Sunday, Jul 13, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape.
NEWS:
China's "Bohai Sea Monster" Revives Cold War Ekranoplan Tech with Military Implications
Bottom Line Up Front (BLUF): A newly spotted Chinese jet-powered ekranoplan—dubbed the "Bohai Sea Monster"—suggests a strategic pivot in Beijing's maritime capabilities. Resembling Cold War-era Soviet designs, this ground-effect vehicle is likely intended for stealthy, high-speed sea-level transport in contested areas like the South China Sea. The aircraft’s large size, military-style features, and amphibious design signal potential use in rapid troop deployment, island resupply, or surveillance operations.
Analyst Comments: Its ability to fly below radar and avoid conventional naval defenses poses new operational challenges in littoral zones, particularly in a Taiwan Strait conflict. While the U.S. is unlikely to counter with similar platforms, its integrated air-sea defense architecture, unmanned systems, and long-range precision weapons are well-positioned to neutralize such threats. However, this development highlights China's ongoing efforts to diversify its amphibious and logistical warfare options, signaling broader innovation in military transport.
FROM THE MEDIA: Satellite imagery and ground-level photos reveal China has developed and docked a large ekranoplan on the Bohai Sea coast, sparking speculation about its strategic role. Likely inspired by the Soviet Lun-class and Caspian Sea Monster, this aircraft uses ground-effect lift to skim just above water, reducing radar visibility and improving fuel efficiency. Key features include four elevated jet engines, a T-tail structure, naval camouflage, a flying boat-style hull, and a cargo side-door—suggesting logistics or rapid response roles. Experts believe it may support PLA operations in the Taiwan Strait or disputed islands, functioning as a stealthy troop/cargo mover or SAR asset. While exact specifications remain unknown, analysts note it resembles the U.S. DARPA Liberty Lifter concept, underscoring the global resurgence of WIG (Wing-In-Ground) interest.
READ THE STORY: MSN
Taiwan Deploys U.S.-Made HIMARS in War Drills Amid Rising China Tensions
Bottom Line Up Front (BLUF): Taiwan has integrated U.S.-supplied HIMARS (High Mobility Artillery Rocket Systems) into its largest annual military exercise, Han Kuang, as tensions with China escalate. The drills simulate full-scale invasion scenarios and reflect a shift toward asymmetric warfare, with HIMARS offering long-range, precision strike capabilities critical for Taiwan’s defense strategy.
Analyst Comments: Taiwan's public demonstration of HIMARS in urban operations is a deliberate signal to Beijing and the international community. It highlights the island’s growing reliance on mobile, high-impact weaponry designed to outmaneuver a superior force. This deployment also reflects deeper U.S.-Taiwan security cooperation, though Washington’s long-term commitment remains strategically ambiguous. As HIMARS becomes central to Taiwan’s deterrence posture, expect Beijing to escalate military exercises or cyber operations in response.
FROM THE MEDIA: During the 2025 Han Kuang exercises, Taiwan showcased HIMARS systems maneuvering through Taichung's streets, highlighting their role in urban defense and precision strike scenarios. These drills simulate cyberattacks, amphibious landings, and surprise invasions, with HIMARS providing the ability to target Chinese military assets up to 300 km away. Taiwanese military leaders emphasized mobility and concealment to preserve operational surprise. The U.S. has delivered 11 of 29 HIMARS units to Taiwan, with field integration now complete. Beijing condemned the drills, accusing Taiwan of stoking tensions, but Taipei maintains the exercises are purely defensive and vital for sovereignty preservation.
READ THE STORY: VOCAL
Ukraine’s Cross-Border Strikes Disrupt Russian Energy Infrastructure, Trigger Cyber and Defense Sector Shifts
Bottom Line Up Front (BLUF): Ukraine’s ongoing cross-border attacks on Russian energy facilities have inflicted an estimated $9.5 billion in economic losses and significantly impacted Russia's refining and logistics capabilities. These strikes accelerate global investment in energy resilience, cybersecurity, and drone defense, while heightening geopolitical risk in critical infrastructure sectors.
Analyst Comments: This trend will likely increase demand for cybersecurity firms, decentralized energy systems, and infrastructure hardening tools. Investors should anticipate heightened government and private-sector spending on cyber-resilient logistics, drone defense, and energy storage. Simultaneously, the reputational and operational risk of holding Russian energy assets is nearing an inflection point, potentially rendering companies like Gazprom and Rosneft untouchable to Western capital markets.
FROM THE MEDIA: Ukraine has increased cross-border operations targeting critical Russian energy infrastructure, including multiple attacks on the Rostov Atlas fuel depot. These strikes have disrupted 10–15% of Russia’s refining output, prompted domestic fuel price spikes, and extended export restrictions. Concurrently, cybersecurity firms such as Palo Alto Networks and CrowdStrike are seeing increased attention for defending energy and defense sectors from retaliatory or opportunistic cyberattacks. In parallel, companies like Lockheed Martin, Tesla, and Dedrone stand to benefit from the global pivot toward energy decentralization, drone defense, and grid resilience. The conflict also threatens global energy supply chains and forces European nations to diversify away from Russian-transited energy rapidly.
READ THE STORY: ainvest
APT29 Exploits Notion, Trello, and Slack for Stealthy C2 in European Commission Cyberattack
Bottom Line Up Front (BLUF): Russia-linked APT29 (Cozy Bear), attributed to the SVR intelligence service, is leveraging legitimate cloud services—including Notion, Trello, Slack, and GitHub—for stealthy command and control (C2) operations. In its latest campaign, APT29 targeted the European Commission using spear-phishing, HTML smuggling, and a custom downloader called VaporRage, which establishes persistence and downloads Cobalt Strike beacons via Notion’s API. The attack illustrates a growing trend of using trusted cloud platforms to evade detection and prolong access to high-value government networks.
Analyst Comments: Their use of business collaboration tools (e.g., Notion, Trello, Slack) for encrypted communication exemplifies a strategic shift toward "living-off-the-cloud" techniques. This not only undermines conventional detection systems but also complicates attribution and incident response. The campaign’s focus on EU institutions during the Russia-Ukraine conflict highlights ongoing geopolitical cyber espionage objectives—especially targeting diplomatic, defense, and policy-making entities. Future attacks may leverage similar TTPs in other NATO-aligned regions.
FROM THE MEDIA: Beginning in February 2023, the group sent spear-phishing emails mimicking administrative messages from the secure document platform eTrustEx. Victims were redirected via HTML smuggling to download an ISO file containing a malicious DLL and LNK shortcut. Once executed, VaporRage established persistence, generated a host ID, and communicated with the Notion C2 endpoint using HTTPS. The malware retrieved stage-two payloads like Cobalt Strike beacons through Notion’s cloud infrastructure. This operation builds upon prior APT29 campaigns using Slack, Trello, and Twitter as covert C2 channels, underscoring their focus on stealth and long-term espionage access.
READ THE STORY: RedHotCyber
US Senators Warn Nvidia CEO Jensen Huang Over China Trip Amid AI Chip Export Concerns
Bottom Line Up Front (BLUF): US Senators Elizabeth Warren and Jim Banks have issued a bipartisan letter warning Nvidia CEO Jensen Huang against meeting with Chinese companies suspected of violating export control laws during his upcoming visit to China. The senators emphasized national security risks tied to AI chip exports, particularly their potential use in modernizing China's military capabilities.
Analyst Comments: With Nvidia's GPUs being central to training large AI models, the US government sees chip exports as a high-risk vector for enabling adversarial technological advancements. The warning to Huang also sends a signal to other tech CEOs: business diplomacy must now align closely with national security policy. Tensions like this may accelerate the decoupling of US-China tech supply chains and drive investments in domestic chip manufacturing and stricter export enforcement.
FROM THE MEDIA: Senators Warren and Banks urged Nvidia CEO Jensen Huang to avoid meetings with any Chinese firms listed on the US Entity List or suspected of aiding the Chinese military. The letter specifically raised concerns about DeepSeek, a company allegedly involved in smuggling US chips and holding restricted hardware stockpiles. The senators argued that Nvidia’s AI chips, if exported freely, could assist China's military AI initiatives. The letter reflects bipartisan consensus on the strategic value of advanced GPUs and their role in safeguarding national interests amid the ongoing US-China technology rivalry. New US export regulations already require Nvidia to obtain licenses for AI chip sales to China.
READ THE STORY: CyberNews
Three Breaches in Three Weeks Expose Gaps in Enterprise Cybersecurity Discipline
Bottom Line Up Front (BLUF): In July 2025, Ingram Micro, United Natural Foods Inc. (UNFI), and McDonald’s experienced major cybersecurity breaches within a three-week span. Each incident stemmed from preventable lapses in basic cyber hygiene—such as default credentials, poor access control, and insufficient endpoint defenses—rather than advanced nation-state tactics.
Analyst Comments: Ingram Micro’s ransomware breach is especially concerning, given its role as a cybersecurity distributor. The broader implication is clear—toolsets alone are not enough. Organizations must enforce security discipline, adopt zero-trust frameworks, and implement robust internal practices. As ransomware actors like SafePay and geopolitically-aligned Pay2Key escalate attacks, we may see growing regulatory demands for cyber accountability across supply chains.
FROM THE MEDIA: Despite selling top-tier security tools like Okta and ESET, the company failed to prevent the attack internally—a failure attributed to policy enforcement gaps rather than technical limitations. Just days earlier, UNFI was breached, disrupting food logistics and exposing vulnerabilities in critical supply chains. McDonald’s also came under scrutiny after researchers found its AI-driven hiring tool, McHire, was accessible using a default password (“123456”), exposing personal data for up to 64 million job seekers. The threat actor behind the Ingram breach, SafePay, is known for VPN-based intrusions and double-extortion tactics. Meanwhile, Pay2Key—linked to Iranian APT Fox Kitten—has ramped up targeting of U.S. companies with Linux ransomware variants and anonymous communications.
READ THE STORY: Forbes
Scattered Spider Cyberattacks Expose Retail Supply Chain Weaknesses
Bottom Line Up Front (BLUF): UK retailers M&S, Co-op, and Harrods were hit by coordinated cyberattacks earlier this year, exposing serious supply chain vulnerabilities. The UK’s National Crime Agency (NCA) arrested four people believed to be linked to the cybercrime group Scattered Spider, which disrupted critical retail infrastructure and caused hundreds of millions in damages.
Analyst Comments: Scattered Spider’s decentralized, loosely organized model complicates law enforcement response despite the group's geographic proximity. The breach underscores the urgent need for retail organizations to reassess their cybersecurity defenses and the digital resilience of their logistics and vendor ecosystems.
FROM THE MEDIA: Co-op experienced a breach affecting millions of records and core warehouse systems, while Harrods preemptively restricted digital access following intrusion attempts. Authorities suspect Scattered Spider, a loosely affiliated group of UK and U.S.-based hackers, as responsible. Despite international coordination efforts, the group’s lack of centralized leadership has made it difficult to disrupt. Businesses have since pledged tighter cybersecurity practices and stronger collaboration with law enforcement.
READ THE STORY: SupplyChain
U.S. Port Operators Scramble as Tariffs Threaten Chinese Crane Imports
Bottom Line Up Front (BLUF): U.S. seaport operators are requesting delays and exemptions from proposed tariffs of up to 100% on Chinese-manufactured ship-to-shore cranes, citing operational and financial risks. The move follows the Trump administration's aggressive stance against China’s dominance in port equipment, which it justifies on national security grounds.
Analyst Comments: With Chinese-made cranes embedded in U.S. port infrastructure, concerns about embedded modems and software enabling espionage or sabotage are not unfounded. However, sudden tariff enforcement could create operational bottlenecks, cost billions, and slow down critical infrastructure upgrades, especially as ports remain vulnerable to cyber threats. A phased approach with secure procurement standards might be more pragmatic than outright bans.
FROM THE MEDIA: China’s ZPMC supplies 80% of U.S. port cranes, with over 200 deployed across major terminals. Despite the previous 25% tariffs enacted by President Biden in 2024 due to cybersecurity warnings from the NSA and CISA, ports continued purchasing lower-cost Chinese models. The Trump administration now seeks a complete phase-out, but operators—represented by the National Association of Waterfront Employers—are lobbying for transition periods and exemptions for pre-ordered cranes. Officials argue these machines pose cyber and espionage risks, while operators stress the financial burden and urge measured implementation.
READ THE STORY: gcaptain
New vulnerabilities have been found in AMD chips, but they can't be exploited yet
Bottom Line Up Front (BLUF): A newly disclosed set of vulnerabilities in AMD processors—dubbed Transient Scheduler Attack (TSA)—has the potential to leak sensitive data through side-channel techniques. Although AMD rates the vulnerability low to medium severity due to its local access requirement, external researchers at Trend Micro and CrowdStrike consider the risk “critical” in targeted environments.
Analyst Comments: While TSA poses no immediate threat due to its complexity and requirement for local code execution, it underscores an ongoing challenge in securing modern CPU architectures. The attack conceptually resembles Spectre and Meltdown, exploiting speculative execution flaws. Organizations running AMD EPYC chips in virtualized or multi-tenant data center environments should note that future proof-of-concept development could significantly increase the risk profile. I would strongly suggest monitoring for future mitigations or firmware updates from AMD.
FROM THE MEDIA: AMD has confirmed the existence of four new vulnerabilities affecting various desktop, mobile, and data center processors, including the 3rd and 4th Gen EPYC chips. These flaws, collectively called the Transient Scheduler Attack (TSA), include two specific variants: TSA-SQ and TSA-L1. Both exploit processor scheduling behaviors that allow residual or speculative data to influence execution timing and leakage that attackers can potentially observe. While no active exploits or proof-of-concept code have surfaced, Microsoft and AMD emphasize that executing the attack requires substantial local access and repeated probing, limiting real-world applicability.
READ THE STORY: MEZHA
Meta’s Llama Firewall Bypassed by Prompt Injection and Unicode Evasion
Bottom Line Up Front (BLUF): Security researchers from Trendyol discovered multiple ways to bypass Meta's open-source Llama Firewall using prompt injection, language obfuscation, and invisible Unicode characters. Tests revealed that half of 100 crafted payloads evaded detection, raising serious concerns about the firewall’s reliability for securing large language model (LLM) applications.
Analyst Comments: While Llama Firewall is an essential step toward LLM safety, its dependency on English-language patterns and lack of robust code analysis make it vulnerable to multilingual and stealthy inputs. These shortcomings are especially risky in enterprise environments where LLMs are integrated into production systems. Expect increased focus on LLM red teaming, multilingual threat modeling, and character encoding inspection in future AI security practices.
FROM THE MEDIA: The PROMPT_GUARD module, designed to prevent malicious instructions, allowed several manipulative prompts and a code generation example with an SQL injection flaw to pass unflagged. Even more concerning, invisible Unicode characters were used to embed hidden commands inside benign-looking text. These inputs triggered unintended model behaviors while bypassing Llama’s filters entirely. Despite detailed May 5, 2025 reporting, Meta closed the case as “informative” without offering a bug bounty. Trendyol now calls for more rigorous testing and layered security defenses in AI deployments.
READ THE STORY: CSN
Hackers Exploiting Critical CVE-2025-47812 in Wing FTP Server for Remote Code Execution
Bottom Line Up Front (BLUF): Hackers are actively exploiting CVE-2025-47812, a critical remote code execution (RCE) vulnerability in Wing FTP Server, days after its technical details were disclosed. The flaw allows unauthenticated attackers to execute arbitrary Lua code as root or SYSTEM, threatening enterprise file transfer environments. Organizations are urged to upgrade to version 7.4.4 immediately.
Analyst Comments: Attackers use null byte injection combined with Lua code to bypass authentication and gain system-level control. Multiple vulnerable endpoints and observed scanning activity suggest potential for mass exploitation. Organizations should patch immediately, monitor session directories, and harden access controls.
FROM THE MEDIA: CVE-2025-47812 enables unauthenticated RCE via a null byte and Lua injection flaw in Wing FTP versions ≤ 7.4.3. Security researcher Julien Ahrens publicly disclosed the bug on June 30, 2025, followed by PoC code and detailed exploit paths. Huntress Labs observed exploitation in the wild by July 1. Attackers sent malformed login requests targeting the loginok.html endpoint to inject malicious .lua session files, which the server executed with system privileges. The injected scripts used tools like certutil and curl for malware retrieval and exfiltration. Additional vulnerabilities (CVE-2025-27889, -47811, -47813) were also disclosed, making the server a high-priority target—Wing FTP Server version 7.4.4, released May 14, patches all but one of the identified flaws.
READ THE STORY: Bleepingcomputer
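Detection logic for the malformed-login pattern described in the Wing FTP item, run over constructed log lines. This is an added example, not code from the article, Huntress, or Wing FTP Server; the log layout, the parameter names (username/password) and the client addresses are assumptions, and the detector mirrors a single URL decode of each field.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in a common-log-like layout with the request body
# appended as a final quoted field.  The layout is an assumption for this example,
# not Wing FTP Server's own log format; client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2025:02:14:03 +0000] "POST /loginok.html HTTP/1.1" 200 512 "username=alice&password=p%40ss"
203.0.113.7 - - [01/Jul/2025:02:14:05 +0000] "GET /main.html HTTP/1.1" 200 8190 ""
198.51.100.23 - - [01/Jul/2025:02:31:44 +0000] "POST /loginok.html HTTP/1.1" 200 512 "username=anonymous%00probe&password=x"
198.51.100.23 - - [01/Jul/2025:02:31:45 +0000] "GET /loginok.html?username=anonymous%2500&password=x HTTP/1.1" 200 512 ""
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
LOGIN_ENDPOINT = "/loginok.html"  # the endpoint named in the article


def decoded_params(query: str) -> dict[str, bytes]:
    """Split k=v&k=v and percent-decode each value exactly once, keeping raw
    bytes so an embedded NUL survives (str-based helpers can hide it)."""
    params: dict[str, bytes] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_to_bytes(key).decode("utf-8", "replace")] = unquote_to_bytes(value)
    return params


def flag_login_requests(log_text: str) -> list[dict[str, str]]:
    """Return one alert per request to the login handler that carries a NUL byte
    in any query-string or body parameter; everything else passes, including
    lines that do not parse and double-encoded values (%2500 decodes to '%00',
    not to a NUL)."""
    alerts: list[dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path.lower() != LOGIN_ENDPOINT:
            continue
        params = decoded_params(query)
        params.update(decoded_params(m["body"]))
        for name, value in params.items():
            if b"\x00" in value:
                alerts.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                               "reason": "NUL byte in login parameter (CVE-2025-47812 pattern)"})
                break  # one alert per request is enough
    return alerts


if __name__ == "__main__":
    for alert in flag_login_requests(SAMPLE_LOG):
        print(alert)
```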
Suspected Chinese Hackers Breach DC Law Firm Wiley Rein in Espionage Operation
Bottom Line Up Front (BLUF): Chinese state-linked hackers have reportedly breached the Microsoft 365 email accounts of attorneys and advisors at Wiley Rein, a prominent Washington, DC law firm deeply involved in U.S. trade policy. The breach appears part of a broader intelligence-gathering campaign amid escalating U.S.-China trade tensions.
Analyst Comments: The incident also demonstrates the ongoing risk posed by cloud-based infrastructure (like Microsoft 365) as attackers shift toward infiltrating soft targets in the legal and consulting sectors to gain insights into U.S. policy. The breach further underscores China's long-term cyber doctrine, which focuses on immediate data theft and establishing sustained leverage over geopolitical rivals.
FROM THE MEDIA: DC-based law firm Wiley Rein disclosed to clients that hackers, possibly affiliated with the Chinese government, accessed Microsoft 365 accounts belonging to some of its personnel. Wiley Rein advises Fortune 500 firms and federal agencies on international trade and regulatory matters, making it a high-value espionage target. The suspected breach occurred as U.S.-China trade hostilities escalated, including newly imposed tariffs and blocked acquisitions of U.S. companies by Chinese firms. Google-owned Mandiant is managing the incident response, and law enforcement is involved. The FBI confirmed ongoing investigations into multiple Chinese espionage campaigns, including prior hacks of telecom providers and foreign investment review offices. Beijing’s embassy denies the allegations, maintaining its stance against cyberattacks.
READ THE STORY: CNN
DoNot APT Deploys LoptikMod Malware in Espionage Attack on European Foreign Ministry
Bottom Line Up Front (BLUF): India-linked threat group DoNot APT has been implicated in a targeted cyber-espionage campaign against a European foreign affairs ministry, using a custom malware strain called LoptikMod. The attack, uncovered by Trellix, involved sophisticated spear-phishing tactics and showcases the group’s expanding geographic reach beyond South Asia.
Analyst Comments: The DoNot APT group’s shift to targeting European diplomatic entities signals a strategic pivot, possibly aligned with broader intelligence objectives. Using LoptikMod, persistent scheduling, and deceptive phishing tactics underscores the need for robust email filtering, endpoint detection, and threat hunting in high-value diplomatic and governmental networks.
FROM THE MEDIA: The phishing emails impersonated European defense officials and referenced a diplomatic visit to Bangladesh. Victims were lured to a Google Drive link hosting a malicious RAR file that extracted an executable disguised as a PDF. Once executed, the malware established persistence and deployed LoptikMod, a custom implant used by DoNot APT since 2018. The malware collects system data and communicates with a command-and-control server. Trellix analysts traced the malware's behavior and coding patterns to the group, confirming its link. The campaign is a textbook example of cyber espionage against diplomatic infrastructure.
READ THE STORY: HR
Iranian APTs Ramp Up Attacks on U.S. Transportation and Manufacturing Sectors
Bottom Line Up Front (BLUF): Iranian state-backed hacking groups have intensified cyberattacks on critical U.S. infrastructure, with a 133% spike in incidents observed between May and June 2025. Six Iranian APT groups, including MuddyWater and APT33, target operational technology (OT) and industrial control systems (ICS) in the transportation and manufacturing sectors.
Analyst Comments: The reuse of infrastructure by groups like CyberAv3ngers shows operational confidence and signals a persistent threat to U.S. industrial networks. These campaigns may be probing for vulnerabilities that could later be weaponized for sabotage, and they highlight the urgent need for enhanced monitoring of ICS environments and OT-specific threat intelligence.
FROM THE MEDIA: Nozomi Networks reported 28 Iranian-attributed cyber incidents in May–June 2025, up from 12 in the previous quarter. The attacks predominantly targeted U.S. companies in transportation and manufacturing. Key threat actors include MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten, and Homeland Justice. The groups used advanced tactics to compromise ICS environments, with MuddyWater breaching at least five organizations. CyberAv3ngers was noted for reusing infrastructure linked to its 2024 OrpaCrab/IOCONTROL malware campaigns. CISA and DHS have issued alerts, and organizations are urged to watch for malicious IPs such as 159.100.6[.]69, 169.150.227[.]230, and 95.181.161[.]50.
READ THE STORY: CSN
Over 600 Laravel Apps Exposed to RCE via Leaked APP_KEYs on GitHub
Bottom Line Up Front (BLUF): Security researchers from GitGuardian and Synacktiv have discovered over 600 Laravel applications vulnerable to remote code execution (RCE) due to publicly exposed APP_KEYs on GitHub. Attackers can exploit Laravel’s deserialization logic, especially when misconfigured with SESSION_DRIVER=cookie, to execute arbitrary code on servers.
Analyst Comments: Laravel’s reliance on the APP_KEY for encryption and deserialization makes it a critical asset. Its exposure creates a fast path for attackers, even in newer Laravel versions. As modern development increasingly relies on open-source frameworks and cloud-native pipelines, secret rotation, secure configuration, and automated scanning are no longer optional—they are table stakes for enterprise resilience.
FROM THE MEDIA: The vulnerability echoes CVE-2018-15133 but remains exploitable via CVE-2024-55556 when Laravel uses cookie-based session drivers. If attackers have both the APP_KEY and APP_URL, they can decrypt session cookies, exploit deserialization, and execute malicious PHP code remotely. The majority of leaked keys stemmed from .env files stored in public repositories, many also containing other sensitive data. GitGuardian emphasizes that deleting exposed secrets isn’t enough: immediate key rotation and continuous monitoring are critical to stopping long-term compromise.
READ THE STORY: THN
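A defender-side audit of a committed Laravel .env, rating it by the conditions the GitGuardian/Synacktiv finding describes (real APP_KEY present, SESSION_DRIVER=cookie, APP_URL known, other secrets alongside) and generating a replacement key in the format Laravel uses. This is an added example, not code from the article, GitGuardian, Synacktiv, or Laravel; the sample .env and its key value are constructed, and the function assumes the file it audits has already been committed to a public repository.

```python
import base64
import secrets

# Constructed sample .env of the kind found committed to public repositories.
# The APP_KEY value is random filler in Laravel's format, not a real leaked key.
SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:7p5Nq0uR0EkrX5qXJ7mWzY1vE0b3Rk1n8cHs2tVw4aY=
APP_URL=https://shop.example.test
SESSION_DRIVER=cookie
DB_PASSWORD=hunter2
"""

SECRET_NAME_HINTS = ("PASSWORD", "SECRET", "TOKEN")


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=value parser: skips blanks and comments, strips simple quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_laravel_key(value: str) -> bool:
    """True if the value has the shape `php artisan key:generate` writes:
    'base64:' followed by 32 random bytes (AES-256-CBC) or 16 (AES-128-CBC)."""
    if not value.startswith("base64:"):
        return False
    try:
        raw = base64.b64decode(value[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) in (16, 32)


def audit_env(text: str) -> list[tuple[str, str]]:
    """Rate a committed .env as (severity, message) findings.

    Any real APP_KEY in a public repo is already 'high': it protects every
    encrypted value and session cookie.  With SESSION_DRIVER=cookie the key
    lets a forged, encrypted session cookie reach Laravel's deserialization
    (the RCE path in the article); the article pairs that with a known APP_URL,
    so that combination is rated 'critical'.
    """
    env = parse_env(text)
    findings: list[tuple[str, str]] = []
    if not is_laravel_key(env.get("APP_KEY", "")):
        return findings  # empty, placeholder or malformed key: nothing usable leaked
    findings.append(("high", "APP_KEY committed: rotate it and treat existing "
                             "sessions and encrypted values as compromised"))
    driver = env.get("SESSION_DRIVER", "file")  # Laravel's default driver is 'file'
    if driver == "cookie":
        severity = "critical" if env.get("APP_URL") else "high"
        findings.append((severity, "SESSION_DRIVER=cookie with a leaked APP_KEY: "
                                   "session cookies can be forged and deserialized"))
    for name, value in env.items():
        if value and any(hint in name for hint in SECRET_NAME_HINTS):
            findings.append(("medium", f"{name} also committed alongside the key"))
    return findings


def rotated_key() -> str:
    """Fresh key in the format Laravel generates (32 random bytes, base64).
    Rotation invalidates every cookie sealed with the old key; values encrypted
    at rest with the old key must be re-encrypted separately."""
    return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode("ascii")


if __name__ == "__main__":
    for severity, message in audit_env(SAMPLE_ENV):
        print(f"[{severity}] {message}")
    print("replacement APP_KEY:", rotated_key())
```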
Items of interest
Critical Flaw in U.S. Rail System Allows Remote Hijacking of Train Brakes
Bottom Line Up Front (BLUF): A newly disclosed vulnerability, CVE-2025-1727, affects wireless braking systems across the U.S. railway network, enabling remote attackers to send spoofed brake commands using inexpensive radio gear. The flaw, discovered in 2012, remains unpatched in most systems and will not be replaced until at least 2027.
Analyst Comments: The fact that such a vulnerability remained unaddressed for over a decade underscores a systemic failure in ICS risk prioritization and legacy system decommissioning. Attackers exploiting this flaw could cause catastrophic accidents, logistics paralysis, or targeted disruption of critical supply chains. The industry must accelerate modernization and adopt encryption standards suitable for safety-critical systems.
FROM THE MEDIA: Despite early reports to ICS-CERT, the Association of American Railroads (AAR) dismissed the issue until 2025, when mounting pressure from CISA led to an industry acknowledgment. The flaw, rated CVSS 8.1, enables attackers with <$500 of software-defined radio gear to remotely issue brake commands, risking derailments and operational shutdowns. The affected systems remain active in freight and passenger rail, with replacements not expected until 2027.
READ THE STORY: Cyber Kendra
The TRUTH about the US Rail Network (Video)
FROM THE MEDIA: The freight-to-passenger ratio is the percentage of rail traffic that is dedicated to moving goods versus moving people. In the US, this ratio is about 84% freight and 16% passenger, while in Europe it’s about 20% freight and 80% passenger. This means that in the US, most of the rail network is used for transporting cargo, while in Europe, most of it is used for transporting people.
Nullcon Berlin 2024 | Hacking Trains (Video)
FROM THE MEDIA: This started as a joke when a colleague shared an article about railways getting hacked. As an exercise in OSINT, I tried to find everything I could on the railways, for a laugh. From the interactions I’ve had, “It can’t happen to us because we’ve met compliance. That’s just the way things are!” is the way executives usually approach cybersecurity issues in this industry.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.