnerabilities across 11 products, with a critical ColdFusion vulnerability representing the highest real-world exploitation risk. ColdFusion has a consistent history of showing up in attack chains precisely because it sits in the internet-facing application layer. If ColdFusion is still running in your environment, place it behind additional network controls and treat it as a high-risk exception requiring active monitoring.
Ivanti: RCE and Authentication Bypass Return
Ivanti surfaced again this week with two new vulnerabilities — a remote code execution flaw and an authentication bypass. Platforms that broker access and manage systems sit in the critical flow of enterprise trust. Ivanti’s recurring presence in the threat landscape is not a coincidence; it reflects consistent adversarial interest in control-plane compromise. Patch immediately and validate that no previous exploitation paths remain active.
CISA Flags Windows Task Host Privilege Escalation Under Active Exploitation
CISA flagged a Windows Task Host vulnerability as actively exploited, allowing attackers to escalate to SYSTEM-level access. Privilege escalation is where initial access becomes full control. Once an attacker reaches SYSTEM on a shared or high-value system, the scope of compromise expands rapidly. This vulnerability warrants immediate remediation prioritization.
NGINX UI Zero-Day: Management Interface Compromise
Active exploitation of a critical NGINX UI zero-day continues. Exposed administrative interfaces remain one of the most consistently effective attack vectors — not because they’re sophisticated, but because convenience keeps winning over security. Management panels left accessible to the internet are an open invitation. Remove or restrict all exposed administrative interfaces immediately.
ICS Patch Tuesday: Eight Major Industrial Vendors
Siemens, Schneider Electric, Rockwell, and five additional industrial vendors released advisories in this month’s ICS Patch Tuesday. OT environments accumulate risk over time: long-lived systems, infrequent patching, and operational continuity constraints combine to create compounding vulnerability. Establish dedicated OT vulnerability management processes that account for the unique operational constraints of industrial environments.
Synology SSL VPN Client: Remote Access Vulnerabilities
Synology released updates for SSL VPN client vulnerabilities. Vendor guidance specifies upgrading to version 1.4.5-0684 or newer and calls for active monitoring of configuration changes and unusual traffic behavior. VPN configuration changes should be monitored with the same urgency as failed login attempts; remote access is where trust and network access intersect most dangerously.
Juniper and Chrome Continue Steady Patch Cycles
Juniper patched dozens of Junos OS vulnerabilities, and Chrome released version 147 with 60 fixes including two critical. Neither is a single dramatic event; both reflect the ongoing maintenance reality of foundational infrastructure. Browsers and network devices are prime targets precisely because they are ubiquitous and trusted. Keep them current automatically.
🤖 AI, Supply Chain & Developer Threats
Cloud Security Alliance Releases Mythos AI Threat White Paper
The Cloud Security Alliance, led by Gadi Evron, published a white paper on Anthropic’s Mythos AI model and its implications for the cybersecurity threat landscape, reviewed by over 100 CISOs. The core concern: AI tools like Mythos dramatically accelerate both vulnerability discovery and exploit development, compressing the timeline between disclosure and weaponization in ways the industry has not yet calibrated for. This is required reading for security leadership. Download it at cyberhubpodcast.com.
OpenAI Caught in Axios npm Supply Chain Compromise
OpenAI was caught in the blast radius of the Axios npm package supply chain compromise. This confirms a pattern: supply chain attacks don’t stop at developers; they propagate through enterprise apps, AI platforms, and into production systems. Once trust is compromised at the package level, everything downstream inherits that risk. Software composition analysis is foundational security hygiene, not an advanced practice.
Glassworm Evolves: Zig-Based Dropper Targets Developer IDEs
Glassworm returned with a new variant using a Zig-based dropper to target developer environments and IDE ecosystems. Attackers are moving upstream into the development lifecycle because controlling the developer environment means influencing what gets built. Supply chain compromise at the IDE layer is persistent, quiet, and extraordinarily difficult to detect after the fact. Lock down developer environments with signed plugins, approved extension lists, and access controls.
PHP Composer Flaws Enable Arbitrary Command Execution
New vulnerabilities in PHP Composer enable arbitrary command execution within software build workflows. This is the same threat surface the Team PCP group exploited in expanding across developer toolchains. Pin Composer and all build chain tooling to approved internal baselines rather than allowing developer environments to drift toward the latest available version.
GitHub and Jira Notification Abuse for Malware Delivery
Attackers are abusing GitHub and Jira notification systems to deliver malicious links inside expected, trusted workflow communications. Users don’t question notifications from platforms they rely on daily, and attackers have learned to exploit exactly that behavioral pattern. Extend phishing inspection to collaboration platform notifications, not just email. Security teams often overlook these channels entirely.
⚖️ Policy, Regulation & Industry
FCC Cybertrust Mark: IoXT Alliance Named New Lead Administrator
The FCC Cybertrust Mark program, a consumer-facing security certification for connected devices, has a new lead administrator after UL withdrew. The non-profit IoXT Alliance takes over, putting the program back on track. Given the persistent exploitation of routers, IoT devices, and unmanaged endpoints, any policy initiative that raises the baseline security floor for connected devices has real-world defensive value. This program matters.
FCC Grants Netgear Exemption in Router Certification Rules
The FCC granted Netgear an exemption related to router certification requirements and foreign-owned testing labs. This sits at the intersection of cybersecurity, geopolitics, and supply chain policy. Hardware certification decisions directly influence how secure or insecure network infrastructure becomes at the consumer and enterprise level alike. Policy decisions are now security decisions.
Privacy Research: Tracking Persists After User Opt-Outs
New research indicates major technology companies can continue tracking users even after opt-out mechanisms are activated. The security implication is not just privacy: if controls don’t behave as documented, then compliance assumptions break down. Defenders cannot rely solely on vendor claims. Validate privacy and tracking controls independently, including within your own environment.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Patch Microsoft SharePoint CVE-2026-29231 immediately — publicly known before patches released, active exploitation likely
Patch SAP CVE-2026-27681 (CVSS 9.9) — arbitrary code execution in ERP core infrastructure
Patch Fortinet CVE-2026-27813 across FortiOS, FortiManager, FortiAnalyzer, FortiProxy, FortiPAM, FortiSwitch Manager
Patch Ivanti RCE and authentication bypass vulnerabilities — control plane compromise risk
Patch Windows Task Host privilege escalation — CISA confirmed active exploitation, SYSTEM access at stake
Remove or restrict all exposed NGINX UI management interfaces — active zero-day exploitation underway
Patch Synology SSL VPN client to 1.4.5-0684 or newer and monitor for configuration anomalies
Short-Term (This Month)
Audit every externally reachable SaaS-hosted page and Salesforce integration — McGraw-Hill is not an isolated incident
Implement just-in-time access and session recording for all support functions touching customer data
Enforce cryptographic signature verification for all software downloads in enterprise environments
Add object-level authorization testing to application security release gates
Eliminate direct internet exposure for all OT, industrial, and ICS systems; 4,000 U.S. devices remain exposed
Deploy behavioral anomaly detection for cloud API access across all third-party SaaS integrations
Review and pin PHP Composer and developer build tooling to approved internal baselines
Extend phishing inspection to GitHub, Jira, and all collaboration platform notification channels
Strategic (This Quarter)
Establish dedicated OT vulnerability management processes separate from IT patch cycles
Download and review the Cloud Security Alliance Mythos white paper — calibrate your AI threat timeline assumptions
Build dedicated fast-lane patch processes for internet-facing collaboration platforms separate from workstation cycles
Treat SAP and ERP systems as crown jewel infrastructure with process-criticality-based patching priority
Implement network obfuscation and inline data encryption for critical infrastructure environments
🎙️ James Azar’s CISO’s Take
When I look across this week’s stories, the most important thing I see is how much risk sits below the surface — quiet, patient, and methodical. Sweden’s heating plant, Ukrainian hospitals, Iranian reconnaissance across 12,000 systems, a SharePoint zero-day already known to attackers before patches dropped. These are not loud, chaotic events. They are deliberate campaigns against the systems that keep society functioning. And that’s exactly what makes them dangerous — they accumulate unnoticed until the disruption is unavoidable. Stryker hitting a quarterly earnings report is the clearest signal yet that cyber risk is no longer an IT budget line. It is a business event, a financial event, and a human event.
The second takeaway is about the pace of change. The Cloud Security Alliance’s Mythos white paper, Jason Clinton and Kevin Mandia’s commentary, and this Patch Tuesday’s record-setting CVE count all point to the same reality: AI is compressing vulnerability discovery and exploit development into timelines defenders have never had to operate against before. The answer isn’t panic — it’s prioritization. Know which trusted systems carry the highest blast radius. Harden those first. Build resilience into how you operate, not just how you prevent. Because at the scale and speed this threat environment is moving, perfection isn’t achievable but preparedness is.
📋 Week in Summary
This was a week that reminded practitioners of something easy to lose sight of under the volume of daily threat intelligence: cybersecurity is not about protecting dashboards. It’s about protecting the systems that keep hospitals running, supply chains moving, heating plants operating, and governments functioning. Sweden, Ukraine, and Stryker all told the same story from different angles: when cyber operations are targeted not at data but at operational continuity, the consequences extend far beyond the perimeter and into people’s lives.
Technically, the week was defined by volume and trust exploitation at scale. The second-largest Patch Tuesday ever. Critical patches from SAP, Fortinet, Adobe, Ivanti, and eight industrial vendors simultaneously. And breach after breach — Booking.com, Rockstar, McGraw-Hill, Kraken — sharing the same fingerprint: no forced entry, just trusted access misused, misconfigured, or manipulated through the human layer. The defensive posture this demands is not more tools or more rules. It is continuous validation of every trust assumption in your environment, prioritized by blast radius, executed with the speed the threat environment now requires.
Stay informed. Stay prepared. Stay Cyber Safe. 🔐
© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn