Good Morning Security Gang!
Happy Tuesday, October 14th, 2025, and welcome back to the CyberHub Podcast. It’s a big week here, and there’s a lot to unpack in the world of cybersecurity today. I started the show this morning reflecting on the emotional reunion of twenty hostages returned to Israel, though many still await proper closure. Moments like that remind us of resilience and that’s exactly the theme of today’s packed episode.
We’re talking about the UK’s record year for cyber incidents, the latest Salesforce data extortion fallout, Oracle’s emergency patch for a new E-Business Suite flaw, a 1.2 million patient healthcare breach, and two active NPM phishing campaigns that show just how fast threat actors are evolving. So grab that double espresso and let’s get into it. ☕
🇬🇧 UK Sees Record 429 Cyber Incidents
The UK National Cyber Security Centre (NCSC) released its annual report, revealing 429 cyber incidents between September 2024 and August 2025 — of which 204 were nationally significant and 18 were classified as highly significant. These included attacks across government, critical infrastructure, and manufacturing sectors. For perspective, this doesn’t even count Jaguar Land Rover’s ransomware crisis that prompted a £1.5 billion government bailout earlier this year.
“This isn’t about more regulation. It’s rather about regulating standards. It’s about requiring organizations to meet a bare threshold of what’s required from them in order to operate resiliently in the marketplace and not be a burden on the economy.” – James Azar
What’s most important here is the NCSC’s shift from volume metrics to impact-based reporting, measuring the economic and operational consequences of each breach. This is changing board-level conversations. I said it on the show: “This isn’t about counting breaches — it’s about measuring resilience. Boards finally have to care because the economy does.”
The key takeaway is that resilience, not regulation, will define the next stage of cybersecurity maturity in the UK.
☁ Salesforce Data Extortion Expands
The Scattered Lapsus Hunters gang — a coalition of three criminal groups tied to the earlier Salesloft/Drift OAuth compromise — has posted what it claims to be data from 39 Salesforce-using companies. While many of these claims appear exaggerated, confirmed leaks include customer loyalty records, user IDs, and internal support data. This breach shows how OAuth abuse and third-party app sprawl can lead to ecosystem-wide exposure.
I told the audience: “This isn’t ransomware anymore — it’s data blackmail at scale. They’re stealing, not encrypting.”
Salesforce customers should rotate API and OAuth keys, enforce least-privilege scopes, and strengthen third-party risk management (TPRM) immediately.
Expect a rise in targeted spear-phishing using leaked customer data, along with trust erosion across B2B partner networks.
⚙ Oracle Releases Emergency Patch
After confirming exploitation of CVE-2025-61884, Oracle issued an emergency out-of-band patch for its E-Business Suite (EBS). This info-exposure flaw allows unauthenticated remote access to configuration endpoints, potentially enabling attackers to view or alter runtime settings.
Organizations are urged to:
Apply both the July and September 2025 EBS patches (CVE-2025-61882/84).
Remove EBS from direct internet access and place it behind a web application firewall (WAF).
Hunt for abnormal activity targeting the Runtime UI Configurator endpoint.
As I warned, “If Oracle EBS is facing the open internet, it’s not a business app — it’s an open invitation.”
🏥 SimonMed Radiology Breach Impacts 1.2 Million Patients
SimonMed Imaging, one of the largest U.S. medical imaging providers, disclosed a ransomware breach from early 2025 that impacted 1.2 million patients. The Medusa ransomware gang accessed identity documents, medical imaging data, and radiology reports across 170 centers in 11 states.
This is a textbook example of data permanence risk — in healthcare, even after systems are restored, stolen data retains value for extortion, insurance fraud, and black-market resale.
I noted that “Medusa doesn’t just encrypt — it monetizes the long tail of healthcare data.”
Expect HIPAA investigations, potential state AG actions, and class-action lawsuits in the months ahead.
🧑‍💻 North Korean NPM Phishing Campaign
Clusters of North Korean operators are targeting developers via malicious NPM packages masquerading as “POSpec Theme Staging” and fake CI/CD tools. These packages include phishing payloads that capture developer credentials and pipeline access.
Mitigation measures include:
Enforcing allowlists for package dependencies.
Blocking unpackaged GitHub loaders unless explicitly required.
Treating all auto-redirecting HTML documentation as hostile.
I said it clearly: “North Korea doesn’t need your nuclear secrets — it just needs your GitHub keys.”
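One way to put the "allowlist for package dependencies" and "block unpackaged GitHub loaders" advice into practice, as an added example that is not from the show or any project it mentions: audit a lockfile against a team-maintained allowlist and flag anything resolved from outside the npm registry. The lockfile fragment and package names below are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hosts a dependency may legitimately be fetched from (assumption: public npm only).
REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfileVersion 3 fragment: one allowed package, one unknown package
# named after the lure in the text, and one package pulled straight from GitHub.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/pospec-theme-staging": {  # constructed, not a real package
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/pospec-theme-staging/-/x-0.0.1.tgz",
        },
        "node_modules/ci-helper": {  # constructed "GitHub loader" style dependency
            "version": "2.1.0",
            "resolved": "git+ssh://git@github.com/example/ci-helper.git#abc123",
        },
    },
})

ALLOWLIST = {"left-pad@1.3.0"}  # name@version pins reviewed by the team

def package_name(path):
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b" (last package segment)
    return path.split("node_modules/")[-1]

def audit_lockfile(lock_text, allowlist, registry_hosts=REGISTRY_HOSTS):
    """Return {name@version: [reasons]} for every dependency that fails a check."""
    lock = json.loads(lock_text)
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        key = f"{package_name(path)}@{meta.get('version', '?')}"
        reasons = []
        if key not in allowlist:
            reasons.append("not on allowlist")
        resolved = meta.get("resolved", "")
        if (urlparse(resolved).hostname or "") not in registry_hosts:
            reasons.append(f"non-registry source: {resolved or '<none>'}")
        if reasons:
            findings[key] = reasons
    return findings
```

Run it in CI and fail the build on any finding; the allowlist then becomes the single place where a new dependency or a GitHub-sourced exception gets reviewed.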
⚙ Secondary NPM Campaign Targets OT Sector
In a separate campaign, threat actors are planting benign-looking packages that link to phishing pages on unpkg.com, primarily targeting OT-adjacent industries in Europe such as energy and manufacturing. These attacks aim to harvest credentials from engineers and R&D portals, opening the door to IP theft and firmware tampering.
Defenders should:
Block unpkg.com domains where possible.
Scan inbound HTML for CDN redirects.
Monitor firmware repositories for unauthorized commits.
As I put it: “This is how OT gets compromised now — not through SCADA, but through source code.”
🧱 SonicWall VPN Credentials Compromised
Following last week’s revelation of a SonicWall cloud backup exposure, researchers have now confirmed valid credential logins across impacted devices. Some cases escalated to Windows lateral movement and LAN scanning.
Immediate actions:
Reset all VPN credentials and API keys.
Disable WAN management.
Enforce MFA for all admin logins.
The quiet nature of this attack means many organizations may already be compromised without knowing it.
🌍 Multi-Country Botnet Targets RDP
Security researchers identified a massive RDP-focused botnet enumerating user credentials from over 100,000 IPs. The botnet uses RDP Web Access timing inference to identify valid accounts for credential stuffing and ransomware staging.
To mitigate:
Remove RDP from public exposure.
Use VPN + app-based MFA for remote access.
Set off-hours access restrictions.
This campaign is responsible for an ongoing spike in failed login telemetry across Europe and the U.S.
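A botnet spread across 100,000 IPs keeps each source under per-IP lockout thresholds, so failed-logon telemetry has to be aggregated by the targeted account rather than by source. The detection below is an added example, not from the show; the log format (ISO timestamp, Windows event ID, user, source IP) and the off-hours window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed failed-logon telemetry: "<timestamp> <event id> user=<name> src=<ip>".
# 4625 = Windows failed logon, 4624 = successful logon (field layout is assumed).
SAMPLE_LOGS = """\
2025-10-14T02:11:05Z 4625 user=admin src=203.0.113.10
2025-10-14T02:11:09Z 4625 user=admin src=198.51.100.7
2025-10-14T02:11:14Z 4625 user=admin src=192.0.2.55
2025-10-14T02:11:20Z 4625 user=admin src=203.0.113.99
2025-10-14T02:11:31Z 4625 user=admin src=198.51.100.200
2025-10-14T02:12:02Z 4625 user=jsmith src=203.0.113.10
2025-10-14T09:15:44Z 4625 user=jsmith src=10.0.0.5
2025-10-14T09:16:01Z 4624 user=jsmith src=10.0.0.5
"""

def parse(line):
    ts, event_id, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": int(event_id),
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1]}

def find_distributed_enumeration(log_text, min_sources=4, off_hours=(22, 6)):
    """Return {account: {"sources": n, "off_hours": m}} for accounts that saw
    failed logons from at least `min_sources` distinct IPs. Each source may
    appear only once, which is exactly the pattern per-IP thresholds miss."""
    sources = defaultdict(set)
    off_hours_hits = defaultdict(int)
    start, end = off_hours  # window wraps midnight, e.g. 22:00-06:00
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["event"] != 4625:
            continue
        sources[ev["user"]].add(ev["src"])
        if ev["ts"].hour >= start or ev["ts"].hour < end:
            off_hours_hits[ev["user"]] += 1
    return {u: {"sources": len(s), "off_hours": off_hours_hits[u]}
            for u, s in sources.items() if len(s) >= min_sources}
```

Pair the distinct-source count with the off-hours count: an account probed from many IPs outside business hours is a strong spray signal even when no single IP ever trips a lockout.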
🇺🇦 Ukraine Launches Dedicated Cyber Command
Ukraine’s Defense Ministry has formally approved the creation of a military cyber branch tasked with both offensive and defensive operations. The move comes amid intensified hybrid warfare targeting Russian logistics and media infrastructure.
Analysts warn that the escalation could trigger retaliatory cyber activity beyond the battlefield — particularly targeting multinational supply chains.
🇳🇱 Netherlands Moves to Block Chinese Semiconductor Decisions
The Dutch government invoked emergency investment screening powers to block governance decisions at Nexperia, a Chinese-owned semiconductor firm. Officials cited “acute risks to technological sovereignty” and national security concerns. This marks the latest example of Europe tightening control over dual-use and semiconductor technology amid fears of Chinese interference.
🧠 James Azar’s CISO Take
The theme of today’s episode is resilience through visibility. From the UK’s new impact-driven approach to Oracle’s emergency patch and SimonMed’s long-tail exposure, it’s clear that cybersecurity has moved beyond prevention — it’s now about response maturity and economic stability. Success isn’t measured by the number of blocked threats, but by how quickly we recover when one lands.
The other major theme is supply chain fragility — whether through Salesforce’s OAuth abuse, NPM phishing, or SonicWall’s backup leak. The new attack surface isn’t just your company; it’s everyone connected to it. As CISOs, we have to stop pretending we can control everything and instead build resilient ecosystems with shared accountability, segmentation, and continuous validation. The future of cybersecurity leadership isn’t about fear — it’s about preparation.
✅ Action Items
🇬🇧 Align board metrics to impact-based resilience models.
☁ Rotate Salesforce OAuth/API keys and revalidate third-party apps.
⚙ Apply Oracle EBS emergency patch (CVE-2025-61884).
🏥 Enforce least-privilege access and vendor isolation in healthcare IT.
🧑‍💻 Implement CI/CD allowlists; block unverified NPM packages.
💡 Audit firmware pipelines for OT-adjacent credential exposure.
🧱 Reset SonicWall VPN credentials; disable WAN access until secured.
🌍 Restrict public RDP; enforce app-based MFA for all remote sessions.
🇳🇱 Monitor for regulatory updates impacting semiconductor supply chains.
And that’s a wrap for today’s show, Security Gang — stay alert, stay resilient, and as always, stay cyber safe! ☕👊