Daily Drop (1110)
08-15-25
Friday, Aug 15, 2025 // (IG): BB // GITHUB // SN R&D
Russia Blocks WhatsApp and Telegram Calls, Citing Cybercrime Prevention and Security Concerns
Bottom Line Up Front (BLUF): Russia’s Roskomnadzor has restricted voice and video calls on WhatsApp and Telegram, claiming the move will curb cyber fraud, sabotage, and terrorism organized via foreign messaging apps. The decision coincides with Moscow’s push for domestic platforms like “Max,” a WeChat-style state-backed messenger that will be pre-installed on new smartphones from September.
Analyst Comments: While framed as a counter-cybercrime measure, the restriction appears aligned with broader Russian efforts to consolidate control over digital communications and promote state-surveilled alternatives. Limiting encrypted calls on popular foreign apps could drive users toward platforms with mandatory data retention and easier government access, reducing communication security for citizens. The timing—alongside the rollout of Max—suggests both a political and commercial motivation, with potential impacts on dissent, independent journalism, and international business communications in Russia.
FROM THE MEDIA: Roskomnadzor confirmed it had implemented the restrictions, keeping text and file-sharing features available but demanding compliance from the companies, including sharing data requested by law enforcement. WhatsApp criticized the move as an attempt to erode secure, end-to-end encrypted communications. At the same time, Telegram refrained from direct criticism but reaffirmed its efforts to combat fraud and calls for violence on its platform. Telecom operators reported a 25% increase in traditional phone traffic following the ban. Russian law requires telecoms to store call recordings for six months and metadata for three years, enabling security service access. Critics argue the measure undermines net neutrality and pressures users into less secure, state-controlled services.
READ THE STORY: The Record
CISA Warns of Active Exploitation of N-able N-central Vulnerabilities (CVE-2025-8875, CVE-2025-8876)
Bottom Line Up Front (BLUF): Two critical flaws in N-able’s N-central remote monitoring and management (RMM) software—CVE-2025-8875 (CVSS 9.4) and CVE-2025-8876—are under active exploitation, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) catalog. While exploitation requires authentication, attackers could achieve local code execution or OS command injection if successful. Affected on-premises systems must be updated to version 2025.3.1 immediately.
Analyst Comments: Although these vulnerabilities are not exploitable without valid credentials, they are already being used in real-world attacks, which means they could be chained with credential theft or other foothold techniques. RMM tools like N-central are high-value targets because they can grant broad access across managed networks, making post-authentication flaws particularly dangerous. Organizations should patch without delay, review RMM access controls, monitor for suspicious authenticated activity, and apply MFA to limit abuse.
FROM THE MEDIA: CISA issued an alert about two actively exploited vulnerabilities in N-able N-central. CVE-2025-8875 is a deserialization of untrusted data flaw that can enable local code execution, and CVE-2025-8876 is an improper input validation flaw that can allow OS command injection. Both affect versions before 2025.3.1. N-able confirmed exploitation in a limited number of on-premises environments, but none in its hosted cloud service. The vulnerabilities require authentication, reducing the likelihood of opportunistic attacks but posing a serious risk if an attacker already has valid credentials. CISA has set an August 20 deadline for U.S. federal agencies to remediate the flaws.
READ THE STORY: DR
Rockwell Identifies Six Industry Shifts Making OT Cybersecurity a Core Manufacturing Priority
Bottom Line Up Front (BLUF): Rockwell Automation’s latest findings highlight six forces pushing operational technology (OT) cybersecurity to the forefront of manufacturing strategy: universal platform adoption, alignment with automation budgets, board-level risk oversight, secure-by-design hardware, a cyber-literate workforce, and integration of safety with security culture. With 96% of manufacturers planning OT security investments within five years, resilience is now viewed as a performance driver, not just compliance.
Analyst Comments: This pivot reflects a broader industrial trend: security spending is increasingly tied to operational ROI and digital transformation objectives. Manufacturers are embedding cybersecurity into performance metrics, linking it to predictive maintenance, AI-driven quality control, and energy optimization. By quantifying risk reduction in financial terms—such as downtime avoided and audit hours saved—security teams can win greater budget share and influence at the board level. However, cultural resistance and leadership awareness gaps remain significant barriers, requiring change management as much as technical controls.
FROM THE MEDIA: Survey data shows 64% of manufacturers already run OT security platforms, with another 32% planning adoption. More than half have scaled security across operations, driven by regulatory mandates like NIS2 and U.S. CISA directives. Key trends include embedding security metrics into production dashboards, pairing investments with automation ROI, and involving insurers early in control planning. Hardware-based defenses—such as controller-level access rules and signed firmware—are gaining traction, as are workforce initiatives like micro-training, certification funding, and performance-linked patch compliance. Rockwell concludes that integrating security with safety culture and executive oversight will define competitive manufacturing resilience in 2026.
READ THE STORY: Industrial
Norway Blames Pro-Russian Hackers for Dam Cyberattack That Opened Floodgate for Four Hours
Bottom Line Up Front (BLUF): Norway’s Police Security Service (PST) has formally attributed an April 2025 cyberattack on the Bremanger hydropower dam to pro-Russian hackers. The attackers remotely opened a floodgate, releasing 500 liters of water per second for four hours before detection, in what officials describe as an attempt to cause fear and chaos rather than physical damage.
Analyst Comments: The use of visible, reversible disruption—accompanied by publicized video evidence—suggests an influence operation as much as a technical one, aligning with broader Russian hybrid warfare tactics. While the attack caused no injuries or damage due to favorable water levels, it highlights vulnerabilities in dam control systems and the potential for more dangerous outcomes if exploited under less benign conditions. Expect an uptick in OT-focused threat hunting and cross-border intelligence cooperation in the Nordic region.
FROM THE MEDIA: PST head Beate Gangås confirmed pro-Russian hackers had seized remote control of the Bremanger dam’s floodgate in April. The gate remained open for four hours, releasing large volumes of water until operators detected and halted the breach. A pro-Russian cybercriminal group posted a three-minute Telegram video of the attack on the same day. Norwegian authorities say the perpetrators are part of a network linked to multiple past cyber incidents in Western countries. Although there was no flooding due to low water levels, the PST warned that such operations aim to sow fear and disrupt civilian confidence in national infrastructure. Russia’s embassy in Oslo denied the allegations, calling them “politically motivated.” Norway, which generates most of its electricity from hydropower, has long been aware of risks to its energy infrastructure from hostile cyber activity.
READ THE STORY: The Guardian // Industrial
Critical Cisco Secure Firewall Snort 3 Vulnerability (CVE-2025-20217) Enables Remote DoS Attacks
Bottom Line Up Front (BLUF): Cisco has disclosed CVE-2025-20217, a high-severity vulnerability (CVSS 8.6) in the Snort 3 Detection Engine used by its Secure Firewall Threat Defense Software. The flaw allows unauthenticated remote attackers to trigger a denial of service (DoS) by sending specially crafted traffic, disrupting packet inspection, and rendering devices temporarily unresponsive. No workarounds exist; Cisco has released patches that should be applied immediately.
Analyst Comments: While the Snort watchdog process can restore service, the downtime can still create exploitable windows for further attacks or disrupt critical operations. The vulnerability’s loop-with-unreachable-exit condition (CWE-835) reflects a typical class of logic flaws in packet inspection engines, underscoring the importance of robust input validation. Threat actors could weaponize this bug in coordinated DoS campaigns against enterprises and service providers, making rapid patch deployment essential.
FROM THE MEDIA: The flaw arises from improper traffic processing, which can force the Snort process into an infinite loop during packet inspection. Attackers can exploit this remotely without authentication by sending specially crafted network traffic. Although a system watchdog will restart the Snort process, temporary service outages may disrupt network defenses. Cisco confirmed that the bug does not impact ASA Software, Secure Firewall Management Center, Meraki products, Umbrella, or open-source Snort. The company advises immediate application of newly released security updates, as no temporary mitigations are available.
READ THE STORY: GBhackers
Chinese Cybercriminal Syndicates Expand Global Retail Fraud via Ghost-Tapping NFC Relay Attacks
Bottom Line Up Front (BLUF): Chinese-speaking cybercriminal syndicates use “ghost-tapping” — NFC relay fraud with stolen payment cards linked to mobile wallets — to commit large-scale retail fraud and launder funds. Operations rely on Telegram-based marketplaces such as Xinbi Guarantee and Tudou Guarantee to coordinate between cybercriminal developers, mule networks, and resellers, targeting global luxury goods, gold, and electronics.
Analyst Comments: The model is highly scalable: developers like @webu8 provide proprietary NFC relay tools and preloaded burner phones, while syndicates handle mule recruitment and goods resale. The pivot from the shuttered Huione Guarantee to alternate escrow platforms demonstrates operational resilience and adaptability. Given the attack’s low detection rate in-store and potential for integration with other payment card fraud techniques, global expansion beyond Southeast Asia is likely unless mobile wallet provisioning and NFC transaction verification processes are hardened.
FROM THE MEDIA: Stolen payment card credentials are loaded onto burner phones or sold with proprietary NFC relay software, enabling mules to conduct in-person fraudulent purchases. Telegram marketplaces like Xinbi Guarantee and Tudou Guarantee facilitate transactions between developers, syndicates, and mule controllers, handling escrow in USDT. Cases in Singapore have revealed syndicates sending foreign nationals to purchase luxury goods and gold using ghost-tapping, later reselling them for cash. Developers automate linking stolen cards to wallets like Apple Pay and Google Pay, bypassing OTP protections. The ecosystem includes specialized mule roles — from “ghost-tapping mules” to transportation and reseller mules — with syndicates funding logistics and laundering proceeds. Authorities warn that the attack vector is global in scope and challenging to detect without enhanced bank and merchant-side security controls.
READ THE STORY: Phayul
New HTTP/2 “MadeYouReset” Vulnerability (CVE-2025-8671) Could Trigger Massive DDoS Attacks
Bottom Line Up Front (BLUF): Security researchers have disclosed CVE-2025-8671, a critical HTTP/2 protocol flaw dubbed “MadeYouReset” that bypasses concurrency safeguards to enable highly efficient distributed denial-of-service (DDoS) attacks. Affecting most HTTP/2-compliant servers, the bug could cause widespread outages with minimal attacker resources, surpassing the impact of the 2023 “Rapid Reset” attacks.
Analyst Comments: Unlike Rapid Reset, which relied on client-initiated cancellations, this new method tricks servers into canceling requests themselves—completely evading mitigations deployed after 2023. Because the vulnerability is present in multiple major implementations (Netty, Apache Tomcat, F5 BIG-IP, H2O, Swift-NIO), exploitation at scale could be swift. Organizations should treat vendor advisories as urgent, apply available patches, and consider temporarily disabling HTTP/2 or rate-limiting high-risk endpoints.
FROM THE MEDIA: The vulnerability exploits six methods to trigger server-initiated RST_STREAM frames while maintaining active backend workloads. The flaw impacts virtually all HTTP/2 server stacks, with testing showing many can be driven to out-of-memory crashes. Projects affected include general HTTP/2 (CVE-2025-8671), Netty (CVE-2025-55163), Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and H2O (CVE-2025-8671), with Swift-NIO-HTTP2 pending. Security teams are urged to patch immediately, as there are no known effective workarounds beyond disabling HTTP/2.
READ THE STORY: GBhackers
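As an added, defender-side illustration (not code from the researchers or from any affected project): a small detector over a constructed HTTP/2 frame log that counts RST_STREAM frames the server sends on streams the client opened but the server has not yet answered, which is the signal the analysis above says post-2023 Rapid Reset mitigations miss because they count client-sent resets. The log format, connection identifiers and the threshold of 20 server-initiated resets per second are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed HTTP/2 frame log (not real traffic), as a proxy or IDS might record it:
# (time_s, conn_id, direction, frame_type, stream_id, end_stream)
SAMPLE_EVENTS = [
    # conn "A": a normal client; every request is answered with a server END_STREAM
    (0.00, "A", "c2s", "HEADERS", 1, True),
    (0.05, "A", "s2c", "HEADERS", 1, True),
    (0.10, "A", "c2s", "HEADERS", 3, True),
    (0.15, "A", "s2c", "HEADERS", 3, True),
]
# conn "B": 40 streams opened in 0.4 s, each reset by the *server* before it answers,
# so backend work stays in flight while the concurrency counter is freed
for i in range(40):
    sid = 2 * i + 1
    SAMPLE_EVENTS.append((1.0 + i * 0.01, "B", "c2s", "HEADERS", sid, True))
    SAMPLE_EVENTS.append((1.0 + i * 0.01 + 0.002, "B", "s2c", "RST_STREAM", sid, False))


def server_initiated_resets(events):
    """Return {conn_id: [timestamps]} of RST_STREAM frames sent by the server on
    streams the client opened and the server had not yet finished answering.
    Client-sent RST_STREAM (the Rapid Reset signal) is deliberately not counted."""
    open_streams = defaultdict(set)
    resets = defaultdict(list)
    for t, conn, direction, ftype, sid, end_stream in sorted(events):
        if direction == "c2s" and ftype == "HEADERS":
            open_streams[conn].add(sid)
        elif direction == "s2c" and ftype == "HEADERS" and end_stream:
            open_streams[conn].discard(sid)          # answered normally
        elif direction == "s2c" and ftype == "RST_STREAM" and sid in open_streams[conn]:
            resets[conn].append(t)                   # server reset an unanswered stream
            open_streams[conn].discard(sid)
        elif direction == "c2s" and ftype == "RST_STREAM":
            open_streams[conn].discard(sid)          # client cancel: handled elsewhere
    return resets


def flag_connections(events, window_s=1.0, threshold=20):
    """Connections whose server-initiated resets exceed `threshold` within any
    sliding window of `window_s` seconds, mapped to the peak count observed."""
    flagged = {}
    for conn, times in server_initiated_resets(events).items():
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while t - window[0] > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[conn] = peak
    return flagged
```

A flagged connection is a candidate for per-connection rate limiting or closure; the threshold should be tuned against a baseline of legitimate server-side resets on the deployment in question.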
Items of interest
Scattered Spider Launches Telegram Channel Linking Major Breaches and Issuing Extortion Demands
Bottom Line Up Front (BLUF): A new Telegram channel jointly branded with the names of threat groups Scattered Spider, Shiny Hunters, and Lapsus$ has surfaced. The channel leaks sensitive corporate and government data while issuing high-profile extortion threats. The channel attributes past and ongoing breaches to Scattered Spider, including incidents involving Victoria’s Secret, Gucci, Neiman Marcus, and multiple government agencies.
Analyst Comments: By linking past breaches to their operations and threatening Fortune 500 firms, the group appears to be consolidating its brand reputation in the criminal underground. The addition of ransomware-as-a-service (RaaS) offerings and references to “Snowflake 3.0” suggest upcoming coordinated campaigns with more advanced tooling. Retail, finance, aviation, and government organizations should anticipate targeted intrusion attempts and preemptively strengthen incident response playbooks.
FROM THE MEDIA: Within 24 hours, the group published legal documents, breach evidence, and partial datasets linked to major brands, such as a confirmed Victoria’s Secret May breach and new Gucci PII leaks. They advertised a complete Neiman Marcus database from the 2024 Snowflake campaign for 1 BTC and breach references to Chanel, Disney, AirFrance, S&P Global, T-Mobile, Nvidia, Coinbase, Adidas, and Cisco. Government victims include agencies in England, France, Brazil, India, and the U.S. DHS. The group threatened to release all U.K. Legal Aid Agency data unless an arrested member was freed. In addition, they teased a kernel-level ESXi locker as part of a new “ShinySp1d3r” RaaS platform and issued a 20 BTC ransom demand to Salesforce’s CEO over leaks impacting 91 organizations.
READ THE STORY: GBhackers
Inside Scattered Spider: Who They Are and How to Stay Safe (Video)
FROM THE MEDIA: This decentralised, English-speaking cybercrime collective has breached Twilio, DoorDash, and significant financial institutions, relying not on brute force but on highly believable social engineering.
Inside Scattered Spider: Evolving Threats and Defenses (Video)
FROM THE MEDIA: Scattered Spider has evolved from a newly identified social engineering crew in 2022 into one of the most aggressive ransomware and extortion outfits on today’s threat landscape. William Altman, Head of Cyber Threat Intelligence Services, explains to Yvette Essen, Head of Communications & Market Engagement, how Scattered Spider uses sophisticated social engineering tactics to infiltrate high-value corporate networks. He discusses how cyber risk exposure managers can leverage CyberCube's Portfolio Threat Actor Intelligence (PTI) solution to pinpoint organizations in their portfolios that are most at risk of being targeted by Scattered Spider, and unveils the findings of CyberCube's analysis of a portfolio comprising approximately 15,000 companies.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.