Daily Drop (1112)
08-17-25
Sunday, Aug 17, 2025 // (IG): BB // GITHUB // SN R&D
Russia Blocks WhatsApp and Telegram Calls Over End-to-End Encryption
Bottom Line Up Front (BLUF): Russia has begun blocking end-to-end encrypted voice calls on WhatsApp and Telegram, citing non-compliance with national data-sharing laws. This move impacts nearly 200 million users collectively, escalating the Kremlin’s long-standing efforts to tighten control over digital communications.
Analyst Comments: By targeting voice calls, the Kremlin focuses on a particularly secure mode of communication, often favored by dissidents and activists. This crackdown reflects broader geopolitical tensions and a growing global trend of authoritarian governments attempting to circumvent or outlaw strong encryption. Expect further restrictions or demands for encryption backdoors in similar regimes, as Russia sets a precedent for enforcing surveillance-first policies.
FROM THE MEDIA: The government claims the call features violate information-sharing laws because end-to-end encryption prevents access to communications. Both platforms have approximately 100 million users each in Russia. WhatsApp responded that its encrypted messaging protects users’ right to private communication, and Telegram clarified that while calls are encrypted, public channels are moderated using AI tools. This development is part of a broader censorship campaign by the Kremlin, which continues to enforce tighter restrictions under the guise of national security.
READ THE STORY: Wired
Tencent Shrugs Off U.S. GPU Export Policy, Says It Has Enough Chips for AI Ambitions
Bottom Line Up Front (BLUF): Tencent has publicly stated it doesn’t need additional U.S.-made GPUs, despite recent moves by Washington to ease export restrictions on Nvidia and AMD. The company already possesses enough chips for ongoing AI training and has optimized its infrastructure to handle inference without expanding its GPU inventory.
Analyst Comments: Tencent’s declaration marks a significant shift in the global AI hardware narrative. By signaling hardware self-sufficiency and emphasizing software-driven efficiency gains, Tencent is reducing its dependence on U.S. technology, a strategic advantage amid escalating geopolitical tech tensions. This may dampen Western chipmakers' expectations of renewed sales growth in China, while indicating China’s deepening capabilities in AI chip utilization and optimization. If replicated by other major Chinese firms, this stance could reshape global GPU demand forecasts and accelerate the development of domestic or alternative AI hardware ecosystems.
FROM THE MEDIA: President Martin Lau said the company relies on software optimization to increase inference efficiency and reduce the need for additional hardware. He added that Tencent's AI infrastructure isn't dependent on U.S. GPU availability and is expanding cloud services using CPU and database-driven growth. Despite increasing AI-related depreciation costs, Tencent remains profitable, reporting Q2 revenue of $25.7 billion and a net profit of $9 billion. This is the third consecutive quarter Tencent has told investors it does not require more GPUs.
READ THE STORY: The Register
Hijacked npm Account Used to Spread Malware via eslint-config-prettier in Global Supply Chain Attack
Bottom Line Up Front (BLUF): Threat actors compromised the npm account of the eslint-config-prettier maintainer through a phishing attack, distributing malicious packages to thousands of developer projects. The incident, discovered on July 18, 2025, briefly weaponized post-install scripts to deliver a Windows-based remote access trojan (RAT), exposing serious vulnerabilities in automated development workflows.
Analyst Comments: By exploiting automated tools like Dependabot, attackers significantly increased their reach without requiring direct access to each project. The incident highlights how development infrastructure—often assumed secure—is now a primary target for cybercriminals. Organizations must implement stricter dependency management, enforce manual reviews, and re-evaluate the security implications of CI/CD automation to prevent similar breaches.
FROM THE MEDIA: Attackers tricked the maintainer via a phishing email mimicking npm support, leading to unauthorized access and malicious package uploads. The malware-laced packages included post-install scripts that deployed the Scavenger RAT, affecting thousands of developer environments, particularly those using automated tools like GitHub Dependabot. ReversingLabs detected the incident, noting that even Microsoft-owned open-source projects were briefly exposed. The malicious versions were removed within two hours, but the fallout revealed over 14,000 projects had misconfigured dependencies that increased their vulnerability.
READ THE STORY: GBhackers
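The incident above depended on two conditions a project can check for itself: packages that run install-time lifecycle scripts, and dependencies declared as ranges that let a newly published version install automatically. The following auditor is an added example, not code from the article, ReversingLabs or the eslint projects; the demo project it builds (package names and layout) is constructed for illustration.

```python
# Added example (not code from the article, ReversingLabs or the eslint projects):
# audit an npm project for install-time lifecycle hooks and loose version ranges.
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# exact semver, optionally with a pre-release/build suffix; anything else is a range
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def find_lifecycle_scripts(node_modules):
    """Return sorted (package, version, hook, command) for every install-time hook."""
    found = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest (e.g. a test fixture)
        scripts = manifest.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                found.append((manifest.get("name", root), manifest.get("version", "?"),
                              hook, scripts[hook]))
    return sorted(found)


def find_loose_ranges(package_json_path):
    """Return sorted (dependency, spec) for dependencies declared as a range."""
    with open(package_json_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    loose = []
    for section in ("dependencies", "devDependencies"):
        for dep, spec in (manifest.get(section) or {}).items():
            if not EXACT_VERSION.match(str(spec)):
                loose.append((dep, spec))
    return sorted(loose)


def build_demo_project():
    """Constructed sample: a clean pinned package, plus one with a postinstall hook and a loose pin."""
    root = tempfile.mkdtemp(prefix="npm-hook-audit-")
    nm = os.path.join(root, "node_modules")
    manifests = {
        os.path.join(root, "package.json"): {"name": "demo-app", "version": "0.0.1",
            "dependencies": {"clean-pkg": "1.2.3", "hooked-pkg": "^2.0.0"}},
        os.path.join(nm, "clean-pkg", "package.json"): {"name": "clean-pkg", "version": "1.2.3"},
        os.path.join(nm, "hooked-pkg", "package.json"): {"name": "hooked-pkg", "version": "2.0.1",
            "scripts": {"postinstall": "node install.js"}},
    }
    for path, data in manifests.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(data, fh)
    return nm, os.path.join(root, "package.json")


if __name__ == "__main__":
    nm, pkg = build_demo_project()
    print("install-time hooks:", find_lifecycle_scripts(nm))
    print("loose ranges:", find_loose_ranges(pkg))
```

Point the two functions at a real checkout's node_modules and package.json to get the same two lists for that project; a non-empty first list is what an `ignore-scripts` setting in .npmrc would have neutralised in this incident.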
Google Releases Gemma 3 270M: Lightweight LLM Designed for On-Device AI Tasks
Bottom Line Up Front (BLUF): Google has launched Gemma 3 270M, a compact, energy-efficient large language model designed for fast, on-device AI workloads. With just 270 million parameters and 550MB RAM requirements, it's optimized for specialized, high-volume tasks while maintaining performance that surpasses other models in its class.
Analyst Comments: Though not built for raw power, its efficiency and speed of fine-tuning make it attractive for use cases like local inference, IoT integration, and real-time AI services. However, concerns remain about the limitations of “open” models without complete transparency on training data and usage restrictions that still permit remote enforcement by Google. As lightweight LLMs grow more capable, they will likely see wider adoption in commercial and security-sensitive applications—especially if paired with privacy-preserving inference strategies.
FROM THE MEDIA: The model requires only 550MB of memory and was trained on six trillion tokens, outperforming similar small models like SmollLM2-360M and Qwen 2.5 0.5B in instruction-following tasks. While its performance is well below that of larger models in the Gemma family, Google emphasizes its energy efficiency, particularly when quantized to INT4 for mobile deployment. Despite being branded as part of the "open" Gemma lineup, the model lacks transparency on training data and includes usage restrictions that allow Google to remotely disable access if policies are violated. Gemma 3 270M is now available on Hugging Face, Kaggle, LM Studio, and Docker, alongside fine-tuning guides.
READ THE STORY: The Register
AI Arms Race Escalates as Hackers and Defenders Integrate LLMs into Cyber Operations
Bottom Line Up Front (BLUF): State-sponsored hackers, cybercriminals, and cybersecurity companies are now actively using artificial intelligence, specifically large language models (LLMs), to enhance offensive and defensive capabilities. Russian hackers were recently caught deploying an AI-driven tool in phishing campaigns targeting Ukraine, marking the first known use of LLMs in state-level malware.
Analyst Comments: While AI has not yet enabled novice hackers to launch devastating attacks, it is rapidly improving the efficiency and precision of skilled adversaries. Security vendors and government agencies are also racing to deploy AI for vulnerability discovery and threat mitigation. However, the eventual democratization of agentic AI tools—capable of autonomous exploitation—may tip the scales in favor of attackers, especially against under-resourced organizations.
FROM THE MEDIA: This marks the first public confirmation of state-backed AI malware. Other actors, including China, Iran, and cybercriminal groups, also integrate AI into reconnaissance and attack workflows. Meanwhile, cybersecurity companies like Google and CrowdStrike are leveraging LLMs to detect vulnerabilities and support incident response. Google’s Gemini model has helped identify at least 20 significant bugs in widely used software. Despite the rise in AI-assisted hacking, U.S. officials believe defenders maintain an edge, due in part to access to the most advanced AI technologies.
READ THE STORY: NBC News
Chinese Hackers Exploit Microsoft SharePoint Flaw to Breach U.S. Nuclear Agency
Bottom Line Up Front (BLUF): Microsoft has confirmed that Chinese state-sponsored hackers exploited a zero-day vulnerability in SharePoint to breach systems at the U.S. Department of Energy, including the National Nuclear Security Administration (NNSA). Although no classified data was stolen, the attack impacted hundreds of organizations globally.
Analyst Comments: While the Department of Energy downplayed the scope, the inclusion of the NNSA, custodian of America’s nuclear arsenal, raises alarm. China’s continued targeting of strategic infrastructure highlights a shift from pure intelligence gathering to positioning for future geopolitical leverage. The breadth of the compromise, extending to over 400 entities across multiple continents, also reveals gaps in global cybersecurity readiness against sophisticated state-level adversaries.
FROM THE MEDIA: The incident reportedly began on July 18, 2025. While the Department of Energy stated the impact was limited due to its cloud-based Microsoft 365 deployment and robust security systems, some systems were compromised and are undergoing restoration. Dutch cybersecurity firm Eye Security raised its estimate of affected organizations from 60 to around 400, spanning the U.S., Jordan, South Africa, Mauritius, and the Netherlands. Microsoft has not publicly named the exploited vulnerability but confirmed it was a previously unknown (zero-day) flaw in SharePoint.
READ THE STORY: New York Post
New Elastic EDR 0-Day Turns Security Tool Into Attack Vector
Bottom Line Up Front (BLUF): Researchers at Ashes Cybersecurity disclosed a zero-day vulnerability in Elastic’s Endpoint Detection and Response (EDR) driver (elastic-endpoint-driver.sys), allowing attackers to bypass detection, execute arbitrary code, gain persistence, and crash systems via BSOD. The flaw, a NULL pointer dereference in kernel space, affects Elastic Defend and Elastic Agent solutions, with no available patch.
Analyst Comments: Exploiting a kernel driver inside a widely deployed EDR could enable EDR evasion at scale, undermining enterprise defenses and incident response workflows. Until Elastic releases a patch, adversaries, particularly ransomware operators, could use this exploit to blind defenders before deploying payloads. The trust erosion is significant: defenders now face the possibility that their endpoint protection layers could be deliberately turned into malware. Organizations should consider immediate compensating controls, such as monitoring anomalous driver activity, restricting kernel driver loading, and isolating high-value endpoints.
FROM THE MEDIA: Researchers built a working Proof of Concept (PoC) using a C-based loader and custom driver, demonstrating a complete four-step exploit chain: bypassing EDR, executing malware, persisting with a malicious driver, and triggering a denial-of-service crash. Disclosure attempts via HackerOne (June 11) and ZDI (July 29) went unanswered, leading to independent disclosure on August 16, 2025. The issue affects at least version 8.17.6, and potentially all newer releases. Researchers stressed that until patched, Elastic’s driver can be weaponized into a persistent, privileged exploit vector across customer environments.
READ THE STORY: CSN
Fortinet FortiSIEM CVE-2025-25256 Exploited in the Wild as PoC Emerges
Bottom Line Up Front (BLUF): A critical pre-authentication command injection vulnerability (CVE-2025-25256) in Fortinet’s FortiSIEM platform has been exploited in the wild, prompting urgent patching efforts. The flaw allows remote attackers to execute arbitrary system commands without credentials, potentially compromising enterprise security monitoring systems.
Analyst Comments: This vulnerability affects FortiSIEM, software responsible for detecting threats, meaning attackers could disable or manipulate detection capabilities, effectively blinding an organization. The existence of active exploitation before public disclosure underscores a disturbing trend: threat actors are independently discovering and leveraging vulnerabilities in security tools themselves. Organizations should reevaluate their security infrastructure's patch cadence and hardening, particularly legacy deployments.
FROM THE MEDIA: The vulnerability resides in the phMonitor component, which listens on port 7900 and processes XML input without adequate sanitization. Fortinet has confirmed that the vulnerability is being exploited in the wild. Patches have been issued for versions 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10, while legacy versions (6.6 and earlier) require full migration. Exploitation involves sending crafted XML payloads to inject and execute arbitrary commands. watchTowr Labs has released a detection Artefact Generator to help defenders identify signs of compromise.
READ THE STORY: GBhackers
Pakistani Malware Empire Exploited Pirated Software to Spread Infostealers, Earning Millions
Bottom Line Up Front (BLUF): A Pakistan-based cybercrime group ran a five-year malware distribution scheme by disguising infostealers as cracked software. The group, primarily based in Bahawalpur and Faisalabad, leveraged SEO poisoning, pirated software forums, and pay-per-install (PPI) networks to infect millions of devices and generate more than $4 million in revenue. The campaign was eventually exposed when the operators themselves were infected by the same kind of malware they spread.
Analyst Comments: The group industrialized infostealer distribution on a massive scale by combining cracked software with affiliate-style PPI models. The accidental leak of their infrastructure highlights how fragile and sloppy these underground businesses can be, even while remaining highly profitable. Going forward, more cybercriminal groups can be expected to exploit pirated content ecosystems as distribution channels. This case also reinforces the importance of supply-side interventions, such as disrupting PPI networks and payment channels (Payoneer, Bitcoin), to dismantle cybercrime economies.
FROM THE MEDIA: Malware families such as Lumma Stealer, Meta Stealer, and AMOS were embedded in archives disguised as cracked versions of Adobe After Effects and Internet Download Manager. Traffic was monetized through the InstallBank and SpaxMedia (later Installstera) PPI networks, which paid affiliates for successful malware installations. The operation reportedly generated 449 million clicks and 1.88 million malware installs between 2020 and 2025. The scheme unraveled when the attackers were themselves infected with an infostealer, exposing credentials, payment logs, and evidence of family ties within the operation.
READ THE STORY: TechRadar
F5 Patches HTTP/2 Vulnerability CVE-2025-54500 Exploited in DoS Attacks on BIG-IP Systems
Bottom Line Up Front (BLUF): F5 Networks has patched a medium-severity vulnerability (CVE-2025-54500) affecting its BIG-IP products’ HTTP/2 implementation. The flaw allows unauthenticated remote attackers to trigger denial-of-service (DoS) attacks by overwhelming system resources through malformed HTTP/2 control frames.
Analyst Comments: As load balancers and application delivery controllers form critical infrastructure in many enterprises, a vulnerability of this nature can have far-reaching consequences. Organizations with older or unpatched systems remain vulnerable, and the performance benefits of HTTP/2 must be weighed against the potential attack exposure. Going forward, protocol-level protections and early anomaly detection will be essential in safeguarding against similar DoS vectors.
FROM THE MEDIA: The “HTTP/2 MadeYouReset Attack” allows attackers to bypass concurrent stream limits using malformed control frames, leading to CPU exhaustion and potential DoS. F5 has released engineering hotfixes for the 16.x and 17.x branches but has not yet provided a fix for version 15.x. The issue does not affect the control plane and does not impact NGINX, F5OS, or BIG-IQ systems. The vulnerability was responsibly disclosed by researchers Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel. Mitigation options include disabling HTTP/2 and using DoS protection profiles.
READ THE STORY: GBhackers
China Denies Link to UNC3886 Cyber Espionage Group Amid Singapore Allegations
Bottom Line Up Front (BLUF): The Chinese embassy in Singapore has denied allegations that a cyber espionage group targeting Singapore’s critical infrastructure has ties to China. The denial follows remarks from a Singaporean minister about the group UNC3886, which cybersecurity firm Mandiant has previously linked to China.
Analyst Comments: While Mandiant has connected UNC3886 to Chinese state interests, public confirmation from affected states like Singapore remains cautious. Even amid mounting evidence from independent researchers, China’s consistent denial of involvement in cyberattacks is part of a broader strategy to maintain plausible deniability. The situation underscores the difficulty in assigning definitive accountability for cyber threats that impact national infrastructure.
FROM THE MEDIA: On Friday, a Singaporean minister warned that espionage group UNC3886 targets "high value strategic threat targets" within the country's critical infrastructure. While the official stopped short of directly attributing the group to any nation, Mandiant has characterized UNC3886 as a "China-nexus espionage group" active in attacks across the U.S. and Asia. In response, the Chinese embassy in Singapore issued a Facebook statement over the weekend calling such claims "groundless smears and accusations." The embassy emphasized that China opposes all forms of cyberattacks and does not support hacking activities. Singapore’s Cyber Security Agency lists sectors such as energy, healthcare, transport, and communications as part of its critical infrastructure. Beijing has routinely denied involvement in global cyber espionage campaigns, claiming to be a victim of such activities instead.
READ THE STORY: MSN (Reuters)
Items of interest
Israel’s Water Technology Positioned as Key to Middle East Stability
Bottom Line Up Front (BLUF): Iran is facing an acute water crisis, with rainfall down 40% and groundwater heavily over-exploited, threatening Tehran’s population and economy. Analysts argue that Israel’s advanced desalination, wastewater recycling, and irrigation systems could provide a pathway for regional cooperation, but deep political hostilities remain a barrier.
Analyst Comments: Water distribution networks, desalination plants, and atmospheric water generation are increasingly digitized and thus vulnerable to cyber sabotage. If Iran’s instability deepens due to resource scarcity, the risk of cyber-enabled state conflict or proxy retaliation against Israel’s water systems could grow. Conversely, regional cooperation on water technology—already underway with Jordan and the UAE—could serve as a stabilizing factor. A future "water-for-energy" deal could intertwine Middle Eastern energy and water security, making cyber resilience of these infrastructures a top strategic priority.
FROM THE MEDIA: President Masoud Pezeshkian warned that Damascus could also face shortages by autumn without consumption controls. Israel, by contrast, has transformed itself into a water-surplus nation, producing 20% more water than it consumes through desalination, wastewater recycling, and drip irrigation. Israel already exports water to Jordan under the 1994 peace treaty and has ongoing cooperation with the Palestinian Authority and UAE. Analysts suggest Iran’s long-term survival depends less on military buildup and more on water infrastructure reform, potentially with Israeli expertise.
READ THE STORY: The Jerusalem Post
Netanyahu Promises Iran Water Aid In Exchange For Regime Change (Video)
FROM THE MEDIA: Prime Minister Benjamin Netanyahu called on the Iranian people to oppose their regime in exchange for help with the country's water crisis. “The moment your country is free, Israel’s top water experts will flood into every Iranian city, bringing cutting-edge technology and know-how. We will help Iran recycle water, we’ll help Iran desalinate water,” Netanyahu said.
Iranian President Is In A Very Difficult Situation "We Have No Water Left" (Video)
FROM THE MEDIA: Iran's water crisis has reached critical levels as President Pezeshkian warned that Tehran could run dry by October. With rainfall down 45% during the worst drought in sixty years, decades of mismanagement have transformed a natural disaster into a national catastrophe. Dam reserves stand at just 42% of capacity nationwide, while the capital faces imminent shortages.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.