Wednesday, May 21, 2025 // (IG): BB // GITHUB // SN R&D
Vladimir Putin’s manipulation of Donald Trump
Bottom Line Up Front (BLUF): President Donald Trump’s ambivalence on U.S. support for Ukraine emboldens Russia and unsettles Western allies. With military aid hanging in the balance, there are growing calls for Europe to take the lead in economic sanctions and cybersecurity resilience against Russia.
Analyst Comments: Trump's wavering stance signaled a geopolitical shift that could spark a strategic recalibration among NATO allies. This presents heightened risk for cybersecurity professionals as Russia may intensify hybrid warfare tactics, including cyberattacks, disinformation, and infrastructure targeting. Europe’s need to fill the vacuum may accelerate investments in cyber defense and coordination frameworks. The broader implication is a potential weakening of transatlantic unity that adversaries could exploit digitally and militarily.
FROM THE MEDIA: Despite repeated threats to get tough on Moscow, Trump has consistently refrained from pressuring the Kremlin, undermining peace talks, and leaving Ukraine vulnerable. European officials are now preparing contingency plans, including purchasing American arms and increasing sanctions, to support Kyiv in the event of a U.S. pullback. The EU's recent sanctions targeted 200 shadow tankers used to bypass oil price caps, and a G7 proposal aims to tighten financial pressure further. Meanwhile, a U.S. Senate bill, reportedly with veto-proof support, seeks to impose 500% tariffs on countries buying Russian energy, offering Congress a path to act independently if Trump does not.
READ THE STORY: FT
Russia’s Cyber Ecosystem Defies Expectations but Remains a Persistent Threat
Bottom Line Up Front (BLUF): Russia's full-scale invasion of Ukraine in 2022 did not result in the devastating cyber onslaught many Western experts anticipated. However, Russia’s cyber threat remains potent and deeply complex, involving a blend of state agencies, cybercriminal groups, patriotic hackers, and private military actors. This ecosystem's murky and decentralized nature demands a strategic reassessment by U.S. and allied cybersecurity policymakers.
Analyst Comments: While expectations of synchronized cyber-kinetic strikes were largely unmet, Russia’s multifaceted cyber apparatus makes it both unpredictable and dangerous. The lack of a unified command structure, rampant corruption, and ad hoc alliances create a chaotic but persistent threat landscape. Cyber defense efforts must account for Russia’s dynamic mix of state and non-state actors and adapt by emphasizing resilience, intelligence sharing, and offensive readiness.
FROM THE MEDIA: Rather than large-scale destructive attacks, Russia deployed wiper malware, conducted espionage, and relied on disorganized efforts by the FSB, GRU, and SVR. These were compounded by interagency rivalry and misaligned objectives. Russia’s cyber operations remain an ongoing threat, with ransomware gangs, state-coerced hackers, and private military contractors continuing to target Western infrastructure. Analysts stress the importance of distinguishing between Russia’s cyber capabilities and its wartime execution. The report recommends five key actions for Western policymakers, including broadening threat analysis, enhancing information sharing, and investing in cyber defense and offense.
READ THE STORY: Atlantic Council
Horabot Malware Delivered via Weaponized HTML Targets Latin American Users in Sophisticated Phishing Campaign
Bottom Line Up Front (BLUF): A new phishing campaign uncovered by FortiGuard Labs is using weaponized HTML files to deliver the Horabot malware, targeting Spanish-speaking users across Latin America. The malware steals email credentials, banking information, and propagates laterally through corporate and personal networks using advanced obfuscation and scripting techniques.
Analyst Comments: The use of culturally specific phishing lures, multi-stage payload delivery, and fileless execution tactics showcases an evolution in social engineering and technical sophistication among cybercriminals. Horabot’s use of PowerShell, AutoIt, and Outlook automation for lateral movement makes it particularly dangerous for enterprises. The combination of browser credential theft and network propagation indicates a dual-threat model—monetary gain through fraud and long-term espionage potential. Organizations in the region should prioritize defense-in-depth strategies and reinforce employee phishing awareness.
FROM THE MEDIA: Victims receive Spanish-language phishing emails claiming to contain invoices. Attached ZIP files hold malicious HTML documents that execute obfuscated scripts when opened, initiating a multi-stage infection chain. The campaign deploys VBScript and AutoIt scripts, along with PowerShell commands to harvest credentials, steal browser data, and extract Outlook contact lists to propagate malware further. Horabot then uses fake login windows and persistent shortcuts to maintain covert access. Fortinet has flagged domains and IPs associated with the threat and issued IOCs for defensive measures.
READ THE STORY: GBhackers
Water Sector Cybersecurity Threats Mount as Experts Push for Regional Defense Model
Bottom Line Up Front (BLUF): The U.S. water sector is increasingly vulnerable to cyber threats, especially in systems controlling physical infrastructure. A recent report recommends a regional cybersecurity approach to help utilities overcome staffing shortages, limited budgets, and outdated technology by pooling resources and coordinating defenses.
Analyst Comments: A regional strategy could be a pragmatic solution, helping smaller utilities access specialized talent and technology they couldn’t afford independently. But achieving this shift will require cultural change and sustained investment, particularly as federal grant funding begins to dry up.
FROM THE MEDIA: A new industry report finds that while water utility leaders recognize the risks, many remain under-resourced and early in their cybersecurity maturity. The report notes that cybersecurity must now be treated as a public safety investment, not just an IT issue. Black & Veatch’s Ian Bramson argues for a “consequence-driven” model, stressing that an IT breach could easily trigger OT disruptions. He advocates for regional cooperation, enabling utilities to collectively procure services, share cyber intelligence, and attract skilled staff. However, most utilities operate in isolation and struggle to hire or train dedicated cybersecurity professionals.
READ THE STORY: Route Fifty
Senators Press DHS Secretary Noem on $491M CISA Budget Cut Amid National Cyber Threats
Bottom Line Up Front (BLUF): Homeland Security Secretary Kristi Noem faced bipartisan scrutiny during a Senate hearing over the Trump administration’s proposed $491 million budget cut to the Cybersecurity and Infrastructure Security Agency (CISA). Noem provided few specifics, reiterating that the cuts would focus on dismantling CISA’s disinformation-monitoring functions, which the administration claims infringe on free speech.
Analyst Comments: As ransomware, espionage, and critical infrastructure threats continue to rise, stripping CISA of personnel and programs, especially without transparent justification, could hinder national cyber resilience. The framing of disinformation monitoring as "censorship" may reflect a broader ideological shift that deprioritizes non-technical cyber threats, despite their strategic implications. Allies, industries, and state governments may have to shoulder more responsibility as federal cyber support potentially diminishes.
FROM THE MEDIA: During a Homeland Security and Governmental Affairs Committee hearing on May 20, 2025, Secretary Noem repeatedly avoided providing detailed explanations of how the nearly half-billion-dollar cut to CISA would be implemented. She reiterated that the administration's priority is to eliminate what it views as duplicative and politically motivated disinformation tracking offices. Noem claimed the cuts will restore CISA to its “core cybersecurity mission.” Senate Democrats, including Gary Peters and Elissa Slotkin, expressed concern about the national security impact of removing functions that help defend against foreign influence operations. The White House's fiscal 2026 budget suggests that CISA’s previous focus on foreign interference risked First Amendment violations—an argument most in the cybersecurity community did not support. A DHS spokesperson later clarified that the agency would continue to support state and local cybersecurity needs, though specifics remain scarce.
READ THE STORY: The Record
Ivanti Zero-Days Under Active Exploitation: Cloud Instances Compromised via Spring and JEL Flaws
Bottom Line Up Front (BLUF): Two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2025-4427 and CVE-2025-4428, are being actively exploited in the wild, impacting both on-prem and cloud-based environments. Originally downplayed as affecting only on-premises deployments, the flaws are now being used to hijack cloud assets and deploy persistent malware like Sliver, prompting urgent patching and investigation.
Analyst Comments: The flaws' roots in popular open-source components like Spring and Java Expression Language highlight the growing attack surface introduced by third-party components. Evidence points to a previously known malicious IP reused from Palo Alto appliance attacks, making the campaign appear coordinated and opportunistic. Expect broader targeting of enterprise assets via these bugs, particularly among unpatched or misconfigured systems.
FROM THE MEDIA: Security researchers from Wiz confirmed that exploitation of CVE-2025-4427 and CVE-2025-4428—affecting Ivanti’s EPMM software—has expanded into cloud environments, contradicting Ivanti’s earlier claims of limited on-premise impact. These flaws, which involve improper Spring route configurations and insecure Java Expression Language (JEL) injection, allow pre-authentication access and remote code execution when chained. The researchers observed attackers deploying Sliver, a post-exploitation toolkit commonly used by nation-state actors and ransomware groups. A command-and-control (C2) server linked to prior attacks on Palo Alto Networks appliances is again active, suggesting repeated infrastructure use. CISA has added both CVEs to its Known Exploited Vulnerabilities Catalog, underscoring the severity of the threat.
READ THE STORY: The Register
New HTTPBot Botnet Targets Windows with Precision DDoS Attacks and Stealth Techniques
Bottom Line Up Front (BLUF): The HTTPBot botnet, a sophisticated malware strain written in Go, has rapidly expanded its reach since its discovery in August 2024, increasingly targeting Windows-based systems. Unlike typical botnets that flood networks with brute-force traffic, HTTPBot focuses on high-precision HTTP-based Distributed Denial-of-Service (DDoS) attacks, mimicking real user behavior to evade detection.
Analyst Comments: Its use of advanced evasion techniques, like dynamic URL manipulation and real browser emulation, challenges traditional anti-DDoS defenses. Targeting Windows systems—especially within the gaming, tech, and education sectors—represents a notable shift in adversary focus. Organizations relying on real-time digital services should urgently adopt behavior-based defenses and real-time traffic analysis to counter this new breed of botnet threats.
FROM THE MEDIA: Notably deviating from the norm of Linux or IoT-focused botnets, HTTPBot targets Windows systems using stealthy HTTP-layer DDoS techniques. These include seven HTTP attack methods—among them HTTP_FP, PostAttack, and HttpFpDlAttack—designed to overload specific business functions like game logins and payment portals. It bypasses rule-based security tools by disguising traffic through randomized User-Agent headers, cookie spoofing, and HTTP/2 multiplexing. The malware persistently installs through Windows registry changes, hides GUIs, and disables event logging to remain undetected. NSFOCUS Fuying Lab recommends adaptive, behavior-based mitigation strategies over static defenses, highlighting HTTPBot as a systemic risk to organizations dependent on continuous online services.
READ THE STORY: GBhackers
UK Ministry of Justice Confirms Major Data Breach Impacting Legal Aid Applicants
Bottom Line Up Front (BLUF): The UK Ministry of Justice (MoJ) confirmed a significant data breach involving the Legal Aid Agency, potentially affecting every legal aid applicant in England and Wales since 2010. The breach, which was more extensive than initially believed, may include sensitive personal data, including criminal histories, addresses, financial records, and national ID numbers.
Analyst Comments: The exposure of information tied to legal aid applicants could have grave consequences, including the risk of retribution in domestic violence cases and long-term identity theft. It raises questions about the cybersecurity maturity of public service platforms that handle personal data at scale. With over 2 million individuals reportedly affected, this incident may demand reevaluation of government cybersecurity oversight, particularly for services that directly impact public safety and justice.
FROM THE MEDIA: The attack, first discovered on April 23, was later found to be more severe, with unauthorized access to records dating back to 2010. The affected data potentially includes names, addresses, dates of birth, criminal records, employment details, and financial information. The threat actors claim to possess information on over 2 million people and have threatened to publish it unless a ransom is paid. The MoJ has since taken the legal aid platform offline and secured a court injunction against the publication or distribution of the stolen data, though experts note this is unlikely to deter threat actors operating from outside the UK jurisdiction. The UK’s National Crime Agency and National Cyber Security Centre are investigating the incident.
READ THE STORY: The Record
Kuva Space Expands Hyperspectral Constellation for Maritime and Environmental Intelligence
Bottom Line Up Front (BLUF): Finland-based Kuva Space is accelerating deployment of its hyperspectral satellite constellation with the upcoming launch of Hyperfield-1B in June 2025. The company aims to provide near-real-time maritime-domain insights and environmental monitoring through a 100-satellite network by the decade’s end. Key capabilities include detecting dark vessels and supporting agriculture, aquaculture, and crop-yield forecasting.
Analyst Comments: Kuva’s focus on hyperspectral imagery addresses a critical gap in maritime-domain awareness, especially in regions where vessel tracking via AIS is deliberately disabled. Its ability to process and analyze data onboard, enhanced by AI and Nvidia-powered payloads, positions Kuva as a major player in next-gen Earth observation. The company’s pivot toward offering insight-as-a-service, rather than raw imagery, reflects a broader industry trend prioritizing actionable intelligence. With defense, agriculture, and environmental sectors as potential beneficiaries, Kuva’s constellation could play a pivotal role in global situational awareness.
FROM THE MEDIA: Kuva Space is set to launch Hyperfield-1B, a 6U cubesat, on a SpaceX Falcon 9 rideshare mission from Vandenberg Space Force Base in June 2025. This marks the next step toward Kuva’s planned 100-satellite hyperspectral constellation. CEO Jarkko Antila highlighted the constellation’s ability to monitor sites, such as those in the Arctic, multiple times daily, with primary use cases in dark vessel detection and maritime security. Beginning in 2026, future satellites will be significantly larger (60 kg) and equipped with propulsion, onboard processing via Nvidia chips, and AI-powered analytics. The European Space Agency is backing Hyperfield-1B through its InCubed program. Kuva is also expanding its U.S. presence via a new office in Fairfax, Virginia.
READ THE STORY: SN
Hazy Hawk Hijacks CDC and Corporate Cloud Domains via DNS Misconfigurations for Malware Campaigns
Bottom Line Up Front (BLUF): A threat actor, Hazy Hawk, has been exploiting abandoned DNS CNAME records to hijack cloud-based resources from high-profile entities, including the U.S. CDC and multinational firms like Deloitte and EY. These compromised domains deliver scams and malware through traffic distribution systems, highlighting serious DNS hygiene lapses across government and enterprise networks.
Analyst Comments: Using abandoned CNAME records lowers the barrier to domain hijacking, allowing attackers to inherit reputable domains' trust and search engine rankings. This campaign underscores the need for continuous domain monitoring and decommissioning protocols, especially for organizations with sprawling cloud footprints. Expect broader abuse as affiliate ad fraud ecosystems continue to provide financial incentives for such operations.
FROM THE MEDIA: The group was discovered in early 2025 after hijacking subdomains tied to the U.S. CDC. Since then, it has compromised domains belonging to global corporations and academic institutions. Once hijacked, these domains are entry points to browser-based scams, push notification spam, and malware delivery chains via Traffic Distribution Systems (TDS). Infoblox suspects the domain hijacking capability may be part of a broader service model used by multiple actors. Organizations are advised to immediately remove unused DNS records and monitor subdomain activity to prevent such takeovers.
READ THE STORY: THN
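The hygiene check the Hazy Hawk story calls for, as an added example (not Infoblox's or THN's code): walk every CNAME an organization publishes and flag chains that end at a name that no longer exists. The record set, the provider names and the "live DNS" snapshot are all constructed so the audit runs offline; the resolver is injected so a real one (for example dnspython) can be swapped in.

```python
"""Audit an exported DNS record set for dangling CNAMEs.

Added example for the Hazy Hawk summary; not Infoblox's or THN's code. A
CNAME whose target no longer exists (NXDOMAIN) can be re-registered at the
provider by whoever gets there first, who then inherits the source hostname's
trust. Resolution is injected so the demo runs offline over a constructed
record set; in production, pass a function backed by a real resolver.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# resolve(name) -> None models NXDOMAIN; otherwise a map of rtype -> rdata list
# (an empty map means the name exists but carries no records of interest).
Resolver = Callable[[str], Optional[Dict[str, List[str]]]]
Record = Tuple[str, str, str]  # (owner, rtype, rdata), names fully qualified

NXDOMAIN = "target NXDOMAIN (takeover candidate)"
NO_ADDRESS = "target exists but has no address records"
LOOP = "CNAME loop"
TOO_DEEP = "CNAME chain exceeds max depth"


@dataclass(frozen=True)
class Finding:
    owner: str    # the hostname we publish
    target: str   # the name at which the chain broke
    reason: str


def make_resolver(live: Dict[str, Dict[str, List[str]]]) -> Resolver:
    """Offline resolver over a constructed table of what DNS currently answers."""
    return lambda name: live.get(name.lower())


def find_dangling(records: Sequence[Record], resolve: Resolver,
                  max_depth: int = 8) -> List[Finding]:
    """Follow every CNAME we publish and report chains that end nowhere."""
    findings: List[Finding] = []
    for owner, rtype, rdata in records:
        if rtype.upper() != "CNAME":
            continue
        seen = {owner.lower()}
        target = rdata
        for _ in range(max_depth):
            if target.lower() in seen:
                findings.append(Finding(owner, target, LOOP))
                break
            seen.add(target.lower())
            answer = resolve(target)
            if answer is None:
                findings.append(Finding(owner, target, NXDOMAIN))
                break
            if answer.get("CNAME"):
                target = answer["CNAME"][0]  # keep walking the alias chain
                continue
            if not (answer.get("A") or answer.get("AAAA")):
                findings.append(Finding(owner, target, NO_ADDRESS))
            break  # terminal name reached: either healthy or already reported
        else:
            findings.append(Finding(owner, target, TOO_DEEP))
    return findings


def summarize(findings: Sequence[Finding]) -> Dict[str, str]:
    """owner -> reason, convenient for tests and ticketing."""
    return {f.owner: f.reason for f in findings}


# Constructed zone export for example.org (names and providers are made up).
SAMPLE_RECORDS: List[Record] = [
    ("www.example.org.", "CNAME", "prod-app.example-cloud.net."),
    ("old-portal.example.org.", "CNAME", "retired-app.example-cloud.net."),
    ("docs.example.org.", "CNAME", "alias.example.org."),
    ("alias.example.org.", "CNAME", "gone.example-cloud.net."),
    ("status.example.org.", "CNAME", "parked.example-cloud.net."),
    ("loop-a.example.org.", "CNAME", "loop-b.example.org."),
    ("loop-b.example.org.", "CNAME", "loop-a.example.org."),
    ("mail.example.org.", "A", "192.0.2.10"),
]

# Constructed snapshot of what the global DNS answers today. Names absent
# from this table are NXDOMAIN, i.e. the cloud resource has been torn down.
LIVE_DNS: Dict[str, Dict[str, List[str]]] = {
    "prod-app.example-cloud.net.": {"A": ["192.0.2.20"]},
    "alias.example.org.": {"CNAME": ["gone.example-cloud.net."]},
    "parked.example-cloud.net.": {},
    "loop-a.example.org.": {"CNAME": ["loop-b.example.org."]},
    "loop-b.example.org.": {"CNAME": ["loop-a.example.org."]},
    "mail.example.org.": {"A": ["192.0.2.10"]},
}


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_RECORDS, make_resolver(LIVE_DNS)):
        print(f"{f.owner:<26} -> {f.target:<32} {f.reason}")
```

Against the constructed data the audit reports old-portal, docs and alias as NXDOMAIN takeover candidates, status as a target with no address records, and the two loop names, while www and mail pass.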
Chinese APT Group Linked to BPFDoor Malware Attacks on South Korean Telecoms in 2024
Bottom Line Up Front (BLUF): Trend Micro has confirmed two significant cyber intrusions in 2024 targeting a primary South Korean telecom provider using BPFDoor malware, attributed to the Chinese state-linked group Red Menshen. The attacks raise alarms about national infrastructure security and point to long-term cyber espionage operations likely sponsored by a foreign state.
Analyst Comments: The overlap with Chinese APT group behavior, such as Salt Typhoon’s, and the coordinated nature of weekday-only activity patterns indicate a structured, likely state-sponsored campaign. The attack’s similarity to past incidents, including the theft of 3TB of Korean telecom data by Chinese hackers, signals that telecom infrastructure remains a high-priority intelligence target for China. Broader cooperation between international telecom operators and governments is needed to respond effectively.
FROM THE MEDIA: According to Trend Micro, a South Korean telecom company was attacked twice in 2024—once in July and again in December—using BPFDoor malware, a tool associated with espionage-focused attacks. The malware enables lateral movement within networks and evades detection, posing a serious threat to national security. The attack is linked to Red Menshen, a Chinese APT group. Experts believe the attacks are not financially motivated but are part of a broader campaign to compromise national infrastructure. South Korea’s telecom, financial, and public sectors remain potential targets, and the government has yet to confirm specific entities impacted. Experts warn that BPFDoor could also be used by actors in North Korea or Russia, complicating attribution. Calls for international cooperation have grown as concern rises over the systemic risk to telecom infrastructure.
READ THE STORY: Pulse
Russian APT Groups Escalate Cyber Operations Across Europe with Zero-Day Exploits and Wipers
Bottom Line Up Front (BLUF): ESET Research reports a sharp increase in cyberattacks by Russian-aligned advanced persistent threat (APT) groups targeting Ukraine and European Union nations between Q4 2024 and Q1 2025. Threat actors, including Fancy Bear, Gamaredon, and Sandworm, have deployed zero-day vulnerabilities and destructive malware, with a focus on espionage and infrastructure sabotage.
Analyst Comments: The use of zero-days and wipers such as ZEROLOT suggests a desire for maximal operational impact with minimal attribution. As geopolitical tensions remain high, particularly with ongoing negotiations and Western support for Ukraine, expect Russian groups to persist in targeting critical infrastructure and government networks across Europe. Coordination between intelligence agencies and private sector threat-sharing platforms will be essential in mitigating this evolving threat landscape.
FROM THE MEDIA: Russian cyber threat groups intensified their operations from October 2024 through March 2025. Gamaredon, linked to the FSB, introduced a new malware dubbed PteroBox, using Dropbox for exfiltration. Fancy Bear (APT28), affiliated with GRU, exploited a zero-day in MDaemon Email Server (CVE-2024-11182) in a campaign named Operation RoundPress. Sandworm (APT44), also tied to GRU, targeted Ukrainian energy systems with a new wiper, ZEROLOT, delivered via Active Directory Group Policy. Other groups, like RomCom, exploited flaws in Firefox (CVE-2024-9680) and Windows (CVE-2024-49039). These attacks coincide with heightened diplomatic activity and reflect a broader trend of cyber-enabled influence and disruption operations by Russian APTs.
READ THE STORY: Infosec Mag
Astronomers Propose Satellite Classification Method Using Stellar Occultations
Bottom Line Up Front (BLUF): A new proof-of-concept study suggests that astronomers can classify low Earth orbit (LEO) satellites by analyzing how they block background stars—known as occultations. This approach bypasses traditional radar or optical methods, which are often undermined by stealth designs and operational limitations, offering a potentially powerful future tool for space domain awareness.
Analyst Comments: The method of using stellar occultations to classify satellites offers an intriguing avenue for overcoming the limitations of current satellite tracking systems, especially as LEO grows increasingly crowded with both commercial and secretive military assets. While still theoretical due to current hardware constraints, this research could eventually help identify covert or non-cooperative satellites, contributing to more transparent orbital situational awareness. Given the geopolitical tensions and potential for space-based conflict, enhanced visibility into satellite characteristics could play a key role in monitoring national security threats and managing orbital traffic.
FROM THE MEDIA: Researchers at the University of Warwick’s Center for Space Domain Awareness developed a technique to classify satellites by observing their silhouettes as they pass in front of stars. Simulating 100,000 satellite passes, the study focused on two simplified shapes—boxwing and square—using occultation data to infer rotation angles and edge contours. The method bypasses challenges posed by radar cross-section minimization and solar reflection, which stealth or dark-surfaced satellites exploit to remain hidden. Though promising, the researchers acknowledge that the approach requires ultra-fast exposure times and dense stellar fields, placing it beyond the capabilities of current optical systems. Nevertheless, the study, published on arXiv, lays the groundwork for future observatories that could deploy this classification method to enhance tracking of active and defunct satellites in increasingly congested orbital regimes.
READ THE STORY: Phys
DDoS Attacks Disrupt Major Russian State Services Amid Cyber Escalation
Bottom Line Up Front (BLUF): Several key Russian state services, including the Federal Tax Service (FNS), Goskey, and Saby, suffered outages reportedly due to a large-scale distributed denial-of-service (DDoS) attack from foreign sources. The disruptions impacted access to government platforms critical for taxation, document processing, and product tracking. While no group has claimed responsibility, Ukraine-linked hacktivist groups are suspected based on previous attack patterns.
Analyst Comments: The recurrence of outages across Russia’s public and private sectors highlights significant vulnerabilities in the country’s cyber defense posture. The timing—closely following a Trump-Putin ceasefire discussion—raises questions about whether these operations are timed to influence diplomatic proceedings or signal opposition to potential concessions. Expect ongoing cyber operations to remain tightly linked to geopolitical flashpoints and potentially escalate in frequency and scale.
FROM THE MEDIA: Russia's primary state services experienced significant outages on May 20 due to a foreign-origin DDoS attack. Impacted platforms included the Federal Tax Service (FNS), digital key service Goskey, and the document platform Saby. Other affected systems tracked goods and controlled alcohol distribution, disrupting governance and commerce. The disruptions follow similar outages last week involving banking apps, Yandex, and mobile networks, which were also tied to a DDoS attack targeting telecom provider Severen-Telecom. Although no group has claimed responsibility for the most recent incident, Ukraine-aligned hacktivists such as the IT Army and 4B1D have conducted similar attacks. The incidents occurred just after a high-profile U.S.-Russia diplomatic call, suggesting potential strategic timing.
READ THE STORY: The Record
NIST’s Moonlight Dataset Revolutionizes Satellite Calibration Accuracy
Bottom Line Up Front (BLUF): The National Institute of Standards and Technology (NIST) has released a lunar irradiance dataset that improves satellite sensor calibration accuracy tenfold. The data from a NASA ER-2 high-altitude aircraft offers a reliable benchmark for Earth-observing satellites by using the Moon’s consistent reflectance properties. This breakthrough is expected to enhance the accuracy of satellite-based measurements in fields like agriculture, climate science, and mineral exploration.
Analyst Comments: The dataset offers a standardized and repeatable calibration source by bypassing atmospheric distortion using airborne telescopes and tying the measurements directly to SI units. This development will likely improve trend detection across environmental monitoring systems and reduce reliance on heavier, costlier self-calibration technologies aboard satellites. It also underscores the growing need for precision in satellite imagery as Earth observation becomes more integral to global policy and commerce.
FROM THE MEDIA: These irradiance readings, collected since 2022 using a specialized telescope mounted on NASA’s ER-2 aircraft flying above 95% of the atmosphere, offer a tenfold increase in calibration accuracy over previous lunar models. Satellite sensors can now use this data to verify their readings more precisely, correcting for color and light discrepancies in imagery used for weather, agriculture, and resource management. Unlike traditional pre-launch calibration or self-calibration systems, the Moon provides a stable, ongoing reference that does not require onboard hardware. The new dataset is formatted in netCDF and publicly available via NIST’s portal.
READ THE STORY: NIST
Kimsuky APT Group Deploys PowerShell-Based XWorm RAT in Sophisticated Multi-Stage Attack Chain
Bottom Line Up Front (BLUF): The North Korean-linked APT group Kimsuky has launched a stealthy malware campaign leveraging obfuscated PowerShell scripts to deliver the XWorm Remote Access Trojan (RAT). The operation employs fileless execution, LOLBAS techniques, and decoy content to evade detection while maintaining persistent access to victim systems.
Analyst Comments: Its modular approach and use of trusted system tools reflect a deliberate effort to bypass endpoint defenses and forensic analysis. Given Kimsuky's historical targeting of geopolitical and intelligence assets, this campaign likely aims at high-value entities across government, defense, or research sectors. The use of XWorm RAT, a commodity malware, suggests blending state-sponsored intent with cybercriminal tools, reinforcing the need for heightened detection around PowerShell and LOLBAS behavior.
FROM THE MEDIA: Researchers have uncovered a new campaign by the Kimsuky APT group involving PowerShell payloads encoded in Base64 to initiate multi-stage malware delivery. Initial scripts download a mix of executables (e.g., orwartde.exe), decoy PDFs, and password-protected archives from IPs 185.235.128.114 and 92.119.114.128, establishing command-and-control (C2) channels. The payloads include files like eworvolt.exe and enwtsv.exe, executed under obfuscation and with event logging disabled to evade forensic tools. Inline C# hides terminal windows, while archive extraction tools automate payload delivery. Invoke-Expression enables final-stage code execution, activating the XWorm RAT with remote access, keylogging, and data exfiltration capabilities.
READ THE STORY: GBhackers
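A detection-side illustration of the Kimsuky tradecraft described above, added here and not the researchers' or GBhackers' code: decode the Base64 (UTF-16LE) blob that follows PowerShell's -EncodedCommand flag and score it, together with the outer command line, for Invoke-Expression, hidden windows and inline C#. The process-creation events are constructed, the staged script is inert, and treating Add-Type as the marker for "inline C#" is an assumption.

```python
"""Triage PowerShell process command lines for encoded-command tradecraft.

Added example for the Kimsuky/XWorm summary; not the researchers' code. The
campaign chains Base64-encoded PowerShell, Invoke-Expression and inline C#.
This decodes the -EncodedCommand argument (Base64 of UTF-16LE) and scores the
cleartext plus the outer command line for those indicators. The sample
command lines are constructed, not real telemetry, and mapping "inline C#"
to Add-Type is an assumption.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of -EncodedCommand, and also -ec.
ENC_FLAGS = {"-" + "encodedcommand"[:i] for i in range(1, 15)} | {"-ec"}

# Indicators from the campaign description, matched against the outer command
# line and the decoded script together.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:invoke-expression|iex)\b", re.I),
    "inline_csharp": re.compile(r"\badd-type\b", re.I),       # assumed mapping
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),   # -w / -WindowStyle
    "no_profile": re.compile(r"-nop[a-z]*\b", re.I),            # -nop / -NoProfile
}


@dataclass
class Verdict:
    host: str
    decoded: Optional[str]
    hits: List[str]

    @property
    def suspicious(self) -> bool:
        # An encoded command alone is common in admin tooling; its combination
        # with an evasion or execution indicator is what warrants a look.
        return "encoded_command" in self.hits and len(self.hits) >= 2


def encode_command(script: str) -> str:
    """Produce the value PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the Base64 blob following an -EncodedCommand style flag, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            return tokens[i + 1].strip("\"'")
    return None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode Base64 -> UTF-16LE; None when the blob is not what it claims."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(host: str, cmdline: str) -> Verdict:
    """Score one process-creation event; decoded script is kept for analysts."""
    hits: List[str] = []
    decoded = None
    blob = extract_encoded(cmdline)
    if blob is not None:
        hits.append("encoded_command")
        decoded = decode_encoded_command(blob)
        if decoded is None:
            hits.append("undecodable_payload")
    text = cmdline + "\n" + (decoded or "")
    hits.extend(name for name, pat in INDICATORS.items() if pat.search(text))
    return Verdict(host, decoded, hits)


# Constructed process-creation events: (host, command line). The "staged"
# script is inert and only references a local file.
STAGED = encode_command("$s = Get-Content 'C:\\Users\\Public\\stage2.txt'; Invoke-Expression $s")
BENIGN = encode_command("Get-Service | Where-Object Status -eq 'Running'")
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("ws-01", f"powershell.exe -nop -w hidden -enc {STAGED}"),
    ("ws-02", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    ("ws-03", "powershell.exe -EncodedCommand not_base64!!"),
    ("ws-04", f"powershell.exe -EncodedCommand {BENIGN}"),
]


if __name__ == "__main__":
    for host, cmdline in SAMPLE_EVENTS:
        v = triage(host, cmdline)
        print(f"{host}: {'SUSPICIOUS' if v.suspicious else 'ok'} {v.hits}")
```

Only ws-01 (encoded, hidden window, no profile, Invoke-Expression in the decoded script) and ws-03 (an -EncodedCommand argument that does not decode) are flagged; the plain script file and the benign encoded query are not.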
Items of interest
China’s CNVD vs. CVE: Widening the Global Vulnerability Gap
Bottom Line Up Front (BLUF): Security researcher Kristin Del Rosso has highlighted a critical transparency gap between China’s National Vulnerability Databases (CNNVD and CNVD) and Western databases like CVE/NVD. China’s state-linked systems not only publish vulnerabilities not seen in U.S. records but also allegedly alter disclosure dates and withhold key information—creating advantages for Chinese APT groups. The CNVD, often overlooked, now appears to be a new focal point for untracked and potentially weaponized vulnerabilities.
Analyst Comments: Delays in CVE publication compared to CNVD entries, and difficulties in parsing the latter’s data due to inconsistent naming schemes and site obfuscation, exacerbate global cyber defense disparities. The ability to hoard and manipulate disclosure for offensive advantage raises national security concerns for countries reliant on the U.S. CVE system. Del Rosso’s call for better incentives, gamification, and automation in Western vulnerability reporting is timely and pressing.
FROM THE MEDIA: At LABScon, Sophos' Kristin Del Rosso presented findings from her research into disparities between Chinese and U.S. vulnerability disclosure systems. She uncovered vulnerabilities in CNVD—China’s lesser-known but active vulnerability database—that were not mirrored in CVE/NVD systems, including CVEs relevant to U.S. critical infrastructure. China’s Ministry of State Security allegedly manipulates CNNVD disclosure timelines and uses the CNVD for vulnerabilities potentially deployed in red-teaming exercises like the HVV Operation. Del Rosso also highlighted challenges in automated analysis due to CNVD’s obfuscated naming conventions, throttled access, and deletion of historical data. Her gap analysis revealed numerous vulnerabilities listed on CNVD that are absent from U.S. systems, including exploits targeting Siemens and Schneider software, suggesting Western systems lag significantly in situational awareness.
READ THE STORY: SentinelLABS
Intellexa and Cytrox: From fixer-upper to Intel Agency grade spyware (Video)
FROM THE MEDIA: Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having fully working spyware targeting iOS and Android with one-click zero-day exploits.
A Walking Red Flag (With Yellow Stars) | Cary & Benincasa (Video)
FROM THE MEDIA: China's cybersecurity competition ecosystem has grown significantly since 2017, with over 150 unique events and more than 400 total competitions. While some, like Tianfu Cup, focus on software vulnerabilities, most serve as talent pipelines for government agencies, including the MSS and PLA. APT40, Jiangsu MSS, and iSoon have leveraged CTFs for recruitment and vulnerability sourcing.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.