This Week in Cybersecurity
A Turbulent Week in Cyber: Espionage, Escalation, and Enforcement
As we head into a long weekend celebrating America’s 249th birthday, I wanted to pause and reflect on a truly chaotic week in cybersecurity. This recap isn't just a summary — it's a frontline report from the digital war zone. From China and North Korea exploiting our infrastructure and trust, to ransomware crews flipping their playbook, to CISOs like myself navigating both boardrooms and breach reports, this week reminded me that cyber is national defense, business continuity, and civil liberties all wrapped into one. And while I’m proud of how far we’ve come as a nation and as an industry, I’m also alarmed at how far our adversaries are willing to go.
So if you're spending this weekend with family, take a few minutes to digest this update. It’s not fearmongering — it’s situational awareness. And it’s the kind of awareness we need to lead with. From supply chain threats in Europe to SIM swaps in your pocket, the threats are global, but the fixes often start at home.
📌 Cybercrime & Nation-State Escalation
Scattered Spider targets Hawaiian Airlines: This notorious cybercrime gang has escalated from attacking retail to targeting critical infrastructure, with Hawaiian Airlines now confirming a cyber incident affecting its IT systems. The attack didn’t ground planes, but it's a wake-up call that the aviation industry is now in the crosshairs. The FBI and private security firms have warned other airlines to boost defenses immediately.
United Natural Foods experienced a cyberattack that disrupted fulfillment and distribution operations for over a week. The company took systems offline and is now forecasting missed income projections for Q4 2025. This shows how operational disruptions from ransomware go far beyond data loss — they hit revenue.
Ahold breach update: Dutch grocery giant Ahold disclosed 2.2 million records were compromised in a ransomware attack attributed to Inc Ransom. The stolen data includes sensitive PII, with passport images now leaked on dark web forums. This breach reinforces how deep ransomware groups can dig into employee and customer data when ransoms go unpaid.
Qantas customer breach: Initially downplayed, this third-party breach of a contact center now looks to have exposed names, phone numbers, and loyalty program data of up to 6 million customers. No payment data was taken, but the stolen info is ripe for phishing campaigns.
Columbia University attack: Hackers with a political agenda breached Columbia’s systems and selectively exfiltrated student data. The school has been embroiled in campus unrest since October 7th, and this breach raises questions about politically motivated targeting of student populations.
🌐 Geopolitical & Regulatory Shifts
Canada bans Hikvision: After a national security review, Canada has outlawed the use of Hikvision surveillance equipment across all government operations. This mirrors earlier bans on Huawei and ZTE, as Ottawa moves to remove Chinese surveillance tech from its infrastructure.
Germany-Israel cyber alliance: Germany announced a five-point cyber cooperation pact with Israel, focused on intelligence sharing, anti-drone defenses, and a new cyber R&D hub. This formalizes a long-standing but increasingly vital partnership in cyber threat response.
NATO 5% GDP defense rule: NATO members now aim to spend 5% of GDP on defense, including 1.5% earmarked for cyber, energy, and logistics resilience. This marks a dramatic shift from traditional defense spending toward modern threats like cyberattacks and supply chain disruptions.
France exploited via Ivanti: Chinese APTs used Ivanti zero-days to breach French government and telecom networks. Despite prior warnings and multiple advisories, these appliances remain widely deployed. France’s ANSSI cybersecurity agency has called this a "wake-up call."
🛡️ Vulnerabilities & Threat Intelligence
CitrixBleed 2: Over 1,200 vulnerable Citrix servers remain unpatched against CVE-2025-57777, a critical RCE flaw. Despite prior advisories, many organizations have yet to remediate, exposing themselves to known exploits.
Anthropic MCP Inspector RCE: Researchers discovered a critical flaw in Anthropic's MCP tool, used by AI developers to integrate LLMs. The RCE vulnerability could allow attackers to hijack developer systems and move laterally in enterprise networks. Patch to version 0.1.4.1 or later.
Cisco CVE-2025-20091: This perfect 10.0 CVSS-rated bug in Cisco’s Unified CM software allows root access via unauthenticated exploitation. While Cisco has issued patches, many environments likely remain exposed.
Microsens ICS vulnerabilities: Critical flaws in Microsens' NMP Web Plus product allow attackers to bypass authentication and execute arbitrary code. These are especially dangerous for OT networks, where exploitation could impact physical infrastructure.
Chrome zero-day: Google patched CVE-2025-65465, a type confusion flaw in the V8 engine. Exploits are confirmed in the wild, so immediate patching is advised.
TeleMessage under active attack: CISA added two new vulnerabilities to its KEV list, citing active exploitation. TeleMessage is widely used in regulated industries to archive secure comms.
👮️ Covert Ops & Cyber Espionage
DOJ busts North Korean laptop farms: 29 clandestine operations across 16 states were shut down. These farms allowed North Koreans to pose as U.S.-based remote workers for sensitive companies, even accessing ITAR data in some cases. A stunning example of human and cyber infiltration.
macOS malware campaign: North Korea is now using fake Zoom SDK updates to deliver macOS malware dubbed "NimDoor" to Web3 orgs. This campaign involves complex social engineering and advanced persistence techniques.
Russia throttles Cloudflare: As part of its tech sovereignty push, Russia is deliberately degrading access to Cloudflare-backed services. This effectively breaks half the Western web for Russian users and isolates domestic networks.
Swiss government supply chain attack: Attackers breached third-party contractor Radix Systems and stole data from Swiss federal agencies. Data was leaked online, and the scope of exposure is still under review.
Russia-linked attack on journalists: Vitrica, a hosting provider tied to Russian academia, was behind DDoS attacks against independent media exposing elite abuse. Attribution points to a sanctioned entity, showing how state power intersects with criminal infrastructure.
🔐 Privacy, Policy & M&A
Hunters International shuts down: The ransomware-as-a-service gang has ceased operations, offering free decryptors. This unusual gesture may reflect law enforcement heat or internal collapse.
Google fined $314M: A California jury found Google liable for harvesting Android user data over cellular networks without permission. The data was allegedly used for targeted advertising, violating user trust.
Senate drops AI regulation ban: A federal bill that blocked state-level AI laws for ten years has been stripped. States like CA and TX are now cleared to push their own regulations.
AT&T rolls out SIM Lock: New security controls allow users to prevent SIM swaps, a common attack vector used in financial fraud. It’s a long-overdue but welcome update.
Cybersecurity M&A accelerates: With over 400 deals announced this year, the industry is consolidating. Expect fewer point tools and more integrated platforms.
Sean Cairncross clears committee: The nominee for National Cyber Director passed Senate committee. While not a technical expert, he's expected to bring solid policy acumen.
✅ Summary of Key Action Items
Immediately patch all affected Citrix (CVE-2025-57777), Cisco (CVE-2025-20091), Chrome (CVE-2025-65465), Microsens (CVE-2025-49151/49153), and Anthropic MCP systems.
Audit Ivanti and consider replacement if used in critical environments.
Replace SMS-based MFA with app-based or hardware token solutions.
Review and monitor third-party vendor security (especially contact centers and cloud tools).
Train help desk, HR, and remote workforce teams on current phishing and impersonation tactics.
Remove DeepSeek, Hikvision, and other high-risk Chinese software or hardware where possible.
Monitor exposure from past ransomware attacks to claim free decryptors (e.g., Hunters International).
Enable SIM swap protections on all mobile accounts.
Engage with local CISA representatives for resources and threat briefings, especially in OT sectors.
Track and prepare for state-level AI regulation impacts, especially in tech and compliance-heavy industries.
Stay Cyber Safe, Security Gang!
We'll be back Monday at 9 AM Eastern – Live.
Powerful recap, James. We just published a signal-aligned brief on the behavioral layer often overlooked in national cyber posture:
🧠 Cognitive Terrain & OPSEC Doctrine
Not just networks under siege—our perception, agency, and decision loops are being targeted too.
Free drop, no account needed:
Substack Brief:
substack.com/@oodashift/note/p-167532979
📁 Notion Toolkit
notion.so/view/oodashift-toolkit-gjP9RnZg
Cyber war isn’t just at the edge — it’s already inside the mind