CISO Talk by James Azar
CyberHub Podcast
When Critical Infrastructure Suppliers Get Hit – Schneider Electric Ransomware, Apache Tomcat RCE Under Attack, and CISA's Urgent Call to Action

Dentsu data breach fallout, Schneider Electric and Emerson named in Oracle hack, Apache Tomcat RCE flaw, and CISA’s active exploit warnings

Good Morning Security Gang

Good morning, Security Gang — James Azar here, and welcome back to the CyberHub Podcast, Episode 1002! Monday marked our 1,000th episode milestone, and I can’t thank y’all enough for the incredible outpouring of support, comments, and messages. You keep me going every morning — and trust me, with today’s packed lineup, I needed my double espresso more than ever.

We’ve got data breaches, nation-state operations, and some much-needed FCC action against robocalls. Let’s jump right in — coffee cup cheers, Security Gang!

Dentsu Confirms Data Breach at Merkle Subsidiary

We start with Dentsu, which confirmed a data theft at its U.S. subsidiary Merkle. The breach involved the exfiltration of files containing client, supplier, and employee data, including payroll, banking, and National Insurance details. While some systems were proactively shut down, this incident highlights supply-chain vulnerabilities in marketing and ad tech ecosystems.

Practitioners should note: this kind of third-party breach creates cascading risks — from business email compromise to fraudulent vendor banking changes. Immediate mitigations include rotating API and SFTP keys, enabling VIP watch lists for vendor payments, and tightening financial change control policies to detect tampering early.

Schneider Electric and Emerson Named in Oracle Hack

The Oracle E-Business Suite (EBS) campaign continues to widen, with Schneider Electric and Emerson now officially listed as victims by the Clop/FIN11 group. The leaked data includes engineering documents, supplier communications, and contractual records, posing high-value risks for intellectual property theft and targeted phishing.

If your organization runs Oracle EBS and hasn’t patched yet — stop reading and patch now. Update WAF rules, rotate integration secrets, and check for unusual data pulls or downloads from EBS servers. Remember, these systems often connect deep into procurement and finance operations — making them treasure troves for attackers.

HSBC Denies Breach Claims After Threat Actor Post

Threat actors are claiming to have breached HSBC USA, alleging access to customer financial records. HSBC has publicly denied any compromise, and investigators are currently reviewing the claims. This follows a familiar pattern — similar to the Gmail “breach” hoax last week — where cybercriminals post exaggerated or fabricated leaks for credibility clout.

The key takeaway: treat all “breach” claims with skepticism until confirmed, but always review your fraud-monitoring controls, customer notification templates, and third-party vendor incident response playbooks. Sometimes the claim itself, even if false, sparks phishing and social engineering campaigns.

F5’s Nation-State Breach Impacts Business Forecast

F5 Networks has disclosed that its nation-state breach — where attackers accessed engineering environments — is now hurting its sales pipeline. The company warned investors that growth may flatten for 2026, as customers delay renewals and new deals amid trust concerns.

“Reputation is a security control — once it’s compromised, no patch can fix it.” James Azar

Unlike Microsoft’s near-immunity to post-attack revenue dips, F5’s smaller market and security-focused brand mean customers expect perfection. This story underscores how reputation risk can quickly translate into financial damage for security vendors. F5 insists no source code tampering occurred, but the hesitation in the market tells another story.

Russia’s “Living Off the Land” Tactics in Ukraine

Russia-linked actors are increasingly using built-in administrative tools and Windows features to maintain stealthy persistence across Ukrainian networks — classic “living off the land” techniques. Instead of deploying malware, they’re abusing legitimate utilities like PowerShell and Task Scheduler to avoid detection.

“Living off the land isn’t a technique anymore; it’s the attacker’s full-time job description.” James Azar

This mirrors Sandworm’s known tactics and signals a broader evolution toward malware-less intrusion. Defenders should enhance behavioral EDR telemetry, enforce just-in-time and just-enough admin rights, and monitor execution chains for lateral movement patterns. This is where defense-in-depth stops being a buzzword and starts being survival.
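To make "monitor execution chains" concrete, here is an added example that is not part of the episode notes: a small Python detector run over constructed process-creation records laid out in a flattened, Sysmon-like `key=value|key=value` format. The field names, the sample lines, the rule names and the thresholds are all assumptions for the example; in practice you would feed Sysmon Event ID 1 or Security 4688 events from your SIEM into the same rules and tune them to what is normal on your estate.

```python
import re

# Constructed sample process-creation records in a Sysmon-like "key=value|key=value"
# layout. Invented for this example; they are not logs from any real incident.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe notes.txt|User=CORP\\alice",
    "ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc QQBCAEMA|User=CORP\\bob",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\schtasks.exe"
    "|CommandLine=schtasks /create /sc minute /mo 5 /tn Updater"
    " /tr C:\\Users\\Public\\u.exe /ru SYSTEM|User=CORP\\bob",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=svchost.exe -k netsvcs|User=NT AUTHORITY\\SYSTEM",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|CommandLine=wmic /node:fileserver01 process call create \"cmd.exe /c whoami\""
    "|User=CORP\\bob",
]

# Parents that should rarely, if ever, spawn a shell or script host.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# PowerShell switches commonly used to hide or obfuscate a command line.
ENCODED_PS = re.compile(
    r"\s-(?:enc|encodedcommand|e)\b|\s-w(?:indowstyle)?\s+hidden|\s-nop(?:rofile)?\b"
)


def parse_event(line: str) -> dict:
    """Split one flattened 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()

    # Rule 1: PowerShell launched with hidden-window or encoded-command switches.
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        hits.append("hidden_or_encoded_powershell")

    # Rule 2: an Office application spawning a shell or script host.
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawned_shell")

    # Rule 3: scheduled task created to run as SYSTEM or from a user-writable path.
    if image == "schtasks.exe" and "/create" in cmd:
        if "/ru system" in cmd or "\\users\\" in cmd or "\\programdata\\" in cmd:
            hits.append("scheduled_task_persistence")

    # Rule 4: WMI used to start a process on another host (lateral movement pattern).
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        hits.append("remote_process_creation")

    return hits


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """Run every rule over every record; return (record index, rule name) pairs."""
    findings = []
    for index, line in enumerate(lines):
        for rule in evaluate(parse_event(line)):
            findings.append((index, rule))
    return findings


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule} :: {SAMPLE_EVENTS[index].split('|')[2]}")
```

The value of this style of rule is that it keys on the parent/child relationship and the switches, not on a file hash, which is exactly what a malware-less intrusion leaves you to work with. Expect rules 1 and 3 to need exclusions for legitimate management tooling before they are promoted to alerting.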

Apache Tomcat RCE Vulnerabilities — Patch Now

Two critical Apache Tomcat vulnerabilities — CVE-2025-55752 (directory traversal and potential remote code execution) and CVE-2025-55754 (log escape injection) — are being actively exploited. The flaws affect versions 9, 10, and 11.

Admins should upgrade immediately to patched builds (9.0.110, 10.1.45, 11.0.11), disable HTTP PUT, lock down web roots, and deploy WAF rules to block traversal patterns. These RCEs are already in attacker playbooks — and exploitation is trivial once exposed endpoints are identified.
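Two of the checks above are easy to script. As an added example that is not part of the episode notes and not Apache's own tooling, the Python below (a) compares a Tomcat version string against the fixed builds named above and (b) flags request paths that carry traversal patterns after full percent-decoding, the kind of check a WAF rule or access-log sweep would perform. The sample paths are constructed, and the rule names are my own; the version policy assumes any release on or after the fixed build of the same major line is patched.

```python
import re
from urllib.parse import unquote

# Fixed builds for each supported major line, as listed in the notes above.
PATCHED = {9: (9, 0, 110), 10: (10, 1, 45), 11: (11, 0, 11)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> bool:
    """True when the build is at or above the fixed release for its major line.

    A major line with no fixed build in PATCHED (e.g. end-of-life 8.5) and the
    10.0.x line, which is not the 10.1 line, both report False.
    """
    parsed = parse_version(version)
    fixed = PATCHED.get(parsed[0])
    return fixed is not None and parsed >= fixed


# A '..' segment, including Tomcat's path-parameter form '/..;/'.
DOT_DOT = re.compile(r"(^|/)\.\.(/|$|;)")
RESERVED_DIRS = {"WEB-INF", "META-INF"}


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoding is undone."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_suspect(raw_path: str) -> list[str]:
    """Return the reasons a request path looks like a traversal attempt."""
    reasons = []
    once = unquote(raw_path)
    full = decode_fully(raw_path)
    if full != once:
        # Needed more than one decoding pass: a classic filter-evasion sign.
        reasons.append("multi_encoded")
    normalised = full.replace("\\", "/")
    if DOT_DOT.search(normalised):
        reasons.append("dot_dot_segment")
    if any(segment.upper() in RESERVED_DIRS for segment in normalised.split("/")):
        reasons.append("reserved_directory")
    return reasons


if __name__ == "__main__":
    for version in ("9.0.109", "9.0.110", "10.0.27", "10.1.45", "11.0.11"):
        print(version, "patched" if is_patched(version) else "UPGRADE")
    # Constructed sample request paths, not taken from any real access log.
    for path in ("/app/index.jsp",
                 "/app/%2e%2e/%2e%2e/WEB-INF/web.xml",
                 "/app/%252e%252e/conf",
                 "/app/..;/manager/"):
        print(path, traversal_suspect(path) or "ok")
```

On the "disable HTTP PUT" point: Tomcat's DefaultServlet only honours PUT and DELETE when its `readonly` init parameter is set to `false` in `conf/web.xml`; the shipped default is `true`, so the check there is simply that nobody has flipped it. The path check is a compensating control for the window before you can upgrade, not a replacement for the fixed builds.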

CISA Adds Dassault Exploits to KEV Catalog

CISA has issued new warnings, adding Dassault Systemes vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Attackers are abusing these flaws for initial access and privilege escalation in enterprise environments. CISA recommends upgrading to patched versions (R2020–R2025), restricting application access by network policy, and monitoring for new admin account creation or API endpoint abuse.

Malicious npm Packages Target Developer Credentials

Ten newly discovered malicious npm packages are stealing developer credentials across Windows, macOS, and Linux. The packages exfiltrate authentication tokens, build secrets, and API keys — setting the stage for supply chain poisoning and repository hijacking.

Developers should enforce package allowlisting, rotate personal access tokens (PATs), quarantine suspect packages, and restrict CI/CD environments from connecting to unknown repos. Package trust has become a security control — not a developer convenience.
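Package allowlisting is a policy, but it is one you can enforce in CI. The Python below is an added example (not from the episode and not an npm feature): it audits a constructed `package.json` against an allowlist of approved package names and exact versions, flags version ranges that let a new release slip in unreviewed, and reports install-time lifecycle hooks, which are the usual place a malicious package runs its credential stealer. The allowlist contents and the sample manifest, including the package name `example-typo-pkg`, are invented for the example.

```python
import json
import re

# Approved package -> set of approved exact versions. Constructed for the example.
ALLOWLIST = {
    "express": {"4.19.2", "4.21.0"},
    "lodash": {"4.17.21"},
    "jest": {"29.7.0"},
}

# Constructed sample manifest; 'example-typo-pkg' is an invented name.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "scripts": {"postinstall": "node setup.js", "test": "jest"},
    "dependencies": {
        "express": "4.19.2",
        "lodash": "^4.17.21",
        "example-typo-pkg": "1.0.3",
    },
    "devDependencies": {"jest": "29.7.0"},
})

# npm runs these automatically during install (or during publish, for prepare).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PINNED = re.compile(r"^\d+\.\d+\.\d+$")


def audit_dependencies(package_json_text: str, allowlist: dict) -> list[tuple[str, str]]:
    """Check every declared dependency against the allowlist.

    Returns (package, finding) pairs; an empty list means every dependency is
    an approved package at an approved, exactly pinned version.
    """
    manifest = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))

    findings = []
    for name, spec in sorted(declared.items()):
        if name not in allowlist:
            findings.append((name, "not_allowlisted"))
        elif not PINNED.match(spec):
            # '^', '~', '*', 'latest', git/http specs: resolution can change under you.
            findings.append((name, "unpinned_version"))
        elif spec not in allowlist[name]:
            findings.append((name, "version_not_approved"))
    return findings


def install_hooks(package_json_text: str) -> list[tuple[str, str]]:
    """List lifecycle scripts that would execute at install time."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return [(hook, "lifecycle_script") for hook in LIFECYCLE_HOOKS if hook in scripts]


def audit(package_json_text: str, allowlist: dict) -> list[tuple[str, str]]:
    """Full report for one manifest: dependency findings, then install hooks."""
    return audit_dependencies(package_json_text, allowlist) + install_hooks(package_json_text)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_PACKAGE_JSON, ALLOWLIST):
        print(f"{finding:22} {subject}")
```

Run `audit_dependencies` on the project's own manifest and `install_hooks` on every `node_modules/*/package.json` after a lockfile-only install; a hook in a third-party package is the thing to look at. Installing with npm's `--ignore-scripts` flag in CI stops those hooks from running at all, which is the cheapest mitigation while the allowlist is being built out.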

North Korea Tops Nation-State Cyber Activity

A new Trellix report ranks North Korea as the leading nation-state threat actor of Q3 2025, outpacing Russia and China. Their campaigns blend crypto theft, espionage, and defense supplier infiltration, with growing focus on fintech and developer environments. Expect persistent attacks targeting source code management, build systems, and cryptocurrency wallets across both public and private sectors.

Myanmar’s Cyber Scam Compounds Collapse

In one of the wildest developments of the week, over 1,500 people escaped Myanmar scam compounds near the Thai border after the army demolished several buildings used by cyber slavery operations. These criminal networks have trafficked workers under false job offers, forcing them into global phishing and crypto scams.

Thailand’s response, alongside Myanmar’s raids, is a sign that regional kinetic responses to cybercrime are increasing — a controversial but effective approach. As I said on the show, “There’s nothing wrong with a little force against cyber scammers when you’re dealing with modern-day slavery.”

FCC Cracks Down on Robocalls

Finally, the FCC approved new rules expanding carrier accountability for illegal robocalls. This will close loopholes that attackers exploited for OTP interception and MFA fatigue scams. Carriers will now need to verify international call origins and prevent misuse of U.S. area codes. It’s a long-overdue move that could significantly reduce one of the biggest enablers of phishing and fraud.

Action List

  • 🔒 Rotate API keys and vendor credentials post-breach (Dentsu, Oracle).

  • 🧱 Patch Apache Tomcat immediately and enforce WAF inspection.

  • 🧑‍💻 Audit developer tokens and CI/CD integrations for npm risk.

  • 💼 Review vendor risk exposure from Merkle or F5 integrations.

  • 🔎 Harden EDR behavioral analytics for “living off the land” TTPs.

  • 📉 Run reputation risk drills — customer trust can impact revenue.

  • 📱 Prepare for MFA re-enrollment and OTP delivery changes post-FCC action.

  • 🧠 Review incident response playbooks for false breach claims (HSBC).

  • 🌍 Continue patching KEV vulnerabilities before attackers do.

James Azar’s CISO’s Take

Today’s episode highlights how cybersecurity is no longer just about stopping ransomware — it’s about maintaining trust and operational continuity in a hyper-connected business ecosystem. From Dentsu’s data leak to Oracle’s supply-chain compromises, the message is clear: your third party is your threat surface. We can’t patch our partners, but we can monitor, segment, and prepare for when — not if — they get hit.

I also see a turning point in how governments are responding. From the FCC’s robocall crackdown to Myanmar’s armed raids against scam compounds, we’re witnessing policy and kinetic force converge against cybercrime. It’s messy but necessary. For practitioners, our challenge is balancing compliance with realism — patch fast, validate vendors, and always remember: security isn’t just defense, it’s resilience.

Stay sharp, stay caffeinated, and as always, stay cyber safe.
