CISO Talk by James Azar
CyberHub Podcast
UPenn Oracle EBS Breach, North Korea Steals $30M in Crypto, and Shai Hulud 2.0 Exposes 400,000 Developer Secrets

University of Pennsylvania Hit Again by Oracle EBS Attack While North Korean Lazarus Group Targets South Korean Crypto Exchange and Self-Propagating NPM Malware Harvests Developer Credentials at Scale

Good Morning Security Gang

I hope everyone’s doing great this Wednesday morning. From the bunker and studio, we’ve got a packed show that covers the global threat landscape — from North Korea’s latest crypto heist to Android zero-days, and even AI-driven phishing campaigns that are hijacking business ad accounts.

Before we dive in, you know the tradition: espresso time. After a fancy dinner last night, I was served cold espresso — which is a crime in my book — so today I’m making up for it with a double shot.

Coffee cup cheers, y’all. Let’s get into it.

University of Pennsylvania Confirms Oracle EBS Breach

The University of Pennsylvania (UPenn) has confirmed that it was affected by the Oracle E-Business Suite (EBS) exploit — the same attack chain behind recent corporate extortion waves. This incident is separate from the university’s alumni data breach earlier this year.

Attackers exploited an unpatched Oracle EBS instance to exfiltrate employee, vendor, and payment data, creating potential for invoice fraud and spear phishing. The scale of the attack suggests this may be part of a broader campaign targeting higher education ERP systems.

For defenders, this means tightening ERP workflows:

  • Restrict EBS access via VPN and IP allowlists.

  • Rotate service accounts, API keys, and SFTP credentials.

  • Add detection for bulk data exports and new admin creation.

When universities like UPenn keep getting hit, it’s a symptom of what I call “legacy system fatigue.” The systems are too critical to decommission but too old to defend easily.

North Korea Blamed for $30M Crypto Exchange Hack

South Korean authorities have confirmed that North Korea’s Lazarus Group is behind a $30 million cryptocurrency theft from the Upbit exchange. The attack used a familiar playbook — social engineering, seed phrase theft, and rapid laundering through OTC channels.

The breach came just one day after Korean tech giant Naver finalized a $10 billion acquisition of a crypto platform, raising fears of broader financial targeting. Investigators say the operation matched the revenue-generation model North Korea relies on to fund its weapons programs.

Upbit has promised to reimburse all losses, but this continues the trend of crypto confidence erosion. If you’re in Web3, you’re in DPRK’s crosshairs. This isn’t a one-off — it’s a sustained economic warfare campaign.

“If you’re in the crypto world, you’re already on North Korea’s radar — this isn’t random theft, it’s a state-run revenue stream.” James Azar

Shai Hulud 2.0 Exposes 400,000 Developer Secrets

The Shai Hulud 2.0 malware campaign has unleashed chaos across the developer ecosystem, compromising over 30,000 GitHub repositories and leaking 400,000 secrets — including SSH keys, tokens, and cloud credentials.

The malware propagated through malicious NPM packages, using typosquatting and impersonation to infiltrate CI/CD pipelines. Once installed, it harvested environment variables, GitHub credentials, and private package data — some of which are still valid.

Defensive action items:

  • Quarantine any systems that downloaded compromised packages.

  • Rotate all tokens and SSH keys.

  • Use vault-managed secrets with short TTLs.

  • Pin dependency versions and restrict package installs to vetted mirrors.
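
One way to check a project against the last two items (pinned versions, installs only from a vetted mirror) is to audit package.json and the lockfile before CI runs npm install. This is an added example, not code from the podcast or from any project it covers; the mirror URL and the sample manifest and lockfile are constructed, and the install-script check is an extra signal added here because the page describes credential harvesting happening at install time.

```javascript
// Added example (not from the podcast or any project it covers): audit an npm
// project for pinned versions and a vetted registry mirror. The registry URL
// and the sample package.json / package-lock.json below are constructed.
const VETTED_REGISTRY = "https://npm-mirror.example.internal/"; // assumed mirror

// Exact-version pin: major.minor.patch with optional prerelease/build tag.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// package.json: any range (^, ~, >=, *), dist-tag, or git/http URL is unpinned.
function findUnpinned(pkgJson) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkgJson[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2/3 "packages" map): every entry with a
// resolved tarball URL must come from the vetted mirror. Entries that declare
// install scripts are reported as well, since install-time hooks are where
// credential harvesting runs.
function findUnvetted(lockJson, registry = VETTED_REGISTRY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockJson.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, ""); // keeps @scope/name
    if (entry.resolved && !entry.resolved.startsWith(registry)) {
      findings.push({ name, reason: "off-mirror", resolved: entry.resolved });
    }
    if (entry.hasInstallScripts) findings.push({ name, reason: "install-scripts" });
  }
  return findings;
}

// Constructed sample input: one pinned dep, one caret range, and a lockfile
// entry fetched from the public registry that also runs install scripts.
const SAMPLE_PKG = { dependencies: { lodash: "4.17.21", "left-pad": "^1.3.0" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/lodash": { version: "4.17.21", resolved: VETTED_REGISTRY + "lodash/-/lodash-4.17.21.tgz" },
    "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", hasInstallScripts: true },
  },
};

// Returns both finding lists; a CI gate would fail the build when either is non-empty.
function runAudit() {
  return { unpinned: findUnpinned(SAMPLE_PKG), unvetted: findUnvetted(SAMPLE_LOCK) };
}
```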

This attack shows how quickly supply-chain malware evolves — and how little margin for error exists in developer ecosystems.

Android December Patch Fixes Two Actively Exploited Zero-Days

Google’s December 2025 Android security update patched two actively exploited zero-days:

  • CVE-2025-48633 (privilege escalation in the Framework)

  • CVE-2025-48572 (WebView/Chromium drive-by exploit)

Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog within hours of disclosure. The update also addressed seven additional critical bugs affecting the Android kernel and Qualcomm components.

Fun fact: Israel recently banned Android devices for all military leadership due to ongoing Iranian targeting campaigns — showing how serious these exploits have become in nation-state espionage.

If your teams rely on BYOD or Android fleet devices, push these patches immediately.

Iranian Hackers Phish Israel and Egypt with MuddyViper Malware

Researchers at ESET uncovered a long-term Iranian phishing campaign targeting Israel and Egypt’s tech, local government, and manufacturing sectors. The group, linked to Iran’s Ministry of Intelligence, deployed a new backdoor called MuddyViper that can steal credentials, exfiltrate files, and execute shell commands.

What’s notable is how they used Telegram and Discord for command-and-control — proof that consumer apps have become covert channels for cyber operations. The campaign lasted nearly six months, blending fake document decoys and social engineering with precision.

If your organization operates in the Middle East, assume persistence and cross-border exposure. Implement geo-aware MFA, monitor exfiltration anomalies, and block non-corporate communication apps from sensitive networks.

North Korea’s “IT Worker Scam” Targets Western Firms

North Korean hackers are now renting the identities of Western software engineers to secure remote jobs at major tech companies.

In exchange for 20–35% of contract payments, these “identity brokers” allow DPRK operatives to pass verification checks and gain legitimate employment under fake names. Once hired, they can access source code, infrastructure credentials, and client networks.

“Warning: you will get found, you will get arrested, you will go to jail. Not worth it. Don’t do it. And don’t hire someone who doesn’t show up on camera. Also, kind of important.” James Azar

These actors use AI-generated deepfake interviews and voice synthesis tools to evade detection. If you’re hiring contractors remotely and they refuse to appear on video, you may be onboarding a state-backed spy.

Ukraine-Aligned Hackers Breach Russian Aerospace Firms

Pro-Ukrainian groups claim to have infiltrated multiple Russian aerospace organizations, exfiltrating sensitive engineering data.

These operations mix hack-and-leak tactics with denial-of-service attacks designed to cripple production lines. Analysts view these campaigns as “pre-ceasefire leverage” — an attempt by Ukraine to force favorable negotiations by demonstrating continued offensive capability.

Companies with supply-chain exposure to Russian firms should anticipate retaliatory phishing and vendor impersonation attempts.

Fortinet FortiWeb Vulnerability Under Active Exploitation

Researchers have confirmed that two critical FortiWeb flaws, CVE-2025-64446 and CVE-2025-58034, are being actively exploited in the wild.

These bugs allow for unauthenticated command injection and bypass of administrative authentication, enabling attackers to hijack devices, steal credentials, and pivot internally.

Fortinet has issued patches for supported versions, but older builds remain vulnerable. Internet-facing FortiWeb appliances should be immediately upgraded or segmented behind firewalls.

AI-Powered Phishing Campaign Targets Google and Facebook Ads

Threat actors are now exploiting Calendly meeting invites and OAuth SSO flows to steal credentials for Google and Meta ad manager accounts.

The phishing emails — crafted with ChatGPT and AI code generation tools — impersonate over 75 global brands and redirect users to adversary-in-the-middle (AitM) pages that harvest authentication tokens.

This is a high-value pivot: attackers aren’t just stealing access; they’re running scam ad campaigns using victims’ budgets. Defenders should:

  • Enforce browser isolation for OAuth workflows.

  • Restrict third-party calendar and scheduling integrations.

  • Educate marketing teams — they’re now prime targets.

Action List

  • 💰 Monitor crypto transactions for laundering patterns tied to DPRK wallets.

  • 💻 Rotate developer secrets and implement vault-based credential storage.

  • 📱 Patch Android devices — zero-days are already weaponized.

  • ☁️ Block Discord/Telegram traffic in enterprise environments.

  • 🧑‍💼 Verify all remote hires with video identity validation.

  • 🧱 Patch FortiWeb immediately and review segmentation.

  • 🎣 Train staff on OAuth phishing and AI-crafted lures.

  • 🧩 Harden CI/CD pipelines and restrict unverified NPM packages.


James Azar’s CISO’s Take

What ties all of today’s stories together is the fusion of human trust and machine automation. From AI-generated phishing campaigns to deepfake job scams, attackers are turning automation into deception — and it’s working. The weakest link isn’t the system; it’s the assumption that the person on the other end of the screen is who they say they are.

My biggest takeaway? The new frontier of cybersecurity is identity resilience. Whether it’s verifying developers, detecting AI-crafted content, or authenticating enterprise users, trust verification is now core to risk management. We can’t patch people, but we can validate every interaction, automate trust boundaries, and keep humans accountable in the age of AI-driven deception.

“ARR Became King” – I’m going right at the subscription model that a lot of cybersecurity vendors are going after and how it has led to the budget crisis that CISOs have been experiencing over the last several years, especially heading into a flat budget year for many, many CISOs. In fact, a lot of the surveys I’ve seen from some of the largest companies say maybe 10% of CISOs are actually getting a budget increase. Almost everyone else is flat or under. So that just tells you optimization is there and the subscription model is broken, and vendors and security partners should be working with CISOs in order to find a path forward. So there’s that. Go check that out, cyberhubpodcast.com. Thank you all for tuning in this morning.

Stay sharp, stay caffeinated, and as always — stay cyber safe.
