Daily Drop (1091)
07-23-25
Tuesday, Jul 23, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This project scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape.
NEWS:
New York Proposes Cybersecurity Rules and $2.5M Grant for Water Systems Amid Nation-State Threats
Bottom Line Up Front (BLUF): New York State has proposed comprehensive cybersecurity regulations for water and wastewater systems, alongside a $2.5 million grant program to help with compliance costs. The rules target community water systems serving over 3,300 people and mandate incident reporting, risk assessments, staff training, and recovery plans.
Analyst Comments: By aligning with federal CISA and EPA guidance, New York is taking a proactive approach, despite resistance at the federal level to such mandates. However, the limited grant funding may not adequately offset the high compliance costs, potentially pushing financial pressure onto ratepayers or municipalities. Other states may follow suit, especially in light of recent state-level attacks and a shifting federal posture on infrastructure cybersecurity.
FROM THE MEDIA: The proposed rules—open for public comment until September—apply to 318 water systems statewide and include stricter requirements for systems serving more than 50,000 residents. These include 24-hour breach reporting, annual vulnerability assessments, staff training, and incident response plans. Larger utilities must also appoint a cybersecurity executive. While the state has engaged industry stakeholders and aligned its standards with EPA and CISA frameworks, officials acknowledged that full implementation costs could exceed $5 million annually for large systems. The program comes in response to growing cyber threats, including previous Iranian-linked attacks on U.S. water infrastructure.
READ THE STORY: The Record
U.S. Critical Infrastructure Still at Risk as Congress Grapples with OT Cybersecurity Gaps Post-Stuxnet
Bottom Line Up Front (BLUF): Fifteen years after Stuxnet exposed the vulnerabilities in industrial control systems (ICS), U.S. critical infrastructure remains inadequately protected against modern operational technology (OT) cyber threats. Congressional hearings this week highlighted ongoing policy, funding, and capability gaps, even as adversaries develop increasingly sophisticated malware like PIPEDREAM to disrupt essential services.
Analyst Comments: Despite years of warnings, OT security continues to lag behind IT security, with inconsistent regulations and underfunded operators struggling to secure legacy systems. Testimony emphasized that attacks like Volt Typhoon and Industroyer are no longer theoretical. The growing threat from state-backed actors—notably Iran and China—demands immediate federal investment, streamlined incident response frameworks, and renewed information sharing legislation. The U.S. must recognize OT cyber resilience as a national security priority and fund it accordingly.
FROM THE MEDIA: Zetter noted that while Stuxnet in 2010 exposed the destructive potential of cyber-physical attacks, follow-up threats like Industroyer and Volt Typhoon show these risks are accelerating. Tatyana Bolton of the OT Cybersecurity Coalition stressed the importance of funding and regulatory clarity, urging Congress to reauthorize the Cybersecurity Information Sharing Act before its September 30 expiration. Lee identified nine families of ICS-specific malware in circulation, warning that adversaries now possess reusable frameworks capable of disrupting broad swaths of infrastructure. Federal response remains fragmented, and experts said a unified OT/ICS incident response plan is still lacking.
READ THE STORY: Industrial
Iran’s Digital Economy Paralyzed by Cyber Attacks and Internet Shutdown Amid 12-Day Conflict
Bottom Line Up Front (BLUF): Iran’s digital infrastructure has suffered widespread disruption due to cyberattacks and government-imposed internet shutdowns during the ongoing 12-day war with Israel. The combined effects have crippled e-commerce, banking, and communication networks, severely impacting the country’s digital economy.
Analyst Comments: This situation illustrates how cyber operations are now central components of modern warfare, capable of inflicting economic damage beyond the battlefield. Iran’s limited cyber resilience and centralized internet controls have made it more vulnerable both to external cyberattacks and to the unintended consequences of its own self-imposed connectivity restrictions. These events may pressure Tehran to accelerate its long-standing push for a more sovereign national internet, while adversaries will see validation of offensive cyber tactics as strategic tools.
FROM THE MEDIA: Alongside the cyberattacks, Iranian authorities have implemented widespread internet shutdowns, further hampering civilian access to services and throttling economic activity. E-commerce platforms, mobile banking apps, and logistics networks have all been rendered inoperable or severely degraded. Citizens report difficulties accessing basic services, and businesses have lost millions in revenue. The government has not officially attributed the attacks, but Iranian officials have hinted at foreign involvement, possibly including Israeli cyber units. Analysts suggest the combination of external attacks and internal censorship has significantly weakened public trust and disrupted daily life.
READ THE STORY: Iran News
Dark Web Travel Agencies Exploit Airline Systems to Offer Illicit Discounted Flights
Bottom Line Up Front (BLUF): Cybercriminal groups are operating “dark web travel agencies” offering heavily discounted flights using stolen frequent flyer miles, compromised credentials, and illicitly booked tickets. These underground marketplaces exploit vulnerabilities in airline loyalty programs and booking systems, affecting travelers and airlines globally.
Analyst Comments: This development underscores a growing trend in cybercrime-as-a-service, where fraudsters professionalize operations and mimic legitimate platforms. Exploiting airline IT systems reflects broader weaknesses in identity verification and loyalty point security across the travel sector. As these services evolve with customer support, refund policies, and user ratings, they blur the line between traditional fraud and black-market e-commerce. Airlines and OTAs (online travel agencies) must reinforce multi-factor authentication and invest in anomaly detection to prevent loyalty program abuse.
FROM THE MEDIA: Researchers uncovered a network of dark web travel agencies offering flights from reputable carriers at up to 70% off, booked using stolen credentials or exploited reward point systems. These vendors operate on forums and encrypted chat apps, offering support in multiple languages and accepting cryptocurrency. Some services even include refund options and “VIP status upgrades.” Airlines such as Lufthansa, Emirates, and Turkish Airlines have been listed, although their appearance stems from compromised customer accounts rather than breaches of the airlines’ own systems. The operations are difficult to trace, and synthetic IDs and proxy networks are often used to evade fraud detection mechanisms.
READ THE STORY: GBhackers
NATO Warns Maritime Ports Face Rising Cyber Threats from State and Non-State Actors
Bottom Line Up Front (BLUF): Ports responsible for 80% of global trade face intensified cyber attacks from Russia, China, Iran, and cybercriminals. A NATO CCDCOE policy brief highlights that critical maritime infrastructure lacks adequate cyber defense coordination, particularly due to the civilian-military divide in cybersecurity responsibilities.
Analyst Comments: This assessment reinforces the growing trend of hybrid warfare targeting logistics and supply chain chokepoints. Ports are increasingly vulnerable due to their reliance on IT and OT systems, yet most remain outside formal military cyber defense planning. The exploitation of uncoordinated civilian systems by state-backed actors such as APT28 and Mustang Panda underscores a critical policy and operational gap. NATO’s outdated maritime strategy must evolve to include structured cybersecurity partnerships with private-sector port operators.
FROM THE MEDIA: The report cites targeting by state-aligned groups such as APT28 (Russia), APT35 (Iran), and Mustang Panda (China), often focusing on access control and vessel traffic systems. High-impact attacks, including the NotPetya incident in 2017 and ransomware campaigns in 2022, illustrate the potential for disruption. Hacktivist groups like NoName057 have used botnets such as DDoSia to launch DDoS attacks across European ports. Despite these threats, NATO’s maritime strategy lacks a cyber component, and most ports remain civilian-run. CCDCOE recommends updating NATO policy, creating liaison roles, and developing port-specific cyber intelligence sharing.
READ THE STORY: Help Net Security
CISA Orders Emergency Patching as China-Linked Groups Exploit Critical Microsoft SharePoint Flaws
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four Microsoft SharePoint vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation by China-linked threat actors. CISA has mandated urgent remediation by July 23, 2025, for federal agencies using vulnerable on-premise SharePoint systems.
Analyst Comments: The SharePoint vulnerabilities—now grouped under the exploit chain "ToolShell"—underscore the persistent risk posed by state-sponsored actors leveraging enterprise software flaws. The attack's patch timeline and technical complexity indicate high-level coordination and a strong likelihood of data exfiltration. Bypasses of mitigation techniques like AMSI suggest that relying on surface-level defenses is inadequate. This campaign reinforces the urgency of shifting to cloud-hosted and fully managed collaboration platforms where possible.
FROM THE MEDIA: China's Ministry of State Security used a recently disclosed flaw in Microsoft SharePoint to access sensitive systems across multiple countries. The flaw affects self-hosted versions of SharePoint, not cloud-hosted instances. Google’s Mandiant Consulting and Eye Security identified the threat actors as Chinese, noting similarities to previous espionage campaigns involving Citrix NetScaler and Microsoft Exchange. Compromised systems were observed connecting to Chinese IP addresses, and cryptographic keys were extracted, allowing for persistent access. Microsoft issued a final patch by Monday, but defenders say multiple threat actors still exploit the flaw to steal data or deploy ransomware.
READ THE STORY: The Washington Post // THN
FBI Warns of Interlock Ransomware Threat Following Healthcare Sector Attacks
Bottom Line Up Front (BLUF): The FBI has issued an alert urging increased vigilance against the Interlock ransomware group, which has recently targeted U.S. healthcare organizations. The agency warns that the group uses double extortion tactics and may continue escalating attacks on critical sectors.
Analyst Comments: The FBI’s alert signals that Interlock may ramp up operations or refine its tactics. Healthcare providers should expect more frequent targeting and ensure robust incident response capabilities, offline backups, and vulnerability management practices. Given Interlock's extortion model, data exfiltration will likely remain a key threat even if encryption is prevented.
FROM THE MEDIA: The group employs a double extortion strategy, encrypting data while threatening to publish stolen files if ransoms are not paid. Officials did not specify the number of affected organizations but noted increased activity and sophistication. Interlock reportedly uses phishing emails and exploits unpatched vulnerabilities to gain access. The FBI collaborates with CISA and private-sector partners to gather intelligence and support affected entities.
READ THE STORY: The Record
Critical Vulnerabilities in Synology BeeDrive Allow Code Execution and Remote File Deletion on Windows
Bottom Line Up Front (BLUF): Synology has patched three critical vulnerabilities in BeeDrive for Windows that enable local and remote attackers to execute arbitrary code or delete files without authorization. The flaws affect all versions before 1.4.2-13960, posing serious risks to system integrity for both consumers and enterprises.
Analyst Comments: This cluster of vulnerabilities reflects persistent weaknesses in endpoint backup software—particularly around input validation and authorization controls. CVE-2025-54159 is especially dangerous due to its unauthenticated remote attack vector, posing a threat from outside corporate perimeters. These bugs demonstrate that even trusted local utilities can be exploited for lateral movement or destructive actions if security boundaries are weak. Organizations should prioritize this patch and monitor for exploitation attempts in environments where BeeDrive is installed.
FROM THE MEDIA: Security researcher Zhao Runzi discovered all three vulnerabilities. Exploitation could allow attackers to gain elevated privileges or delete arbitrary files. Synology issued version 1.4.2-13960 to patch the issues and warned users that no workarounds exist. The flaws affect a widely used file synchronization tool, making prompt updates essential for enterprise and personal systems.
READ THE STORY: GBhackers
Items of interest
Special Forces as Strategists: Philosophical Foundations of Unconventional Warfare
Bottom Line Up Front (BLUF): U.S. Army Special Forces (SF) operate not just as tacticians but as strategic agents of political warfare, deeply rooted in Enlightenment ideals, moral philosophy, and the ethics of resistance. The SF soldier embodies a principled approach to empowering legitimate movements against tyranny, acting as a facilitator of self-determination rather than an enforcer of foreign ideologies.
Analyst Comments: Blending Locke’s social contract theory, Kantian ethics, and the just war tradition provides a strategic framework for resisting authoritarian regimes while maintaining respect for sovereignty. In modern irregular warfare environments—particularly in contested regions like Ukraine, Taiwan, or Africa—this model could guide allied forces in countering adversarial influence without triggering overt escalation.
FROM THE MEDIA: David Maxwell, a retired U.S. Army Special Forces Colonel, outlines the philosophical underpinnings of SF doctrine in an essay for Small Wars Journal. Citing Enlightenment thinkers such as Locke and Kant and classical strategists like Cicero and Augustine, Maxwell positions the SF soldier as a modern statesman and moral actor. He argues that Special Forces operations must be rooted in self-determination, cultural fluency, and the just application of power—principles reflected in the SF motto De Oppresso Liber ("To Free the Oppressed"). The essay critiques simplistic kinetic intervention models, advocating for deep ethical engagement, strategic clarity, and restraint in complex political environments. SF’s legacy, from the Sons of Liberty to Cold War resistance support, is portrayed as a living tradition guiding 21st-century unconventional warfare.
READ THE STORY: Small Wars Journal
Irregular Warfare: U.S. Army’s IW Doctrine (Video)
FROM THE MEDIA: IW Reality: Conventional forces have, and always will have, a role in IW across a variety of missions and a range of military activities.
Irregular Warfare, Hybrid Threats, and the Future Role of Ground Forces: Keynote (Video)
FROM THE MEDIA: As today’s conflicts unfold in ambiguous gray zones—blending cyber, proxy, and political elements—forces that empower small, high-performing units with autonomous decision-making are gaining a decisive edge. Reflecting Mattis’s foresight, the U.S. military has invested heavily in simulation-based training, hybrid-capable advisors, and psychological and cultural readiness over traditional hardware. Concepts like Mission Command, Multi-Domain Task Forces (MDTFs), and the Capstone Concept for Joint Operations (CCJO) have since been institutionalized to address these modern complexities.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.