Good Morning Security Gang
I hope everyone had a great weekend, and to those who reached out with birthday wishes — thank you. It really meant a lot, especially since I kept that off social media this year. We’re kicking off a jam-packed week with major updates: Iberia discloses a vendor-related data leak, law enforcement systems in Oklahoma and Massachusetts suffer cyber incidents, Oracle’s EBS breach grows, and an insider at CrowdStrike gets caught feeding data to hackers.
So grab that coffee, take a deep sip, and coffee cup cheers, y’all — let’s dive in.
Tim Brown’s SEC Case Dismissed — A Landmark Win for CISOs
Before we get into the breaches, I want to start with some great news for our profession. After five long years, the SEC’s case against Tim Brown, the CISO of SolarWinds, has officially been dismissed with prejudice. That means this ordeal is finally over — and it never should’ve happened in the first place.
The case, which followed the infamous SolarWinds attack, was widely criticized as a dangerous precedent for holding security leaders personally liable for nation-state breaches. The dismissal sends a strong signal that while accountability is critical, CISOs shouldn’t be scapegoated for complex systemic attacks.
SolarWinds deserves credit for standing by Tim throughout the ordeal — that kind of corporate loyalty is rare. A huge sigh of relief for CISOs everywhere, and what a Thanksgiving it’ll be for Tim and his family.
Iberia Airlines Discloses Customer Data Leak via Vendor Breach
Spanish air carrier Iberia Airlines confirmed a data breach after one of its vendors was compromised, exposing names, email addresses, and loyalty account IDs. The actor behind the attack is claiming to sell over 77GB of Iberia customer data online, though the company says no payment or password information was affected.
The incident underscores the rising third-party risk plaguing enterprise ecosystems. Loyalty programs often have direct cash value, so threat actors can use this data for travel fraud, phishing, or reward point resale. Iberia has enabled additional verification measures for account changes and notified regulators in Spain.
For defenders, this is another wake-up call to tighten vendor security reviews, monitor API data flows, and implement MFA and anomaly detection for loyalty programs and third-party integrations.
Cyberattacks Hit Law Enforcement Systems in Oklahoma and Massachusetts
Law enforcement agencies in two jurisdictions, Cleveland County, Oklahoma, and Attleboro, Massachusetts, suffered disruptive cyber incidents that knocked out public portals and internal systems. Both departments reported outages in evidence tracking and in the public reporting portals residents use to file reports.
These attacks are concerning not just because of service disruptions, but because they target the digital backbone of public safety operations. The fact that smaller jurisdictions are being hit could indicate testing or reconnaissance for larger-scale kinetic-style attacks, where cyber disruption precedes physical or geopolitical escalation.
Agencies need to test offline evidence systems, backups, and chain-of-custody procedures through tabletop exercises. As cyberattacks increasingly cross into critical response systems, law enforcement becomes part of the national cyber perimeter.
Cox Enterprises Confirms Oracle EBS Breach Exposure
Cox Enterprises has joined the growing list of organizations impacted by the Oracle E-Business Suite (EBS) exploit. The company confirmed data exposure tied to the compromise of the EBS environment — the same exploit responsible for recent breaches at Logitech and The Washington Post.
These incidents highlight the scale of the Oracle supply chain exposure, where the same zero-day has been repeatedly leveraged against major corporations. Organizations using Oracle EBS should immediately:
Patch and harden EBS environments.
Rotate keys, tokens, and service accounts tied to Oracle integrations.
Review SSO trust relationships and limit API privileges to least privilege.
ERP systems are high-value targets because they combine sensitive PII, operational data, and financial workflows — compromising one can cripple entire business operations.
Salesforce Revokes Gainsight Access After Unusual Activity
Salesforce revoked access for the customer analytics platform Gainsight after detecting unusual data access patterns that may have exposed sensitive customer data. Gainsight’s application was removed from Salesforce’s AppExchange, tokens were revoked, and impacted customers were notified.
Threat actors claim to have accessed data from nearly 284 organizations through this integration. This is yet another example of SaaS-to-SaaS supply chain compromise, an area often overlooked by security teams.
CISOs should inventory every connected app and OAuth-authorized integration in their Salesforce orgs, remove the ones nobody owns, enforce SSO for human users, and restrict each remaining integration to the narrowest OAuth scopes it actually needs. Then monitor the event logs for abnormal API usage and bursts of report exports, since an integration token that suddenly starts pulling whole reports is the signature of exactly this kind of compromise. This type of lateral exposure expands quickly if it is not proactively controlled.
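The "mass report export" signal above is easy to describe and easy to miss if nobody is actually reading the event logs. The script below is an added example written for this post, not Salesforce tooling and not code from the Gainsight incident: it walks a constructed sample in the shape of a Salesforce EventLogFile CSV for the ReportExport event type (the column names are simplified assumptions, not the exact production schema) and flags two things, a user pulling many distinct reports inside a short sliding window, and any export performed by an account on an assumed list of integration/service user IDs, which should never run reports at all.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resembling a Salesforce EventLogFile export for the
# ReportExport event type. Column names are a simplified assumption for this
# example, not a verbatim copy of the real schema. IPs are documentation ranges.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,REPORT_ID_DERIVED
ReportExport,2025-11-24T09:00:12Z,005A000000AAAA1,203.0.113.10,00OA0000000R001
ReportExport,2025-11-24T09:03:40Z,005A000000AAAA1,203.0.113.10,00OA0000000R002
ReportExport,2025-11-24T09:04:02Z,005A000000INTG9,198.51.100.7,00OA0000000R010
ReportExport,2025-11-24T09:04:05Z,005A000000INTG9,198.51.100.7,00OA0000000R011
ReportExport,2025-11-24T09:04:09Z,005A000000INTG9,198.51.100.7,00OA0000000R012
ReportExport,2025-11-24T09:04:14Z,005A000000INTG9,198.51.100.7,00OA0000000R013
ReportExport,2025-11-24T09:04:20Z,005A000000INTG9,198.51.100.7,00OA0000000R014
ReportExport,2025-11-24T09:04:27Z,005A000000INTG9,198.51.100.7,00OA0000000R015
ReportExport,2025-11-24T14:30:00Z,005A000000AAAA1,203.0.113.10,00OA0000000R003
"""

# Assumed inventory of integration/service accounts (an analytics connector here).
# In a real org this list comes from your connected-app audit, not a hard-coded set.
INTEGRATION_USERS = {"005A000000INTG9"}


def parse_events(text):
    """Parse the CSV into (timestamp, user_id, client_ip, report_id) tuples, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, row["USER_ID"], row["CLIENT_IP"], row["REPORT_ID_DERIVED"]))
    rows.sort()
    return rows


def find_export_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Sliding-window burst detector.

    Returns {user_id: (distinct_reports, window_start, window_end)} for every user
    who exported at least `threshold` distinct reports inside any `window`.
    Distinct report IDs are counted so re-running one report does not trip it.
    """
    alerts = {}
    per_user = defaultdict(deque)
    for ts, user, _ip, report in events:
        q = per_user[user]
        q.append((ts, report))
        # Drop events that fell out of the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold:
            alerts[user] = (len(distinct), q[0][0], ts)
    return alerts


def find_integration_exports(events):
    """Any report export by a service/integration account is suspicious on its own."""
    return sorted({user for _, user, _, _ in events if user in INTEGRATION_USERS})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, (n, start, end) in find_export_bursts(evts).items():
        print(f"BURST  user={user} distinct_reports={n} {start:%H:%M:%S}-{end:%H:%M:%S}")
    for user in find_integration_exports(evts):
        print(f"INTEG  integration account exported reports: user={user}")
```

Tune the window and threshold to your org's normal report usage before turning this into an alert; the point is that the integration account in the sample trips both detectors while the human analyst, who pulled three reports across the day, trips neither.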
CrowdStrike Insider Terminated for Leaking Internal Screenshots
CrowdStrike confirmed the termination of an employee who leaked internal system screenshots to threat actors. The group that received them claims it paid the insider $25,000 for the screenshots, a figure that comes from the threat actors' own posts rather than from CrowdStrike.
No customer or production systems were compromised, but this event underscores the real and growing risk of insider threats, even at top-tier security vendors. Screenshots of telemetry or internal tools can still give adversaries insight into detection capabilities or gaps.
Security leaders should implement DLP for screenshots, block clipboard captures on sensitive systems, and deploy insider risk analytics to detect abnormal access or burst-sharing activity.
China’s APT31 Targeting Russian Tech Firms in Espionage Campaign
Despite their public political alignment, China and Russia are waging quiet cyber warfare behind the scenes. New reports reveal that China’s APT31 has been hacking Russian tech firms tied to defense and government contracts for years.
The group leveraged public tools mixed with custom malware, often timing attacks for weekends or holidays to avoid detection. Exfiltrated data was funneled through Yandex Cloud, a tactic meant to blend into legitimate Russian traffic.
“With friends like China, who needs enemies, would be the statement of the day there.” James Azar
The breach exposes a geopolitical truth: alliances between autocracies are transactional, not trustworthy. In cybersecurity, even your allies can become your adversaries.
Oracle Identity Manager Zero-Day Exploited in the Wild
A critical Oracle Identity Manager vulnerability (CVE-2025-61757) is now under active exploitation. The flaw is a pre-authentication remote code execution bug in the product's REST web services component, and a fix shipped in Oracle's October 2025 Critical Patch Update. Because Identity Manager provisions and governs accounts across the enterprise, code execution there can be a stepping stone to control of every identity it manages.
CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog. Organizations using Oracle Identity Manager should patch immediately, rotate all privileged credentials, and monitor for suspicious administrative changes.
Azure Bastion Input Validation Flaw
Microsoft disclosed a critical improper-input-validation vulnerability in Azure Bastion (CVE-2025-49752) that could allow an attacker to elevate privileges over the network. Bastion is a Microsoft-managed service, so the fix was applied on Microsoft's side and there is no customer-side build to update. Admins should still treat Bastion as a privileged access path: enforce Conditional Access on the identities allowed to connect through it, and enable session recording and command logging so there is a forensic trail if an elevated session is ever abused.
Grafana SCIM Flaw Enables Privilege Escalation
Grafana Enterprise 12.x instances with SCIM provisioning enabled were found vulnerable to an identity-mapping flaw: a SCIM user provisioned with a numeric externalId could be mapped onto an existing internal Grafana user ID, letting whoever controls the provisioning source impersonate that user, including an administrator. The issue is fixed in the 12.0.6+security-01, 12.1.3+security-01, 12.2.1+security-01, and 12.3.0+security-01 builds; instances that never enabled SCIM are not affected.
Organizations using Grafana for observability stacks should upgrade immediately to prevent admin impersonation and data exposure.
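The underlying mistake is worth seeing in code, because it is not specific to Grafana: any provisioning endpoint that lets a caller-supplied identifier double as an internal primary key has the same problem. The snippet below is an added, deliberately simplified model of that bug class, written for this post and not taken from Grafana's source or its advisory. The user store, the SCIM payload shape, and the role names are assumptions for illustration. The vulnerable resolver treats a numeric externalId as an internal user ID and links the SCIM identity to it; the hardened resolver treats externalId as an opaque string that can only match a previously stored externalId, so an unknown identity always gets a fresh low-privilege account.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    id: int                  # internal primary key, never exposed to the IdP
    login: str
    role: str                # assumed roles: "Admin" / "Viewer"
    external_id: Optional[str] = None   # opaque identifier owned by the IdP


@dataclass
class UserStore:
    users: Dict[int, User] = field(default_factory=dict)
    next_id: int = 1

    def add(self, login: str, role: str, external_id: Optional[str] = None) -> User:
        user = User(self.next_id, login, role, external_id)
        self.users[user.id] = user
        self.next_id += 1
        return user

    def by_external_id(self, external_id: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.external_id == external_id), None)


def provision_vulnerable(store: UserStore, scim_user: dict) -> User:
    """Identifier confusion: a numeric externalId is treated as an internal user id.

    Whoever controls the SCIM source (a compromised IdP, a rogue admin there) can
    send externalId "1" and be linked to whichever account holds internal id 1.
    """
    ext = scim_user["externalId"]
    if ext.isdigit() and int(ext) in store.users:          # the bug
        user = store.users[int(ext)]
        user.external_id = ext                              # SCIM identity now owns this account
        return user
    return store.add(scim_user["userName"], "Viewer", ext)


def provision_hardened(store: UserStore, scim_user: dict) -> User:
    """externalId is opaque: match only on a stored externalId, never on the internal key.

    An identity the store has never seen gets a brand-new account at the lowest
    role; it can never be attached to an existing user by guessing a number.
    """
    ext = scim_user["externalId"]
    existing = store.by_external_id(ext)
    if existing is not None:
        return existing
    return store.add(scim_user["userName"], "Viewer", ext)


def seeded_store() -> UserStore:
    """Constructed fixture: the first account created on any instance is the admin."""
    store = UserStore()
    store.add("admin", "Admin")
    return store


if __name__ == "__main__":
    # Constructed payload as an attacker-controlled provisioning source would send it.
    payload = {"userName": "mallory", "externalId": "1"}
    v = provision_vulnerable(seeded_store(), payload)
    h = provision_hardened(seeded_store(), payload)
    print(f"vulnerable: mallory resolved to id={v.id} login={v.login} role={v.role}")
    print(f"hardened:   mallory resolved to id={h.id} login={h.login} role={h.role}")
```

The hardened version also shows the review question to ask of any SCIM or JIT-provisioning integration you run: what is the lookup key, who controls its value, and can that value ever collide with something the application uses internally.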
SonicWall Fixes Critical Firewall and Email Appliance Bugs
SonicWall has released multiple patches addressing high-severity vulnerabilities in its firewalls and email security appliances (ESA). These flaws could enable remote code execution and privilege escalation if unpatched.
Admins are urged to apply fixes immediately across all affected models. Given SonicWall’s widespread use in mid-sized enterprises and MSP environments, delayed patching could lead to mass exploitation.
Action List
✈️ Audit third-party vendors for exposure — especially loyalty programs.
🧑‍💻 Review insider risk controls for screenshots and clipboard captures.
🧱 Patch Oracle Identity Manager, Grafana, Azure Bastion, and SonicWall.
☁️ Audit Salesforce apps and revoke unused OAuth tokens.
🧩 Conduct tabletop exercises for law enforcement or critical response systems.
🔐 Rotate credentials and keys after any Oracle EBS patch cycle.
🌐 Monitor for Chinese and Russian espionage TTPs within supply chain networks.
James Azar’s CISO’s Take
Today’s episode felt like the perfect cross-section of what being a CISO in 2025 really means — dealing with vendor breaches, insider threats, state-sponsored espionage, and SaaS integrations you never approved but are suddenly your problem. The scope of what we manage has never been wider, yet our influence across those domains often lags behind the risk.
My biggest takeaway? The threat landscape is becoming more interconnected, faster, and more human-driven. From an insider at CrowdStrike to espionage between supposed allies, security failures now start with trust — misplaced, misused, or mismanaged. This week reminds us all that resilience isn’t about tools or vendors; it’s about leadership, discipline, and constant vigilance.
Stay alert, stay caffeinated, and as always — stay cyber safe.