Good Morning Security Gang!
Happy Monday! I’m finally back in the studio after a week on the road, and that means I get to enjoy my double espresso with y’all while diving into today’s loaded show.
We’ve got major breaches, ransomware fallout, crypto theft, nation-state activity, and a pile of new vulnerabilities to patch. From Salesforce-targeted blackmail campaigns and telecom outages to Parliament breaches, hotel ID leaks, and even sanctions against shady Russian crypto exchanges—this episode has it all. Let’s jump right in.
"If you can do vulnerability management and patching effectively within your organization, you reduce your risk by 90 to 95 percent. Literally."
🏢 Workday Salesforce Breach – Blackmail and Data Abuse
Workday disclosed a breach tied to the broader Salesforce campaign hitting enterprises worldwide. Attackers accessed business contact info—names, phone numbers, and emails—and used it to impersonate IT and HR staff in phishing and blackmail campaigns. The likely culprits? Scattered Spider or ShinyHunters (Shiny Spiders). This wasn’t malware-driven but credential-focused, exploiting weak MFA setups. Once in, attackers targeted administrators and directors to exfiltrate data and extort companies. Even when victims pay, the data is often resold anyway, showing the decentralized nature of today’s cybercrime ecosystem.
📡 Colt Technology Services Breach – Telecom Knocked Offline
UK-based Colt Technology Services, operating across 30 countries with nearly 900 data center links, was hit with a ransomware attack, leading to outages in hosting, porting, and voice API services. Colt initially called it a “technical issue” but later confirmed a cyberattack. The Warlock ransomware gang claimed responsibility, demanding $200,000 for over 1M stolen documents. Data samples include financial, executive, and software development info. Experts link the breach to exploitation of a Microsoft SharePoint zero-day (CVE-2025-53770).
🇨🇦 Canadian House of Commons Breach
The Canadian Parliament fell victim to the same SharePoint zero-day. Attackers accessed databases managing employee devices, exfiltrating staff names, titles, email addresses, and asset details. Staff were warned to be on alert for phishing and scams. This highlights the critical metric every CISO lives by: time to patch and time to mitigate—the faster you close the window, the lower your exposure.
"Time to patch, time to mitigate. That's your maturity. Those are the two you need to focus on. Everything else, AI, all of that – those are all complementary to the fact that initial access always either starts with a zero-day vulnerability on an unpatched server or unmanaged identities effectively."
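As an added example (not from the show or its hosts), here is a small Python script that computes those two metrics, time to mitigate and time to patch, from a set of vulnerability findings; the asset names, dates and field layout are constructed assumptions, and the clock for an unpatched host keeps running until the report date.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Finding:
    asset: str
    cve: str
    fix_available: datetime               # vendor patch/advisory published
    mitigated: Optional[datetime] = None  # compensating control in place
    patched: Optional[datetime] = None    # patch installed and verified

def _hours(start: datetime, end: datetime) -> float:
    return round((end - start).total_seconds() / 3600, 1)

def time_to_mitigate(f: Finding, as_of: datetime) -> float:
    # Clock stops at mitigation or patch, whichever came first; else it is still running.
    stops = [t for t in (f.mitigated, f.patched) if t is not None]
    return _hours(f.fix_available, min(stops) if stops else as_of)

def time_to_patch(f: Finding, as_of: datetime) -> float:
    # Only a verified patch stops this clock; mitigation alone does not.
    return _hours(f.fix_available, f.patched or as_of)

def summarize(findings, as_of: datetime) -> dict:
    ttm = [time_to_mitigate(f, as_of) for f in findings]
    ttp = [time_to_patch(f, as_of) for f in findings]
    open_findings = [f for f in findings if f.patched is None]
    return {
        "median_ttm_hours": median(ttm),
        "median_ttp_hours": median(ttp),
        "open_count": len(open_findings),
        "worst_open_hours": max((time_to_patch(f, as_of) for f in open_findings), default=0.0),
        "unmitigated_open": [f.asset for f in open_findings if f.mitigated is None],
    }

# Constructed sample: three SharePoint hosts, same advisory date (hostnames and dates are made up).
FIX = datetime(2025, 7, 20, 0, 0)
SAMPLE = [
    Finding("sp-01", "CVE-2025-53770", FIX, mitigated=datetime(2025, 7, 20, 6), patched=datetime(2025, 7, 21, 12)),
    Finding("sp-02", "CVE-2025-53770", FIX, mitigated=datetime(2025, 7, 20, 4)),  # mitigated, not yet patched
    Finding("sp-03", "CVE-2025-53770", FIX),                                      # still fully exposed
]
AS_OF = datetime(2025, 7, 23, 0, 0)

if __name__ == "__main__":
    print(summarize(SAMPLE, AS_OF))
```

The "unmitigated_open" list is the one to escalate first: those hosts have neither clock stopped.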
🇮🇹 Italian Hotel ID Leak – 90K Passports for Sale
Italy’s CERT warned that a hacker known as MyDocs is selling 90,000+ identity documents stolen from 10 hotels. High-resolution passport and ID scans are being marketed on underground forums, fueling identity theft, fake account creation, and fraud schemes. Travelers are being urged to monitor for unauthorized credit or banking activity.
💸 $49M Stolen from Turkish Crypto Exchange
Turkish exchange BtcTurk confirmed a security incident that drained $49M from hot wallets, with $38M in Ethereum and $10M in other tokens stolen. The company assured users their assets were safe due to cold wallet reserves. Still, this attack underscores why crypto remains a prime target for nation-states and cybercriminals, especially in countries with struggling economies like Turkey.
🌐 Chinese APT Targeting Taiwanese Web Hosts
Cisco Talos revealed UAT-7237, likely tied to Volt Typhoon, has been breaching Taiwanese web hosting providers since 2022. Using Cobalt Strike, web shells, and RDP access, the APT deployed SoftEther VPN for long-term persistence and surveillance. This campaign shows China’s growing focus on leveraging infrastructure providers for regional espionage.
🛠 Vulnerability Roundup – Plex & Cisco
Plex: Users running affected Plex Media Server versions (v1.41.7–1.42.0) must update to patch a newly disclosed flaw that has no CVE assigned yet.
Cisco: Released 20+ advisories. The most critical, CVE-2025-20265, affects Secure Firewall Management Center (FMC) with RADIUS enabled, enabling unauthenticated RCE.
⚖ DOJ Seizes $2.8M from Zeppelin Ransomware Operator
The DOJ indicted Ianis Aleksandrovich Antropenko for deploying Zeppelin ransomware and laundering the profits. Authorities seized $2.8M in crypto, $70K in cash, and luxury cars. Charges include conspiracy, fraud, and money laundering—showing increasing enforcement against individual operators, not just the gangs behind them.
💰 Treasury Sanctions Russian Crypto Exchange Grinex
The U.S. Treasury sanctioned Grinex, successor to the already-blacklisted Garantex, for laundering ransomware proceeds. This move, happening just before the Trump-Putin Alaska summit, could have been a bargaining chip—or simply a crackdown on Russian cyber-financing pipelines.
🧠 James Azar’s CISO Take
Today’s stories reinforce the two biggest pillars of security right now: identity management and vulnerability patching. Whether it’s Salesforce abuse, SharePoint zero-days, or crypto theft, attackers don’t need to reinvent the wheel. They exploit unpatched systems and weak MFA, then move laterally until they find something valuable. CISOs must build programs where patch cycles and identity governance aren’t afterthoughts—they are the foundation.
The second theme is geopolitical. China’s campaigns in Taiwan, sanctions against Russian laundering hubs, and Turkey’s crypto losses all show how cyber, finance, and politics are deeply intertwined. We can’t treat cyber as siloed anymore—it’s part of global strategy. For organizations, that means resilience planning must account for both direct attacks and indirect geopolitical shocks. If you’re not aligning cyber strategy with global risk, you’re already behind.
✅ Action Items
🔐 Enforce MFA across Salesforce, Workday, and all SaaS platforms.
🛡 Patch Microsoft SharePoint zero-day (CVE-2025-53770) immediately.
📉 Monitor for scams if linked to Canadian Parliament or Italian hotel data leaks.
💾 Audit crypto hot wallet security; prioritize cold storage.
🌐 Track Chinese APT activity in hosting/ISP environments.
🎬 Patch Plex media servers and Cisco FMC platforms (CVE-2025-20265).
⚖ Monitor DOJ/OFAC actions against ransomware and laundering channels for compliance exposure.
✅ Story Links:
https://www.securityweek.com/workday-data-breach-bears-signs-of-widespread-salesforce-hack/
https://therecord.media/hackers-compromise-canada-house-of-commons
https://therecord.media/italy-hotel-guests-possible-data-breach-ids
https://therecord.media/turkish-crypto-exchange-warns-cyber-incident
https://www.securityweek.com/cisco-patches-critical-vulnerability-in-firewall-management-platform/
https://www.securityweek.com/us-seizes-2-8-million-from-zeppelin-ransomware-operator/