Saturday, Jul 12, 2025
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape.
NEWS:
CISA Warns of 13 New Industrial Control System Vulnerabilities Impacting Critical Infrastructure
Bottom Line Up Front (BLUF): CISA has issued 13 new advisories warning of critical vulnerabilities in Industrial Control Systems (ICS) from major vendors such as Siemens, Delta Electronics, Advantech, Kunbus, and IDEC. The flaws, disclosed on July 10, 2025, could allow remote code execution, unauthorized access, and persistent compromise across key infrastructure sectors like energy, transportation, and manufacturing.
Analyst Comments: ICS environments, often lacking robust patching mechanisms and segmented networks, are highly susceptible to exploitation once flaws are disclosed. Siemens’ dominance in the advisories points to how central vendors have become single points of failure in critical infrastructure. While CISA’s advisories are essential, the underlying issue remains: legacy systems and insecure interfaces continue to pose significant risks. Expect greater scrutiny from both regulators and nation-state adversaries targeting ICS networks.
FROM THE MEDIA: Siemens received six advisories affecting systems like SINEC NMS, TIA Portal, SIMATIC CN 4100, and SIPROTEC 5—components used in energy grids and industrial automation. Notably, web-based interfaces with weak authentication and input validation flaws enable attackers to send malicious HTTP requests, potentially executing arbitrary code or gaining elevated access. Other affected products include Delta Electronics DTM Soft, Advantech iView, and Kunbus RevPi. CISA emphasized the systemic risk posed by network configuration tools and HMI systems, which often run with high privileges. The agency calls for urgent review and patching by OT operators, warning of cascading effects if exploited in live environments.
READ THE STORY: GBhackers
Senate NDAA Draft Presses Pentagon to Develop Cyber Deterrence Strategy Against China
Bottom Line Up Front (BLUF): The Senate Armed Services Committee (SASC) is mandating that the Department of Defense (DoD) develop a comprehensive cyber deterrence strategy targeting foreign threats to U.S. critical infrastructure, specifically highlighting Chinese cyber operations. This requirement is part of the draft FY2026 National Defense Authorization Act (NDAA), signaling heightened concern over persistent threats like Volt Typhoon and Salt Typhoon.
Analyst Comments: The strategic shift from Chinese cyber espionage to prepositioning for potential disruptive attacks on U.S. infrastructure represents a serious escalation. Deterring actors like Volt Typhoon will require bolstering defensive measures and resilience, as well as the credible threat of proportionate or asymmetric retaliation. The DoD may need to expand offensive cyber capabilities and integrate them more tightly into broader national security policy.
FROM THE MEDIA: Lawmakers are especially concerned with Beijing’s use of “living off the land” tactics, in which Chinese actors like Volt Typhoon exploit native system tools to hide in plain sight within U.S. critical infrastructure. Guam and other military-relevant locations have been targeted, raising alarms about China’s potential to disrupt U.S. mobilization in a Taiwan conflict scenario. The provision calls on the DoD to integrate cyber operations with broader national tools of power, with President Trump’s cyber policy nominee Katie Sutton emphasizing denial, resilience, and credible response as pillars of future deterrence.
READ THE STORY: DS
Unauthenticated D-Link Router Vulnerability (CVE-2025-7206) Enables Remote Crashes
Bottom Line Up Front (BLUF): A critical unauthenticated stack-based buffer overflow vulnerability (CVE-2025-7206) was discovered in D-Link DIR-825 Rev.B routers running firmware version 2.10. The flaw enables remote attackers to crash devices by exploiting improper input validation in the router’s language switching interface, posing significant risks to residential and small business networks.
Analyst Comments: Given the device’s popularity and role as a primary gateway in many networks, attackers could use this flaw to launch widespread denial-of-service attacks or establish an initial foothold for lateral movement. While no remote code execution has been confirmed, persistent denial-of-service and potential memory corruption make this a priority for immediate patching or mitigation.
FROM THE MEDIA: Mingjie Liang (iC0rner) discovered the vulnerability in D-Link DIR-825 routers' HTTP daemon, specifically in the switch_language.cgi script. The flaw is triggered when a malicious actor sends a long language parameter, which is stored in non-volatile memory without proper bounds checking. Upon subsequent page loads, the router parses the oversized string, leading to stack memory corruption and system crashes. This denial-of-service vulnerability does not require authentication, making it exploitable over the open internet. Users and administrators are urged to check their firmware version, apply any available security updates, or segment the router from public exposure until a patch is released.
READ THE STORY: Cyber Press
Czech government bans China's DeepSeek AI, warns of security risks
Bottom Line Up Front (BLUF): The Czech government has banned all DeepSeek AI products in state institutions, citing national security risks. The move follows a warning from the Czech National Cyber and Information Security Agency (NÚKIB), highlighting the potential for unauthorized Chinese government access to sensitive data.
Analyst Comments: DeepSeek’s use of data centers in China and Russia, combined with China’s legal environment mandating corporate cooperation with state authorities, poses a significant risk to any government handling sensitive or strategic information. As more countries scrutinize foreign AI vendors, this could accelerate a fragmentation of the global AI ecosystem into jurisdictionally trusted “AI blocs.”
FROM THE MEDIA: The decision follows a high-risk assessment from NÚKIB, warning that DeepSeek’s architecture could expose user data to Chinese government agencies. The agency cited the PRC’s legal framework, which compels tech companies to share information with state authorities, as a core concern. DeepSeek, which markets cheaper AI tools than Western competitors, is already banned in Australia and Italy, and has been flagged by the U.S. State Department. Czech officials are now advising the general public—especially those in sensitive roles—to avoid using DeepSeek’s products altogether.
READ THE STORY: Expats CZ
US Pushes Allies on Taiwan War Commitments, Pressures Australia and Japan Amid Growing China Tensions
Bottom Line Up Front (BLUF): The Trump administration demands clear commitments from Japan and Australia on their military roles in a potential US-China conflict over Taiwan. This request, led by Under-Secretary of Defense Elbridge Colby, has surprised allies and intensified regional unease, given the US’s longstanding policy of strategic ambiguity regarding Taiwan’s defense.
Analyst Comments: Trump’s refusal to commit to Taiwan’s defense while pressing allies for guarantees weakens US credibility and raises concerns of strategic inconsistency. If perceived as coercive, the move could backfire, pushing key allies to hedge their bets between Washington and Beijing. With rising Chinese assertiveness and uncertain US intentions, allies may prioritize autonomy and bilateral self-defense strategies over US-led coalitions.
FROM THE MEDIA: Pentagon officials, spearheaded by Elbridge Colby, have been pressing Australian and Japanese defense officials for concrete commitments in case of a Taiwan Strait conflict. The discussions over recent months aim to strengthen deterrence, but have drawn backlash for being one-sided and opaque. Japan’s defense ministry declined to respond definitively, citing constitutional limits, while Australian officials offered no comment. Tensions are compounded by Colby’s broader push to review the AUKUS submarine deal and reduce European focus on the Indo-Pacific. Analysts and diplomats described the move as diplomatically premature, noting the US has not itself committed to defending Taiwan. The request comes ahead of Japan’s upper house elections on July 20, further complicating political optics in Tokyo and Canberra.
READ THE STORY: FT
Trojanized Chrome and Edge Extensions Hijack 2.3M Browsers in Silent Malware Campaign
Bottom Line Up Front (BLUF): A massive supply chain attack has compromised over 2.3 million Chrome and Edge users via 18 previously trusted browser extensions. According to Koi Security, these extensions silently received malicious updates that redirected users to phishing sites and enabled data exfiltration, all without user interaction.
Analyst Comments: With auto-updating mechanisms and lax re-validation of version changes, browser extensions are a low-friction pathway for threat actors to establish persistent, large-scale surveillance and redirection attacks. The “RedDirection” campaign highlights how attackers can exploit decentralized extension ecosystems with centralized command-and-control infrastructures. Expect intensified scrutiny of browser extension policies and greater emphasis on post-publish security auditing in both Google’s and Microsoft’s stores.
FROM THE MEDIA: Extensions like “Color Picker, Eyedropper – Geco colorpick” and “Volume Max – Ultimate Sound Booster” appeared legitimate for months or years before being updated with malicious payloads. Once installed, the extensions secretly intercepted website visits and redirected users to attacker-controlled phishing domains. The campaign operated through unique domains per extension, masking the coordinated infrastructure behind them. Security experts urge users to uninstall the compromised extensions, reset credentials, clear browsing data, and run full malware scans. While most malicious extensions have been removed from stores, attacker infrastructure remains active, and similar threats may still lurk.
READ THE STORY: CN
Elon Musk’s Grok AI Sparks Global Outrage After Antisemitic and Offensive Outputs
Bottom Line Up Front (BLUF): Elon Musk’s Grok chatbot, developed by xAI and integrated into platform X, triggered global backlash after generating antisemitic and offensive content, including praise for Hitler and conspiracy theories. The incident has prompted scrutiny from European regulators and renewed concerns about inadequate safety testing in generative AI deployment.
Analyst Comments: Musk’s prioritization of “absolute free speech” over guardrails reflects a volatile model-development culture vulnerable to ideological influence. With Grok directly tied to X’s user base and visibility, the reputational and regulatory risks are significantly higher. This case may accelerate calls for international oversight of AI platforms and reshape legal accountability for AI-generated content.
FROM THE MEDIA: These incidents followed prior controversies, including Grok’s references to “white genocide” in South Africa. xAI attributed the incidents to poor prompt tuning and manipulation by users, admitting Grok had become “too eager to please.” Regulators in Europe, including the Polish government, are now urging an investigation under the EU’s Digital Services Act. In Turkey, Grok was banned for insulting President Erdoğan. X CEO Linda Yaccarino resigned amid the fallout, and advertisers expressed renewed concern over brand safety on the platform. Despite the backlash, Musk announced that Grok would soon be integrated into Tesla vehicles, further expanding its exposure.
READ THE STORY: FT
Trump's Frustration with Putin Triggers Rhetorical Shift on Ukraine Support
Bottom Line Up Front (BLUF): President Donald Trump has begun signaling a shift in tone toward Ukraine, expressing frustration with Russian President Vladimir Putin’s inflexibility in ceasefire negotiations. While Trump has promised additional Patriot missile systems and harsher sanctions, there remains skepticism about whether this marks a substantive policy change in U.S. support for Kyiv.
Analyst Comments: Despite announcing symbolic moves like sending air defense systems through NATO allies, the core strategic posture remains ambiguous. Ukraine's position remains precarious until these gestures translate into actionable aid or binding commitments. Trump’s unpredictability threatens allies, complicating European and NATO coordination as the war enters a critical phase.
FROM THE MEDIA: The White House subsequently announced plans to send Patriot air defense systems and hinted at new sanctions. However, officials note that no tangible shifts in U.S. military or financial commitments have occurred. Trump had previously blamed Ukrainian President Volodymyr Zelenskyy for obstructing peace efforts but now appears to be losing patience with Moscow’s hardline stance. Despite ongoing talks, including a recent meeting between Secretary of State Marco Rubio and Russian Foreign Minister Sergei Lavrov, no diplomatic progress has been reported. Observers caution that Trump’s latest rhetoric may serve more as leverage in negotiations than as a genuine policy realignment.
READ THE STORY: FT
Qilin Exploits Unpatched Fortinet Flaws to Lead Global Ransomware Activity
Bottom Line Up Front (BLUF): The Qilin ransomware group has surged ahead in ransomware operations by exploiting two unpatched Fortinet vulnerabilities—CVE-2024-21762 and CVE-2024-55591—enabling widespread unauthorized access and remote code execution. Despite a 15% drop in total ransomware incidents globally in June 2025, Qilin was responsible for 81 of the 463 reported attacks, making it the most active actor.
Analyst Comments: The renewed emphasis on ransomware monetization — with groups like Fox Kitten incentivizing attacks — suggests a hybrid state-criminal approach that merges cyberespionage with financially motivated operations. These trends should prompt urgent investment in operational technology (OT) defense across U.S. industries.
FROM THE MEDIA: These attacks primarily impacted Spanish-speaking countries initially but have since expanded globally. The group has also incorporated advanced extortion features, including legal threat simulations and customized ransomware payloads in Rust and C. The healthcare, IT, and professional services sectors were hardest hit, suffering major breaches such as a 350 GB data theft from Lee Enterprises and 941 GB exfiltrated from Kettering Health. Emerging groups like Fog and Anubis have adopted stealthy tactics and destructive features like file wiping and cloud-based C2, indicating a pivot toward modular, low-signature attack chains. The U.S. recorded 235 ransomware incidents, with victims facing average recovery costs exceeding $200,000.
READ THE STORY: GBhackers
Israel Halts Chinese EV Deployment Over Espionage Fears in Military Sector
Bottom Line Up Front (BLUF): Israel’s Ministry of Defense has suspended deploying Chinese-made electric vehicles, specifically BYD Atto 3 models, over concerns that embedded sensors and communication systems could be used for surveillance. The move reflects growing global skepticism toward Chinese technology in critical sectors due to potential links to state intelligence activities.
Analyst Comments: Chinese EVs—often equipped with advanced telemetry, cameras, microphones, and connectivity modules—can serve as potential data collection platforms. The IDF’s suspension echoes broader global trends as states become increasingly wary of technology supply chains tied to geopolitical adversaries. Expect further restrictions on Chinese tech in defense, infrastructure, and intelligence sectors as part of a broader digital sovereignty push.
FROM THE MEDIA: Experts like Dr. Harel Menashri, former Shin Bet cyber division founder, warned that disabling onboard communication isn’t enough, as these vehicles can silently collect and transmit sensitive data to Chinese servers. The Ministry had acquired over 600 Chinese EVs, including MG and Chery models, many of which are still in use. The decision is part of a broader reassessment of Chinese technologies in Israel’s defense infrastructure, aligning with similar restrictions imposed by the U.S., Australia, and others. Analysts cite China’s 2016 Counter-Terrorism Law, which mandates corporate cooperation with state intelligence agencies, as a central justification for the security concerns.
READ THE STORY: SOFX
CISA Adds ‘Citrix Bleed 2’ (CVE-2025-5777) to KEV Catalog as Exploitation Escalates
Bottom Line Up Front (BLUF): CISA has officially added CVE-2025-5777—a critical vulnerability in Citrix NetScaler ADC and Gateway—to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The flaw allows unauthenticated access via a memory overread condition, posing a significant risk to organizations using affected appliances as VPNs or authentication gateways.
Analyst Comments: Despite initial Citrix claims of no exploitation, independent researchers have linked active attacks to ransomware operations and global scanning activity. The ability to steal session tokens and escalate privileges makes this vulnerability especially dangerous for enterprise and government networks with weak internal segmentation. Organizations must act swiftly to patch systems and terminate active sessions.
FROM THE MEDIA: Security researcher Kevin Beaumont reports exploitation traces back to mid-June, linked to known RansomHub infrastructure. GreyNoise has tracked malicious activity from 10 IP addresses across five countries, primarily targeting the U.S., France, Germany, India, and Italy. Despite initially stating that there was no evidence of exploitation, Citrix later urged immediate patching. Akamai and others warn of widespread vulnerability scanning and token theft risks. Affected organizations are advised to upgrade to version 14.1-43.56 or later, terminate active sessions, and audit logs for suspicious behavior on authentication endpoints.
READ THE STORY: THN
Items of interest
LLMs Still Struggle with Real-World Exploitation, Researchers Find
Bottom Line Up Front (BLUF): New research published by security experts at Claroty reveals that large language models (LLMs), including GPT-4 and Claude, are currently ineffective at independently discovering or exploiting real-world software vulnerabilities. While LLMs show promise in vulnerability identification under controlled conditions, their capability to execute complete exploit chains remains limited.
FROM THE MEDIA: Claroty researchers tested six LLMs—including GPT-4, Claude 2, and open-source models like LLaMA2 and Mistral—on their ability to identify and exploit six real-world vulnerabilities. While some models could recognize insecure patterns or suggest partial proof-of-concept (PoC) code, none could fully generate working exploits. Even with fine-tuning and few-shot prompting, LLMs struggled with chaining bugs or understanding complex memory corruption scenarios. The study warns that as LLMs evolve, their use in automated vulnerability research could become viable, especially if paired with autonomous tools or reinforcement learning environments.
READ THE STORY: SC Media
Real-world exploits and mitigations in LLM applications (37c3) (Video)
FROM THE MEDIA: With the rapid growth of AI and Large Language Models (LLMs), users face an increased risk of scams, data exfiltration, loss of PII, and even remote code execution. This talk will demonstrate many real-world exploits the presenter discovered, including discussing mitigations and fixes vendors put in place for the most prominent LLM applications, including ChatGPT, Bing Chat, and Google Bard. The talk is about LLM security at large, with a focus specifically on the implications of Prompt Injections.
LLMs Are Not Enough: Why Broken Processes Still Break Promises in the Age of AI (Video)
FROM THE MEDIA: ASML—the Dutch company holding a near-monopoly on EUV lithography—has been a prime target of espionage and IP theft, particularly by actors linked to China's state-backed semiconductor ambitions. The EUV ecosystem involves thousands of patents and proprietary systems, and China has sought to accelerate its progress by both indigenous R&D and strategic acquisition of foreign technology, legally and illegally.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.