This Week in Cybersecurity: Critical Infrastructure Under Siege
How Mature Security Programs Saved Aflac While China Exploits Perfect 10 Vulnerabilities. Your essential weekend briefing on this week's most impactful cybersecurity developments.
Happy Friday Security Gang,
This week brought us everything from CitrixBleed's unwelcome sequel to a massive intelligence operation exposing the fragile trust between supposed allies China and Russia. While Iran's cyber capabilities were literally bombed into rubble, sophisticated threat actors continued their relentless assault on critical infrastructure, supply chains, and the very foundations of digital trust.
From Scattered Spider's surgical strike on Aflac (proving that mature security programs can contain even the most notorious threat actors) to Salt Typhoon's perfect 10.0 vulnerability exploitation across global telecommunications, this week demonstrated both the evolving sophistication of attacks and the critical importance of proactive defense strategies.
Whether you're catching up over coffee or preparing for Monday's security briefing, this summary provides the essential context and actionable intelligence you need to stay ahead of the threat landscape.
🚨 Critical Infrastructure Attacks
Scattered Spider Strikes Aflac Insurance
The notorious cybercriminal group continued its insurance industry assault, successfully breaching Aflac and accessing sensitive customer data including claims information, health records, and social security numbers. Despite the breach, Aflac's mature security program under CISO Tim Callahan maintained zero business disruption, showcasing how proper incident response can minimize impact even against sophisticated threat actors.
Russian Dairy Supply Chain Crippled
A cyber attack on Russia's Mercury veterinary certification platform caused widespread disruption to the dairy supply chain, marking the third such incident this year. Major retailers experienced supply chain chaos as distribution centers refused goods without proper electronic veterinary documentation.
🌍 Geopolitical Cyber Warfare
China-Russia Espionage Despite Alliance
Intelligence reports reveal Chinese cyber groups have been actively targeting Russian military systems since the Ukraine war began, seeking information about nuclear submarines, drone systems, and battlefield tactics. Advanced Persistent Threat groups are impersonating Russian engineering firms to gather intelligence, highlighting underlying distrust between the supposed allies.
Israel-Iran Cyber Escalation
Following US strikes on Iranian nuclear facilities, cyber warfare between Israel and Iran intensified dramatically. Israel deployed wiper malware against Iranian banking systems, completely deleting customer data and account balances. Iranian Revolutionary Guard Corps soldiers haven't been paid in three weeks due to banking disruptions, while Iran responded by severely restricting internet access.
Salt Typhoon's Perfect 10 Attack
Chinese state-sponsored threat actor Salt Typhoon launched devastating campaigns against global telecommunications providers, exploiting a critical Cisco IOS XE vulnerability (CVE-2023-21998) with a perfect CVSS score of 10.0. The attackers created GRE tunnels for continuous traffic collection from compromised networks.
🔐 Critical Vulnerabilities & Patches
CitrixBleed 2: The Sequel
CVE-2025-57777 represents a critical out-of-bounds memory read vulnerability in NetScaler devices, echoing the infamous original CitrixBleed. This new flaw allows unauthenticated attackers to access session tokens, credentials, and sensitive data from public-facing gateways.
"If you thought CitrixBleed 1 was kind of bad, CitrixBleed 2 - the sequel - is kind of like John Wick 1 and John Wick 2. Can you really say which one was better? It's not every day in cybersecurity we get sequels, so when we do, we cherish them."
James Azar
Cisco ISE Perfect 10 Vulnerabilities
CVE-2025-20281 and CVE-2025-20282 both scored perfect 10.0 CVSS ratings, allowing remote unauthenticated attackers to execute arbitrary code with root privileges through crafted API requests.
GitHub Enterprise RCE
CVE-2025-35059 affects multiple GitHub Enterprise Server versions, allowing remote code execution through pre-receive hook functionality during hot patching processes.
💰 Financial Impact & Legal Developments
AT&T's $177 Million Settlement
AT&T reached a massive settlement for data security breaches, raising questions about the definition of personally identifiable information (PII) and the economic impact of breach penalties on organizations.
$225 Million Crypto Seizure
The Department of Justice moved to seize cryptocurrency stolen through romance scams operated from Vietnam and the Philippines, demonstrating improving law enforcement capabilities in tracking blockchain transactions.
IntelBroker Unmasked
The notorious hacker known as IntelBroker was identified as 25-year-old Kai West, arrested in France and awaiting extradition to the US. Poor operational security led to his identification through IP address reuse and cryptocurrency transactions.
"Crime does not pay. You may get some limelight, but eventually you're tracked because eventually you need to spend that money. And so when you spend that money, it always gets traced back to you."
James Azar
🛡️ Supply Chain & Third-Party Risks
North Korea's NPM Attack Campaign
Researchers uncovered 35 malicious NPM packages in an ongoing "contagious interview" operation, containing hex-encoded loaders designed to collect host information and deliver JavaScript stealers and Python backdoors.
SonicWall NetExtender Trojan
A campaign distributed modified versions of SonicWall's NetExtender SSL VPN application with valid digital signatures, demonstrating sophisticated supply chain impersonation tactics.
Brother Printer Vulnerabilities
Eight vulnerabilities affect millions of Brother printers and related devices; the most critical allows remote unauthenticated attackers to bypass authentication using default administrator passwords.
🔍 Advanced Threat Tactics
AI Security: Echo Chamber Jailbreak
Researchers discovered a sophisticated AI jailbreak technique using multi-turn conversations to progressively guide AI systems toward providing prohibited responses, exploiting contextual understanding gaps in current safety systems.
Iranian Surveillance Camera Exploitation
Iran has been hacking Israeli security cameras to evaluate missile strike impacts and adjust targeting in real time, representing tactical battlefield intelligence gathering through compromised IoT infrastructure.
APT29 Signal Messaging Campaign
Russian APT29 adapted its tactics to use Signal messaging for phishing attacks against Ukrainian government targets, delivering "Beer Shell" and "Slim Agent" malware through trusted communication channels.
📋 Action Items for Security Teams
Immediate Priorities:
Patch CitrixBleed 2 vulnerability (CVE-2025-57777) in all NetScaler deployments
Update Cisco ISE systems to address perfect 10.0 CVSS vulnerabilities
Audit NPM packages for North Korean malicious dependencies
Review GitHub Enterprise installations for RCE vulnerability
Implement enhanced monitoring for Salt Typhoon TTPs
Strategic Initiatives:
Expand security awareness training to cover mobile messaging platform risks
Audit all publicly accessible cloud storage buckets for sensitive data
Review MFA implementation to prioritize app-based over SMS authentication
Assess supply chain security practices across all software vendors
Strengthen blockchain forensics capabilities for incident response
Compliance & Communication:
Prepare board communications showcasing business resilience metrics
Review data classification policies distinguishing public vs. sensitive information
Update incident response plans based on Aflac's successful containment model
Validate backup and recovery systems against potential wiper malware attacks
🎯 James Azar's CISO Take
This week perfectly demonstrates the evolving cybersecurity threat landscape, where mature security programs make all the difference. Aflac's exemplary incident response under Tim Callahan's leadership shows that when sophisticated threat actors like Scattered Spider gain access, proper tooling and resiliency measures can maintain business operations while containing the breach. This is exactly the kind of case study security teams need to present to their boards.
The geopolitical dimension cannot be ignored - while everyone focuses on Iran's pathetic cyber responses (basically defacement attacks masquerading as victories), China remains the persistent, strategic threat. FBI Cyber Division Director Brett Leatherman is absolutely right to warn against sleeping on China's Typhoon groups. Iran's cyber capabilities were literally bombed into rubble when Israel destroyed their IRGC cyber center, but China's long-game approach of death by a thousand cuts continues accumulating strategic damage in silence.
The show is back live Monday morning at 9 AM EST on YouTube, LinkedIn and X.
Stay Cyber Safe, Security Gang!