Daily Drop (1135)

09-14-25

Sunday, Sep 14, 2025 // (IG): BB // GITHUB // SN R&D

Projects:

News:

China Mandates AI Content Labeling and Standardizes Cybersecurity Reporting

Bottom Line Up Front (BLUF): China has enacted new national standards effective September 1, 2025, including mandatory labeling of AI-generated content (GB 45438-2025) and new frameworks for cyberattack classification (GB/T 37027-2025). These measures aim to combat disinformation, strengthen cybersecurity governance, and improve consumer product safety across multiple industries.

Analyst Comments: While this could mitigate disinformation and fraud, it also centralizes state oversight of online content. The cyberattack classification standard reflects Beijing’s push for systematic incident reporting and greater control over cyber defense narratives. These measures signal rising compliance requirements for global businesses, especially in AI deployment, consumer tech, and security reporting. The broader rollout of product safety standards shows China’s intent to align industrial policy with global competitiveness and security priorities.

FROM THE MEDIA: The State Administration for Market Regulation implemented new national standards. Among them, GB 45438-2025 requires service providers and distribution platforms to apply identifiers to all AI-generated content to prevent disinformation and fraud while building public trust in AI. Another key measure, GB/T 37027-2025, introduces standardized cyberattack definitions and reporting methods, targeting incident response teams and regulators to improve situational awareness. In addition, GB/T 45354.1-2025 sets privacy and usability requirements for voice interactions in smart home devices. The regulatory package also includes updated safety and efficiency standards for furniture, electric bicycles, kitchen appliances, and industrial motors, reinforcing China’s focus on consumer protection, emissions reduction, and global competitiveness.

READ THE STORY: RHC

FBI Issues IOCs After Cybercriminals Target Salesforce for Data Exfiltration and Extortion

Bottom Line Up Front (BLUF): The FBI has released a flash alert warning that cybercriminal groups UNC6040 and UNC6395 exploit Salesforce instances to steal sensitive data for extortion. Attackers use social engineering (vishing), malicious connected apps, or compromised third-party OAuth tokens to gain persistent access. The FBI provided extensive Indicators of Compromise (IOCs) and urged organizations to tighten Salesforce access controls and third-party integrations.

Analyst Comments: Vishing against IT help desks reflects a trend of blending human and technical attack vectors. Organizations dependent on Salesforce should adopt phishing-resistant MFA, continuously audit third-party integrations, and monitor API calls for anomalies. The link to extortion groups such as ShinyHunters suggests stolen data is being weaponized quickly, raising both reputational and regulatory risks.

FROM THE MEDIA: Group UNC6040, active since October 2024, uses voice phishing to impersonate IT staff, persuading employees to authorize a malicious connected app—a modified Salesforce Data Loader tool—that issues OAuth tokens and provides persistent access. Group UNC6395, active in August 2025, exploited compromised OAuth tokens from the Salesloft Drift chatbot integration to exfiltrate Salesforce data. Salesforce and Salesloft revoked Drift-related tokens on August 20, cutting off that vector. Both groups use API queries for large-scale data theft, with some victims receiving follow-on extortion emails from the ShinyHunters cybercrime group. The FBI released a long list of IOCs, including IP addresses, URLs, and user-agent strings, and urged organizations to enforce phishing-resistant MFA, train call center staff to spot vishing, restrict IP-based access, and rotate API keys regularly.

READ THE STORY: CSN

Hong Kong’s Cyberport Tests Chinese GPUs to Reduce Dependence on Nvidia Amid US-China Tensions

NOTE:

China is actively promoting domestic GPUs to reduce its critical dependence on American semiconductor technology, particularly Nvidia's dominant position in AI computing. With the US imposing export restrictions on advanced chips to China (including limiting access to Nvidia's most advanced GPUs), China faces a strategic vulnerability that could hamstring its AI development ambitions.

Bottom Line Up Front (BLUF): Hong Kong’s Cyberport AI Supercomputing Centre is testing GPUs from four mainland Chinese vendors as alternatives to Nvidia’s H800 chips. The move reflects geopolitical risks and supply chain diversification strategies, as Hong Kong positions itself as an AI innovation hub and bridge for Chinese technology firms expanding globally.

Analyst Comments: Vishing against IT help desks reflects a trend of blending human and technical attack vectors. Organizations dependent on Salesforce should adopt phishing-resistant MFA, continuously audit third-party integrations, and monitor API calls for anomalies. The link to extortion groups such as ShinyHunters suggests stolen data is being weaponized quickly, raising both reputational and regulatory risks.

FROM THE MEDIA: Group UNC6040, active since October 2024, uses voice phishing to impersonate IT staff, persuading employees to authorize a malicious connected app—a modified Salesforce Data Loader tool—that issues OAuth tokens and provides persistent access. Group UNC6395, active in August 2025, exploited compromised OAuth tokens from the Salesloft Drift chatbot integration to exfiltrate Salesforce data. Salesforce and Salesloft revoked Drift-related tokens on August 20, cutting off that vector. Both groups use API queries for large-scale data theft, with some victims receiving follow-on extortion emails from the ShinyHunters cybercrime group. The FBI released a long list of IOCs, including IP addresses, URLs, and user-agent strings, and urged organizations to enforce phishing-resistant MFA, train call center staff to spot vishing, restrict IP-based access, and rotate API keys regularly.

READ THE STORY: Yahoo Finance

China’s Great Firewall Source Code Leaks: 500GB Archive Reveals Export of Censorship Tech Abroad

Bottom Line Up Front (BLUF): On September 11, researchers confirmed the leak of over 500GB of source code, internal documents, and build systems related to China’s Great Firewall, providing unprecedented visibility into its deep packet inspection (DPI) infrastructure. The data links Chinese censorship technology to deployments in Myanmar, Pakistan, Ethiopia, and Kazakhstan, revealing how Beijing’s surveillance tools are exported and commercialized abroad.

Analyst Comments: Beyond domestic implications, the confirmation that Geedge Networks’ “Tiangou” system has been sold abroad highlights how China uses censorship tech as an instrument of digital influence and authoritarian alignment. For defenders, the presence of build logs, developer notes, and DPI configurations may enable circumvention tool developers to craft more resilient anti-censorship techniques. However, the archive’s availability also raises risks of repurposing by other authoritarian regimes.

FROM THE MEDIA: The files originate from Geedge Networks, a company tied to Fang Binxing (“the father of the Great Firewall”), and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering. Researchers verified that the documents outline a turnkey DPI solution known as “Tiangou”, capable of VPN detection, SSL fingerprinting, and full-session logging. Deployment sheets show it was rolled out across 26 data centers in Myanmar, monitoring up to 81 million concurrent TCP connections. Partner reporting from WIRED and Amnesty International confirmed exports to Pakistan, Ethiopia, and Kazakhstan, where it is integrated with lawful intercept systems for blanket surveillance. Analysts warn the archive could reveal protocol-level weaknesses exploitable by circumvention tools. The dataset is now mirrored by Enlace Hacktivista and others, with researchers urging examination only in air-gapped or sandboxed environments.

READ THE STORY: tom's HARDWARE

Japan to Probe Undersea Cable Supply Chains Over Chinese Components Amid Security Concerns

Bottom Line Up Front (BLUF): Japan will investigate whether its domestic firms source critical undersea cable components—such as repeaters, control systems, and cables—from China, to reduce reliance on Chinese suppliers like HMN Technologies. The move follows U.S. efforts to exclude Chinese equipment from subsea networks amid rising fears of sabotage and espionage.

Analyst Comments: This initiative signals Japan’s alignment with the U.S.-led effort to secure global undersea cable infrastructure, reflecting heightened geopolitical tensions with China and Russia. Undersea cables carry 99% of Japan’s international communications, making them both a strategic asset and a national vulnerability. Potential policy measures—like subsidies for domestic shipbuilding and component production—point to a trend toward supply chain localization and national security-driven industrial policy. Japan could move toward a NATO-like cable defense doctrine if paired with closer military coordination, reshaping regional maritime security.

FROM THE MEDIA: Companies found to be sourcing from China may be asked to switch to domestic or allied suppliers, with subsidies offered to offset costs. The undersea cable industry is currently dominated by NEC (Japan), SubCom (U.S.), and Alcatel Submarine Networks (France), though China’s HMN Technologies, formerly tied to Huawei, is gaining ground. The review also covers Japan’s operational capacity, including cable-laying vessels owned by KDDI and NTT. This comes after suspected sabotage incidents near Taiwan and the Baltic Sea from late 2024 to early 2025, and a 2023 case where a Chinese-made wiretap device was discovered near Okinawa. Japan is also considering amending its Economic Security Promotion Act to designate undersea cable services as “critical,” enabling government funding. Unlike the U.S., Japan has yet to define the role of the Self-Defense Force or Coast Guard in cable protection, leaving contingency planning incomplete.

READ THE STORY: Nikkei Asia

Researchers Warn of “Living off AI” Attacks Exploiting Atlassian’s Model Context Protocol

Bottom Line Up Front (BLUF): Security researchers have demonstrated that malicious support tickets can be weaponized to exploit Atlassian’s Model Context Protocol (MCP), allowing attackers to exfiltrate sensitive data from Jira Service Management (JSM) without directly breaching internal systems. The vulnerability arises when AI-driven workflows process untrusted external input with elevated internal privileges.

Analyst Comments: As organizations increasingly embed AI assistants into IT and security operations, the lack of input isolation creates opportunities for attackers to hijack trusted processes indirectly. While Atlassian’s MCP is the current example, any AI-enabled business platform that processes external requests could be vulnerable. Mitigation requires sandboxing, least privilege on AI actions, and continuous monitoring of AI outputs—practices not yet widely standardized.

FROM THE MEDIA: If an internal support engineer invokes an MCP-linked AI (e.g., for ticket summarization), the AI executes the injected payload with the engineer’s internal privileges. This allows attackers to exfiltrate data via API calls or modify internal records without directly accessing backend systems. Researchers demonstrated a proof-of-concept where an MCP action leaked tenant data into a ticket, retrievable by the attacker. Experts stress the threat extends beyond Atlassian, warning that AI tools connected to external-facing systems are at risk. Recommended defenses include enforcing least privilege on AI-driven actions, monitoring for anomalous prompt patterns, sandboxing AI processing, and maintaining detailed audit logs of MCP activity.

READ THE STORY: GBhackers

Mustang Panda Deploys SnakeDisk USB Worm and Toneshell9 Backdoor Against Air-Gapped Systems

Bottom Line Up Front (BLUF): IBM X-Force has identified new campaigns by the China-linked threat actor Mustang Panda (Hive0154). These campaigns feature a Toneshell9 backdoor with proxy-aware evasion capabilities and a SnakeDisk USB worm targeting Thai government networks. These tools demonstrate a calculated push to compromise air-gapped systems during regional tensions.

Analyst Comments: Threat actors use trusted software like Velociraptor and VS Code to evade traditional detection and bypass application whitelisting. This tactic could be a precursor to ransomware, particularly if combined with credential theft or lateral pivoting. SOC teams must begin treating unusual use of administrative or incident response tools as high-risk indicators rather than benign anomalies.

FROM THE MEDIA: Toneshell9 introduces dual reverse shells, proxy-aware communication, and obfuscation techniques such as junk code injection using ChatGPT-generated strings. It communicates via disguised TLS 1.2 Application Data packets, evading inspection. Meanwhile, SnakeDisk is engineered to execute only on Thai IP ranges, propagating via USB drives and dropping the Yokai backdoor, a tool previously used in campaigns against Thai officials. IBM researchers note that SnakeDisk’s timing aligns with Thailand-Cambodia border disputes in 2025, suggesting geopolitical motivations. Mustang Panda continues leveraging weaponized archives uploaded from Singapore and Thailand, impersonating official government communications hosted on platforms like Box and Google Drive. The campaign reflects a sustained and evolving Chinese cyberespionage effort in Southeast Asia.

READ THE STORY: GBhackers

Rise of Cyber Armies: U.S., China, Russia, and Emerging Powers Shape the Digital Battlefield

Bottom Line Up Front (BLUF): As cyber operations become central to state power, countries like the U.S., China, Russia, and Israel leverage offensive and defensive cyber capabilities to pursue geopolitical goals. Meanwhile, North Korea, Iran, and India are expanding their digital arsenals, reflecting how cyber warfare is reshaping global security strategies and military doctrines.

Analyst Comments: From AI-driven intelligence in U.S. operations to Russia’s disinformation-heavy tactics and China’s emphasis on IP theft, national cyber doctrines mirror broader strategic priorities. The emergence of India as a rising cyber power also signals a shift in Asia’s cyber balance, where rivalries increasingly play out in digital rather than physical domains. The diffusion of advanced offensive tools to mid-tier states could further destabilize regional security environments, forcing alliances like NATO and ASEAN to adopt more integrated cyber defense postures.

FROM THE MEDIA: China focuses on large-scale espionage and intellectual property theft through PLA cyber units. Russia blends cyberattacks with disinformation campaigns, targeting elections and critical infrastructure. Israel leverages its technological edge with dual offensive and defensive capabilities. Among emerging players, the UK’s National Cyber Force integrates intelligence and defense, North Korea weaponizes cybercrime through groups like Lazarus, and Iran disrupts regional rivals by striking banks and utilities. Meanwhile, India is quickly scaling cyber defense and offense via its Defence Cyber Agency, reflecting ambitions to protect critical infrastructure and counter threats from neighboring powers. Collectively, these cyber armies demonstrate how digital operations are now central to geopolitical influence and global security calculations.

READ THE STORY: The 420

Kim Yo Jong Warns US, South Korea, Japan of “Negative Consequences” Ahead of Joint Drills

Bottom Line Up Front (BLUF): North Korean leader Kim Jong Un’s sister Kim Yo Jong warned that upcoming US-South Korea-Japan military drills, beginning September 15 under Freedom Edge, could trigger “negative consequences” for the participating nations. Pyongyang framed the exercises as provocative, vowing stronger countermeasures if such shows of force continue.

Analyst Comments: North Korea’s rhetoric underscores its ongoing strategy of portraying allied exercises as pretexts for invasion, a narrative used to justify weapons tests and nuclear posture changes. The mention of “cyber-operational capabilities” in Freedom Edge is notable, as it suggests the drills extend beyond conventional deterrence into digital domains. With the Iron Mace tabletop exercise planned next week to simulate integration of conventional and nuclear responses, Pyongyang may respond with escalatory steps—potentially missile launches, cyber disruptions, or both—to reinforce deterrence and gain leverage in regional security negotiations.

FROM THE MEDIA: The exercises, beginning September 15, focus on aerial, naval, and cyber defense against North Korea’s nuclear and missile threats. Kim described the drills as a “reckless display of power” around the DPRK and warned of “negative consequences” for the participants. Separately, Pak Jong Chon, a senior party official, stated that if “hostile forces” continue their exercises, North Korea will respond “more clearly and strongly.” South Korean media also reported that Washington and Seoul will hold the Iron Mace tabletop drills next week, simulating joint nuclear and conventional responses. While Seoul and Washington emphasize that these operations are defensive, Pyongyang has historically answered such maneuvers with weapons testing and escalatory actions.

READ THE STORY: The Straits Times

Iran–China Strategic Partnership Deepens Through SCO Cooperation

Bottom Line Up Front (BLUF): Iran’s full membership in the Shanghai Cooperation Organization (SCO) has expanded its strategic cooperation with China, integrating military, economic, and infrastructure initiatives under a multilateral framework. This partnership, supported by joint exercises and technology transfers, strengthens both nations’ positions in a multipolar world order while countering Western influence.

Analyst Comments: The Iran–China alignment within the SCO represents more than bilateral cooperation—it embeds Tehran’s pivot to the East into an institutionalized Eurasian framework. Joint military programs and infrastructure projects signal a long-term strategic convergence, with implications for maritime security in the Persian Gulf and broader supply chain resilience. The integration of emerging technologies such as AI, drones, and hypersonic systems suggests that the SCO could evolve into a counterweight to Western-led alliances. However, this trajectory may intensify regional rivalries, particularly with the U.S. and its Gulf partners, raising the risk of proxy cyber and hybrid conflicts.

FROM THE MEDIA: Originally a border-security forum, the SCO now includes China, Russia, India, Pakistan, and Iran, among others, and coordinates on counterterrorism, trade, and infrastructure. For Iran, membership provides access to collective security mechanisms, energy and transportation projects, and a platform for Eastern-oriented diplomacy. Military collaboration with China has expanded from arms sales to joint training, naval drills in the Indian Ocean, and cooperation on missile systems, drones, and electronic warfare. The partnership is further enhanced through SCO joint exercises and connectivity projects aligned with China’s Belt and Road Initiative. Analysts note that technology transfers—such as cruise missiles, surveillance drones, and cyber defense tools—are central to the partnership. At the same time, future cooperation may include AI-based weapons and joint production of drones and missiles. Collectively, these moves reinforce both nations’ capacity to challenge Western military and economic dominance in Eurasia.

READ THE STORY: PRESSTV

CISA Mismanaged $138M Cybersecurity Retention Program, Paid Incentives to Ineligible Staff

Bottom Line Up Front (BLUF): The U.S. Office of the Inspector General (OIG) found that the Cybersecurity and Infrastructure Security Agency (CISA) wasted federal funds and mismanaged its Cybersecurity Retention Incentive program, distributing payments to employees not directly engaged in cybersecurity. The audit identified $1.41 million in unallowable back payments and warned that CISA’s failures could worsen talent attrition and undermine U.S. cyber defense readiness.

Analyst Comments: The OIG’s findings reveal structural weaknesses in how the U.S. government retains cyber talent, highlighting risks in managing incentive-based retention at scale. With demand for skilled professionals outpacing supply, misallocating retention funds threatens to erode trust in federal cyber workforce programs. If unresolved, this mismanagement could weaken the U.S.’s ability to defend against nation-state and criminal cyberattacks. While CISA concurred with recommendations, the incident could fuel calls for greater oversight, program restructuring, and performance-based retention strategies.

FROM THE MEDIA: The OIG accused CISA of mishandling the Cybersecurity Retention Incentive program, which distributed more than $138 million between 2020 and 2024. Instead of targeting “mission-critical” cybersecurity staff, incentive payments of $21,000–$25,000 per year went to ineligible employees, including 240 individuals unrelated to cybersecurity. In 2024, 1,401 of CISA’s 3,220 employees received payments. CISA’s Office of the Chief Human Capital Officer also failed to maintain adequate records, leading to $1.41 million in improper back payments to 348 employees. A hotline complaint 2023 triggered the investigation, confirming “widespread waste, fraud, and abuse.” The OIG issued eight recommendations—including stricter eligibility guidelines and recovery of improper payments—all of which CISA accepted.

READ THE STORY: CyberNews

Items of interest

Record 1.5Bpps DDoS Attack Mitigated After Hijacking IoT Devices and MikroTik Routers

Bottom Line Up Front (BLUF): FastNetMon reported mitigating a record-setting 1.5 billion packets per second (Bpps) DDoS attack that targeted a DDoS scrubbing provider in Western Europe. The attack leveraged compromised IoT devices and MikroTik routers spread across more than 11,000 networks worldwide, highlighting the growing scale and sophistication of distributed denial-of-service operations.

Analyst Comments: Combined with recent volumetric attacks reaching 11.5 Tbps and 5.1Bpps, the threat landscape suggests hybrid DDoS attacks—mixing bandwidth and packet-rate floods—are becoming the new norm. Proactive filtering and securing vulnerable CPE hardware are now critical to maintaining global network resilience.

FROM THE MEDIA: The attack peaked at 1.5 billion packets per second, primarily using UDP floods sourced from hijacked IoT devices and MikroTik routers. The victim, unnamed but described as a DDoS mitigation vendor in Western Europe, was protected through real-time detection, ACL deployments, and on-site scrubbing. Founder Pavel Odintsov warned that the scale of such attacks illustrates the exponential risk posed by hijacked CPE devices, calling for ISP-level detection and filtering to prevent mass exploitation. The incident follows recent disclosures by Cloudflare of even larger volumetric attacks, reflecting a trend toward increasingly massive, distributed, and automated DDoS campaigns.

READ THE STORY: TechRadar

What is MikroTik? (Video)

FROM THE MEDIA: MikroTik is a Latvia-based company that develops networking hardware and software, best known for its RouterOS operating system and RouterBOARD hardware devices.

Botnet Attacks Explained: How They Work & How to Stop Them (Video)

FROM THE MEDIA: Bot attacks are a growing cyber threat, leveraging compromised IoT devices, smart TVs, and even connected cars to launch massive DDoS attacks. These botnets, controlled by cybercriminals, can disrupt networks, overwhelm systems, and take businesses offline—all without device owners even realizing it.

The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.