Thursday, Aug 14, 2025 // (IG): BB // GITHUB // SN R&D
TETRA Encryption Flaws Expose Critical Communications to Replay, Brute-Force, and Injection Attacks
Bottom Line Up Front (BLUF): New vulnerabilities in the TETRA radio protocol—used by law enforcement, military, and critical infrastructure operators—allow attackers to replay encrypted traffic, inject arbitrary messages, and in some configurations, brute-force weakened encryption keys. Collectively dubbed 2TETRA:2BURST, the flaws were disclosed at Black Hat USA 2025 and affect end-to-end encryption (E2EE) and air interface protocols.
Analyst Comments: The replay and injection capabilities (CVE-2025-52940, -52942, -52944) present clear operational risks, especially during emergency response scenarios. The weakened AES implementation (CVE-2025-52941) is especially alarming, effectively reducing modern encryption to 56-bit strength, and making brute-force plausible with today’s computing power. Organizations using TETRA should urgently audit encryption configurations and layer additional protections, such as VPNs, over radio communications.
FROM THE MEDIA: New flaws in the TETRA communications protocol were revealed by researchers from Midnight Blue at Black Hat USA. The flaws include CVE-2025-52940 to -52944, which affect TETRA’s E2EE, message integrity, and multi-algorithm key handling. One flaw reveals that TETRA radios using algorithm ID 135 employ a weakened AES-128 with only 56-bit effective entropy. Others allow replay attacks and message injection, even on encrypted networks. A separate issue (MBPH-2025-003) affects Sepura SC20 devices, allowing unauthorized code execution and key exfiltration through physical access. While some patches are forthcoming, the researchers emphasize that many flaws remain unpatched and require architectural mitigations or configuration changes.
READ THE STORY: THN
CISA Leadership Vacancy Spurs Call for Swift Senate Confirmation of Sean Plankey
Bottom Line Up Front (BLUF): Patrick D. Gaul, executive director of the National Technology Security Coalition, has urged the U.S. Senate to confirm Sean Plankey as the next Cybersecurity and Infrastructure Security Agency (CISA) director. Gaul argues the ongoing leadership gap at CISA poses a national cybersecurity risk amid rising threats and increased reliance on digital infrastructure.
Analyst Comments: Leadership continuity at CISA is critical as cyber threats become more complex and AI accelerates offensive and defensive capabilities. Sean Plankey’s nomination comes with a strong background in energy infrastructure security, national strategy, and interagency coordination. His confirmation could restore momentum to public-private cybersecurity collaboration and ensure tactical readiness for emerging national threats. Prolonged vacancy at CISA’s helm creates coordination challenges and weakens confidence among private sector stakeholders and international allies.
FROM THE MEDIA: Plankey, a former Coast Guard officer and cybersecurity official in the Department of Energy and the National Security Council, brings a blend of tactical, strategic, and interagency experience. His prior roles include co-authoring the National Maritime Cybersecurity Plan and directing cybersecurity policy for critical sectors. The op-ed emphasizes the urgent need for capable leadership as threats escalate in scale and sophistication, particularly with growing AI use and geopolitical instability. Plankey’s confirmation would ensure CISA is prepared to lead the national response to evolving cyber challenges.
READ THE STORY: CS
DARPA Awards $4M in AI Cyber Challenge to Team Atlanta for Autonomous Vulnerability Patching
Bottom Line Up Front (BLUF): The Defense Advanced Research Projects Agency (DARPA) concluded its two-year AI Cyber Challenge (AIxCC), awarding $4 million to Team Atlanta for developing an AI system capable of detecting and patching vulnerabilities in open-source software. The event showcased autonomous tools that significantly advance software security by improving on existing systems like Google’s OSS-Fuzz.
Analyst Comments: DARPA’s AIxCC signals a turning point in cybersecurity automation, potentially revolutionizing how vulnerabilities are discovered and remediated. As these tools become integrated into software development pipelines, they may drastically reduce the exposure window for zero-day exploits. The open-sourcing of these systems may also democratize access to high-performance security solutions, potentially leveling the playing field across private and public sectors. The real test will be adapting these tools to legacy systems and binary-only environments — a critical need for securing government and industrial infrastructure.
FROM THE MEDIA: DARPA announced the winners of its AI Cyber Challenge (AIxCC) during DEF CON in Las Vegas, awarding $4 million to Team Atlanta — a collaboration between Georgia Tech, Samsung Research, and Korean universities. For the challenge, finalists created cyber reasoning systems (CRSs) capable of autonomously identifying and patching bugs in open-source codebases. One notable system, “Buttercup” by Trail of Bits (second place, $3 million), found 28 vulnerabilities and patched 19 across 23 repositories. These tools advance the automated fuzzing model popularized by Google’s OSS-Fuzz by incorporating autonomous remediation capabilities. All entries are now open source, giving developers and security professionals access to cutting-edge AI vulnerability management tools. DARPA emphasized this competition as a foundational step in modernizing cybersecurity, particularly in defending legacy government systems lacking source code access.
READ THE STORY: Bloomberg
Pakistan Unveils Army Rocket Force Command (ARFC), Escalating South Asia’s Missile Race
Bottom Line Up Front (BLUF): Pakistan officially launched the Army Rocket Force Command (ARFC), a new military branch modeled on China’s PLA Rocket Force. The ARFC centralizes Pakistan’s conventional missile capabilities, including ballistic, cruise, and potentially hypersonic systems, in a move seen by Indian analysts as a significant shift in regional deterrence dynamics.
Analyst Comments: This move could significantly alter South Asia’s strategic calculus by lowering the threshold for conventional escalation and enabling faster retaliatory capabilities. India's current missile assets remain fragmented across services, creating a strong case for an Integrated Rocket Force (IRF) to match Pakistan’s posture. The ARFC, backed by Chinese technology, may also serve Beijing’s regional interests by stretching Indian resources across multiple fronts.
FROM THE MEDIA: Pakistan’s Prime Minister Shehbaz Sharif announced the creation of the Army Rocket Force Command (ARFC) during Independence Day celebrations. The force will consolidate command of Pakistan’s conventional missile systems — including Babur, Shaheen, Ghauri, and Fatah-series missiles — under one military entity, akin to China’s PLA Rocket Force. Analysts view this as Islamabad’s direct response to its underperformance during the May 2025 India-Pakistan air skirmish. The ARFC is designed for precision strikes, rapid deployment, and command centralization, improving operational readiness. Pakistan reportedly integrates Chinese technologies like the Fatah-IV and HQ-19, signaling deeper strategic ties with Beijing. The ARFC could complicate India’s Cold Start Doctrine by presenting a stronger conventional missile deterrent without crossing the nuclear threshold.
READ THE STORY: The EurAsian Times
Critical WordPress Plugin Vulnerability (CVE-2025-7384) Exposes 70,000+ Sites to Remote Code Execution
Bottom Line Up Front (BLUF): A critical vulnerability in the “Database for Contact Form 7, WPForms, Elementor Forms” WordPress plugin—used on over 70,000 sites—allows unauthenticated remote code execution due to unsafe deserialization in versions ≤1.4.3. Exploiting this flaw can lead to full site compromise, data theft, and malware deployment.
Analyst Comments: A vulnerable Property-Oriented Programming (POP) chain exacerbates the risk, making file deletion and server takeover plausible in real-world scenarios. The plugin's integration with essential user-facing forms allows attackers to exploit it at scale. Site owners must prioritize patching and monitor for post-exploitation signs such as altered wp-config.php files or new admin accounts.
FROM THE MEDIA: The flaw lies in the get_lead_detail function, which unsafely deserializes user-supplied input, allowing attackers to inject malicious PHP objects. This can lead to arbitrary code execution, particularly when combined with features from other plugins like Contact Form 7. The worst-case scenario involves deletion of wp-config.php, resulting in total site failure or allowing remote code execution, depending on server configurations. Version 1.4.4 patches the issue, and users are urged to update immediately. No authentication is needed to exploit the flaw, increasing its attractiveness to threat actors targeting mass-hosted environments.
READ THE STORY: GBhackers
Critical Erlang/OTP SSH RCE Vulnerability Actively Exploited, Targeting Global OT Firewalls
Bottom Line Up Front (BLUF): A critical Erlang/OTP SSH vulnerability (CVE-2025-32433, CVSS 10.0) is being actively exploited. Attackers primarily target operational technology (OT) firewalls in healthcare, agriculture, and tech sectors across multiple countries. The flaw, which enables remote code execution without authentication, was patched in April 2025, but widespread exploitation began as early as May.
Analyst Comments: The exploitation of CVE-2025-32433 represents a serious threat to industrial and hybrid IT/OT environments, where legacy systems often delay patching. The vulnerability's integration with SSH — a core protocol for remote command execution — amplifies its impact. The pattern of high-intensity, short-duration attacks suggests possible automation or reconnaissance for larger-scale operations. Given the vulnerability’s presence in OT firewalls, defenders should prioritize patching, reverse shell detection, and segmenting exposed services.
FROM THE MEDIA: The flaw allows unauthenticated remote code execution via exposed SSH services, especially those embedded in OT environments. Patched initially in April 2025, the issue was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in June. Researchers noted that 70% of the attacks target OT firewalls, with affected regions including the U.S., Canada, Brazil, India, and Australia. The exploit activity is characterized by burst attacks aimed at industrial and IT service ports. Successful intrusions often result in reverse shell deployments, providing attackers with persistent remote access.
READ THE STORY: THN
Russia Restricts WhatsApp and Telegram Calls, Citing Crime and Terrorism Concerns
Bottom Line Up Front (BLUF): Russia has imposed new restrictions on WhatsApp and Telegram calls, alleging the apps are widely used for scams and terrorist coordination. Both messaging platforms deny the allegations and claim the move is a response to their refusal to compromise on end-to-end encryption.
Analyst Comments: Russia's crackdown appears part of a broader push to replace Western services with domestic alternatives like the new “Max” messenger. These restrictions will likely accelerate the fragmentation of the global internet, with implications for secure communication, digital rights, and cross-border data flows. As similar pressures mount in other authoritarian regimes, encrypted platforms could face escalating legal and technical challenges.
FROM THE MEDIA: The agency claims the move was prompted by criminal misuse of the platforms, including scams and recruitment for sabotage or terrorism. WhatsApp defended its encrypted communication features, saying it would continue resisting government intrusion. Telegram emphasized its moderation efforts and privacy tools. The restrictions come as Russia promotes a state-backed alternative app, “Max,” raising censorship and surveillance concerns. This follows similar bans on Meta services and accusations from Russian lawmakers that Western apps threaten national security.
READ THE STORY: CS
House of Commons Suffers Cyberattack Exploiting Microsoft Vulnerability
Bottom Line Up Front (BLUF): The Canadian House of Commons has confirmed a cyberattack that exposed sensitive employee and device data. The breach was carried out by a "threat actor" who exploited a recent Microsoft vulnerability to access an internal device management database.
Analyst Comments: Although attribution remains unclear, the breach fits a growing trend of espionage-style intrusions aimed at gathering intelligence rather than direct disruption. Given past intrusions tied to China and Russia, Canada’s digital infrastructure remains a high-value target. The stolen data could be weaponized in phishing, impersonation, or disinformation campaigns targeting public servants and parliamentarians.
FROM THE MEDIA: Internal communications revealed that a hacker exploited a recent Microsoft vulnerability to access private employee data, including names, job titles, office locations, emails, and information about government-issued devices. While the CSE assists with the investigation, officials have not yet attributed the attack to a specific actor. The breach comes amid increased concern over foreign interference, with China, Russia, and Iran flagged in recent CSE threat assessments. Officials warned that the compromised data could be used for scams or impersonation attempts targeting lawmakers.
READ THE STORY: CBC
New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks
Bottom Line Up Front (BLUF): A new malware strain called PS1Bot is being actively distributed via malvertising and SEO poisoning. It leverages PowerShell and C# for in-memory execution of malicious modules. Cisco Talos reports the campaign began in early 2025 and is designed to steal sensitive data, capture keystrokes, and maintain persistence while evading detection.
Analyst Comments: Its overlap with tools like AHK Bot and ransomware-associated malware like Skitnet suggests a maturing threat actor ecosystem with modular toolkits and scalable attack infrastructure. Malvertising as a vector is particularly concerning, as it exploits users’ trust in web advertising and search results. Enterprises should implement strict browser controls, monitor PowerShell activity, and adopt behavior-based detection to mitigate threats like PS1Bot.
FROM THE MEDIA: The lures distributed through malvertising and SEO poisoning contain JavaScript downloaders that fetch and execute PowerShell payloads. The malware, PS1Bot, operates entirely in memory and features a modular design with capabilities such as antivirus detection, screen capture, wallet stealing, keylogging, and clipboard scraping. Once active, it contacts a command-and-control (C2) server to download additional modules and maintain persistence through a scheduled PowerShell script. The malware is believed to share code with AHK Bot and Skitnet/Bossnet, tools previously associated with ransomware operators. In a separate announcement, Google noted its use of LLMs to reduce malvertising by 40%, underscoring the growing role of AI in cyber defense and attack vectors.
READ THE STORY: THN
Fortinet Patches Critical FortiSIEM Vulnerability Amid Spike in SSL VPN Brute-Force Attacks
Bottom Line Up Front (BLUF): Fortinet has disclosed a critical OS command injection vulnerability (CVE-2025-25256) in its FortiSIEM product, with a CVSS score of 9.8 and publicly available exploit code. The announcement comes as security researchers observe a surge in brute-force attacks targeting Fortinet’s SSL VPNs, though no active exploitation of the vulnerability has been confirmed.
Analyst Comments: The overlap between the vulnerability disclosure and increased attack traffic raises concerns about targeted reconnaissance or early-stage probing by threat actors. With exploit code already circulating, the risk of real-world exploitation is imminent—especially given Fortinet’s prominence in enterprise networks and history of being targeted in ransomware operations. Defenders should act quickly to apply patches or mitigations, as Fortinet vulnerabilities have repeatedly served as initial access vectors in high-impact incidents. The timing suggests attackers are actively monitoring vendor ecosystems for emerging opportunities.
FROM THE MEDIA: Rated 9.8 on the CVSS scale, the vulnerability allows remote code execution and comes with “practical exploit code” available in the wild. Although no exploitation has been observed, Fortinet recommends upgrading affected versions and restricting access to port 7900 as a workaround. Alongside the disclosure, GreyNoise Intelligence observed a spike in brute-force activity against Fortinet SSL VPNs, with more than 780 unique IPs involved. While the firm could not definitively link the activity to CVE-2025-25256, it noted the suspicious timing and precision targeting of Fortinet infrastructure. CISA’s KEV catalog currently includes 20 Fortinet vulnerabilities, five from 2025 alone—many of which have been exploited in ransomware campaigns.
READ THE STORY: CS
XZ Backdoor Still Embedded in Dozens of Docker Images, Exposing Persistent Supply Chain Threat
Bottom Line Up Front (BLUF): Researchers from Binarly have found that the XZ Utils backdoor — initially exposed in March 2024 — remains present in at least 12 Debian-based Docker images hosted on Docker Hub, with over 35 additional downstream containers inheriting the malicious code. The backdoor enables stealthy remote access via OpenSSH, presenting ongoing risks to development pipelines and cloud infrastructure.
Analyst Comments: Despite global awareness of the XZ backdoor, its presence in widely used containers underscores gaps in registry hygiene and vulnerability notification processes. Legacy builds, automated deployments, and indirect dependencies mean even well-informed organizations could be unknowingly exposed. Tools like Binarly’s IFUNC analysis and XZ.fail scanner offer essential mitigation, but a broader industry push for binary-level transparency is urgently needed.
FROM THE MEDIA: The backdoor — embedded in liblzma.so versions 5.6.0 and 5.6.1 — allowed attackers to hijack OpenSSH authentication via IFUNC-based control flow manipulation. Initially injected by a pseudonymous developer "Jia Tan" over two years, the vulnerability (CVE-2024-3094) was once present in Linux distributions like Debian, Fedora, and OpenSUSE. Binarly’s recent analysis of 15TB of Docker data identified images such as unstable-20240311 and sid-20240311, which still carry the backdoored library. These base images have infected dozens of derivative containers, including those in popular projects like buildpack-deps, makepad/opencv, and myoung34/github-runner. Despite notifications, Debian maintainers have not removed the artifacts, warning users to rely on updated builds instead. The backdoor’s stealth and persistence demonstrate the long-term risks of even brief supply chain compromises.
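A registry-hygiene check of the kind the analyst comment calls for, as an added example (not Binarly's, Debian's, or Docker's code): it reads a dpkg package inventory taken from inside each image and flags the backdoored upstream builds, honouring Debian's "+really" revert convention so a rebuilt, fixed image is not misreported. The two Debian image tags are the ones named in the story; the package inventories and the other image names are constructed.

```python
"""Flag container package inventories that still ship the backdoored xz/liblzma
builds (upstream 5.6.0 and 5.6.1, CVE-2024-3094).

Input is the output of `dpkg-query -W -f='${binary:Package} ${Version}\n'` run
inside each image. All inventories below are constructed samples."""
import re

# Upstream xz releases that carry the backdoor.
BACKDOORED_UPSTREAM = {"5.6.0", "5.6.1"}
# Debian binary packages built from the xz-utils source package.
XZ_PACKAGES = {"liblzma5", "xz-utils", "liblzma-dev", "xzdec"}


def upstream_version(debian_version: str) -> str:
    """Reduce a Debian version string to the upstream version it really ships.

    Debian versions look like [epoch:]upstream[-revision]. When a maintainer
    reverts to an older upstream without going backwards in version order, the
    convention is "<bad>+really<good>": 5.6.1+really5.4.5-1 ships upstream
    5.4.5. A naive prefix match on "5.6.1" would call that fixed package
    vulnerable, so the "+really" part is honoured here."""
    v = debian_version.split(":", 1)[-1]            # drop epoch
    v = v.rsplit("-", 1)[0] if "-" in v else v      # drop Debian revision
    if "+really" in v:
        v = v.rsplit("+really", 1)[1]               # keep the real upstream
    return re.split(r"[+~]", v, maxsplit=1)[0]      # drop +dfsg / ~rc suffixes


def scan_inventory(dpkg_output: str) -> list[tuple[str, str, str]]:
    """Return (package, debian_version, upstream) for each xz package whose
    effective upstream version is a backdoored build."""
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                                # skip blank/malformed lines
        pkg, ver = parts
        if pkg.split(":", 1)[0] not in XZ_PACKAGES: # strip the :amd64 qualifier
            continue
        up = upstream_version(ver)
        if up in BACKDOORED_UPSTREAM:
            hits.append((pkg, ver, up))
    return hits


def scan_images(inventories: dict[str, str]) -> dict[str, list[tuple[str, str, str]]]:
    """Map each image name to its backdoored-package findings (empty = clean)."""
    return {image: scan_inventory(out) for image, out in inventories.items()}


# Constructed inventories. The two debian: tags are from the story; the package
# lists, and the example/ image names, are made up for this demonstration.
SAMPLE_INVENTORIES = {
    "debian:unstable-20240311": "liblzma5:amd64 5.6.1-1\nxz-utils 5.6.1-1\nlibc6:amd64 2.37-15.1\n",
    "debian:sid-20240311": "liblzma5:amd64 5.6.1-1\nzlib1g:amd64 1:1.3.dfsg-3\n",
    # a rebuilt image carrying Debian's reverted package: must NOT be flagged
    "example/rebuilt-after-fix": "liblzma5:amd64 5.6.1+really5.4.5-1\nxz-utils 5.6.1+really5.4.5-1\n",
    # a stable-based image that never shipped 5.6.x
    "example/bookworm-based": "liblzma5:amd64 5.4.1-0.2\n",
}

if __name__ == "__main__":
    for image, hits in scan_images(SAMPLE_INVENTORIES).items():
        print(f"{image:28} {'BACKDOORED' if hits else 'clean':10} {hits or ''}")
```

In practice the inventory is collected with `docker run --rm <image> dpkg-query -W -f='${binary:Package} ${Version}\n'` and fed to `scan_inventory`; derivative images inherit the finding from their base layer, so scan the leaves, not only the bases.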
READ THE STORY: GBhackers
China Alleges U.S. is Secretly Embedding Trackers in AI Chip Shipments to Monitor Diversions to China
Bottom Line Up Front (BLUF): U.S. authorities are covertly placing tracking devices in shipments of advanced AI chips and servers suspected of being diverted to China in violation of export controls. The measure, revealed on August 14, 2025, targets select high-risk exports from vendors like Dell and Super Micro, including chips from Nvidia and AMD.
Analyst Comments: The use of physical trackers—some reportedly embedded directly into hardware—underscores U.S. concerns over illicit re-export and the military applications of AI chips. This enforcement tactic is both a warning to resellers and a signal of potential policy tightening, even as political rhetoric around loosening some restrictions persists. Organizations across Asia, especially in Southeast Asia and the Gulf, may increasingly be scrutinized or caught in enforcement dragnets.
FROM THE MEDIA: These trackers—hidden in packaging and in some cases inside the hardware—are intended to detect illegal diversions to restricted countries, especially China. Sources revealed that at least one 2024 shipment of Dell servers with Nvidia chips contained visible and covert tracking devices. China-based resellers acknowledged actively checking for such trackers, citing recent arrests linked to smuggling operations. While major vendors, including Dell, Super Micro, and Nvidia, denied involvement or knowledge of the trackers, the revelation demonstrates how far the U.S. is willing to enforce its AI chip export restrictions amid growing national security concerns.
READ THE STORY: ITnews
SmartLoader Malware Exploits GitHub Repositories to Deliver Rhadamanthys Infostealer
Bottom Line Up Front (BLUF): Threat actors are using fake GitHub repositories disguised as game cheats, software cracks, and automation tools to distribute SmartLoader malware, which serves as a downloader for advanced infostealers like Rhadamanthys. These repositories are crafted to appear legitimate and are indexed highly in search results, increasing the likelihood of user compromise.
Analyst Comments: Using Lua and obfuscated scripts, combined with multi-stage payload delivery, suggests a technically advanced operation aimed at persistent access and data theft. Rhadamanthys’s final payload targets high-value credentials and injects into legitimate processes, further complicating detection. Organizations should increase scrutiny of third-party repositories and implement endpoint protections capable of behavioral detection, especially on developer machines.
FROM THE MEDIA: Researchers at AhnLab uncovered a widespread malware campaign involving SmartLoader, a Lua-based dropper embedded in ZIP files hosted on malicious GitHub repositories. These repositories mimic legitimate open-source projects and are tied to high-traffic search terms like “game hack” and “VPN crack.” Once executed, SmartLoader establishes persistence and communicates with command-and-control (C2) servers using obfuscated Base64-encoded traffic. It delivers additional malware payloads, including obfuscated Lua scripts and Rhadamanthys infostealer binaries, which inject into trusted Windows processes like dllhost.exe and rundll32.exe to evade detection. Attackers exfiltrate data related to emails, FTP credentials, and financial accounts, often sending victim-specific metadata to unique C2 endpoints.
READ THE STORY: GBhackers
Items of interest
The Third Way: Why Rising Powers Reject U.S.–China Digital Models
Bottom Line Up Front (BLUF): Emerging powers like India, Brazil, Indonesia, and South Africa reject binary alignment with either the U.S. or China on digital governance. Instead, they promote a “third way” focused on digital sovereignty, developmental priorities, and multilateral engagement. This signals a fundamental shift in how global cyber norms may evolve over the next decade.
Analyst Comments: As emerging powers seek to avoid becoming pawns in U.S.-China geopolitical competition, they are increasingly shaping global cyber rules through regional cooperation, selective multilateralism, and issue-specific partnerships. This third model may accelerate internet fragmentation, foster alternative regulatory ecosystems, and dilute the influence of traditional cyber superpowers. The U.S. and China risk marginalization unless they adapt to this multipolar digital order.
FROM THE MEDIA: At the recent UN cybersecurity talks, countries like India, Indonesia, and Brazil rejected alignment with either Washington or Beijing, instead prioritizing national development goals and local governance interests. This behavior was consistent with recent G20 leadership from South Africa, Indonesia, and India, which focused on digital skills and infrastructure over ideological debates. These countries have also opposed WTO digital trade rules that limit national regulatory space. Instead of choosing between Chinese and American digital suppliers, many opt for both, leveraging their strategic autonomy to gain better investment, technology, and governance outcomes.
READ THE STORY: New America
Don't Trust China, China is Asshoe Remix (Video)
FROM THE MEDIA: This is just a slightly silly remix of a video recently shot in Hong Kong. The political climate in that region is very tense, and this music video is just a small mockery of the companies and public figures who look the other way when it comes to defending Hong Kong.
I found the "China is asshoe" guy alive! (Video)
FROM THE MEDIA: Many people have expressed concern for the safety of that "China is asshoe!" protestor after his rise to fame for my interview in Hong Kong.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.