Friday, Sep 26, 2025 // (IG): BB // GITHUB // SN R&D
Microsoft Cuts Off Israeli Defense Ministry from Azure and AI Services Amid Gaza Surveillance Allegations
Bottom Line Up Front (BLUF): Microsoft has disabled cloud and AI services used by Israel’s Ministry of Defense (IMOD) after an internal review confirmed elements of reporting that Israeli Unit 8200 leveraged Azure to intercept Palestinian communications at scale. The system allegedly stored millions of phone calls daily, feeding intelligence used for targeting, detentions, and surveillance in Gaza and the West Bank. The decision follows months of employee protests and activist campaigns under the banner “No Azure for Apartheid.”
Analyst Comments: This move signals a rare corporate pushback against a state defense customer—one of Microsoft’s most politically sensitive decisions since suspending sales to Russia in 2022. By cutting off IMOD’s access mid-conflict, Microsoft draws a red line around the use of its cloud services for mass civilian surveillance and lethal targeting. However, the timing also reflects sustained reputational pressure: internal employee dissent, global activist encampments, and investigative reporting forced the company’s hand. For Israel, losing access to Azure-hosted AI and scalable storage could impact real-time signals intelligence workflows, though alternative sovereign infrastructure is likely in place. For Microsoft, this sets a precedent—other governments and militaries may now face stricter AI/cloud usage audits to ensure compliance with corporate human rights policies.
READ THE STORY: TRT
Unsecured AI Agents Pose Growing Cyber Risk as Identity Sprawl Accelerates
Bottom Line Up Front (BLUF): With AI agents rapidly deployed across enterprise functions, organizations are facing a surge in non-human identities—many of which lack proper security controls. A recent piece from the World Economic Forum highlights that only 10% of surveyed companies have a mature strategy for managing agentic and non-human identities, despite these agents often holding privileged access and making autonomous decisions. This gap creates a growing attack surface ripe for exploitation via prompt injection, over-permissioning, and token abuse.
Analyst Comments: Agentic AI systems represent a shift from static automation to dynamic decision-making entities with persistent access to sensitive data and systems. Unlike human users, these agents can’t be authenticated using conventional MFA or SSO—they rely on API tokens, certificates, and ephemeral containers, many of which are poorly rotated or overly permissive. Worse, their actions are harder to trace, increasing post-incident complexity.
This isn’t just a theoretical risk. Prompt injection, credential misuse, and model manipulation are all live vectors in the wild. The speed of AI adoption has outpaced security governance, and many orgs are sleepwalking into identity chaos. Treat every AI agent as a privileged identity—and start enforcing least privilege, visibility, and lifecycle controls now.
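One way to apply the least-privilege, visibility and lifecycle controls the comment calls for, as an added example (not code from the WEF piece): each agent receives a short-lived, scope-bound signed token, and every tool call passes through one gateway that authorises it and records who asked. The signing key, tool catalogue and agent ids are constructed for the demo.

```python
"""Capability tokens for AI agents: short-lived, scope-bound, signed, and logged at one
gateway. Added example (not the WEF piece's code); key, tools and agent ids are constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-key-rotate-me"   # constructed; keep real keys in a KMS/vault

# Constructed tool catalogue: the only things an agent can ever be granted.
TOOLS = {"search_docs": "read", "send_email": "write", "rotate_secret": "admin"}


def issue_token(agent_id: str, scopes: list, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a token naming one agent, an explicit scope list and a hard expiry."""
    now = time.time() if now is None else now
    unknown = set(scopes) - set(TOOLS)
    if unknown:
        raise ValueError(f"cannot grant unknown tools: {sorted(unknown)}")
    claims = {"sub": agent_id, "scopes": sorted(set(scopes)), "iat": now, "exp": now + ttl_seconds}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the claims if the signature matches and the token is unexpired; else raise."""
    now = time.time() if now is None else now
    body_hex, _, tag = token.partition(".")
    try:
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("bad signature")
    claims = json.loads(body)
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims


class ToolGateway:
    """Single choke point between agents and tools: authorise first, then record the call."""

    def __init__(self) -> None:
        self.audit = []   # one record per attempt, so actions stay attributable to an agent

    def invoke(self, token: str, tool: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        agent, outcome = "unverified", "allowed"
        try:
            claims = verify_token(token, now)
            agent = claims["sub"]
            if tool not in TOOLS:
                raise PermissionError("unknown tool")
            if tool not in claims["scopes"]:
                raise PermissionError("scope missing")
        except PermissionError as exc:
            outcome = f"denied: {exc}"
        # Denied attempts are logged too; a burst of "scope missing" is an early prompt-injection signal.
        self.audit.append({"ts": now, "agent": agent, "tool": tool, "outcome": outcome})
        return outcome
```

The short TTL is what makes rotation cheap; if a token must die before it expires, add a revocation list keyed on the agent id.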
READ THE STORY: WEF
Drone Warfare in Ukraine Forces Pentagon Reckoning: U.S. Struggles to Match Russian and Ukrainian Innovation
Bottom Line Up Front (BLUF): The Russia-Ukraine war has fundamentally transformed modern warfare, with both sides deploying millions of small drones for reconnaissance, artillery guidance, and direct attack. While Ukraine has become a world leader in tactical drone warfare, Russia has scaled domestic production to industrial levels—shifting from reliance on Iranian imports to mass deployment of FPV and loitering munitions. Long focused on high-end systems like the MQ-9 Reaper, the U.S. military is now scrambling to adapt—training soldiers on quadcopters, racing to mass-produce small drones, and rewriting doctrine for drone-saturated battlefields. Drones are no longer a niche capability—they’re now central to how modern wars are fought and won.
Analyst Comments: This isn’t theory anymore—it’s war at scale, with drones treated like ammunition. The U.S. is behind, not in technology, but in mindset and manufacturing. The real revelation from Ukraine isn’t the drone tech itself, but how fast Ukraine and Russia have adapted—shortening innovation cycles from years to weeks. Every NATO planner should ask: Can we build, field, and iterate like that? Right now, the answer is no. Meanwhile, Russia’s drone strategy—cheap, overwhelming, and persistent—is designed to wear down not just Ukraine, but Western resolve. And while Ukraine’s drone prowess has earned it a place as NATO’s unofficial drone training hub, the U.S. and its allies must move beyond admiration and start operationalizing these lessons because the next peer fight won’t give them two years to catch up.
READ THE STORY: TS2 Tech
China-Linked Brickstorm and RedNovember Campaigns Breach Global Critical Infrastructure and U.S. Defense Contractors
Bottom Line Up Front (BLUF): Two China-backed APT groups—Brickstorm and RedNovember (tracked by Microsoft as Storm-2077)—have been linked to prolonged espionage campaigns targeting critical infrastructure, including breaches at U.S. defense contractors, European aerospace firms, and government ministries worldwide. Brickstorm maintained access in victim environments for nearly 400 days, stealing proprietary source code and strategic communications. RedNovember leveraged edge device exploits (e.g., SonicWall, Cisco ASA, Fortinet) and Cobalt Strike to move laterally through high-profile networks. Both groups appear aligned with China’s Five-Year Plan priorities and suggest a long-term effort to stockpile zero-days and disrupt supply chains.
Analyst Comments: This is not just intelligence gathering—it’s pre-operational positioning. China’s cyber strategy increasingly revolves around patient, layered access to edge infrastructure and source code repositories, allowing them to craft zero-day vulnerabilities tailored for future crises. Brickstorm’s dwell time—393 days—is a red flag for how far behind detection capabilities are for stealthy implants in enterprise environments. Meanwhile, RedNovember’s broad targeting of VPNs, firewalls, and email gateways reflects a playbook similar to the SolarWinds model: get in once, fan out widely.
Both groups represent the evolution of MSS-linked tradecraft: blending stealthy long-term access (Brickstorm) with faster, scalable intrusions (RedNovember), coordinated via distinct backdoors (e.g., Pantegana, written in Go) and familiar tools like Cobalt Strike. Lauren Rucker noted that this is supply chain warfare with strategic patience, not smash-and-grab tactics. Source code theft isn’t just for cloning tech—it’s to reverse-engineer flaws at scale, creating a bespoke zero-day arsenal.
READ THE STORY: SC MEDIA
Cisco ASA and FTD Zero-Days Under Active Exploitation: Remote Code Execution and Auth Bypass
Bottom Line Up Front (BLUF): Cisco has confirmed active exploitation of two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The flaws—CVE-2025-20333 and CVE-2025-20362—enable authenticated remote code execution and unauthenticated access to restricted endpoints, respectively. A third critical bug (CVE-2025-20363), while not explicitly linked to active attacks, was patched concurrently.
Analyst Comments: This is a high-risk cluster of bugs. The RCE zero-day (CVE-2025-20333) is particularly dangerous for enterprises exposing ASA/FTD portals to the Internet, while CVE-2025-20362 expands the attack surface by opening restricted endpoints to anyone with network access. Coupled with reconnaissance activity reported by GreyNoise—25,000 unique IPs probing ASA and IOS services in August—the exploitation window is already wide open.
Expect these flaws to become staples in ransomware and state-sponsored intrusion playbooks. Cisco firewalls are pervasive in government, telecom, and finance networks. Even organizations relying on multi-layer defenses are at risk, as a firewall compromise provides deep internal access. This cluster underscores a recurring theme: edge appliances remain prime targets for APTs due to patching delays and critical placement in the network stack.
READ THE STORY: Bleeping Computer
China’s Salt Typhoon Embedded in U.S. Telecoms: Firmware-Level Espionage Hits AT&T, Verizon, and National Guard Networks
Bottom Line Up Front (BLUF): Chinese state-sponsored APT group Salt Typhoon, aligned with China’s Ministry of State Security (MSS), has executed a long-running cyberespionage campaign targeting global telecommunications infrastructure. Using firmware rootkits, fabricated U.S. personas, and domain infrastructure supplied by pseudo-private contractors, the group has breached U.S. carriers (including AT&T and Verizon) and National Guard networks, exfiltrating sensitive metadata, lawful intercept logs, and telecom routing configurations. This campaign supports China’s long-term SIGINT and wartime disruption planning.
Analyst Comments: Salt Typhoon exemplifies the new face of Chinese cyber espionage—semi-privatized, deeply embedded, and built for persistence. Using firmware implants that survive routine updates is a significant evolution, creating near-invisible footholds in telecom environments. Unlike smash-and-grab APTs, Salt Typhoon operates with patient, signals intelligence (SIGINT)-grade tradecraft, embedding C2 channels within legitimate HTTPS management protocols and beaconing irregularly to blend in. Despite this sophistication, their reuse of ProtonMail-registered domains, commercial DV certs (GoDaddy, Sectigo), and name servers like irdns.mars.orderbox-dns.com gives defenders clear infrastructure signatures to pivot on. Targeting lawful intercept and SS7 data suggests battlefield prep—not just surveillance. This is not espionage for espionage’s sake—it’s strategic groundwork for real-world disruption in a conflict scenario.
READ THE STORY: Cyber Press
Telegram-Based Bqtlock Ransomware Deploys Anti-Recovery & Admin Account Tactics
Bottom Line Up Front (BLUF): A new ransomware strain dubbed Bqtlock is being distributed under a Ransomware-as-a-Service (RaaS) model and actively encrypting Windows systems. Tied to the alleged hacktivist leader “ZerodayX” of Liwaa Mohammed, Bqtlock uses Telegram for victim communication and Discord webhooks for exfiltration. It features hybrid AES-256/RSA-4096 encryption, persistence via scheduled tasks, and creates a rogue admin account—significantly increasing risk for small to mid-sized organizations.
Analyst Comments: Bqtlock shows how low-friction tooling lowers the ransomware deployment barrier. While it mimics well-known tactics (e.g., process hollowing, anti-VM, UAC bypass), its integration of Discord for exfiltration and Telegram for negotiation suggests a focus on operational speed and anonymity. Creating a local admin account with a static credential (“Password123!”) is crude but effective against poorly segmented networks. The RaaS model—with customizable options and marketing exaggerations—indicates this is less about APT-style persistence and more about monetizing quick hits. Defenders should treat any endpoint with new scheduled tasks or suspicious admin accounts as potentially compromised.
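The closing advice (treat new scheduled tasks and suspicious admin accounts as a compromise signal) as detection logic over Windows Security events; this is an added example, not from the Cyber Press report, and the event records below are constructed sample data, with only the Windows event IDs being real.

```python
"""Detect the Bqtlock-style foothold described above: a newly created account that is
promoted to Administrators within minutes, plus a scheduled task launched from a
user-writable path. Added example; the (timestamp, event_id, fields) records are constructed."""
from datetime import datetime, timedelta

# Windows Security event IDs used: 4720 = user account created,
# 4732 = member added to a security-enabled local group, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    ("2025-09-26T10:00:05", 4720, {"target": "svc_backup", "subject": "WORKSTN\\jdoe"}),
    ("2025-09-26T10:00:07", 4732, {"member": "svc_backup", "group": "Administrators",
                                   "subject": "WORKSTN\\jdoe"}),
    ("2025-09-26T10:00:09", 4698, {"task": "\\Updater", "command": "C:\\Users\\Public\\upd.exe",
                                   "subject": "WORKSTN\\jdoe"}),
    ("2025-09-26T14:30:00", 4720, {"target": "intern01", "subject": "WORKSTN\\hr_admin"}),
    ("2025-09-27T09:00:00", 4698, {"task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                                   "command": "%windir%\\system32\\defrag.exe",
                                   "subject": "NT AUTHORITY\\SYSTEM"}),
]

PROMOTION_WINDOW = timedelta(minutes=10)     # creation -> Administrators this fast is a red flag
VENDOR_TASK_PREFIX = "\\Microsoft\\"         # OS-managed task folder, lower risk
WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse(events):
    """Turn ISO timestamps into datetimes; keep everything else as-is."""
    return [(datetime.fromisoformat(ts), eid, f) for ts, eid, f in events]


def find_rogue_admins(events):
    """Accounts whose 4720 creation is followed quickly by a 4732 into Administrators."""
    parsed = parse(events)
    created = {f["target"].lower(): ts for ts, eid, f in parsed if eid == 4720}
    hits = []
    for ts, eid, f in parsed:
        if eid == 4732 and f["group"].lower() == "administrators":
            born = created.get(f["member"].lower())
            if born is not None and timedelta(0) <= ts - born <= PROMOTION_WINDOW:
                hits.append({"account": f["member"], "promoted_by": f["subject"],
                             "seconds_after_creation": (ts - born).total_seconds()})
    return hits


def find_suspicious_tasks(events):
    """Tasks whose command lives in a user-writable dir, or non-vendor tasks not made by SYSTEM."""
    hits = []
    for _, eid, f in parse(events):
        if eid != 4698:
            continue
        vendor = f["task"].startswith(VENDOR_TASK_PREFIX)
        writable = any(d in f["command"].lower() for d in WRITABLE_DIRS)
        if writable or (not vendor and f["subject"] != "NT AUTHORITY\\SYSTEM"):
            hits.append({"task": f["task"], "command": f["command"], "created_by": f["subject"]})
    return hits


def triage(events):
    """Either signal alone warrants review; both on one host is a probable compromise."""
    admins, tasks = find_rogue_admins(events), find_suspicious_tasks(events)
    verdict = "likely compromised" if admins and tasks else "review" if admins or tasks else "clean"
    return {"verdict": verdict, "rogue_admins": admins, "suspicious_tasks": tasks}
```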
READ THE STORY: Cyber Press
China Tests World’s Largest Submarine Drones in South China Sea, Challenging U.S. Naval Edge
Bottom Line Up Front (BLUF): China is testing two extra-large uncrewed underwater vehicles (XLUUVs) in the South China Sea, each reportedly over 130 feet long—making them the largest submarine drones ever seen. Open-source analysis suggests the vessels could exceed the payload capacity of crewed submarines, potentially carrying heavyweight torpedoes and advanced sonar systems. With these tests, Beijing signals rapid progress in autonomous naval warfare and further blurs the line between surveillance and strike capabilities.
Analyst Comments: This is a significant escalation in unmanned maritime systems—not just in size, but in strategic implication. China’s XLUUVs could alter the balance of naval power in the Indo-Pacific, especially in contested waters like the South China Sea. Unlike the U.S. Navy’s still-unfinished Orca XLUUV, China’s models are already in trials, shielded from foreign surveillance in floating dry docks off Hainan. The platforms’ AI-based autonomy and potential to operate undetected for extended missions raise concerns about covert surveillance, undersea mining, and future torpedo delivery without human oversight. As with aerial drone warfare, the U.S. now risks being outpaced in a domain it helped pioneer.
READ THE STORY: Newsweek
NVIDIA Megatron‑LM: Multiple high‑severity code‑injection flaws — patch immediately
Bottom Line Up Front (BLUF): NVIDIA patched four high‑severity code‑injection vulnerabilities in the Megatron‑LM framework (CVE-2025-23348, CVE-2025-23349, CVE-2025-23353, CVE-2025-23354; CVSS ≈ 7.8). All Megatron‑LM releases before 0.13.1 and 0.12.3 are affected. An attacker who can supply or influence training/preprocessing inputs may achieve remote code execution, data tampering, or leak sensitive model/training data — a critical risk for research and production AI workflows, especially in shared HPC/container environments.
Analyst Comments: Code‑injection bugs in ML tooling are high‑impact because ML pipelines routinely accept third‑party datasets, user‑supplied scripts, and chained preprocessors that run with elevated privileges on compute nodes. Megatron‑LM commonly runs in multi‑tenant HPC clusters and cloud instances where a single exploited job can compromise datasets, models, and credentials (container images, mounted NFS, and token files). The attack surface is not just model code but the ingestion/preprocess scripts — treat data inputs as untrusted. Quick vendor patches are available; however, operational controls (isolation, least privilege, input validation) must be applied to prevent lateral damage even after patching.
READ THE STORY: FB
Germany Unveils CA-1 Europa Combat Drone: AI-Piloted UCAV Aims to Join NATO’s Frontline by 2029
Analyst Comments: Helsing’s CA-1 Europa is more than a prototype—it’s a political statement. Germany is signaling its intent to reduce dependency on U.S. and Chinese drone tech by emphasizing scalability, swarming capability, and a resilient European supply chain. Integrating an AI “pilot” with high-subsonic multi-role capability pushes Europe into the fast-moving CCA arena alongside U.S. projects like the Air Force’s loyal wingman and DARPA’s AI dogfight tests. Whether the CA-1 can match the maturity of U.S. or Chinese equivalents remains to be seen, but the ambitions are clear: autonomous mass, NATO interoperability, and strategic tech sovereignty. Expect interest from France, the UK, and potentially Poland, which are all seeking drone solutions untethered from U.S. export controls.
READ THE STORY: Breaking Defense // Reuters
LangFlow Container Privilege Escalation — CVE-2025-57760
Bottom Line Up Front (BLUF): A privilege-escalation vulnerability in LangFlow’s containerized deployments (tracked as CVE-2025-57760) allows an attacker with remote code execution (RCE) inside a LangFlow container to create an administrative superuser via an internal CLI command (langflow superuser; note that the source article rendered the command with homoglyphs). Affected versions: langflow ≤ 1.5.0. Exposed or poorly hardened container deployments (default creds, open ports) are at the highest risk.
Analyst Comments: This is a classic container-escape/privilege-creation issue in a dev-oriented AI tooling stack. LangFlow is often deployed quickly in labs and research clusters with minimal hardening (default credentials, host mounts, root containers, open port 7860). This makes exploitation low-effort once an attacker gains RCE. The impact is a complete application- and tenant-level takeover inside the environment and potential lateral abuse of integrated data sources and model access because the superuser can manage workflows. Treat any RCE in LangFlow as a high-priority incident and assume attacker persistence if not remediated.
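A docker-compose fragment that closes the weak defaults the comment lists (root container, host mounts, port 7860 open to the network, default credentials), added here as an example and not taken from the LangFlow project or the advisory; the image tag, the environment variable names and the data path are assumptions to verify against the LangFlow release you deploy.

```yaml
# Added example (not LangFlow's or the advisory's): hardened compose fragment.
# Image tag, env var names and the data path are assumptions; verify against your release.
services:
  langflow:
    image: langflowai/langflow:<patched-tag>     # placeholder: any release later than 1.5.0
    user: "1000:1000"                            # do not run the app as root
    cap_drop: [ALL]                              # the app needs no Linux capabilities
    security_opt: [no-new-privileges:true]
    ports:
      - "127.0.0.1:7860:7860"                    # loopback only; front it with an authenticating TLS proxy
    environment:
      LANGFLOW_AUTO_LOGIN: "false"               # require a login instead of implicit admin access
      LANGFLOW_SUPERUSER: "${LANGFLOW_SUPERUSER:?set in .env}"
      LANGFLOW_SUPERUSER_PASSWORD: "${LANGFLOW_SUPERUSER_PASSWORD:?set in .env}"
      LANGFLOW_SECRET_KEY: "${LANGFLOW_SECRET_KEY:?set in .env}"
      LANGFLOW_CONFIG_DIR: /data                 # assumed setting; keeps state on the named volume
    volumes:
      - langflow-data:/data                      # named volume, not a host bind mount
    # deliberately absent: /var/run/docker.sock, host paths, privileged: true
volumes:
  langflow-data: {}
```

The `:?` interpolation makes compose refuse to start when a credential is unset, so a default password cannot slip through.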
READ THE STORY: FB
Ukrainian Intelligence Disrupts Russia’s National Payment System in $30M Cyberattack
Bottom Line Up Front (BLUF): Ukraine’s military intelligence agency (GUR) executed a successful DDoS attack on Russia’s SBP instant payment platform and its telecom provider TransTeleCom, paralyzing financial transactions and cutting internet access across multiple Russian regions. The attack disrupted online payments—including fuel purchases and transit fares—and caused an estimated $30 million loss.
Analyst Comments: This is the most impactful Ukrainian cyber strike against Russian civilian infrastructure since the start of the war, and it’s a strategic shot across the bow. By targeting SBP, the digital spine of peer-to-peer financial transfers in Russia, GUR hit not only a technical node, but also a key channel for funneling donations to Kremlin-aligned militias and “volunteer” war support groups. The collateral disruption to ISPs and TV services widens the psychological and economic impact. Russia’s overreliance on centralized systems like TransTeleCom makes these DDoS attacks relatively low-cost, high-payoff options for Ukrainian cyber units. Expect more pressure campaigns like this as Ukraine adapts hybrid warfare to hit the Russian home front.
READ THE STORY: Babel
Cisco Patches Actively Exploited IOS/IOS XE Zero-Day Allowing RCE via SNMP
Bottom Line Up Front (BLUF): Cisco has released urgent fixes for CVE-2025-20352, a high-severity stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE. The flaw is already exploited in the wild, allowing attackers with valid SNMP credentials to trigger DoS conditions or achieve remote code execution (RCE) as root on affected routers and switches. All IOS/IOS XE devices with SNMP enabled are vulnerable, including Meraki MS390 and Catalyst 9300 models.
Analyst Comments: This is a serious but credential-dependent bug. Attackers need SNMPv1/v2c community strings or valid SNMPv3 credentials, plus admin (privilege 15) access to elevate to RCE. Reports indicate exploitation has already occurred in environments where admin accounts were compromised, making credential hygiene and monitoring critical. Because SNMP is still widely enabled for device management and monitoring, many organizations are at risk of DoS at a minimum. Expect to see this vulnerability weaponized for lateral movement in enterprise and telco networks, especially if paired with stolen creds from phishing or third-party compromises.
Short-term, defenders should patch immediately, restrict SNMP access to trusted management networks, and monitor device logs (show snmp host) for suspicious activity. Long-term, organizations should reevaluate whether SNMPv1/v2c is still necessary and move toward more secure management protocols.
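The short-term and long-term hardening steps above written out as IOS configuration: an added example, not from the Cisco advisory or THN, in which the management subnet, group and user names, syslog host and passphrase placeholders are all assumed.

```cisco
! Added example, not from the advisory: constrain SNMP while CVE-2025-20352 patches roll out.
! Management subnet, names, syslog host and passphrases are assumptions.
!
! 1. Remove legacy v1/v2c communities; a community string is the credential the bug needs.
no snmp-server community public
no snmp-server community private
!
! 2. Only the management subnet may reach the SNMP agent; log everything else.
ip access-list standard SNMP-MGMT
 permit 10.20.30.0 0.0.0.255
 deny   any log
!
! 3. SNMPv3 authPriv, read-only view, bound to the ACL above (no write view at all).
snmp-server view NMS-VIEW iso included
snmp-server group NMS-RO v3 priv read NMS-VIEW access SNMP-MGMT
snmp-server user nms-poller NMS-RO v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! 4. Surface authentication failures so credential guessing or reuse shows up in the SIEM.
snmp-server enable traps snmp authentication
logging host 10.20.30.5
!
! Verify with: show snmp user / show snmp group / show snmp host / show access-lists SNMP-MGMT
```

Because the page notes that RCE also requires privilege 15, keeping the v3 group read-only and leaving out any write view removes the path from SNMP credentials to configuration changes.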
READ THE STORY: THN
Items of interest
SIM Box Operation in NYC Signals Evolving Hybrid Warfare Tactics
BOTTOM LINE UP FRONT (BLUF): A massive cache of 300 servers and over 100,000 SIM cards discovered in New York City may represent a new form of hybrid warfare—merging cyber operations, espionage, and organized crime. Though some speculate the infrastructure was meant to disrupt UN proceedings via mass SMS-based attacks, the more plausible use case is a long-term phishing and espionage campaign, potentially operated by a state-linked but criminally integrated threat actor.
ANALYST COMMENTS: This isn’t just about SMS spam—it’s about control over an alternative communications infrastructure deep inside U.S. soil. The sophistication of the setup (30M texts per minute), combined with the presence of illegal firearms, narcotics, and burner phones, points to a state-actor-enabled criminal proxy model. This blends cyber-enabled espionage with physical operational capability.
The most plausible scenario is that the SIM box was being used for targeted phishing campaigns, impersonation, or credential harvesting, possibly aimed at U.S. officials and executives. This closely mirrors the Salt Typhoon and Brass Typhoon operations linked to China, which blur the lines between espionage and financially motivated activity.
But the fact that this kit was not dormant—that it was live and discoverable—suggests either a breakdown in operational security, a freelance criminal effort gone too far, or a deliberate probe to gauge detection thresholds during the UN General Assembly.
READ THE STORY: Geopolitical Monitor
SIM BOX fraud: new arena of cyber warfare (Video)
FROM THE MEDIA: The speaker frames SIM-box fraud as a major, evolving cyber threat — not just a simple scam — with operations spanning from local to global scale. He cites recent crackdowns in India (e.g. Telangana, Chandigarh, Madhya Pradesh, Bengaluru) where police seized SIM cards and SIM boxes used in fraudulent calling schemes.
Sim Box fraud: All you need to know (Video)
FROM THE MEDIA: We alert you about a new fraud that could trick you into divulging sensitive information. Scammers are now using a more sophisticated way to deceive you. We will provide you with more details in this report.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.