Daily Drop (1109)
08-13-25
Wednesday, Aug 13, 2025 // (IG): BB // GITHUB // SN R&D
DEF CON Franklin Mobilizes Veteran Hackers to Protect U.S. Water Utilities from China and Iran Cyber Threats
Bottom Line Up Front (BLUF): DEF CON Franklin, a volunteer-led cybersecurity initiative, has completed a nine-month pilot securing water utilities in four U.S. states against escalating cyber threats from China and Iran. Founded by former White House cyber official Jake Braun, the program pairs experienced security professionals with under-resourced utilities to provide free operational technology (OT) mapping, password security, and vulnerability assessments. Organizers now aim to scale nationwide to cover over 50,000 utilities.
Analyst Comments: While the initiative offers immediate protective value, especially against campaigns like China’s Volt Typhoon and the Iranian attacks on U.S. water utilities that began in late 2023, it also exposes how fragile national security becomes when critical sectors rely on ad hoc, donation-driven defenses. Scaling rapidly will require volunteers, sustainable funding, and technology deployment, ideally with eventual federal adoption to ensure long-term resilience.
FROM THE MEDIA: The program originated after Braun, inspired by rising nation-state attacks on U.S. utilities, recruited 350 vetted volunteers—many with over a decade of experience and government clearances—to perform no-cost security assessments. Backed by Craig Newmark Philanthropies and partners like the National Rural Water Association and Dragos, volunteers deployed free OT security tools, addressed default password issues, and implemented MFA. Despite skepticism from some utility operators about being targeted by foreign powers, the pilot documented Chinese phishing activity against a Utah utility employee. Braun stresses urgency due to declining federal cyber support and warns that volunteer efforts, while valuable, cannot replace comprehensive government-backed protection.
READ THE STORY: The Record
Huawei Unveils Memory Management Algorithm to Reduce China’s Dependence on Foreign Chips
Bottom Line Up Front (BLUF): Huawei has introduced a new memory management algorithm to boost performance and efficiency in AI and cloud computing systems while reducing China’s reliance on foreign-made DRAM and NAND chips. The technology, announced in August 2025, aims to optimize how hardware utilizes memory, potentially lowering the need for high-capacity imported components. This move aligns with Beijing’s broader semiconductor self-sufficiency strategy amid ongoing U.S. export controls.
Analyst Comments: While it doesn’t eliminate the need for advanced memory chips, it could extend the life and capability of domestically produced components, easing supply chain vulnerabilities. If adopted widely in China’s AI and cloud sectors, it may blunt the impact of U.S. restrictions on advanced memory technology exports. However, as software and hardware increasingly co-depend in performance, foreign restrictions could shift toward AI optimization tools themselves.
FROM THE MEDIA: The announcement comes as the U.S. maintains strict export controls on cutting-edge semiconductor technology bound for China, particularly advanced DRAM and NAND. Huawei claims the software can deliver performance gains of up to 30% in AI training and inference workloads by reallocating memory resources dynamically. Industry analysts view the release as a significant step in China’s multi-pronged approach to semiconductor resilience, alongside domestic chip fabrication and strategic stockpiling.
READ THE STORY: Sri Lanka Guardian
Russian-Linked “Curly COMrades” Target Eastern Europe with Stealthy MucorAgent Backdoor
Bottom Line Up Front (BLUF): Bitdefender has identified a Russian-linked hacking group, “Curly COMrades,” that is conducting cyber-espionage against government and energy sector targets in Georgia and Moldova. The group uses a novel persistence method for its MucorAgent malware by hijacking a dormant Windows NGEN scheduled task, enabling stealthy long-term access. Their tactics blend credential theft tools like Mimikatz with encrypted proxy channels, challenging detection and attribution.
Analyst Comments: The Curly COMrades campaign reflects a trend of Russian state-linked groups innovating on persistence and evasion techniques to bypass traditional defenses. Leveraging CLSID hijacking within a core Windows component is particularly concerning, as it abuses trusted system behavior to hide in plain sight: the task definition itself is untouched, and the malicious change lives in the COM registration it resolves. The targeting of Georgia and Moldova aligns with Moscow’s broader geopolitical interests in Eastern Europe, suggesting that MucorAgent could be deployed in other politically sensitive regions. Defenders should monitor the NGEN tasks’ enabled state and the CLSID registrations their COM handlers resolve to, and implement behavioral detection capable of flagging COM object abuse.
FROM THE MEDIA: The group compromised government agencies and an energy distributor in Georgia and Moldova, focusing on intelligence collection. MucorAgent persists by hijacking the CLSID of the COM handler invoked by a dormant Windows NGEN (Native Image Generator) scheduled task: the task is disabled by default, but Windows re-enables it during idle periods or after software installation, and each run then loads the attackers’ code in place of the legitimate handler. Bitdefender had not observed this technique before. It is paired with Resocks and Stunnel proxies for covert communication, and with Mimikatz and DCSync for credential theft. Command-and-control traffic is routed through compromised legitimate websites used as relays. Bitdefender said it chose the name to “de-glamorize” cybercrime and avoid romanticizing advanced threat actors.
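A first check a defender can run against the persistence technique described above, added here as an example (it is not Bitdefender’s code or tooling from the article): enumerate every scheduled task whose action is a COM handler rather than an executable, resolve the handler’s CLSID through the registry the way COM activation would, and flag registrations that point outside Windows and Program Files, are missing on disk, or sit in the per-user hive. The trusted-root list and the output fields are assumptions of the example. It generalizes beyond the NGEN task to every task that runs a COM handler.

```powershell
# Added example (not Bitdefender's or the article's code): audit every scheduled task
# that runs a COM handler and resolve the handler's CLSID to the binary Windows would
# actually load. The NGEN hijack described above works because the task definition
# names a CLSID rather than a file, so the task looks untouched; the change lives in
# the CLSID registration. Run in an elevated PowerShell session.

function Resolve-ClsidServer {
    # Returns the hive, server type and path registered for a CLSID, or $null.
    param([Parameter(Mandatory)][string]$ClassId)
    # HKCU is checked first because a per-user registration shadows the machine-wide
    # one under HKCR, the classic COM hijack placement. Only the current user's hive
    # is visible here; a hijack planted in another account's hive needs that hive loaded.
    foreach ($hive in 'HKCU:\Software\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $key = Join-Path $hive "$ClassId\$server"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $path = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($path) {
                return [pscustomobject]@{
                    Hive       = $hive.Split(':')[0]
                    ServerType = $server
                    Path       = $path
                }
            }
        }
    }
    return $null
}

function Get-SuspiciousComHandlerTask {
    param(
        # Directories a COM server for a Microsoft task is expected to live under.
        # This allow-list is an assumption of the example; tune it to the estate.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $roots = $TrustedRoots | Where-Object { $_ }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Exec actions carry Execute/Arguments; only COM handler actions carry ClassId.
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskComHandlerAction') { continue }

            $reasons  = @()
            $server   = Resolve-ClsidServer -ClassId $action.ClassId
            $binary   = $null
            $hiveName = $null
            if ($null -eq $server) {
                $reasons += 'CLSID has no InprocServer32/LocalServer32 registration'
            } else {
                $hiveName = $server.Hive
                # Reduce '"C:\path\x.exe" /flag' or 'C:\path\x.exe -Embedding' to the binary.
                $binary = $server.Path -replace '^"([^"]+)".*$', '$1' -replace '\s+[-/].*$', ''
                $binary = [Environment]::ExpandEnvironmentVariables($binary)
                if ($hiveName -eq 'HKCU') {
                    $reasons += 'per-user CLSID registration shadows the machine-wide one'
                }
                $trusted = $roots | Where-Object {
                    $binary.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
                }
                if (-not $trusted) { $reasons += 'server binary outside trusted roots' }
                if (-not (Test-Path -LiteralPath $binary)) { $reasons += 'server binary missing on disk' }
            }

            if ($reasons) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    State   = $task.State   # 'Disabled' tasks still fire once Windows re-enables them
                    ClassId = $action.ClassId
                    Hive    = $hiveName
                    Binary  = $binary
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

# Usage: list hijack indicators across all COM-handler tasks, NGEN tasks included.
Get-SuspiciousComHandlerTask | Format-Table -AutoSize -Wrap
```

Task state is reported but not used as a filter on purpose: a hijacked NGEN task will typically show as Disabled and still execute when Windows re-enables it. The check reads the 64-bit registry view only; on 64-bit hosts, 32-bit handlers registered under WOW6432Node need a second pass.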
READ THE STORY: HackRead
Foreign Affairs Warns: China’s “Salt Typhoon” Cyber Campaign Exposes U.S. Critical Infrastructure Weaknesses
Bottom Line Up Front (BLUF): A Foreign Affairs article by former U.S. Deputy National Security Adviser Anne Neuberger warns that China has gained unprecedented access to U.S. telecommunications and embedded malware across critical infrastructure, enabling potential sabotage of power grids, water systems, and transportation. The “Salt Typhoon” campaign exemplifies China’s broader “active deterrence” strategy in cyberspace, leveraging both espionage and pre-positioned attack capabilities. Neuberger argues the U.S. must adopt AI-powered “digital twins” to model, test, and harden key infrastructure while building credible offensive cyber capabilities to deter Beijing.
Analyst Comments: Neuberger’s proposed AI-driven digital twin initiative would give Washington a scalable method for vulnerability assessment, though it requires unprecedented public-private collaboration and data sharing. Her deterrence framework blends improved defense with selective offensive targeting, aiming to counter China’s structural advantages without mirroring its surveillance-heavy model. However, implementation will demand political will and sustained funding beyond current incremental measures.
FROM THE MEDIA: Neuberger warns that Chinese malware has been discovered dormant in U.S. energy, water, and transport systems, positioned for potential disruption during crises. Structural differences between China’s centralized, monitored infrastructure and America’s fragmented, privately run systems have allowed Beijing to operate offensively without fear of retaliation. Neuberger proposes a national program to build AI-powered digital twins for hundreds of critical infrastructure assets, enabling safe simulation of attack scenarios and prioritization of fixes. She stresses that deterrence also requires credible offensive capabilities, clear red lines around civilian infrastructure, and strategic messaging to convince China of U.S. resilience and willingness to retaliate.
READ THE STORY: Foreign Affairs
Sam Altman-Backed Merge Labs to Compete With Elon Musk’s Neuralink in Brain-Computer Interfaces
Bottom Line Up Front (BLUF): OpenAI CEO Sam Altman is co-founding Merge Labs, a brain-computer interface (BCI) startup valued at $850M, set to rival Elon Musk’s Neuralink. The venture aims to raise $250M—primarily from OpenAI’s venture arm—and leverage AI advances to create “high-bandwidth” brain-computer links. While Altman won’t manage day-to-day operations, his involvement escalates the rivalry with Musk, who left OpenAI’s board in 2018. Merge joins other BCI contenders like Precision Neuroscience and Synchron in a market where AI, neural implants, and medical tech converge.
Analyst Comments: While positioned as a competitor to Neuralink, the underlying market drivers (medical use cases, disability assistance, enhanced computing interaction) will likely be overshadowed by ethical and regulatory debates over privacy, security, and cognitive autonomy. If successful, Merge Labs could give OpenAI a hardware foothold analogous to how Microsoft uses Surface devices to shape Windows’ ecosystem—but here, the stakes are literal human minds.
FROM THE MEDIA: Merge Labs’ name references “the merge”—a concept Altman predicted in 2017 as the point when human and machine intelligence integrate. Neuralink, valued at $9B, has a head start but faces regulatory scrutiny over safety and ethics. Advances in AI signal processing and miniaturized electronics make BCIs more viable, but societal acceptance remains uncertain.
READ THE STORY: FT
Data Brokers Hide Opt-Out Pages From Google, Hindering Privacy Requests
Bottom Line Up Front (BLUF): At least 35 California-registered data brokers have intentionally or inadvertently hidden their opt-out and deletion request pages from search engine indexing, making it harder for consumers to exercise privacy rights under the California Consumer Privacy Act (CCPA). While some companies claim it was accidental, others cited spam prevention as justification. The practice may constitute a “dark pattern” under California law, potentially triggering enforcement actions.
Analyst Comments: While some companies removed the blocking code after media inquiries, others remain noncompliant. This fits a broader pattern of firms technically meeting legal obligations while designing interfaces or processes that discourage their use, a tactic regulators have increasingly penalized. The California Delete Act’s centralized Delete Request and Opt-Out Platform (DROP), due to open in 2026, may render these tactics less effective by letting consumers send a single deletion request to every registered broker.
FROM THE MEDIA: The CCPA requires data brokers to provide clear instructions for deletion and “Do Not Sell” requests, yet the hidden pages often sit behind small, buried links that take extensive site navigation to reach. Some brokers, such as FourthWall and Kloudend (ipapi), removed the code after being contacted, while two admitted adding it deliberately. Others did not respond. The California Privacy Protection Agency confirmed the findings, noting such tactics may violate its anti-dark-pattern rules. The Delete Act’s platform, launching in 2026, aims to simplify deletion requests by allowing one centralized submission to all brokers in the registry.
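The article does not spell out the “blocking code” the brokers used, but there are three standard signals that keep a page out of Google’s index: a robots meta tag, an X-Robots-Tag response header, and a robots.txt Disallow rule. The following PowerShell function, added here as an example and not code from the article or from any broker named in it, takes a captured response and the site’s robots.txt and reports which signals apply to a given opt-out page. The sample page, headers, and robots.txt are constructed for the example.

```powershell
# Added example, not from the article or any named broker: given a captured response for
# an opt-out page and the site's robots.txt, list every signal that tells Google not to
# index it. Inputs are plain strings, so it runs offline against saved captures.

function Test-OptOutPageIndexable {
    param(
        [Parameter(Mandatory)][string]$Path,   # URL path of the opt-out page, e.g. '/privacy/opt-out'
        [string]$Html = '',                    # response body
        [hashtable]$Headers = @{},             # response headers
        [string]$RobotsTxt = ''                # contents of /robots.txt
    )
    $blockers = @()

    # 1. <meta name="robots"|"googlebot" content="noindex ..."> in either attribute order.
    foreach ($tag in [regex]::Matches($Html, '(?is)<meta\b[^>]*>')) {
        $t = $tag.Value
        if ($t -match '\bname\s*=\s*["'']?(robots|googlebot)\b' -and $t -match '\bcontent\s*=\s*["'']([^"'']*)') {
            $content = $Matches[1].Trim()
            if ($content -match '\b(noindex|none)\b') { $blockers += "meta robots: $content" }
        }
    }

    # 2. X-Robots-Tag header (header names are case-insensitive; -eq already is).
    foreach ($name in $Headers.Keys) {
        if ($name -eq 'X-Robots-Tag' -and "$($Headers[$name])" -match '\b(noindex|none)\b') {
            $blockers += "X-Robots-Tag: $($Headers[$name])"
        }
    }

    # 3. robots.txt: parse user-agent groups, then apply the longest-match rule Google uses.
    $groups = @{}          # user-agent token -> array of @{ Allow = [bool]; Pattern = [string] }
    $current = @()         # agents the next rule lines apply to
    $lastWasAgent = $false
    foreach ($raw in ($RobotsTxt -split "`r?`n")) {
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        if ($line -match '^user-agent\s*:\s*(.+)$') {
            if (-not $lastWasAgent) { $current = @() }   # a new group starts after rule lines
            $agent = $Matches[1].Trim().ToLower()
            if (-not $groups.ContainsKey($agent)) { $groups[$agent] = @() }
            $current += $agent
            $lastWasAgent = $true
        } elseif ($line -match '^(allow|disallow)\s*:\s*(.*)$') {
            $lastWasAgent = $false
            $rule = @{ Allow = ($Matches[1] -eq 'allow'); Pattern = $Matches[2].Trim() }
            foreach ($agent in $current) { $groups[$agent] += ,$rule }
        } else {
            $lastWasAgent = $false                       # Sitemap:, Crawl-delay:, etc.
        }
    }
    # Googlebot honours only the group that names it; otherwise the '*' group.
    $rules = if ($groups.ContainsKey('googlebot')) { $groups['googlebot'] } else { $groups['*'] }
    $best = $null
    foreach ($r in $rules) {
        if (-not $r.Pattern) { continue }                # 'Disallow:' with no path blocks nothing
        # Convert the robots pattern to a regex: '*' is a wildcard, trailing '$' anchors the end.
        $re = '^' + ([regex]::Escape($r.Pattern) -replace '\\\*', '.*' -replace '\\\$$', '$$')
        if ($Path -match $re) {
            # Longest matching pattern wins; on a tie the Allow rule does.
            if ($null -eq $best -or $r.Pattern.Length -gt $best.Pattern.Length -or
                ($r.Pattern.Length -eq $best.Pattern.Length -and $r.Allow)) { $best = $r }
        }
    }
    if ($best -and -not $best.Allow) { $blockers += "robots.txt Disallow: $($best.Pattern)" }

    [pscustomobject]@{ Path = $Path; Indexable = ($blockers.Count -eq 0); Blockers = $blockers }
}

# Constructed sample for a hypothetical broker's opt-out page (not real data).
$sampleHtml = @'
<html><head><title>Opt Out</title>
<meta content="noindex, nofollow" name="robots">
</head><body>Submit your request below.</body></html>
'@
$sampleRobots = @'
User-agent: *
Disallow: /privacy/
Allow: /privacy/policy

User-agent: Googlebot
Disallow: /privacy/opt-out$
'@
Test-OptOutPageIndexable -Path '/privacy/opt-out' -Html $sampleHtml `
    -Headers @{ 'x-robots-tag' = 'noindex' } -RobotsTxt $sampleRobots
```

On the sample input all three signals fire. The three are not equivalent: a robots.txt Disallow stops crawling, so a page hidden only that way can still surface as a bare URL from inbound links, while a noindex meta tag or header only takes effect if the crawler is allowed to fetch the page in the first place.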
READ THE STORY: Wired
Nvidia Rejects China’s “Backdoor Kill Switch” Allegations in H20 AI Chips
Bottom Line Up Front (BLUF): Nvidia has publicly denied Chinese government claims that its H20 AI chips, designed for the Chinese market under U.S. export controls, contain a backdoor “kill switch” capable of remote shutdown or location tracking. The Cyberspace Administration of China demanded documentation after alleging the chip could be remotely disabled. Nvidia’s Chief Security Officer David Reber called such features a “gift to hackers” and reaffirmed the company’s opposition to backdoor designs. The dispute comes amid U.S. legislative proposals that would mandate tracking in export-restricted chips.
Analyst Comments: For Beijing, the claims reinforce narratives about U.S. tech products as national security risks; for Washington, the controversy highlights tensions between export control compliance and customer trust abroad. If tracking or remote-disabling features were mandated, it could damage U.S. chipmakers’ competitiveness in foreign markets while offering potential exploitation points for adversaries. The comparison to the NSA’s failed “Clipper Chip” program underscores industry fears of repeating past security and public relations mistakes.
FROM THE MEDIA: The H20 was designed to comply with U.S. export restrictions, tightened in October 2023, that bar more advanced models like the A100 and H100 from sale in China. China’s cyberspace regulator claims unnamed U.S. security experts confirmed the chips could be disabled remotely and tracked physically. Nvidia rejected this, citing policy and security risks, and likened the concept to the 1990s NSA “Clipper Chip,” whose key-escrow design was shown to be bypassable and which failed amid public backlash. The allegations follow a temporary U.S. halt on H20 exports in 2025 during a House investigation into Nvidia’s role in the Chinese AI sector. The controversy also overlaps with U.S. legislative proposals that could mandate location tracking and other undisclosed mechanisms in export-restricted chips.
READ THE STORY: CPOMAG
U.S. and China Trade Accusations at U.N. Over Panama Canal Control
Bottom Line Up Front (BLUF): At a U.N. Security Council meeting on maritime security, the U.S. accused China of exerting “outsized influence” over the Panama Canal, framing it as a potential threat to global trade and security. China dismissed the allegations as a U.S. pretext to take control of the canal, affirming its support for Panama’s sovereignty and canal neutrality. Panama’s president reaffirmed ownership and neutrality as the canal’s best defense.
Analyst Comments: The U.S. is signaling concern over Beijing’s role in managing port operations at either end of the canal, tying it to broader maritime disputes like the South China Sea. China’s rebuttal aligns with its narrative of opposing “economic coercion” while positioning itself as a defender of sovereignty. The tension could push Panama into a delicate balancing act between two major powers, potentially affecting foreign investment, port security arrangements, and cyber risk to critical maritime infrastructure.
FROM THE MEDIA: The U.S. representative linked China’s role in the canal to its “unlawful” maritime claims and aggressive behavior elsewhere. China’s U.N. Ambassador Fu Cong countered that the U.S. was fabricating accusations as a pretext to seek canal control, accusing Washington of being the true disruptor of peace in the region. The dispute comes after the Trump administration pressed for the Hong Kong-based operator of key canal ports to sell to a U.S. consortium. U.S. Defense Secretary Pete Hegseth secured expanded security cooperation with Panama in April, granting U.S. forces access to strategic facilities. Panama’s President José Raúl Mulino reaffirmed the canal’s neutrality under international treaty, calling it the best safeguard against threats.
READ THE STORY: NPR
SAP Patch Tuesday Addresses Critical S/4HANA Code Injection Flaws
Bottom Line Up Front (BLUF): SAP’s August 2025 Patch Tuesday fixes 15 new vulnerabilities (plus 4 updates), including critical code injection flaws (CVE-2025-42950, CVE-2025-42957) affecting both legacy ERP Central Component (ECC) and S/4HANA systems. Successful exploitation could allow arbitrary code execution and full system compromise. Additional high-priority fixes include privilege escalation in SAP Business One (CVE-2025-42951) and memory corruption in NetWeaver AS ABAP (CVE-2025-42976). Given active exploitation of past SAP flaws, rapid patching is essential.
Analyst Comments: The fact that similar flaws exist across both current and legacy systems increases the attack surface, especially in hybrid environments. Historical exploitation of NetWeaver vulnerabilities by ransomware groups and nation-state actors shows that SAP flaws have a short window before weaponization. Immediate patch application, validation of authorization configurations, and compensating controls (e.g., WAF rules, network segmentation) are recommended to reduce exposure.
FROM THE MEDIA: Onapsis identified four “Hot News” items, with the two critical code injection CVEs tied to ERP and S/4HANA being the most severe. These flaws could lead to complete compromise of affected systems. Past incidents, such as a NetWeaver zero-day exploited for months before patching, underscore the risk of delayed remediation.
READ THE STORY: SecurityWeek
Canada Warns of Chinese State-Sponsored Recon Scans Targeting Government, Critical Infrastructure
Bottom Line Up Front (BLUF): The Canadian Centre for Cyber Security has reported ongoing reconnaissance scanning by a “sophisticated state-sponsored threat actor” from China against high-value national targets. The scans observed throughout 2025 focused on government institutions, political parties, critical infrastructure, defense, media, and think tanks. Officials stress that while no breaches have been confirmed, such activity often precedes malicious operations.
Analyst Comments: The targeting breadth, from political entities to infrastructure, suggests both intelligence-gathering and potential disruption objectives. The activity fits a wider pattern of PRC reconnaissance against Western governments, landing after Canada’s public inquiry into Chinese election interference and alongside similar UK concerns about PRC cyber operations. Organizations in the affected sectors should prioritize attack surface reduction, logging, and anomaly detection, since scanning of this kind is the stage at which exposed services are being catalogued for later use.
FROM THE MEDIA: Canada’s cyber defense agency attributed a wave of network scanning to a Chinese state-sponsored threat actor. The activity targeted federal government departments, political parties, Parliament, defense networks, critical infrastructure providers, media outlets, and policy think tanks. The agency likened the behavior to “walking around a building to see if there is an alarm,” emphasizing that while scanning does not equate to compromise, it is a key precursor to intrusions. The warning follows a public inquiry confirming Chinese attempts to meddle in Canada’s past two federal elections. It comes as UK intelligence officials raise alarms over suspected PRC compromises in British infrastructure networks.
READ THE STORY: MSN
Charon Ransomware Hits Middle East Public Sector and Aviation Targets with APT-Level Tactics
Bottom Line Up Front (BLUF): A newly identified ransomware strain, “Charon,” has been used in targeted attacks against Middle Eastern public sector agencies and aviation companies. Trend Micro researchers say the malware exhibits advanced persistent threat (APT)-style capabilities, such as disabling security tools, deleting backups, and tailoring ransom notes to each victim. Its methods resemble the China-linked Earth Baxia group, though definitive attribution remains uncertain.
Analyst Comments: The overlap with Earth Baxia’s tactics could signal either criminal groups adopting nation-state techniques or direct cooperation between the two. The focus on aviation and government entities in the Middle East suggests deliberate targeting of high-value sectors where operational downtime has a disproportionate impact. If this trend continues, organizations may need to prepare for ransomware incidents with the same rigor applied to nation-state intrusion response.
FROM THE MEDIA: Trend Micro discovered the “Charon” ransomware actively deployed against Middle Eastern public sector and aviation organizations. The malware disables antivirus programs, deletes backups, and empties recycle bins before encrypting files, making recovery difficult. Each ransom note is customized, listing the victim organization’s name and encrypted files. While no delivery method was confirmed, similarities with the China-linked Earth Baxia group — known for spear-phishing government and infrastructure targets in the Asia-Pacific — suggest a possible phishing-based infection vector. Trend Micro cautioned that Charon’s sophistication raises the business risk of ransomware to levels previously associated with state-backed cyberattacks.
READ THE STORY: The Record
Items of interest
Dark Web “Access Economy” Thrives as Brokers Sell Corporate Network Entry Points
Bottom Line Up Front (BLUF): Rapid7’s review of underground forums shows a mature cybercrime market where Initial Access Brokers (IABs) sell pre-obtained entry points into corporate networks. VPN credentials, domain user accounts, and RDP access dominate the offerings, often due to poor or absent MFA. While law enforcement takedowns (e.g., XSS forum, IntelBroker’s arrest) have disrupted some operations, new variants of these markets quickly reappear, though with growing distrust among criminals.
Analyst Comments: The high prevalence of VPN and domain user access highlights persistent MFA adoption gaps. Law enforcement’s takedowns are eroding trust in major dark web forums, but unless corporate detection of these illicit footholds improves, demand will sustain the trade in compromised network access. Even victims who detect an intruder may have already been “sold” multiple times before discovery.
FROM THE MEDIA: Rapid7 analyzed IAB activity on the XSS, BreachForums, and Exploit forums between July and December 2024. Nearly 75% of sales offered multiple access methods, with VPN access making up 23.5% of listings, domain accounts 19.9%, and RDP 16.7%. Pricing did not appear to rise for access to high-value supply chain partners, likely because such footholds still require additional work to reach the ultimate targets. The forums studied have faced major disruptions; XSS remains offline, and BreachForums has been repeatedly shut down and revived, but the new versions face distrust among cybercriminals, complicating their ability to operate at previous scale.
READ THE STORY: SecurityWeek
BlackRock: The Hidden Power Behind the Internet and Billions (Video)
FROM THE MEDIA: Are you curious about the forces that shape our world behind the scenes? In our latest video, "BlackRock: The Hidden Power Behind the Internet and Billions," we dive deep into how this financial giant influences global markets, technology, and even the internet itself.
Alibaba Chapter-5 🇨🇳China Wasn’t Ready for the Internet – But Jack Ma Was (Video)
FROM THE MEDIA: When infrastructure was weak, trust in e-commerce was nonexistent, and investors were skeptical, Jack Ma kept pushing forward. This episode reveals his resilience, vision, and the silent battle against a system that wasn’t ready.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.