Friday, Jul 11, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape. (click the image)
NEWS:
Iranian APT Activity Spikes Against U.S. Transportation and Manufacturing Sectors
Bottom Line Up Front (BLUF): Nozomi Networks reports a 133% increase in Iran-linked cyberattacks on U.S. industries during May and June 2025, with a focus on transportation and manufacturing. The activity has been attributed to several known Iranian APT groups, including MuddyWater, APT33, OilRig, and Fox Kitten.
Analyst Comments: The renewed emphasis on ransomware monetization — with groups like Fox Kitten incentivizing attacks — suggests a hybrid state-criminal approach that merges cyberespionage with financially motivated operations. These trends should prompt urgent investment in operational technology (OT) defense across U.S. industries.
FROM THE MEDIA: Nozomi Networks observed 28 Iran-linked attacks on its U.S. customers in May and June 2025, up from 12 incidents during the previous period. The attacks focused on the transportation and manufacturing sectors. Prominent Iranian APT groups include MuddyWater (active since 2017), APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice. MuddyWater led the activity with at least five U.S. targets. The report did not specify the affected companies or methods used. A separate Morphisec report noted that Fox Kitten is encouraging ransomware attacks aligned with Iranian strategic interests by offering affiliates higher ransom proceeds.
READ THE STORY: The Record
Supply Chain Resilience Undermined by Cybersecurity Gaps in Manufacturing
Bottom Line Up Front (BLUF): As manufacturers rapidly reconfigure global supply chains to address geopolitical and economic pressures, they are increasingly exposed to cybersecurity risks. Each new vendor, system integration, and access point becomes a potential entry for threat actors, especially when security controls are bypassed or overlooked. Weak vendor cybersecurity practices, excessive access permissions, and "ghost" connections enable sophisticated attacks.
Analyst Comments: Threat actors exploit rapid onboarding, poor offboarding, and the lack of cybersecurity due diligence to gain footholds in manufacturing environments. Incidents like the MOVEit and Kaseya breaches underscore how third-party vulnerabilities can escalate into enterprise-wide compromises. As digital infrastructure becomes integral to physical production, cybersecurity must be treated as a core supply chain function. Future-ready manufacturers will prioritize secure integration, vendor audits, and continuous access governance.
FROM THE MEDIA: Supply chain compromises have moved from theory to preferred attack vector, with examples such as REvil’s Kaseya exploit and the MOVEit breach affecting Shell Australia. Attackers leverage poor vendor hygiene, excessive permissions, and dormant access points ("ghost connections" and "zombie accounts") to infiltrate networks. Common missteps include unsecured file sharing, lack of vendor offboarding procedures, and failing to verify suppliers' cybersecurity posture. Castellanos emphasizes early security involvement, third-party access management, and response playbooks.
READ THE STORY: MBT
World Food Programme reviews its partnership with BCG over Gaza work
Bottom Line Up Front (BLUF): The UN World Food Programme (WFP) is reevaluating its decades-long partnership with Boston Consulting Group (BCG) after revelations that BCG helped develop the controversial Gaza Humanitarian Foundation (GHF) aid system. The WFP says it was unaware of BCG’s involvement and expressed “shock and grave concerns” over the consultancy’s lack of transparency. GHF's operations have been widely criticized, with over 500 Palestinians reportedly killed while attempting to access its aid sites.
Analyst Comments: BCG’s involvement — especially in modeling mass displacement—may undermine trust in private-sector support within humanitarian frameworks. The WFP’s review and scrutiny from Save the Children and the UK Parliament signal a potential reckoning for consulting firms operating in high-stakes conflict zones. More broadly, this highlights the reputational and operational risks for organizations that fail to align internal oversight with the ethical implications of client work.
FROM THE MEDIA: The GHF, staffed by private U.S. security and guarded by Israeli forces, has drawn criticism from the UN as a “fig leaf” for military strategy. Since its May launch, over 500 people have died attempting to reach its distribution sites. BCG claimed the controversial modeling for Gaza’s reconstruction, including mass relocation scenarios, was unauthorized and subsequently fired two partners. The consultancy has also waived $4 million in fees and hired WilmerHale to review internal processes.
READ THE STORY: FT
Hackers Abuse GitHub to Spread Lumma Stealer via Fake VPN Software
Bottom Line Up Front (BLUF): Cybersecurity firm CYFIRMA has uncovered a malware campaign exploiting GitHub to distribute Lumma Stealer under the guise of legitimate software like “Free VPN for PC” and “Minecraft Skin Changer.” The attackers use password-protected ZIP files to evade browser defenses, hosting the dropper (Launch.exe) and malicious DLLs on a GitHub repository. The attack uses DLL side-loading and process injection to hijack legitimate Windows binaries for malware execution.
Analyst Comments: The attackers’ use of fake VPN software as a lure is particularly effective in a security-conscious user base. The Lumma Stealer payload is highly evasive, using API-level obfuscation and anti-debugging techniques. This campaign also illustrates an ongoing shift in malware delivery tactics, favoring social engineering over phishing and exploiting community trust in open-source platforms. Expect increased scrutiny of GitHub-hosted binaries and a growing call for repository-level content moderation.
FROM THE MEDIA: The DLL performs stealthy process injection into trusted binaries like MSBuild.exe and aspnet_regiis.exe, facilitating the deployment of Lumma Stealer. The attack employs MITRE ATT&CK techniques such as DLL side-loading (T1574.002), masquerading (T1036), and in-memory execution. Researchers identified command-and-control (C2) domains including explorationmsn[.]store and several others under the .sbs TLD. Despite a comprehensive analysis, the threat actor behind the campaign remains unidentified.
READ THE STORY: GBhackers
America is coming after China, accusing it of hacking
Bottom Line Up Front (BLUF): Italian authorities arrested Xu Zewei, a Chinese national accused of hacking U.S. COVID-19 research institutions, at America’s request. The U.S. alleges Xu worked for a front company tied to China’s Ministry of State Security and participated in cyberattacks via the Hafnium APT group.
Analyst Comments: By pursuing extradition, Washington signals that operatives tied to state-sponsored cyberespionage—particularly those involved in health and critical research—will face tangible consequences. The case also highlights the blurred lines between private Chinese firms and government-linked cyber militias. Expect increased caution among Chinese cyber actors traveling abroad and possible diplomatic pushback from Beijing.
FROM THE MEDIA: Xu is accused of working with Shanghai Powerock Network Co., a shell company allegedly connected to China's Ministry of State Security (MSS). U.S. prosecutors say Xu was part of the Hafnium group and conducted cyberattacks against American universities in 2020–2021, targeting COVID-19 vaccine research. He reportedly exploited vulnerabilities in Microsoft Exchange servers. Xu denies all charges, claiming to be a semiconductor technician on vacation. His arrest follows similar indictments of Chinese cyber operatives and reflects a broader U.S. strategy to hold individual hackers accountable. A recent report by Margin Research also highlights a growing network of cyber “militias” trained alongside China’s military, deepening concerns over Beijing’s cyber capabilities.
READ THE STORY: The Economist
Pentagon Invests $400 Million in Rare Earth Producer MP Materials to Counter China’s Dominance
Bottom Line Up Front (BLUF): The U.S. Department of Defense will invest $400 million in MP Materials, securing a 15% stake in the only domestic rare earth mining company. The deal includes commitments to build a U.S.-based magnet manufacturing facility and long-term offtake guarantees, part of a broader effort to reduce reliance on Chinese rare earths critical to defense systems.
Analyst Comments: By directly acquiring equity and underwriting production costs through price floors and purchase guarantees, the Pentagon is not just funding capacity but fundamentally altering market dynamics to favor Western resilience. While the facility will not be operational until 2028, this long-horizon commitment could attract further private and public investments, potentially reshaping the global rare earths ecosystem. However, China's ability to flood the market and manipulate prices remains a key geopolitical and economic challenge.
FROM THE MEDIA: The investment is part of a broader Trump administration initiative to reduce U.S. dependence on Chinese-controlled rare earth elements. MP Materials operates the Mountain Pass mine in California, which produces essential minerals like neodymium and praseodymium for use in F-35 fighter jets, submarines, and drones. The deal includes building a 10,000-metric-ton magnet production plant, a 10-year offtake agreement with the Department of Defense, and a price floor of $110/kg to protect against Chinese price manipulation. The Pentagon's involvement follows Beijing’s April 2025 decision to restrict exports of rare earths, which severely impacted global supply chains.
READ THE STORY: FT
Czech Intelligence Uncovers Russian-Backed Sabotage Network in Europe
Bottom Line Up Front (BLUF): Czech intelligence services have exposed a covert Russian influence operation involving sabotage and arson attacks across Europe, orchestrated from Russian-occupied Ukraine. The campaign, designed to create chaos and destabilize NATO nations, was allegedly run by Russian military intelligence (GRU) with support from local criminal elements and online propaganda.
Analyst Comments: Using proxy actors and encrypted communication from occupied Ukrainian territories shows a strategic pivot toward deniability and decentralized execution. As European elections approach and military aid to Ukraine intensifies, such operations will likely increase in frequency and sophistication. EU states may respond with enhanced counterintelligence cooperation and targeted sanctions against GRU-linked individuals.
FROM THE MEDIA: One of the primary bases for these operations was in occupied Donetsk, where Russian officers coordinated arson attacks on Western infrastructure and distributed payments via cryptocurrency. Czech authorities allege that Russian agents recruited local extremists and criminals through Telegram and other encrypted apps to carry out attacks in Germany, the UK, Poland, and other NATO states. The operation aimed to foster public unrest and undermine support for Ukraine. While the Czech Republic successfully dismantled the domestic branch of the network, other European countries are now investigating related incidents.
READ THE STORY: RBC-UKRAINE
New Scraper Botnet With 3,600+ Devices Targets U.S. and U.K. Using Behavioral Evasion
Bottom Line Up Front (BLUF): A newly discovered scraper botnet with over 3,600 unique infected devices has been targeting systems in the U.S. and U.K. since April 2025. Cybersecurity researchers at GreyNoise uncovered the botnet through advanced behavioral analysis, as traditional detection methods failed to identify the threat. Over half of the compromised IP addresses are based in Taiwan, suggesting a local vulnerability or infrastructure compromise.
Analyst Comments: Attackers have successfully bypassed conventional filters by focusing on behavioral fingerprinting and using deceptively simple indicators like the "Hello-World/1.0" user-agent. The high concentration of infected devices in Taiwan raises questions about supply chain risks or regional exposure through shared platforms. Defenders must adopt signature-agnostic detection techniques, such as JA4+ fingerprinting, to counter this stealthy, distributed threat.
FROM THE MEDIA: First observed in April 2025, the botnet makes repeated GET requests over ports 80–85 and employs a standard user-agent string ("Hello-World/1.0") to blend in with benign traffic. Its evasion is facilitated by sophisticated network behaviors captured using JA4+ signature technology, which analyzes HTTP header ordering (JA4H) and TCP connection patterns (JA4T). Among the infected devices, 1,359 IPs have been labeled malicious, and 122 are considered suspicious. This case emphasizes the need for advanced behavioral detection methods in combating modern botnets.
READ THE STORY: CSN
USDA Unveils National Farm Security Plan to Counter Cyber Threats and Chinese Land Acquisitions
Bottom Line Up Front (BLUF): The U.S. Department of Agriculture released its National Farm Security Action Plan to address escalating cyber threats and restrict foreign adversaries, particularly China, from acquiring American farmland. The plan proposes more vigorous enforcement of land ownership laws, tighter cybersecurity standards, and increased public-private cooperation to secure the U.S. agricultural sector.
Analyst Comments: Focusing on land ownership and cybersecurity aligns with growing concerns about China’s proximity to military installations and exploitation of supply chain vulnerabilities. However, the plan’s success hinges on congressional funding and execution capacity. Without substantial resource allocation, even well-intentioned measures may fail to secure a digitally connected and globally exposed food system.
FROM THE MEDIA: China owns approximately 270,000 acres of U.S. farmland, but many of these holdings are situated near military bases, raising espionage alarms. At the same time, the growing digitization of agriculture—through GPS systems, drones, and smart sensors—has increased susceptibility to cyberattacks. A recent breach at United Natural Foods Inc. disrupted operations and caused nationwide delivery shortages, illustrating the systemic risk. The plan calls for enhanced oversight, industry cooperation, and education initiatives, but lacks adequate staffing and cybersecurity standards to meet its goals without further legislative support.
READ THE STORY: FDD
AMD warns of new Meltdown, Spectre-like bugs affecting CPUs
Bottom Line Up Front (BLUF): AMD has disclosed four new side-channel vulnerabilities—akin to Meltdown and Spectre—collectively called the Transient Scheduler Attacks (TSA). These affect a wide range of its processors, including 3rd and 4th Gen EPYC chips. Although the CVEs are rated medium to low severity due to complexity and local access requirements, cybersecurity firms assess them as critical due to potential OS kernel data leakage.
Analyst Comments: While these TSAs are difficult to exploit and require local code execution, their ability to bypass privilege barriers and leak sensitive data, such as kernel memory, poses serious risks in shared computing environments like virtualized data centers and cloud platforms. The vulnerabilities highlight persistent challenges in securing CPU microarchitectures against speculative execution attacks. With mitigations potentially impacting performance, organizations must balance security needs with system efficiency. A lack of available exploit code offers temporary relief, but patching remains essential.
FROM THE MEDIA: Affected chip families include Ryzen, EPYC, Instinct, and Athlon. While AMD has downplayed the severity based on the complexity of real-world exploitation, Trend Micro and CrowdStrike have categorized the threat as “critical” for environments where low-privileged code can be executed. Mitigations, including microcode updates and a Windows VERW instruction, are now available, though they may impact performance.
READ THE STORY: The Register
Ruckus Network Management Tools Exposed by Multiple Unpatched Vulnerabilities
Bottom Line Up Front (BLUF): Claroty researchers have uncovered a set of critical vulnerabilities affecting Ruckus Networks’ Virtual SmartZone (vSZ) and Ruckus Network Director (RND). These flaws could allow attackers to bypass authentication, execute remote commands, and fully compromise wireless environments. No patches are available, and attempts to contact Ruckus or its parent company CommScope have been unsuccessful.
Analyst Comments: The potential for attackers to gain root-level access through default SSH keys and weak JWT validation mechanisms is particularly concerning. If left unpatched, these flaws could become a high-value target for threat actors aiming to compromise public infrastructure, such as hospitals, schools, and smart cities. Organizations using Ruckus tools should isolate management interfaces immediately and prepare contingency plans for vendor unresponsiveness.
FROM THE MEDIA: According to Carnegie Mellon University’s CERT Coordination Center, eight distinct CVEs affect Ruckus’ wireless network management solutions. The vSZ software is vulnerable to hardcoded secrets (CVE-2025-44957), OS command injection (CVE-2025-44960, CVE-2025-44961), and a backdoor user with root privileges (CVE-2025-44954). Meanwhile, RND suffers from flawed session token verification (CVE-2025-44963), weak password storage (CVE-2025-44958), and exposed root-level SSH keys (CVE-2025-6243). These vulnerabilities, if chained, allow for complete system takeover. CERT/CC has advised isolating affected systems and limiting access to trusted networks until Ruckus issues patches, but no remediation timeline has been confirmed.
READ THE STORY: HelpNetSecurity
"PerfektBlue" Bluetooth Vulnerabilities Enable RCE on Millions of Vehicles and Devices
Bottom Line Up Front (BLUF): A critical set of vulnerabilities in OpenSynergy’s BlueSDK Bluetooth stack—collectively dubbed PerfektBlue—can be exploited to achieve remote code execution (RCE) on millions of devices, including vehicles from major manufacturers like Mercedes-Benz, Volkswagen, and Skoda. Though patches were issued in late 2024, fragmented automotive supply chains have delayed their rollout, leaving many systems exposed into mid-2025.
Analyst Comments: Bluetooth-based RCE in vehicles opens the door to privacy invasions, GPS tracking, and lateral movement across in-vehicle networks. The delayed patch deployment highlights persistent issues in automotive cybersecurity, especially the lack of transparency and sluggish response from OEMs. This disclosure will pressure regulators and automakers to accelerate patch pipelines and improve supplier vulnerability communication.
FROM THE MEDIA: Researchers from PCA Security found these issues after analyzing compiled binaries from infotainment systems like Volkswagen’s ICAS3 and Mercedes-Benz’s NTG6, despite lacking source code access. The flaws were reported in May 2024, and OpenSynergy released patches by September 2024. However, due to complex supply chains, many OEMs failed to apply the fixes promptly, with some unaware of the issue as of June 2025. Experts recommend disabling Bluetooth as a temporary defense in the absence of updates.
READ THE STORY: GBhackers
Russian Basketball Player Arrested in France Over Alleged Ransomware Involvement
Bottom Line Up Front (BLUF): Daniil Kasatkin, a 26-year-old Russian professional basketball player, was arrested in France at the request of U.S. authorities, who suspect him of being involved in a ransomware group that targeted nearly 900 American entities between 2020 and 2022. Kasatkin is accused of helping negotiate ransom payments and is currently in extradition custody, though he denies any technical involvement.
Analyst Comments: If confirmed, Kasatkin’s alleged role in negotiating payments may point to the involvement of non-technical collaborators in ransomware operations — a trend law enforcement is increasingly focused on disrupting. His prior U.S. ties and travel to France could have made him more accessible to extradition, unlike many suspects who remain protected within their home countries. This case could signal a shift toward targeting facilitators and negotiators within ransomware ecosystems.
FROM THE MEDIA: He allegedly has been negotiating ransoms on behalf of a ransomware group linked to attacks on hundreds of U.S. institutions. Kasatkin previously attended Penn State and played for Moscow’s MBA basketball club. His legal team insists he has no cybersecurity skills and claims he purchased a second-hand computer unknowingly. A Paris court rejected a bail request amid concerns over his well-being in custody. The U.S. Department of Justice has yet to comment publicly on the arrest.
READ THE STORY: The Record
CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5777 — a critical vulnerability in Citrix NetScaler ADC and Gateway — to its Known Exploited Vulnerabilities (KEV) catalog. Despite earlier vendor claims of no exploitation, multiple security researchers and threat intelligence platforms have confirmed the flaw is being weaponized in the wild, exposing enterprise environments to session hijacking and unauthorized access.
Analyst Comments: Given their VPN and SSO capabilities, successful exploitation can lead to widespread lateral movement and persistent access. With exploitation now linked to ransomware actors like RansomHub, the urgency to patch and terminate active sessions cannot be overstated. This also underscores the limitations of relying solely on vendor advisories and reinforces the need for proactive threat intelligence and network monitoring.
FROM THE MEDIA: Exploitation has been observed from IPs in Bulgaria, China, the U.S., and Egypt, with affected regions including the U.S., France, India, and Germany. The flaw allows repeated memory leaks that expose sensitive data such as session tokens, potentially granting attackers full access to enterprise systems. Organizations are urged to update patched versions and terminate all active sessions immediately to invalidate compromised credentials.
READ THE STORY: THN
Trump’s 50% Copper Tariff Roils Markets, Sparks National Security Debate
Bottom Line Up Front (BLUF): President Trump has imposed a 50% tariff on copper imports starting August 1, citing national security concerns. The decision has triggered market panic, sent copper prices to record highs, and drawn criticism from manufacturers and policy analysts over its economic logic and long-term strategic impact.
Analyst Comments: The U.S. imports copper mainly from allies like Chile, Canada, and Mexico, with no immediate threat of adversarial control. Without significant permitting reform and investment, domestic smelting and refining capacity will not expand quickly enough to justify the economic disruption. The tariffs risk alienating allies and raising costs for industries critical to U.S. defense and infrastructure.
FROM THE MEDIA: Copper prices surged as businesses rushed to secure supply before the tariff deadline. Trump justified the move by highlighting the use of copper in military systems such as radar, missiles, and hypersonic weapons. However, domestic production and imports from free-trade partners largely meet U.S. copper demand. Critics argue the tariffs will raise costs for construction, manufacturing, and defense industries while failing to address root issues like permitting delays for new mining and smelting projects. The editorial board warned that tariffs without industrial strategy or regulatory reform will lead to “national insecurity, not security.”
READ THE STORY: WSJ
Items of interest
Ex-ASML engineer who stole chip tech for Russia gets three years in Dutch prison
Bottom Line Up Front (BLUF): A Dutch court has sentenced a former ASML and NXP engineer to three years in prison for stealing sensitive semiconductor manufacturing data and illegally sharing it with Russian contacts. The case, linked to geopolitical tensions and industrial espionage, highlights the growing threat of insider cyber-enabled IP theft in the semiconductor industry.
Analyst Comments: While the engineer was convicted under EU sanctions and cybercrime laws, the inability to prove financial transactions tied directly to the espionage reveals enforcement limitations. With chip technology at the center of global power struggles, especially between the West, China, and Russia, semiconductor companies are likely to face increasing espionage attempts, both digital and human. Stronger internal security monitoring and legal deterrents are now essential.
FROM THE MEDIA: A Dutch court sentenced a 43-year-old former engineer to three years in prison for violating EU sanctions and committing computer intrusion after stealing confidential chip technology from ASML and NXP. Identified in earlier reports as German Aksenov, a Russian national, the defendant admitted to copying technical documents and sending them to an unnamed contact in Russia via Signal and Google Drive. The shared data included semiconductor process guidelines and production setup advice. Although prosecutors alleged connections to Russia’s FSB, they could not prove a direct payment trail. NXP confirmed its cooperation with authorities, and ASML declined to comment.
READ THE STORY: The Register
ASML's Monopoly Ending? China's EUV Tech Leaps Towards 2026 Mass Production (Video)
FROM THE MEDIA: China has made significant technical advances (VIA IP THEFT) in EUV lithography, challenging ASML's global monopoly. With key breakthroughs in light sources, precision worktables, and trial production of domestic EUV systems, China is targeting 2026 for mass production, potentially reducing chipmaking costs and reshaping the semiconductor industry.
EUV Lithography: ASML's Lock & China's Quest for Independence (Video)
FROM THE MEDIA: ASML—the Dutch company holding a near-monopoly on EUV lithography—has been a prime target of espionage and IP theft, particularly by actors linked to China's state-backed semiconductor ambitions. The EUV ecosystem involves thousands of patents and proprietary systems, and China has sought to accelerate its progress by both indigenous R&D and strategic acquisition of foreign technology, legally and illegally.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.