Good Morning Security Gang
Welcome back to the CyberHub Podcast. We are just thirteen days into the new year, and wow — it’s already chaos in cyberland. No rest for the weary, but hey, that’s job security for us defenders.
So grab that Lavazza espresso (mine’s been chilling in the fridge — pro tip: keeps it fresh), coffee cup cheers y’all, and let’s get right into today’s stacked show.
University of Hawaii Cancer Center Hit by Ransomware
We begin with a story that hits hard — the University of Hawaii Cancer Center suffered a ransomware attack impacting research and coordination systems
The attackers reportedly accessed clinical data, research material, and some personal information, delaying trials and billing processes.
The university made the difficult decision to pay the ransom, securing a decryptor and the deletion of stolen data. I’ve said it before — I’m against paying ransoms as a rule. But when lives are on the line, like in cancer research, it’s not black and white.
As I said on air:
“It takes a special kind of scum to hit a cancer center — but it takes even more courage for leadership to make the hard call when patients’ lives depend on uptime.”
The takeaway for healthcare and research institutions: backup resilience isn’t enough — data segmentation and vendor network hygiene are non-negotiable.
Spanish Energy Giant Endesa Suffers Major Data Breach
Spain’s largest utility provider, Endesa, confirmed a massive customer data breach after attackers accessed contract and payment records, including IBANs (bank account identifiers)
IBAN data is highly exploitable — threat actors can use it for fraudulent transfers, identity theft, and SIM-swapping campaigns. Early estimates suggest over one terabyte of data is being sold on dark web forums.
For European listeners: go to your bank and change your IBAN number immediately if you’re an Endesa customer. As I said:
“No one’s ever lost sleep from changing an IBAN, but you’ll lose a lot of it if your account gets hijacked.”
Expect GDPR regulators in Spain to come down hard on Endesa over segmentation failures and unencrypted database access.
Target Dev Server Taken Offline After Alleged Source Code Leak
Target is investigating claims that attackers breached a development server, stealing internal source code and configurations
Screenshots shared on hacking forums show repositories named Wallet Service, Gift Card UI, Target IDM, and Store Lab WAN. While it wasn’t production data, dev servers often hold real tokens, API keys, and credentials.
As I said: “Dev environments are the new beachheads. They’ve got prod-level secrets and zero prod-level protection.”
Target’s Git server is now offline and locked down, but this incident should remind every company — even development needs VPN access control and CI/CD key rotation.
Russia’s Fancy Bear Targets Energy and Research Collaboration
Russia’s APT28 (Fancy Bear) is back, targeting energy, defense, and research partnerships across Europe and Central Asia
Using phishing and OAuth abuse, the group impersonated Outlook Web Access (OWA) portals and hosted spoofed PDFs via webhook.site and ngrok tunnels. Their goal: credential harvesting and research espionage.
If your organization deals with international joint projects, implement conditional access policies, IP allowlists, and device posture management immediately.
These campaigns show that Russia is still prioritizing long-term espionage over smash-and-grab ransomware.
Feds Order Patch for Google RCE Zero-Day (CVE-2025-8110)
The U.S. government has ordered all federal agencies to patch a remote code execution (RCE) vulnerability in Gogs, a Git-based development platform written in Go.
This zero-day allows authenticated attackers to bypass directory restrictions via symbolic links, achieving file overwrite and RCE.
Admins should:
Rotate repository keys and deploy tokens.
Enable server-side secret scanning.
Monitor for new or suspicious webhooks.
This is part of a broader trend — attackers targeting open-source collaboration tools used across enterprises.
Instagram Patches Password Reset Exploit
Meta has fixed an Instagram vulnerability that allowed threat actors to trigger mass password reset emails for user accounts
The exploit was likely related to automation around reset token requests — enabling threat actors to flood user inboxes with fake alerts.
Instagram insists no accounts were compromised, but this is the second Instagram-related issue in as many days.
Brand managers should review their Meta Business MFA settings and token revocation policies — because at this pace, social engineering is just one spam wave away.
Facebook OAuth Phishing Uses “Browser-in-the-Browser” Trick
Threat actors are deploying browser-in-the-browser (BITB) phishing attacks targeting Facebook and Steam OAuth tokens
These pop-ups look pixel-perfect, tricking users into authenticating through what appears to be Facebook — even stealing MFA codes.
Defenses include:
Passkeys or hardware MFA.
Fresh-tab login redirects.
Blocking third-party cookie access for risky applications.
As I said: “If it pops up inside your browser, assume it’s fake — open a new tab, don’t take the bait.”
LLMs in the Crosshairs: AI Becomes a New Attack Vector
Attackers are now weaponizing Large Language Models (LLMs) by feeding them malicious prompts that trigger data exfiltration and lateral movement
A recent honeypot experiment recorded 91,000 attack sessions where threat actors used VPS-based infrastructure to exploit AI tools with sensitive retrieval plugins.
Defenders should:
Treat model inputs as untrusted.
Constrain retrieval and output actions.
Implement human-in-the-loop approvals for AI automation.
AI is officially part of the attack surface now — and CISOs must start treating it that way.
n8n Supply-Chain Abuse Expands
The n8n workflow platform is once again under fire after attackers uploaded eight malicious NPM packages disguised as official integrations
These packages target developers’ OAuth credentials, giving attackers access to connected enterprise tools.
Organizations should:
Update to the latest release.
Hide admin UIs behind VPN.
Rotate all stored API credentials.
Audit workflows for odd outbound traffic.
Low-code tools simplify workflows — and attackers know that means they simplify compromise too.
Dutch Hacker Sentenced for Hacking Port to Smuggle Cocaine
In one of the wildest stories of the week, a Dutch court sentenced a 44-year-old man to seven years in prison for hacking the port of Antwerp to smuggle 210 kilograms of cocaine
He persuaded a terminal worker to insert a malware-loaded USB drive into port systems, creating a backdoor that allowed traffickers to move containers without inspection.
It’s a stark reminder that cybercrime is now an enabler of traditional smuggling — a merger of tech skill and cartel cash.
Action List
🏥 Segment healthcare data and test ransomware tabletop scenarios quarterly.
⚡ Change IBANs if affected by the Endesa breach — don’t wait for fraud.
💻 Lock down dev servers and rotate API keys regularly.
🇷🇺 Harden conditional access for organizations with international collaboration.
🧩 Patch Gogs immediately — and restrict repo exposure.
📱 Revoke old social media tokens and enforce MFA for all business accounts.
🔐 Adopt passkeys and educate users about browser-in-the-browser scams.
🤖 Implement AI governance frameworks for all LLM integrations.
⚙️ Update n8n installations and review automation logs.
🚢 Audit physical access workflows in logistics and port operations.
James Azar’s CISO’s Take
Today’s episode underscores what 2026 is shaping up to be — the year where ethics, operations, and technology collide. When you’re hitting cancer centers and smuggling cocaine through hacked ports, it’s not just cyber risk — it’s societal decay powered by technology.
My biggest takeaway? Cybersecurity isn’t just IT risk anymore — it’s human risk. From Endesa’s banking chaos to AI’s growing exposure, this job now lives at the intersection of security, ethics, and survival. CISOs aren’t gatekeepers — we’re navigators in a storm where every system, every person, and every click matters.
Stay alert, stay caffeinated, and as always — stay cyber safe.
