Wednesday War Room – 11/04/2025

This Wednesday's threat landscape has been particularly spicy, featuring a massive cloud data exposure at a "Big Four" accounting firm, federal indictments of cybersecurity insiders for running ransomware attacks, and a prestigious university getting schooled in social engineering.

In partnership with

Will A Book Grow Your Business?

No one buys a beach house from selling a book. They buy the beach house from the opportunities the book gets them.

Author.Inc helps experts, executives, and entrepreneurs turn expertise into world‑class books that build revenue, reputation, and reach. 

Their team—behind projects with Tim Ferriss and Codie Sanchez—cuts through uncertainty to show whether your book can realistically hit those targets. 

Schedule a complimentary 15‑minute call with Author.Inc’s co‑founder to quantify potential ROI from your offers, speaking engagements, royalties, and more. 

This isn’t writing advice. It’s a strategic consultation to decide whether now is the right time to put pen to paper. 

If it’s a go, they’ll show you how to write and publish it at a world-class level. If it’s a wait, you just avoided wasting time and money.

Welcome to another week of cybersecurity headlines that make you question the very fabric of digital trust. It seems the only thing more certain than death and taxes is a major data breach. Let's get into it.

Ernst & Young's Massive Cloud Data Breach

Risk Level: Critical

Business Impact: Significant reputational damage, regulatory scrutiny, potential for widespread client impact

What You Need to Know: A cloud misconfiguration left roughly 4TB of Ernst & Young data publicly accessible on Microsoft Azure storage. Researchers found it during a routine internet scan: a .BAK file, a full SQL Server database backup, readable by anyone who had the URL, with no credentials required. A full backup of this kind carries whatever the application stored, so the exposed data likely includes sensitive client information, API keys, credentials, and other proprietary data, as reported by Kaseya.

Why This Matters:

  • This is a textbook example of how a simple cloud misconfiguration can lead to a catastrophic data breach, even at a major, security-conscious organization.

  • The incident underscores the critical importance of robust cloud security posture management (CSPM) and continuous monitoring.

  • The potential for this data to be used in follow-on attacks against EY's clients is extremely high.

Executive Actions:

🔍 Immediately review your organization's cloud security posture, with a focus on storage account public-access settings, container and bucket permissions, and where database backups are written.

🛡️ Implement a robust CSPM solution to continuously monitor for and remediate misconfigurations.

📜 Review and update your third-party risk management program to include specific requirements for cloud security.

🤝 Engage with your cloud service providers to understand and leverage their native security capabilities.
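An exposure like the one described above is mechanically simple to find once you ask the right four questions of each storage account: is it reachable from the internet at all, does it allow anonymous blob access, which containers actually grant that access, and what is sitting in them. The script below is an added example written for this newsletter, not code from the incident or from any researcher's report. It runs over constructed JSON records shaped like the output of `az storage account list`, `az storage container list` and `az storage blob list`; the field names `allowBlobPublicAccess`, `publicNetworkAccess`, `networkRuleSet.defaultAction`, `properties.publicAccess` and `properties.contentLength` are assumptions based on the Azure CLI, so confirm them against your own output before relying on it.

```python
"""Find Azure storage paths that an unauthenticated internet client could read.

Added example for this newsletter, not code from the incident or any research team.
Input records are constructed samples shaped like Azure CLI JSON output; the field
names are assumptions to verify against `az storage account list -o json` etc.
"""
import json

# Extensions that usually mean "database or filesystem backup" (assumption; extend to taste).
BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".dump", ".sqlite", ".tar.gz", ".zip")

# Constructed sample: three storage accounts, as `az storage account list -o json` might show them.
ACCOUNTS = json.loads("""[
  {"name": "corpbackups01", "allowBlobPublicAccess": true,
   "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "hrdata02", "allowBlobPublicAccess": false,
   "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "lockeddown03", "allowBlobPublicAccess": true,
   "publicNetworkAccess": "Enabled", "networkRuleSet": {"defaultAction": "Deny"}}
]""")

# Constructed sample: `az storage container list --account-name <name> -o json`, keyed by account.
CONTAINERS = json.loads("""{
  "corpbackups01": [
    {"name": "sqlbackups", "properties": {"publicAccess": "blob"}},
    {"name": "landing",    "properties": {"publicAccess": "container"}},
    {"name": "private",    "properties": {"publicAccess": null}}
  ],
  "hrdata02":     [{"name": "exports", "properties": {"publicAccess": "container"}}],
  "lockeddown03": [{"name": "dumps",   "properties": {"publicAccess": "blob"}}]
}""")

# Constructed sample: `az storage blob list --account-name <name> -c <container> -o json`,
# keyed by "account/container". 4398046511104 bytes is 4 TiB.
BLOBS = json.loads("""{
  "corpbackups01/sqlbackups": [
    {"name": "prod-2025-10-31.bak", "properties": {"contentLength": 4398046511104}},
    {"name": "readme.txt",          "properties": {"contentLength": 120}}],
  "corpbackups01/landing": [{"name": "logo.png", "properties": {"contentLength": 2048}}],
  "corpbackups01/private": [{"name": "prod-2025-10-30.bak", "properties": {"contentLength": 4398046511104}}],
  "hrdata02/exports":      [{"name": "hr.bacpac", "properties": {"contentLength": 1048576}}],
  "lockeddown03/dumps":    [{"name": "db.dump",   "properties": {"contentLength": 1048576}}]
}""")


def anonymously_reachable(account):
    """Can an unauthenticated client on the internet reach the blob endpoint at all?"""
    if account.get("publicNetworkAccess", "Enabled") == "Disabled":
        return False
    rules = account.get("networkRuleSet") or {}
    return rules.get("defaultAction", "Allow") == "Allow"


def assess(accounts, containers, blobs):
    """Return findings for every container and blob readable without credentials."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if not anonymously_reachable(acct):
            continue                       # network rules keep anonymous clients out
        if not acct.get("allowBlobPublicAccess", True):
            continue                       # account-level switch overrides every container setting
        for cont in containers.get(name, []):
            level = (cont.get("properties") or {}).get("publicAccess")
            if level not in ("blob", "container"):
                continue
            base = f"https://{name}.blob.core.windows.net/{cont['name']}"
            findings.append({
                "severity": "high" if level == "container" else "medium",
                "url": base,
                "why": f"container public access level is '{level}'"
                       + (" (anonymous listing enabled)" if level == "container" else ""),
            })
            for blob in blobs.get(f"{name}/{cont['name']}", []):
                if blob["name"].lower().endswith(BACKUP_SUFFIXES):
                    gib = blob["properties"]["contentLength"] / 2**30
                    findings.append({
                        "severity": "critical",
                        "url": f"{base}/{blob['name']}",
                        "why": f"backup-like object of {gib:,.0f} GiB downloadable without credentials",
                    })
    return findings


if __name__ == "__main__":
    for f in sorted(assess(ACCOUNTS, CONTAINERS, BLOBS), key=lambda f: f["severity"]):
        print(f"[{f['severity']:>8}] {f['url']}  {f['why']}")
```

Two details matter when reading the output. A container can look public and still be safe: the account-level allowBlobPublicAccess switch overrides every container setting, and a network rule set that denies by default keeps anonymous clients out regardless. The reverse is the trap: a container at the "blob" access level never lists its contents, but it serves any object whose name can be guessed, which is exactly how routine scanners stumble on files like prod-2025-10-31.bak. Only the "container" level adds anonymous listing, so treat "blob" as exposed, not as obscured.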

The Foxes Guarding the Henhouse: Cybersec Insiders Indicted for BlackCat

Risk Level: Critical

Business Impact: Erosion of trust in the cybersecurity industry, increased insider threat risk, significant legal and financial repercussions

What You Need to Know: In a stunning turn of events, U.S. federal prosecutors have indicted three cybersecurity professionals for their alleged involvement in the BlackCat/ALPHV ransomware operation. The individuals, who worked as an incident response manager and as ransomware negotiators, are accused of using their insider knowledge of how victims respond to extortion to attack and extort at least five U.S. companies, demanding ransoms as high as $10 million.

Why This Matters: 

  • This case represents the ultimate insider threat scenario, where the very people hired to defend against attacks become the attackers.

  • It highlights the critical need for robust background checks, access controls, and activity monitoring for privileged users, especially in the cybersecurity industry.

  • The incident could have a chilling effect on the trust between organizations and their third-party security providers.

Executive Actions: 

🕵️ Review and enhance your organization's insider threat program, with a focus on privileged user monitoring.

🔒 Implement the principle of least privilege to ensure that employees only have access to the data and systems they need to do their jobs.

📜 Conduct thorough background checks on all employees and contractors with access to sensitive systems and data.

🤝 Strengthen your third-party risk management program to include specific requirements for insider threat prevention.

Penn Schooled in Social Engineering

Risk Level: High

Business Impact: Reputational damage, loss of donor and student trust, regulatory scrutiny

What You Need to Know: The University of Pennsylvania is grappling with a significant data breach resulting from a sophisticated social engineering attack. The attackers gained access to multiple systems, including Salesforce and SharePoint, and exfiltrated sensitive data, including internal memos, donor information, and PII. The university has stated the breach is "contained," but the full extent of the damage is still unclear.

Why This Matters: 

  • This incident is a powerful reminder that the human element is often the weakest link in the security chain.

  • Even organizations with robust technical defenses can be compromised by a well-crafted social engineering attack.

  • The breach highlights the importance of comprehensive security awareness training and a culture of security that extends to all levels of the organization.

Executive Actions: 

📚 Review and enhance your organization's security awareness training program, with a focus on social engineering and phishing.

🔐 Implement multi-factor authentication (MFA) across all critical systems to mitigate the impact of credential compromise.

📢 Develop a clear and consistent process for reporting and responding to suspected social engineering attacks.

🤝 Conduct regular phishing simulations to test your employees' awareness and your organization's response capabilities.

Leadership Insight:

This week’s events underscore a fundamental truth of cybersecurity: trust is a vulnerability. 

We can no longer afford to blindly trust our employees, our vendors, or even our own security tools.

A healthy dose of skepticism, combined with a relentless focus on the fundamentals of security, is our best defense against the ever-evolving threat landscape. Stay vigilant, and don't be afraid to question everything.

Free, private email that puts your privacy first

Proton Mail’s free plan keeps your inbox private and secure—no ads, no data mining. Built by privacy experts, it gives you real protection with no strings attached.

CISA's Urgent Warning on Actively Exploited Linux Flaw

Risk Level: Critical

Business Impact: High risk of ransomware infection, potential for widespread system compromise, urgent patching requirements for federal agencies

What You Need to Know: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that CVE-2024-1086, a critical use-after-free vulnerability in the Linux kernel's netfilter nf_tables subsystem, is being actively exploited in ransomware attacks. The flaw lets a local, unprivileged user escalate to root, and public proof-of-concept exploit code has been available since early 2024. Under Binding Operational Directive 22-01, which governs CISA's Known Exploited Vulnerabilities catalog, federal agencies must patch it by November 20.

Why This Matters:

  • This is a clear and present danger to any organization running unpatched Linux systems.

  • The fact that CISA has issued a binding operational directive underscores the severity of the threat.

  • The vulnerability was fixed upstream in January 2024 and backported to the stable kernel branches soon after, so nearly two years of patch lag separate the fix from today's exploitation. Distributions backport the fix into their own package versions, so check the vendor's fixed package version rather than trusting the upstream version string alone.

Executive Actions: 

🩹 Immediately patch all vulnerable Linux systems in your environment. Where a reboot must wait, apply a compensating control: prevent the nf_tables module from loading (if you do not use nftables for your firewall) or restrict unprivileged user namespaces, since the public exploit depends on both to build the malicious ruleset.

🔍 Conduct a thorough vulnerability scan to identify any unpatched systems you may have missed.

🛡️ Implement enhanced monitoring and security controls around your Linux environment.

📜 Review and update your patch management policy to ensure that critical vulnerabilities are addressed in a timely manner.
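The patch-management point above has a practical wrinkle: a fleet scan that keys only on `uname -r` will misclassify hosts in both directions, because distributions backport the fix while leaving the upstream version string low. The script below is an added example for this newsletter, not CISA's or any vendor's tooling. It triages a host on three inputs (kernel release string, loaded modules, and the two compensating controls) and reports a verdict. The version numbers it uses for the public exploit's target range (5.14 through 6.6) and the first fixed patch levels on the 5.15, 6.1 and 6.6 stable branches are assumptions taken from the public proof-of-concept's stated scope and the upstream fix; treat your distribution's advisory as authoritative.

```python
"""Triage a Linux host for CVE-2024-1086 exposure and the two common compensating controls.

Added example for this newsletter, not CISA's or any vendor's tooling. Version
numbers below are assumptions drawn from the public exploit's stated target range
and the upstream fix (commit f342de4e); a distribution's fixed package version is
the authoritative answer, since backports keep the upstream version string low.
"""
import re
from pathlib import Path

POC_RANGE = ((5, 14), (6, 6))                          # kernels the public PoC targets (assumption)
STABLE_FIXED = {(5, 15): 149, (6, 1): 76, (6, 6): 15}  # first fixed patch level per LTS branch (assumption)


def parse_release(release):
    """'6.1.0-18-amd64' -> (6, 1, 0); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_in_poc_range(release):
    """True if the upstream version string alone would make this host a PoC target."""
    major, minor, patch = parse_release(release)
    if not POC_RANGE[0] <= (major, minor) <= POC_RANGE[1]:
        return False
    fixed_patch = STABLE_FIXED.get((major, minor))
    return fixed_patch is None or patch < fixed_patch


def parse_proc_modules(text):
    """Module names from /proc/modules (first whitespace-separated field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def nf_tables_blocked(modprobe_conf):
    """True if an `install nf_tables /bin/false` (or /bin/true) line exists.

    A bare `blacklist nf_tables` only stops alias-based autoloading; an explicit
    load request still succeeds, so it is deliberately not counted here.
    """
    for raw in modprobe_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] == "install" and fields[1] == "nf_tables"
                and fields[2] in ("/bin/false", "/bin/true")):
            return True
    return False


def unpriv_userns_blocked(sysctls):
    """The public exploit needs CAP_NET_ADMIN inside a user namespace to build its nft ruleset."""
    return (sysctls.get("user.max_user_namespaces") == "0"
            or sysctls.get("kernel.unprivileged_userns_clone") == "0")  # Debian/Arch-specific knob


def triage(release, loaded_modules, sysctls, modprobe_conf):
    """Combine the three checks into one verdict; an already-loaded nf_tables defeats the modprobe block."""
    in_range = kernel_in_poc_range(release)
    blocked = nf_tables_blocked(modprobe_conf) and "nf_tables" not in loaded_modules
    userns = unpriv_userns_blocked(sysctls)
    if not in_range:
        verdict = "outside PoC range: still confirm the vendor package level"
    elif blocked or userns:
        verdict = "in range but mitigated: schedule the patch anyway"
    else:
        verdict = "EXPOSED: patch now or apply a compensating control"
    return {"release": release, "kernel_in_poc_range": in_range,
            "nf_tables_blocked": blocked, "unpriv_userns_blocked": userns, "verdict": verdict}


def collect_live():
    """Read the same inputs from the running host (Linux only)."""
    release = Path("/proc/sys/kernel/osrelease").read_text().strip()
    modules = parse_proc_modules(Path("/proc/modules").read_text()) if Path("/proc/modules").exists() else set()
    sysctls = {}
    for key, path in (("user.max_user_namespaces", "/proc/sys/user/max_user_namespaces"),
                      ("kernel.unprivileged_userns_clone", "/proc/sys/kernel/unprivileged_userns_clone")):
        if Path(path).exists():
            sysctls[key] = Path(path).read_text().strip()
    conf_dir = Path("/etc/modprobe.d")
    conf = "\n".join(p.read_text() for p in conf_dir.glob("*.conf")) if conf_dir.is_dir() else ""
    return triage(release, modules, sysctls, conf)


if __name__ == "__main__":
    # Constructed sample: a Debian 12 kernel whose version string says 6.1.0 even when
    # the package is patched, with unprivileged user namespaces switched off.
    print(triage("6.1.0-18-amd64", {"ext4", "nf_tables"}, {"user.max_user_namespaces": "0"}, ""))
    if Path("/proc/modules").exists():
        print(collect_live())
```

Read the verdicts as a prioritisation aid, not as proof: a RHEL 9 host reports 5.14.0 forever and will always land "in range" here even when its kernel package carries the fix, which is why every branch of the verdict still points back to the vendor package level. The modprobe check is also intentionally strict. Only an `install nf_tables /bin/false` line stops the module from being loaded on demand, and even that does nothing if nf_tables is already resident, so the script discounts it whenever the module appears in the loaded set.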

Gone Phishin': LinkedIn Executive Board Phishing Campaign

Risk Level: High 

Business Impact: High risk of executive credential compromise, potential for follow-on attacks, reputational damage

What You Need to Know: A sophisticated phishing campaign is targeting finance executives on LinkedIn with fake invitations to join the executive board of a non-existent investment fund. The campaign uses convincing social engineering tactics and malicious links to harvest Microsoft account credentials.

Why This Matters: 

  • This campaign highlights the increasing sophistication of phishing attacks, which are now targeting high-value individuals on professional networking platforms.

  • The use of a professional networking platform like LinkedIn adds a layer of legitimacy to the attacks, making them more difficult to detect.

  • The campaign underscores the importance of a multi-layered security approach that includes technical controls, security awareness training, and a healthy dose of skepticism.

Executive Actions:

🎣 Review and enhance your organization's phishing awareness training, with a focus on targeted attacks against executives.

⚙️ Implement advanced email filtering and security controls to block malicious links and attachments.

✈️ Encourage your executives to be cautious of unsolicited offers and to verify the legitimacy of any requests for sensitive information.

🕵️ Monitor for and respond to any suspicious activity on your executives' accounts.

The Rise of the Machines: AI-Enhanced Social Engineering Attacks

Risk Level: High 

Business Impact: Increased risk of successful social engineering attacks, potential for significant financial and data loss, erosion of trust in digital communications

What You Need to Know: Cybercriminals are increasingly using artificial intelligence to create and scale sophisticated social engineering attacks. Two campaigns, dubbed GhostCall and GhostHire by the researchers who tracked them, use AI to generate convincing fake investor pitches and job offers, complete with stolen video clips and legitimate-looking websites.

Why This Matters: 

  • AI is making social engineering attacks more convincing and harder to detect than ever before.

  • The use of AI allows attackers to scale their operations and target a larger number of victims with personalized attacks.

  • This trend represents a significant evolution in the threat landscape and requires a corresponding evolution in our defenses.

Executive Actions:

🔬 Invest in AI-powered security solutions that can detect and block sophisticated social engineering attacks.

🧠 Educate your employees about the threat of AI-enhanced social engineering and how to spot the signs of a fake communication.

🧪 Conduct regular security awareness training and phishing simulations to keep your employees on their toes.

🤖 Embrace a zero-trust security model that treats every unsolicited communication as unverified until its sender and request are confirmed through a separate, known-good channel.

⚙️ Immediate Leadership Checklist ⚙️

🔄 Ensure that all critical systems are patched and up-to-date, especially those running Linux.

📦 Review and strengthen security configurations and administrative access controls.

🧠 Review and enhance your security awareness training program, with a focus on social engineering and phishing.

📊 Review and enhance your insider threat program, with a focus on privileged user monitoring.

📜 Review your cloud security posture and ensure that all storage buckets and databases are properly configured.

💡 Stay vigilant, patch promptly, and remember that in cybersecurity, paranoia isn't a disorder… It's a job requirement. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Will A Book Grow Your Business?

No one buys a beach house from book sales—they buy it from what the book makes possible.

Author.Inc helps founders turn ideas into world-class books that build revenue, reputation, and reach.

Book a free 15-minute ROI call to see if your book is a go—or a smart wait.