Good Morning Security Gang!
It’s Wednesday, September 17th, 2025, episode 980 of the CyberHub Podcast—and we’re just 20 shows away from the big 1,000. I’ve got my double espresso in hand and a strong lineup of stories that really show the intersection of geopolitics, governance, and pure technical threats.
Today we’re covering Ukraine disrupting Russia’s elections, a historic leak from China’s Great Firewall, new reporting rules in Beijing, school ransomware in Texas, insider and supply chain breaches, malicious AI-powered extensions, and a DoD overhaul of the risk management framework. Let’s get into it.
👀 SHOW Supporters:
Today's episode is supported by our friends at Threat Locker. https://www.threatlocker.com/cyberhub
🇺🇦 Ukraine DDoS Attacks Russian Elections
Ukraine’s military intelligence claimed responsibility for hacking Russia’s Central Election Commission and government services during Russia’s “unified voting day.” The operation briefly disrupted systems in Moscow and in occupied Ukrainian territories. While this may feel like a symbolic victory for Kyiv, I pointed out it could backfire - Putin may simply revert to paper ballots while tightening control.
The real priority, I argued, should be isolating Russia diplomatically and ending the war.
🇨🇳 500GB Great Firewall Data Leak
In what may be the largest leak of its kind, 500–600GB of internal documents from China’s Great Firewall were dumped online. The files reveal operational details, source code, and the role of key Chinese labs in censorship and surveillance. They also confirm exports of surveillance tech to Myanmar, Pakistan, Ethiopia, and Kazakhstan under the Belt and Road framework. I analyzed them safely in a VM and urged anyone reviewing them to do the same. The leak offers an unprecedented view into China’s digital repression machine.
⏱ China’s New “1-Hour Breach Reporting” Rule
China’s Cyberspace Administration rolled out draft regulations requiring operators of critical infrastructure to report major cyber incidents within one hour. That level of urgency, I said, signals Beijing is getting hammered by foreign cyberattacks and needs visibility to respond quickly.
"China's getting hit and they're getting hit significantly to the point where now they're forcing people to report within an hour." James Azar
It’s a stark contrast to Western models like the SEC’s 4-day rule, and reflects China’s authoritarian ability to impose instant compliance.
"Now, if you've ever been part of an event, within the first hour, the last person you want to call is your regulator. You're typically calling your IR team, your forensics, your third party providers, your incident response team." James Azar
🐍 SEO Poisoning Campaign Targets Chinese-Speaking Users
Fortinet researchers discovered an SEO poisoning campaign tricking users into downloading fake apps like Telegram, Chrome, and DeepL Translate. Malicious installers delivered Ghost RAT variants, using anti-analysis techniques and persistence tricks to evade defenses. The campaign targeted Chinese-speaking users—suggesting adversaries are hitting China just as hard as Beijing claims.
🤖 Chinese AI Pen-Testing Tool Raises Alarm
A package called Villager, uploaded to PyPI in July, has racked up 11,000 downloads. Pitched as an AI-powered pen-testing framework, it automates red team workflows. But experts warn it could follow the Cobalt Strike trajectory—legitimate security tools that criminals repurpose. Combined with the rise of HexStrike AI and other offensive AI tooling, the weaponization risk is real.
🏦 Insider Breach at FinWise Bank
FinWise Bank disclosed that a former employee accessed data from its partner American First Finance (AFF), impacting 680,000+ individuals. Information included personal loan details, SSNs, and PII. It’s unclear if the access was malicious or negligent, but affected users get a year of credit monitoring. Another reminder that insider threats remain one of the hardest challenges for CISOs.
🔐 Google Law Enforcement Portal Compromised
Google confirmed attackers created a fraudulent account in its law enforcement request system (LARS). While no data was accessed, the FBI is investigating. Had the attackers succeeded, they could have impersonated law enforcement and accessed sensitive user data. This highlights the risks of even trusted, government-linked portals being abused.
🎓 Uvalde Schools Ransomware Attack
The Uvalde, Texas school district - already scarred by tragedy in 2022 - was hit by ransomware, forcing schools to close until systems are restored.
I called out the systemic issue: schools nationwide are introducing tech without building resilience. Education shouldn’t be for sale to cybercriminals, and CISA must partner with the Department of Education to fix this.
"Our kids aren't up for sale. Their education is not up for sale." - On the Uvalde ransomware attack and the broader crisis facing American schools
💸 Malicious VS Code Extensions Drain Crypto Wallets
Threat group WhiteCobra planted 24 malicious extensions in the VS Code and Open VSX marketplaces. These wallet-draining extensions delivered Lumma Stealer payloads, stealing funds from unsuspecting developers.
Open-VSX (Cursor/Windsurf)
ChainDevTools.solidity-pro
kilocode-ai.kilo-code
nomic-fdn.hardhat-solidity
oxc-vscode.oxc
juan-blanco.solidity
kineticsquid.solidity-ethereum-vsc
ETHFoundry.solidityethereum
JuanFBlanco.solidity-ai-ethereum
Ethereum.solidity-ethereum
juan-blanco.solidity
NomicFdn.hardhat-solidity
juan-blanco.vscode-solidity
nomic-foundation.hardhat-solidity
nomic-fdn.solidity-hardhat
Crypto-Extensions.solidity
Crypto-Extensions.SnowShsoNo
VS Code Marketplace
JuanFBlanco.awswhh
ETHFoundry.etherfoundrys
EllisonBrett.givingblankies
MarcusLockwood.wgbk
VitalikButerin-EthFoundation.blan-co
ShowSnowcrypto.SnowShoNo
Crypto-Extensions.SnowShsoNo
Rojo.rojo-roblox-vscode
The same group stole $500,000 in July via fake Cursor editor extensions. Open-source ecosystems remain high-value targets.
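For the "vet VS Code/Cursor extensions" action item, here is an added example (not code from the podcast, from Koi Security, or from any vendor report) that checks an editor's installed-extension listing against the identifiers listed above. It assumes the plain output of `code --list-extensions --show-versions` (or the equivalent `cursor` CLI, assumed to accept the same flags), one `publisher.name@version` per line; the sample listing in the block is constructed, and the identifier list is copied verbatim from the show notes. Matching is case-insensitive because marketplace identifiers are.

```python
"""Audit a VS Code / Cursor extension listing against the WhiteCobra
extension identifiers named in the show notes (added example, not the
podcast's or any vendor's code).
"""
import subprocess
import sys

# Identifiers copied from the show notes above, keyed by the marketplace
# they were reported in. Duplicates in the source list collapse on indexing.
WHITECOBRA_IDS = {
    "open-vsx": [
        "ChainDevTools.solidity-pro", "kilocode-ai.kilo-code",
        "nomic-fdn.hardhat-solidity", "oxc-vscode.oxc", "juan-blanco.solidity",
        "kineticsquid.solidity-ethereum-vsc", "ETHFoundry.solidityethereum",
        "JuanFBlanco.solidity-ai-ethereum", "Ethereum.solidity-ethereum",
        "juan-blanco.solidity", "NomicFdn.hardhat-solidity",
        "juan-blanco.vscode-solidity", "nomic-foundation.hardhat-solidity",
        "nomic-fdn.solidity-hardhat", "Crypto-Extensions.solidity",
        "Crypto-Extensions.SnowShsoNo",
    ],
    "vscode-marketplace": [
        "JuanFBlanco.awswhh", "ETHFoundry.etherfoundrys",
        "EllisonBrett.givingblankies", "MarcusLockwood.wgbk",
        "VitalikButerin-EthFoundation.blan-co", "ShowSnowcrypto.SnowShoNo",
        "Crypto-Extensions.SnowShsoNo", "Rojo.rojo-roblox-vscode",
    ],
}


def normalize(ext_id):
    """Marketplace ids are case-insensitive, so compare lower-cased and stripped."""
    return ext_id.strip().lower()


def build_index(ioc_lists=WHITECOBRA_IDS):
    """Map each normalized id to the set of marketplaces it was reported in."""
    index = {}
    for market, ids in ioc_lists.items():
        for ext_id in ids:
            index.setdefault(normalize(ext_id), set()).add(market)
    return index


def find_flagged(listing, index=None):
    """Return [(installed id, sorted marketplaces)] for every listed id in the IoC set.

    `listing` is the text printed by `code --list-extensions [--show-versions]`:
    one id per line, optionally suffixed with @version.
    """
    if index is None:
        index = build_index()
    hits = []
    for line in listing.splitlines():
        ext_id = line.strip()
        if not ext_id or ext_id.startswith("#"):
            continue
        ext_id = ext_id.split("@", 1)[0]  # drop the @version suffix if present
        markets = index.get(normalize(ext_id))
        if markets:
            hits.append((ext_id, sorted(markets)))
    return hits


# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = """\
ms-python.python@2025.1.0
esbenp.prettier-vscode@11.0.0
crypto-extensions.snowshsono@1.0.3
Rojo.rojo-roblox-vscode@2.3.1
"""


def audit_local(editor_cli="code"):
    """Run the editor CLI and audit its live listing; None if the CLI is unavailable."""
    try:
        out = subprocess.run(
            [editor_cli, "--list-extensions", "--show-versions"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return find_flagged(out)


if __name__ == "__main__":
    # Pipe a listing in (`code --list-extensions | python audit.py`) or
    # run without stdin to exercise the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for ext_id, markets in find_flagged(text):
        print(f"FLAGGED {ext_id} (reported in: {', '.join(markets)})")
```

Running it on the constructed sample flags the two planted ids and ignores the rest; pointing `audit_local("cursor")` at a Cursor install is the same check against Open VSX, which is where the Cursor/Windsurf variants were published. Removal of a flagged extension is only the first step: the Lumma Stealer payload described above runs outside the editor, so a hit should be handed to the normal stealer-response playbook (credential rotation, wallet moves, host triage).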
🛡 DoD’s Risk Management Framework Overhaul
The Pentagon is preparing to unveil its new “Ten Commandments” of RMF, replacing the outdated 2019 framework. Goals include continuous monitoring, eliminating the “two-year valley of death” between approvals, and integrating fast-track software accreditation. This is part of the DoD’s Software Fast Track initiative, signaling a move to modernize cyber governance for defense contractors.
🧠 James Azar’s CISO Take
The running theme today is resilience and governance under pressure. Ukraine’s DDoS, China’s Great Firewall leak, insider threats at FinWise, and ransomware hitting Uvalde schools all show the fragility of critical systems—whether political, financial, or educational. We can’t treat resilience like a buzzword. It means segmentation, backups, and governance that don’t collapse under stress.
The second theme is AI weaponization and offensive cyber. From Villager to HexStrike AI, attackers are already experimenting with automation in ways defenders aren’t ready for. Meanwhile, the Pentagon and CISA are pivoting toward modernization and offense. CISOs must align business resilience with this broader geopolitical strategy—because the battlefield is no longer just IT; it’s everywhere data lives.
✅ Action Items
🌐 Monitor fallout from China’s Great Firewall leak; analyze safely in isolated VMs.
🛡 Patch and harden against SEO poisoning campaigns delivering Ghost RAT.
⏱ Prepare for shorter breach reporting timelines—China’s “1-hour rule” may foreshadow global shifts.
🔐 Audit insider access policies—ensure post-employment data lockouts.
📊 Monitor for fraudulent law enforcement requests; validate portals.
🎓 Support stronger resilience in school IT environments—federal & state coordination needed.
🐍 Vet VS Code/Cursor extensions before install; monitor for Lumma Stealer activity.
🏛 Track DoD’s new RMF Ten Commandments—contractor compliance will change.