Daily Drop (1104)
08-07-25
Thursday, Aug 07, 2025 // (IG): BB // GITHUB // SN R&D
Nvidia Refutes Allegations of Hardware Backdoors, Kill Switches, or Spyware in GPUs
NOTE:
China's sudden concerns about backdoors in Nvidia's AI chips represent a masterclass in strategic narrative manipulation. By raising security fears precisely as U.S. export controls loosen, Beijing is executing a sophisticated influence campaign designed to make the world's most advanced AI hardware seem untrustworthy. This isn't genuine cybersecurity advocacy—it's economic warfare disguised as consumer protection.
China knows it cannot yet match Nvidia's technical superiority, so instead, it's deploying the next best strategy: convincing potential buyers that American chips are compromised surveillance tools. The timing reveals the game: these backdoor allegations emerged just as Nvidia requested to resume H20 sales, creating maximum market disruption at a critical juncture. Meanwhile, Chinese companies gain political cover by choosing inferior domestic alternatives, claiming patriotic duty rather than admitting technological inferiority.
By ignoring years of U.S. warnings about Chinese hardware, Beijing has weaponized America's security rhetoric against it. The irony is that U.S. policymakers are inadvertently feeding this narrative by considering location tracking requirements for exported chips, giving China's propaganda campaign a convenient factual foundation. This represents information warfare at its most sophisticated: exploiting legitimate security concerns to fragment global markets and create breathing room for homegrown competitors to catch up.
Bottom Line Up Front (BLUF): Nvidia has publicly denied speculation that its chips contain embedded backdoors, kill switches, or spyware, amid increasing scrutiny over hardware security. The company emphasized that such vulnerabilities would compromise global infrastructure and violate core cybersecurity principles.
Analyst Comments: Nvidia’s proactive denial highlights industry pressure to maintain user trust and reassure governments as GPUs are embedded in national critical infrastructure. The incident also revives historical debates about government-mandated access, like the Clipper Chip failure in the 1990s. Moving forward, expect hardware vendors to face greater calls for transparency, third-party auditing, and security certification as part of broader digital sovereignty efforts.
FROM THE MEDIA: Nvidia stated that such features would pose catastrophic cybersecurity risks and violate the principle of “security through design.” The company drew parallels to past failures like the NSA’s Clipper Chip and rejected comparisons between hardware-level controls and software-based remote features like remote wipe tools. The denial is especially significant given Nvidia’s critical role in powering AI systems, supercomputers, and crucial sectors such as healthcare, finance, and defense. The company reaffirmed its commitment to transparency and user control, asserting that no Nvidia hardware contains any form of embedded surveillance or remote shutdown mechanisms.
READ THE STORY: GBhackers
Chinese State-Owned Crane Supplier Poses National Security Risk to U.S. Ports, Congressional Report Warns
Bottom Line Up Front (BLUF): The U.S. House Select Committee on the Chinese Communist Party (CCP) warns that Chinese state-owned enterprise ZPMC poses serious cybersecurity and national security risks at American ports. The company’s dominance in supplying ship-to-shore cranes—many of which include undocumented hardware like cellular modems—could enable Beijing to surveil or disrupt U.S. maritime infrastructure during a geopolitical crisis.
Analyst Comments: By embedding risk into essential infrastructure components, the People’s Republic of China (PRC) has positioned itself to exert coercive influence over economic and military logistics in the U.S. The findings reveal how systemic underestimation of supply chain risks—particularly from foreign-made technologies—can lead to strategic vulnerabilities. As tensions mount in the Indo-Pacific, expect urgent calls for U.S. port modernization, decoupling from PRC suppliers, and increased investment in domestic crane manufacturing.
FROM THE MEDIA: The report, issued by the Select Committee on the CCP and Homeland Security leaders, reveals that ZPMC-built cranes now operate in over 80% of U.S. ports, some equipped with unauthorized cellular modems and lacking contractual safeguards against remote access or hardware tampering. Lawmakers warned these systems could be exploited for espionage or operational sabotage. The report also criticized firms like ABB for failing to address vulnerabilities in PRC-linked supply chains. Citing links between ZPMC, the CCP, and China's military, the committee emphasized the urgent need for federal, port authority, and private sector action to mitigate risks in maritime infrastructure.
READ THE STORY: Small Wars Journal
Ghost Calls’ Attack Exploits Web Conferencing Platforms for Stealthy Command-and-Control
Bottom Line Up Front (BLUF): A newly revealed cyber technique called “Ghost Calls” allows attackers to exploit trusted web conferencing platforms like Zoom and Microsoft Teams as covert command-and-control (C2) channels. By abusing the TURN protocol, attackers can maintain stealthy communications that bypass conventional security detection.
Analyst Comments: This attack represents a significant leap in covert C2 operations by leveraging the ubiquity and implicit trust in collaboration tools, especially in enterprise environments. These platforms are often excluded from deep inspection for performance reasons, so they offer an ideal vector for undetected communication. TURN servers, combined with persistent credentials and encrypted traffic over port 443, make mitigation complex. Defenders should expect to see more abuse of common SaaS infrastructure and must adopt detection strategies focused on endpoint behaviors and anomalous protocol use, not just network signatures.
FROM THE MEDIA: Adam Crosser from Praetorian presented a novel exploitation method called "Ghost Calls," which hijacks web conferencing infrastructure for stealthy C2 communication. The technique abuses the TURN (Traversal Using Relays around NAT) protocol, a component widely used by platforms like Zoom, Microsoft Teams, and Google Meet. Since TURN traffic often bypasses VPNs and TLS inspection for performance reasons, it provides a nearly invisible conduit for attacker communication. Praetorian demonstrated the method using their open-source tool TURNt, capable of remote port forwarding, SOCKS proxying, and more, while appearing as legitimate conferencing traffic. Because TURN credentials remain valid for days, attackers can sustain access without active sessions. Researchers advise focusing on other attack chain components, such as canary tokens or detecting lateral movement tools, rather than solely attempting to monitor web conferencing traffic.
READ THE STORY: GBhackers
NATO Condemns Russian Cyber Activity Tied to GRU and APT28
Bottom Line Up Front (BLUF): NATO has formally condemned recent Russian cyber operations linked to the GRU and its affiliated APT28 group, citing them as a significant threat to Allied nations and an extension of Russia’s hybrid warfare strategy. The Alliance expressed solidarity with multiple member states affected by these campaigns and reaffirmed its commitment to strengthening cyber defenses.
Analyst Comments: The involvement of APT28 — a GRU-linked group with a long history of offensive cyber activity — suggests continuity in Russia’s doctrine of using cyber operations for strategic disruption. NATO’s response also signals a maturing cyber posture, combining diplomatic pressure with defensive infrastructure investments such as the NATO Integrated Cyber Defence Centre. In the future, we expect closer coordination with the EU and expanding cyber response frameworks like the Tallinn Mechanism.
FROM THE MEDIA: These cyberattacks targeted NATO members, including Estonia, France, the UK, and the United States, as well as Ukraine and other critical entities like infrastructure operators in Romania. NATO emphasized that these actions form part of Russia’s broader hybrid warfare approach, aimed at destabilizing democratic societies. The Alliance affirmed continued support for Ukraine, including cyber aid through the Tallinn Mechanism and the IT capability coalition. It cited new investments in cyber defense as part of its ongoing strategic adaptation.
READ THE STORY: ukdj
HeartCrypt-Packed ‘AVKiller’ Tool Used in Widespread Ransomware Campaigns to Evade EDR
Bottom Line Up Front (BLUF): Multiple ransomware groups are actively deploying AVKiller, a heavily obfuscated tool packed with the HeartCrypt loader, to disable endpoint detection and response (EDR) systems. The malware uses expired or compromised driver certificates to bypass kernel-level protections, highlighting the growing sophistication of anti-defense techniques.
Analyst Comments: The ability to disable security agents using signed kernel drivers—despite revocation years ago—demonstrates a critical flaw in the certificate trust ecosystem. The fact that AVKiller is reused across ransomware families like RansomHub, Medusa, INC, and others suggests it’s either commoditized or shared among threat actors. Organizations must enhance memory-level detection and prioritize certificate validation enforcement at the kernel level.
FROM THE MEDIA: One tool variant injects itself into legitimate applications and leverages expired driver signatures from companies like Changsha Hengxiang and Fuzhou Dingxin to install malicious drivers like mraml.sys or noedt.sys. The tool’s functionality includes killing processes from major vendors such as SentinelOne, Microsoft, Sophos, Kaspersky, and more. Detected in attacks from ransomware groups including Blacksuit, Qilin, Crytox, and Medusa, AVKiller is proving to be a versatile component in modern ransomware toolkits. Its stealthy behavior, persistence via driver services, and deep obfuscation make it challenging to detect without behavior-based monitoring and memory analysis.
READ THE STORY: GBhackers
AI Discovers Zero-Day Flaws Before Hackers: Google and Microsoft Lead Predictive Cyber Defense
Bottom Line Up Front (BLUF): AI-driven tools from Google and Microsoft have independently identified zero-day vulnerabilities before threat actors could exploit them, marking a pivotal shift in cybersecurity. Google's Big Sleep uncovered a critical SQLite flaw (CVE-2025-6965), while Microsoft's Security Copilot revealed 11 vulnerabilities in the GRUB2 bootloader and other system software, demonstrating AI's capacity to outpace human attackers.
Analyst Comments: The success of Big Sleep and Security Copilot suggests that threat detection and remediation will increasingly rely on autonomous systems, especially as attack surfaces expand and adversaries adopt AI themselves. Organizations slow to adopt these technologies risk falling behind in a rapidly evolving threat landscape. The emergence of AI-specific bug bounty categories and real-world impact metrics (e.g., Google's 39.2M account suspensions) further validates the efficacy of AI in threat intelligence and prevention.
FROM THE MEDIA: Google's Big Sleep AI agent, developed with DeepMind and Project Zero, discovered a critical memory corruption vulnerability in SQLite (CVE-2025-6965) before exploiting it in the wild. Rated 7.2 on the CVSS scale, the flaw affected all versions before 3.50.2. Big Sleep’s detection came just as threat intelligence teams observed signs of an imminent exploit. In parallel, Microsoft's Security Copilot used AI to analyze open-source bootloader code and uncovered 11 vulnerabilities in GRUB2 and others in U-Boot and Barebox, with potential implications for Secure Boot bypasses on Linux systems. These AI discoveries represent a shift toward predictive cyber defense. Google’s updated OSS-Fuzz system—augmented with AI—has since found 26 new vulnerabilities across 160 open-source projects, some of which had gone unflagged for years by traditional methods.
READ THE STORY: TechRepublic
Critical HTTP/1.1 Flaw Enables Widespread Web Hijacking via Desync Attacks
Bottom Line Up Front (BLUF): A newly detailed HTTP/1.1 protocol vulnerability allows attackers to hijack millions of websites through advanced request smuggling techniques. Despite six years of mitigations, researchers at PortSwigger show these defenses remain ineffective against evolving HTTP desync attack classes.
Analyst Comments: The persistence of these flaws, especially in upstream server communication, makes even modern deployments vulnerable if not correctly configured. As HTTP/2 adoption lags on backend systems, attackers continue exploiting protocol ambiguities with increasing sophistication. Expect heightened scrutiny of CDN configurations and pressure on tech vendors to accelerate support for secure HTTP versions.
FROM THE MEDIA: These attacks manipulate how different servers parse HTTP requests, enabling malicious actors to inject harmful payloads that bypass security controls. The issue, rooted in HTTP/1.1’s ambiguous request handling, was first reported in 2019 but remains unresolved across many systems. While HTTP/2 and newer protocols are immune to this flaw, many organizations still rely on HTTP/1.1 for backend communication between proxies and origin servers. PortSwigger has launched a new initiative, “HTTP/1.1 Must Die: The Desync Endgame,” urging the global web community to accelerate the transition to HTTP/2 for all infrastructure layers. Open-source tools like HTTP Request Smuggler v3.0 and HTTP Hacker have been released to assist in identifying and mitigating exposure.
READ THE STORY: GBhackers // GITHUB
The ‘Cyber Gulag’: Russia’s Expanding Digital Surveillance State
Bottom Line Up Front (BLUF): A new investigation by Euronews reveals the depth of Russia’s growing surveillance and censorship apparatus, dubbed the “Cyber Gulag,” which integrates facial recognition, online censorship, and AI-driven monitoring to suppress dissent and track its citizens in real time. The system reportedly involves direct cooperation between Russia’s intelligence agencies, internet providers, and private tech companies.
Analyst Comments: Russia’s internal digital repression strategy mirrors its broader cyber doctrine—converging surveillance, coercion, and control to maintain state power. The fusion of AI surveillance, real-time monitoring, and forced data sharing by telecoms forms an advanced authoritarian tech stack. These tactics not only serve domestic suppression but also provide a model for digital authoritarianism globally. Western governments should view this system as a blueprint for emerging cyber-authoritarian regimes and prioritize counter-influence, secure tech partnerships, and support for digital civil liberties abroad.
FROM THE MEDIA: The investigation outlines how Russian authorities utilize systems like SORM (System for Operative Investigative Activities), facial recognition databases, AI-driven social media monitoring, and internet throttling tools to stifle free expression and track dissidents. Telecom companies are legally compelled to install government surveillance equipment and hand over user data. Independent platforms and messaging apps face pressure to share encryption keys or face blocking. The system was considerably expanded following the invasion of Ukraine, with heightened targeting of activists, journalists, and even everyday citizens accused of anti-state speech. Analysts suggest the Kremlin's strategy is preventative and punitive, deterring opposition while controlling the narrative.
READ THE STORY: EURnews
FDD Warns Chinese Drone Imports Pose Espionage and Infrastructure Threat to U.S.
Bottom Line Up Front (BLUF): The U.S. Department of Commerce is urging restrictions on Chinese unmanned aircraft systems (UAS), citing national security risks. The report highlights how dominant Chinese manufacturers like DJI could enable Beijing to conduct surveillance, sabotage infrastructure, and disrupt critical U.S. supply chains.
Analyst Comments: China's UAS dominance is a textbook example of dual-use technology exploitation—leveraging market access to enable potential geopolitical coercion. With legal structures in China requiring firms to cooperate with state intelligence, every Chinese-made drone flown over U.S. soil may be a possible sensor for the CCP. Integrating these devices into agriculture, emergency services, and infrastructure monitoring presents a soft underbelly vulnerability. As competition intensifies over supply chains and drone-based capabilities, expect expanded bipartisan efforts to decouple from PRC-linked drone ecosystems, especially ahead of the 2026 defense reauthorization cycle.
FROM THE MEDIA: The comment, authored by senior fellows and analysts, outlines how China—primarily through Shenzhen-based DJI and Autel—has captured up to 90% of the U.S. drone market using subsidized pricing and anti-competitive tactics. The report warns that Chinese drones pose multiple threats: espionage via surveillance near military sites, interference in agriculture and food security, and manipulation of critical infrastructure data. The analysis also reveals instances of unauthorized data collection, potential sabotage via embedded hardware, and CCP pressure campaigns targeting U.S. drone competitors like Skydio. The authors urge urgent trade and policy remedies to limit Chinese UAS access to American markets and infrastructure.
READ THE STORY: FDD
Officials Clash Over CISA’s Future as U.S. Cyber Capabilities Diminish Amid Restructuring
Bottom Line Up Front (BLUF): At Black Hat USA 2025, current and former U.S. cybersecurity officials debated the implications of scaling down the Cybersecurity and Infrastructure Security Agency (CISA). While CISA’s communications chief defended a return to “core missions,” former NSA cybersecurity lead Rob Joyce warned the drawdown risks degrading national cyber defense during a time of escalating global threats.
Analyst Comments: Reductions in workforce and capabilities—especially during a period of nation-state cyber escalation—could significantly hinder the U.S. government’s ability to respond to complex and emerging threats. This contraction and diminished federal collaboration with social media platforms and industry may leave critical gaps in national cyber resilience. Expect further scrutiny of CISA's strategic posture heading into the 2026 election cycle, especially as disinformation and infrastructure threats intensify.
FROM THE MEDIA: Nextgov/FCW reported from Black Hat USA in Las Vegas, where a panel featuring CISA public affairs official Marci McCarthy and former NSA cybersecurity lead Rob Joyce highlighted opposing perspectives on the agency’s restructuring. McCarthy defended the agency's pivot to a narrower focus and touted new funding for state, local, and tribal cybersecurity programs. However, Joyce warned that the U.S. has "lost capability" by cutting essential cyber personnel and functions, citing weakened operational readiness and reduced technical expertise across multiple agencies. CISA has seen nearly one-third of its workforce depart since 2020 due to political pressure and organizational overhauls. The discussion follows a wave of high-profile exits and controversies, including rescinding appointments for former CISA leaders. The broader concern is whether the U.S. can maintain sufficient cyber defenses under internal restructuring and external threat escalation.
READ THE STORY: NextGov
Items of interest
Russia Expands Alabuga Drone Labor Program to Latin American Migrant Women
Bottom Line Up Front (BLUF): Russia is reportedly recruiting young Latin American migrant women to work in drone production under the guise of education and cultural exchange. The Alabuga Start program, now shifting focus from Africa to Latin America, is accused of exploiting these women as low-cost labor for assembling Geran-2 drones used in Ukraine.
Analyst Comments: Targeting economically vulnerable populations reflects a broader Kremlin strategy to externalize labor costs while masking coercion as opportunity. The growing Latin American outreach may indicate both the success of earlier recruitment and a shift in geopolitical influence operations. Similar tactics could expand into other regions with limited regulatory oversight and economic hardship if left unchecked.
FROM THE MEDIA: According to a policy brief from the Foundation for Defense of Democracies (FDD), Russia’s “Alabuga Start” program is luring young Latin American women into working in drone factories under misleading pretenses. Marketed as a career development opportunity with free housing, travel, and training, the program places women in facilities within the Alabuga Special Economic Zone—Russia’s central hub for Geran-2 drone production. Satellite imagery from July 2025 confirms construction expansions likely tied to the surge in labor demand. The Associated Press previously reported similar exploitation of African recruits in the same program. Promotion of the initiative has surged across social media in Latin America, including through pro-Russian influencers and AI-generated propaganda videos on Telegram and TikTok. Despite existing U.S. sanctions on SEZ Alabuga, calls are increasing for coordinated regional action to disrupt this recruitment and counter Russian influence operations.
READ THE STORY: FDD
Mass Drone Production in Russia – Rare Look Inside Alabuga’s Geran-2 Factory (Video)
FROM THE MEDIA: Rare and revealing footage has emerged from Russia’s secretive Alabuga plant in Tatarstan, showcasing the mass production of Geran-2 kamikaze drones — loitering munitions modeled after Iran’s Shahed-136.
Who Is Making Russia's Drones? The Global Exploitation Behind Alabuga's War Industry (Video)
FROM THE MEDIA: Situated in the Republic of Tatarstan, this industrial complex plays a pivotal role in Russia's production of military drones, especially those deployed in Ukraine. Since the invasion of Ukraine, Alabuga SEZ has transformed into a critical center for the manufacture of attack and reconnaissance drones, notably the Iranian-designed Shahed drones and Russia's Albatross models. With backing from Russia's Ministry of Defence and a network of Iranian partners, production has scaled up rapidly. The facility was reportedly expanded after multinational companies withdrew due to sanctions, and leaked documents have confirmed financial transactions involving gold bars and parts smuggled from Iran..
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.