Saturday, Oct 04, 2025 // (IG): BB // GITHUB // SN R&D
China’s Chip Gambit Reshapes Global Tech: Silicon Sovereignty Drives Fragmentation and AI Power Shift
Bottom Line Up Front (BLUF): China’s accelerated push for semiconductor self-reliance is rapidly altering the global chipmaking and AI landscape. With 7nm-class chips now in production using Deep Ultraviolet (DUV) lithography and indigenous AI accelerators gaining market share, China is closing critical gaps in its semiconductor supply chain despite Western export restrictions. This marks a strategic shift toward technological decoupling, with long-term implications for national security, supply chain integrity, and AI competitiveness.
Analyst Comments: This is the most significant realignment in global semiconductor geopolitics since the U.S.-Japan chip tensions of the 1980s. China’s progress—particularly in advanced DUV-based 7nm manufacturing, memory innovation, and AI-specific silicon—demonstrates not just technical ingenuity, but strategic resilience under sanctions. Efforts by SMIC, Huawei, CXMT, and domestic equipment manufacturers are clearly coordinated to reduce dependency on U.S. and allied technologies. For security professionals and policymakers, the emergence of a parallel Chinese chip ecosystem raises critical questions: how resilient is the global supply chain to bifurcation? What happens when adversaries can deploy advanced AI hardware independent of Western fabs? This isn’t just about performance—it’s about sovereignty, survivability, and control over AI infrastructure.
READ THE STORY: Financial Content
U.S. Treasury Floats Trump $1 Coin for Semiquincentennial, Raising Legal Red Flags
Bottom Line Up Front (BLUF): U.S. Treasurer Brandon Beach has shared early designs for a proposed $1 coin featuring President Donald Trump on both sides — intended to commemorate America’s 250th anniversary in 2026. While the coin is framed as part of semiquincentennial celebrations, the move faces immediate legal obstacles: federal law prohibits the depiction of living individuals on U.S. currency.
Analyst Comments: While authorized under a 2020 law allowing commemorative $1 coins for the semiquincentennial, any depiction of a living person on U.S. legal tender violates longstanding Treasury and congressional policy. The decision to release drafts showing Trump’s likeness, including the phrase “FIGHT, FIGHT, FIGHT” referencing his rallying cry after the assassination attempt, will likely provoke political and legal backlash. Even if minted as non-circulating collectibles, the optics are provocative and unprecedented. From a cybersecurity and fraud prevention standpoint, any surge in politically charged collectibles also raises concerns around counterfeit commemoratives, scam fundraising, and misrepresentation in online marketplaces.
READ THE STORY: Forbes
Huawei Linked to Smuggling of TSMC AI Chip Dies via Intermediary, Raising Supply Chain Red Flags
Bottom Line Up Front (BLUF): Investigations by TechInsights, SemiAnalysis, and media outlets reveal Huawei acquired ~2.9 million advanced TSMC dies through an intermediary company, Sophgo, despite U.S. restrictions. The dies are powering Huawei’s Ascend 910C AI accelerators, which also integrate Samsung and SK Hynix high-bandwidth memory (HBM2E). While TSMC and Korean firms insist they cut ties years ago, Huawei’s stockpiles and covert sourcing highlight loopholes in semiconductor export controls.
Analyst Comments: Despite U.S. sanctions and restrictions dating back to 2019 (and expanded in 2024 to cover AI accelerators and HBM), Huawei continues shipping competitive AI hardware with foreign dies and memory. The intermediary channel through Sophgo illustrates how enforcement gaps enable indirect supply. For policymakers, this will intensify debates on tightening secondary export routes, scrutinizing resellers, and monitoring gray-market transfers. For competitors, Huawei’s continued access to pre-ban dies may narrow Nvidia’s and AMD’s near-term advantage in China’s AI accelerator market. However, reliance on stockpiles and outdated HBM2E suggests longer-term constraints as supply dries up and local fabs remain years behind on advanced nodes.
READ THE STORY: Crypto Rank
India’s Tech Graduate Crisis: AI, GCCs, and Offshoring Reshape IT Hiring Landscape
Bottom Line Up Front (BLUF): India’s top tech universities — including the IITs — are seeing a sharp decline in graduate placements as AI automation and a shift toward specialization hollow out traditional entry-level IT roles. Hiring of freshers by Indian tech companies has plummeted nearly 75% since FY21, while roles in AI/ML and niche product development surge. The rise of Global Capability Centers (GCCs) further accelerates the move from mass recruitment to high-skill, low-volume hiring.
Analyst Comments: This is a structural rebalancing, not a temporary slump. The high-volume campus-to-corporate IT pipeline that defined India’s tech story for two decades is breaking down under the weight of automation and skill mismatch. AI tools now perform much of the work that once justified hiring armies of freshers. GCCs and startups want specialists — not trainees. Universities are scrambling to adapt with AI-focused curricula, but the pace of change isn’t uniform. Consequently, many graduates, even from elite institutions, are jobless or underemployed. For cyber talent pipelines, this could create a longer-term scarcity of generalists, even as deep-tech and AI roles fill up fast. Expect increased reliance on bootcamps, edtech upskilling, and hybrid hiring models.
READ THE STORY: The Register
Apple Removes ICE Tracking App Amid Federal Pressure Following Violent Incident
Bottom Line Up Front (BLUF): Apple has pulled the ICEBlock app — which notified users of nearby Immigration and Customs Enforcement (ICE) agents — after U.S. Attorney General Pam Bondi cited safety risks and national security concerns. The decision follows a fatal shooting at an ICE center in Dallas, where the gunman reportedly used the app. The move has sparked renewed scrutiny over app store gatekeeping, privacy rights, and the tech sector’s role in law enforcement transparency.
Analyst Comments: The removal of ICEBlock reflects increasing government influence over private app ecosystems, especially when law enforcement safety is at stake. For cybersecurity and privacy professionals, the broader question is whether this sets a precedent for preemptive content takedowns — especially apps that crowdsource law enforcement or surveillance data. If Apple complied under political pressure without legal compulsion, it raises concerns about due process and potential overreach. The fact that the app may have been tied to a fatal attack only complicates the optics, even if causality remains unproven.
READ THE STORY: The Register
China-Linked BRICKSTORM Campaign Hits Law Firms in Covert, Long-Term Espionage Operation
Bottom Line Up Front (BLUF): Google’s Threat Intelligence Group and Mandiant have uncovered a prolonged cyber espionage campaign by a suspected China-linked group, UNC5221, targeting law firms, with potential downstream exposure to clients in insurance and finance. The attackers used a custom malware called BRICKSTORM to persist within networks for over a year, exfiltrating sensitive legal documents, emails, and access credentials — often without detection.
Analyst Comments: BRICKSTORM’s use of long dwell times, stealthy persistence, and targeting of edge devices (like VPNs and firewalls) speaks to a patient, resource-backed adversary. Law firms are attractive soft targets because of their broad access to client data and often outdated infrastructure. For the insurance industry, the implications are sharp: privileged case files, claims strategies, and confidential regulatory interactions could already be compromised. Cyber underwriters should also clock the aggregation risk — one compromised law firm may expose dozens of policyholders in a single event.
READ THE STORY: Insurance Businessman
ICE Seeks Contractors to Monitor Social Media for Immigration Enforcement Leads
Bottom Line Up Front (BLUF): U.S. Immigration and Customs Enforcement (ICE) has solicited nearly 30 contractors to mine social media and other open-source platforms for immigration enforcement leads. The effort is part of a broader push to integrate publicly available information — including from platforms like Facebook, TikTok, Reddit, and even the defunct Google+ — into investigative workflows. The program could run through 2031 and is framed to counter digital countermeasures that individuals use to evade enforcement.
Analyst Comments: This signals a renewed expansion of ICE’s open-source intelligence (OSINT) capabilities — blending commercial surveillance tools with traditional immigration enforcement. While leveraging OSINT is not new, the scale and scope of this contract suggest ICE is formalizing long-term domestic surveillance infrastructure. The continued inclusion of outdated platforms (like Google+) in solicitation documents raises concerns about technological literacy at the procurement level — but the real issue lies in the program’s potential for mission creep. Without rigorous oversight, systems built for immigration tracking could easily extend into monitoring protests, journalists, or civil society actors, as past ICE initiatives have shown. This kind of broad dragnet risks catching more than its intended targets.
READ THE STORY: The Register
1 Billion Records Allegedly Leaked in Salesforce Breach: Hackers Demand Negotiation Before Oct 10
Bottom Line Up Front (BLUF): A group calling itself Scattered LAPSUS$ Hunters claims to have breached Salesforce and exfiltrated nearly 1 billion user records containing sensitive data (SSNs, driver’s license numbers, DOBs, etc.). The attackers threaten full public release unless Salesforce negotiates by October 10, 2025. Data allegedly includes information from 39 organizations, with some leak samples posted. Salesforce denies any confirmed breach, citing social engineering attempts and no platform compromise.
Analyst Comments: Hackers allege they exploited over 100 OAuth-enabled Salesforce instances and that Salesforce failed to respond to outreach in July 2025. They reportedly provide a contact via Tuta.io email with strict validation rules to initiate negotiation. A screenshot shared on Telegram suggests Salesforce issued a security advisory citing social engineering threats, but this has not been independently verified. The group is leveraging GDPR, CCPA, and HIPAA as pressure points, claiming Salesforce has committed regulatory violations and promising forensic evidence of the attack.
READ THE STORY: Gray World (Freebuf)
Japan faces Asahi beer shortage after cyber-attack
Bottom Line Up Front (BLUF): A ransomware attack has disrupted operations at Asahi Group Holdings, Japan’s largest brewer, halting domestic distribution and call center services for over a week. While brewing continues, order fulfillment and customer service remain largely offline, forcing manual workarounds. The company has confirmed unauthorized data access but withheld details pending an ongoing investigation.
Analyst Comments: Asahi’s brewing operations survived, but the distribution chain — often heavily digitized — did not. These attacks are increasingly hitting logistics and fulfillment layers, where business continuity depends on centralized ERP, order, and communications systems. For critical supply sectors like food and beverage, cyber resilience must now include production and the “last mile” systems that deliver to market. The broader concern here is timing: Asahi is a global icon, and the attack comes amid a wave of ransomware targeting brand-heavy consumer goods firms. Retailers like 7-Eleven and FamilyMart have already reported shortages. Expect cascading impacts if restoration lags further.
READ THE STORY: BBC // The Register
Threat Group ‘Cavalry Werewolf’ Impersonates Government Officials in StallionRAT and FoalShell Campaign
Bottom Line Up Front (BLUF): A threat cluster tracked as Cavalry Werewolf is conducting a targeted phishing campaign impersonating Kyrgyz government officials to deploy StallionRAT and FoalShell malware. Using compromised or spoofed email accounts from legitimate ministries, the attackers deliver RAR-packed payloads disguised as official documents. StallionRAT leverages Telegram for C2, while FoalShell is a multi-language reverse shell with stealth execution features. The campaign reflects an advanced social engineering approach and a growing trend of RAT operators using messaging platforms for resilient C2 infrastructure.
Analyst Comments: These campaigns should be a wake-up call for orgs still lacking email authentication controls like SPF/DKIM/DMARC or automated RAR detonation. Outlook’s INetCache as a staging point and document-themed file names provide defenders with reliable hunting opportunities—but only if those paths are being monitored. Sandboxing, reputation scoring, and PowerShell telemetry must be baseline controls. The use of /go, /upload, and persistent SOCKS5 agents indicates StallionRAT is intended for long-term access and lateral movement.
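The analyst comments single out missing SPF/DKIM/DMARC as the control gap this campaign exploits. The following is an added example, not code from the advisory or from the researchers: a small grader that parses a domain's published SPF and DMARC TXT records and reports the weaknesses a defender would want to close (permissive `?all`/`+all`, `p=none`, missing reporting address, SPF lookup limit). The record strings at the bottom are constructed samples in the real record syntax; the function and constant names are this example's own.

```python
"""Added example: grade published SPF and DMARC records for common weaknesses.
Not the advisory's code; record strings below are constructed samples."""
from typing import Optional

DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208: more than 10 lookups yields permerror


def parse_spf(record: str) -> Optional[list]:
    """Return the SPF terms after the version tag, or None if not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_findings(record: Optional[str]) -> list:
    """Flag SPF weaknesses: no record, permissive 'all', too many DNS lookups."""
    terms = parse_spf(record) if record else None
    if terms is None:
        return ["no SPF record published"]
    findings = []
    all_qualifier = None
    lookups = 0
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is '+'
        body = term.lstrip("+-~?").lower()
        name = body.split(":", 1)[0].split("=", 1)[0]  # mechanism or modifier name
        if name == "all":
            all_qualifier = qualifier
        elif name in DNS_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("SPF has no 'all' term; unlisted senders evaluate neutral")
    elif all_qualifier in "+?":
        findings.append(f"SPF ends in '{all_qualifier}all'; any sender passes")
    elif all_qualifier == "~":
        findings.append("SPF softfail (~all); enforcement depends on DMARC")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF needs {lookups} DNS lookups (limit {SPF_LOOKUP_LIMIT}); permerror")
    return findings


def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_findings(record: Optional[str]) -> list:
    """Flag DMARC weaknesses: no record, monitoring-only policy, partial pct, no reporting."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ["no DMARC record published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is '{policy or 'missing'}'; spoofed mail is only reported")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC applies to only {tags['pct']}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports to detect abuse")
    return findings


def assess_domain(spf_record: Optional[str], dmarc_record: Optional[str]) -> dict:
    """Combine both checks; empty lists mean nothing to flag."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


if __name__ == "__main__":
    # Constructed sample records for a weakly and a strongly configured domain.
    print(assess_domain("v=spf1 include:_spf.example.net ?all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@example.org"))
    print(assess_domain("v=spf1 mx -all",
                        "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"))
```

Feed it the TXT records returned by your resolver for the apex domain and `_dmarc.<domain>`; a domain that comes back with an empty findings list for both still needs DKIM signing on its outbound path, which this grader cannot see from DNS alone.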
READ THE STORY: GBhackers // THN
SideWinder APT Targets South Asian Governments with Sophisticated Phishing Infrastructure
Bottom Line Up Front (BLUF): The SideWinder APT group actively targets South Asian government, defense, and maritime sectors using a sprawling credential-harvesting campaign built on fake Outlook and Zimbra webmail portals. Over 100 phishing domains—hosted on platforms like Netlify and Cloudflare Pages—have been uncovered. Victims span Pakistan, Nepal, Bangladesh, Sri Lanka, Myanmar, and potentially Singapore. The operation demonstrates high persistence and infrastructure reuse, with JavaScript-based phishing kits, multi-stage redirects, and CSRF-based session tracking.
Analyst Comments: SideWinder remains one of South Asia’s most prolific and regionally aggressive APTs. Their playbook—weaponizing free hosting platforms, spoofing government infrastructure, and rotating domains frequently—is cheap, fast, and effective. This latest operation goes beyond basic phishing: it incorporates open directories hosting malware, maritime-targeted lures, and infrastructure overlap that links campaigns across at least five countries. The campaign is likely state-aligned given its focus on defense procurement, naval operations, and strategic ministries.
READ THE STORY: GBhackers
Command Injection in B-Link X26 Router Enables Remote Code Execution via Web Interface (CVE-2025-9580)
Bottom Line Up Front (BLUF): Researchers from Yijing Technology discovered a command injection vulnerability (CVE-2025-9580) in the B-Link X26 router (firmware v1.2.8). The flaw allows authenticated remote attackers to execute arbitrary commands on the device by exploiting unsafe parameter handling in a web service endpoint. Attackers gaining access could fully compromise the router and pivot into the internal network. Exploitation is straightforward and confirmed on real hardware.
Analyst Comments: The vulnerability resides in the /set_hidessid_cfg handler within the goahead binary. User-supplied values for the type and enable parameters are passed unchecked into the bs_SetSSIDHide function and ultimately used in unsafe command execution. The core web interface logic is embedded in goahead, with the command execution logic found in the linked libshare.so.0 library. Researchers confirmed exploitation by sending a crafted HTTP POST request and observing successful payload execution on a physical B-Link X26 router. The issue has been reported and assigned CVE-2025-9580, but the vendor had issued no fix at the time of publication.
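The bug class described here is request parameters flowing into a shell command without validation. As an added example, not the router's firmware or the researchers' code, the block below puts that vulnerable shape next to a hardened handler. Only the parameter names `type` and `enable` come from the advisory; the `ssidctl` helper path, the allowed radio identifiers, and the function names are hypothetical stand-ins for whatever the real firmware calls.

```python
"""Added example: the command-injection pattern the advisory describes and
its hardened form. Binary path, radio identifiers and functions are hypothetical."""
import subprocess
from typing import Callable, Mapping, Optional

SSIDCTL = "/usr/sbin/ssidctl"    # hypothetical helper binary, not the router's real one
ALLOWED_TYPES = {"2g", "5g"}     # hypothetical radio identifiers
ALLOWED_ENABLE = {"0", "1"}


def vulnerable_command(params: Mapping[str, str]) -> str:
    """Vulnerable pattern: both parameters are interpolated into one command
    string that a system()-style call would hand to /bin/sh. Any shell
    metacharacter in either value becomes part of the command."""
    return f"{SSIDCTL} --radio {params.get('type', '')} --hidden {params.get('enable', '')}"


def contains_shell_metachars(command: str) -> bool:
    """Crude tell for the vulnerable builder: separators or substitutions present."""
    return any(ch in command for ch in ";|&`$\n")


def hardened_argv(params: Mapping[str, str]) -> list:
    """Hardened pattern: allow-list both values, then build an argv list so
    no shell ever parses them. Raises ValueError on anything unexpected."""
    ssid_type = params.get("type", "")
    enable = params.get("enable", "")
    if ssid_type not in ALLOWED_TYPES:
        raise ValueError(f"rejected type parameter: {ssid_type!r}")
    if enable not in ALLOWED_ENABLE:
        raise ValueError(f"rejected enable parameter: {enable!r}")
    return [SSIDCTL, "--radio", ssid_type, "--hidden", enable]


def rejection_reason(params: Mapping[str, str]) -> Optional[str]:
    """None if the request would be accepted, else the validation error text."""
    try:
        hardened_argv(params)
    except ValueError as exc:
        return str(exc)
    return None


def set_hidden_ssid(params: Mapping[str, str], runner: Callable = subprocess.run):
    """Handler body: validate, then execute without a shell. `runner` is
    injectable so the dispatch can be exercised without the real binary."""
    argv = hardened_argv(params)
    return runner(argv, shell=False, check=True, timeout=5)


if __name__ == "__main__":
    # Constructed request bodies: a normal one and one carrying a benign injected echo.
    normal = {"type": "2g", "enable": "1"}
    injected = {"type": "2g", "enable": "1; echo injected"}
    print(vulnerable_command(injected), "->", contains_shell_metachars(vulnerable_command(injected)))
    print(hardened_argv(normal))
    print(rejection_reason(injected))
```

The important ordering is validation before any command construction, and an argv list rather than a string: with `shell=False` the value `"1; echo injected"` can only ever arrive as one literal argument, which the allow-list rejects anyway. The same two rules apply in the C handlers that embedded web servers typically use (validate against a fixed set, then `execve` with an argv array instead of `system`).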
READ THE STORY: Yijing Tech (Freebuf)
Grafana CVE-2021-43798 Exploited in Coordinated Global Scan Targeting U.S., Slovakia, and Taiwan
Bottom Line Up Front (BLUF): On September 28, a surge in exploitation attempts against Grafana’s path traversal vulnerability (CVE-2021-43798) was detected. Over 100 unique IPs—primarily from Bangladesh—targeted servers in the U.S., Slovakia, and Taiwan. The attacks show strong signs of coordination, including uniform traffic ratios and shared tool fingerprints. This renewed interest in a known flaw underscores the persistent threat posed by unpatched enterprise software.
Analyst Comments: Old bugs don’t die—they just come back with better tooling. CVE-2021-43798 is a three-year-old directory traversal bug, yet it remains a go-to exploit for mass scans and recon phases in multi-stage intrusions. What makes this incident stand out isn’t the vulnerability itself, but the campaign’s structure: 110 IPs spun up and deployed in a single day, with precise targeting ratios and matching tooling across disparate regions. That’s not random noise—that’s orchestration.
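The analyst point is that the interesting signal is the campaign's structure rather than the old bug, which is exactly what web-log analytics can surface. The following is an added example, not code from the report or from Grafana: detection logic for CVE-2021-43798-style traversal requests run over constructed access-log lines in combined log format, with a per-IP and per-user-agent summary so a many-IPs-one-tool scan stands out. The IPs, timestamps and user agents are constructed; only the `/public/plugins/<id>/` path shape comes from the CVE.

```python
"""Added example: detect plugin-directory traversal requests in Grafana access
logs and summarize by source and tooling. Log lines are constructed samples."""
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

PLUGIN_PREFIX = "/public/plugins/"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def decode_path(raw: str) -> str:
    """Drop the query string and percent-decode up to twice, so %2e%2e and
    %252e%252e both resolve to '..' the way a lenient server would see them."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_plugin_traversal(raw_path: str) -> bool:
    """True when a /public/plugins/<id>/... request resolves outside that
    plugin's own directory, which is the shape of CVE-2021-43798 abuse."""
    path = decode_path(raw_path)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, sep, tail = path[len(PLUGIN_PREFIX):].partition("/")
    if not sep or not plugin_id or not tail:
        return False
    plugin_dir = PLUGIN_PREFIX + plugin_id + "/"
    resolved = posixpath.normpath(plugin_dir + tail)
    return not resolved.startswith(plugin_dir)


def analyze(lines) -> dict:
    """Parse lines, keep traversal hits, and count them by source IP and
    user agent; one UA across many IPs is the coordination tell."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        if is_plugin_traversal(match["path"]):
            hits.append({"ip": match["ip"], "path": match["path"],
                         "status": match["status"], "ua": match["ua"]})
    return {
        "hits": hits,
        "per_ip": Counter(h["ip"] for h in hits),
        "user_agents": Counter(h["ua"] for h in hits),
    }


SAMPLE_LOG = [  # constructed sample lines, RFC 5737 documentation addresses
    '203.0.113.10 - - [28/Sep/2025:10:01:02 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1544 "-" "python-requests/2.31"',
    '203.0.113.10 - - [28/Sep/2025:10:01:03 +0000] "GET /public/plugins/welcome/../../../../../../etc/hostname HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [28/Sep/2025:10:01:05 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1544 "-" "python-requests/2.31"',
    '192.0.2.44 - - [28/Sep/2025:10:02:00 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 8821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
    '192.0.2.44 - - [28/Sep/2025:10:02:01 +0000] "GET /api/health HTTP/1.1" 200 41 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"',
]

if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(len(summary["hits"]), "traversal requests")
    print(summary["per_ip"])
    print(summary["user_agents"])
```

Two details matter in practice: decode before normalizing, because encoded dots are how scanners slip past naive `..` string matches, and flag on the request regardless of status code, since a 200 on a traversal path means the host is unpatched and a 404 still records who is probing. A reverse proxy that normalizes paths before logging will hide the raw traversal, so run this against the origin's own log when you can.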
READ THE STORY: GBhackers
CVE-2025-38352: Linux/Android Kernel TOCTOU Race Condition Exploited in the Wild
Bottom Line Up Front (BLUF): A newly disclosed zero-day vulnerability in the Linux and Android kernel (CVE-2025-38352) exposes systems to potential privilege escalation and kernel crashes. Rooted in a Time-of-Check to Time-of-Use (TOCTOU) race condition within the posix-cpu-timers.c file, the flaw affects systems using POSIX CPU timers — a critical component for performance tracking and resource control. Google disclosed the issue in its September 2025 Android security bulletin, with indicators of active exploitation in targeted attacks.
Analyst Comments: CVE-2025-38352 exemplifies the persistent risk of subtle race conditions in kernel-level code — especially in multi-threaded environments like Android and Linux. The vulnerability lies in how two threads can simultaneously interact with CPU timers: one attempting to delete a timer, while another processes it. This opens a window for use-after-free conditions, potentially allowing attackers to corrupt memory or escalate privileges. Notably, even with CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y enabled, researchers could trigger crashes — highlighting that traditional mitigations are insufficiently reliable. With active exploitation reported, patching should be prioritized, especially for Android OEMs and Linux distributions supporting containerized or multi-user workloads.
READ THE STORY: Bai6 (Freebuf)
Goldman Sachs Warns AI May Hit Data Wall Without Enterprise Access
Bottom Line Up Front (BLUF): Goldman Sachs analysts say AI development is running out of quality training data, with some models now relying on synthetic or AI-generated content. This risky move could lead to “model collapse.” The subsequent growth phase hinges on unlocking proprietary enterprise data hidden behind firewalls. Without this, the quality of generative AI outputs could stagnate or degrade.
Analyst Comments: Models trained on internet-scale data are bumping into limits of quality and redundancy, and using AI-generated content to train new models introduces feedback-loop risks that degrade accuracy and utility over time. The enterprise sector holds the last major untapped reserve of high-signal data — but it’s messy, siloed, and often poorly labeled. The challenge isn’t just access; it’s normalization, governance, and trust. Enterprises that can clean, structure, and ethically operationalize their proprietary data will be best positioned to define the next generation of AI capabilities. For security and compliance teams, the push to unlock internal data also demands a reevaluation of privacy, consent, and data lineage — especially as more LLMs are embedded into workflows.
READ THE STORY: The Register
China-Linked Threat Actors Target Cisco Firewalls in UK Corporate Networks
Bottom Line Up Front (BLUF): The UK’s National Cyber Security Centre (NCSC) has issued urgent alerts to major businesses regarding active exploitation of vulnerabilities in Cisco firewall devices, with strong indicators pointing to a China-linked APT group. The attackers are deploying stealthy bootkits to maintain persistent access, prompting some organizations — including a confirmed case — to remove devices physically. Cisco has released patches and attributes the activity to the same state-sponsored group behind the 2024 “Arcane Door” campaign.
Analyst Comments: Firewalls, VPNs, and routers remain ideal entry points for state-aligned actors due to their privileged network position and often-poor visibility from EDR solutions. Using bootkits signals a high level of sophistication, granting long-term, low-detection access — suitable for espionage or staging future attacks. With multiple high-profile UK firms already impacted (Marks & Spencer, JLR), defenders should assume compromise if running unpatched Cisco ASA or Firepower appliances. The NHS warning underscores the potential impact on critical infrastructure, even if no breaches are confirmed yet.
READ THE STORY: The Times
Items of interest
ChkUp Reveals Widespread Firmware Update Flaws Across 12,000 Embedded Devices
Bottom Line Up Front (BLUF): Researchers from Washington University, Tsinghua University, and George Mason have developed ChkUp, a novel static-dynamic analysis framework that exposes firmware update vulnerabilities across embedded systems. Analyzing over 12,000 firmware images, ChkUp uncovered dozens of critical and previously unknown flaws—leading to 25 CVEs and 1 PSV ID. Most issues stemmed from missing or improperly implemented verification of firmware authenticity, integrity, freshness, and compatibility.
Analyst Comments: ChkUp fills a long-standing blind spot in firmware security: the update logic. Most firmware security tools focus on memory safety or static code bugs, ignoring the sprawling and often undocumented update paths involving web UIs, shell scripts, binaries, and IPC mechanisms. This research shows how widespread and dangerous weak update flows are in real-world devices—particularly the use of MD5 for integrity checks, missing signature verification, or incorrectly validating version strings. These aren’t just minor oversights; they’re systemic security design failures that enable rollback attacks, malicious firmware injection, and device hijacking.
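The four properties ChkUp checks for (authenticity, integrity, freshness, compatibility) map onto four concrete checks in an updater. The block below is an added example, not the ChkUp authors' code or any vendor's updater: a firmware verifier that performs all four in the right order, next to the MD5-only pattern the research flagged, and with the numeric version comparison that string comparison gets wrong. The signing key, manifest fields and device record are constructed for the demo, and an HMAC stands in for the asymmetric signature a real device would verify against a public key held in ROM.

```python
"""Added example: a firmware update verifier with the four checks ChkUp looks
for, beside the weak MD5-only pattern. Key, manifest and device are constructed;
HMAC stands in for a public-key signature."""
import hashlib
import hmac
import json
from typing import Optional

DEMO_VENDOR_KEY = b"constructed-demo-signing-key"  # constructed, not a real key


class UpdateRejected(Exception):
    """Carries the reason an image was refused."""


def canonical_bytes(manifest: dict) -> bytes:
    # Deterministic serialization so the signature covers exactly these fields.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = DEMO_VENDOR_KEY) -> str:
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def parse_version(text: str) -> tuple:
    """Numeric tuple comparison; a plain string compare ranks '1.9.0' above
    '1.10.0'. Malformed strings are rejected rather than guessed at."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        raise UpdateRejected(f"malformed version string {text!r}")
    return parts


def md5_of(image: bytes) -> str:
    return hashlib.md5(image).hexdigest()


def weak_verify(image: bytes, expected_md5: str) -> bool:
    """The pattern ChkUp flagged: an unauthenticated MD5 over the image. Whoever
    can alter the image can also ship the matching digest, so this proves
    neither origin nor freshness, only that the download was not truncated."""
    return md5_of(image) == expected_md5


def verify_update(image: bytes, manifest: dict, signature: str, device: dict,
                  key: bytes = DEMO_VENDOR_KEY) -> bool:
    # 1. Authenticity first: nothing in the manifest is trusted until the
    #    signature over it checks out (constant-time compare).
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        raise UpdateRejected("manifest signature invalid")
    # 2. Integrity: the image must match the digest the signed manifest names.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), manifest["sha256"]):
        raise UpdateRejected("image digest does not match signed manifest")
    # 3. Freshness: refuse rollback to an equal or older version.
    if parse_version(manifest["version"]) <= parse_version(device["version"]):
        raise UpdateRejected(f"rollback refused: {manifest['version']} <= {device['version']}")
    # 4. Compatibility: model and hardware revision must match this device.
    if manifest["model"] != device["model"] or device["hw_rev"] not in manifest["hw_revs"]:
        raise UpdateRejected("image is not built for this model/hardware revision")
    return True


def check_update(image, manifest, signature, device, key=DEMO_VENDOR_KEY) -> Optional[str]:
    """None if the update is accepted, else the rejection reason."""
    try:
        verify_update(image, manifest, signature, device, key)
    except UpdateRejected as exc:
        return str(exc)
    return None


def build_release(image: bytes, version: str, model: str, hw_revs: list,
                  key: bytes = DEMO_VENDOR_KEY) -> tuple:
    """Vendor side of the demo: a signed manifest for an image."""
    manifest = {"model": model, "hw_revs": hw_revs, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


if __name__ == "__main__":
    device = {"model": "demo-router", "hw_rev": "B", "version": "1.9.0"}  # constructed
    image = b"constructed firmware image bytes"                            # constructed
    manifest, sig = build_release(image, "1.10.0", "demo-router", ["A", "B"])
    print(check_update(image, manifest, sig, device))             # None: accepted
    print(check_update(image + b"\x00", manifest, sig, device))   # digest mismatch
```

The ordering is the design point: signature before anything else, so the digest, version and model fields used by the later checks are themselves authenticated; a verifier that checks the version string first is reasoning about attacker-supplied data. On a real device the HMAC becomes a signature check against a public key in immutable storage, and the anti-rollback counter should live somewhere the update process itself cannot rewrite.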
READ THE STORY: The Record
USENIX Security ‘24 - Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities (Video)
FROM THE MEDIA: Ransomware, espionage, and nation-state cyber threats are colliding in dangerous new ways. In this episode of Cyber Focus, host Frank Cilluffo sits down with Cynthia Kaiser, senior vice president at Halcyon and former deputy assistant director for cyber at the FBI.
Finding Vulnerabilities in IoT Firmware (Video)
FROM THE MEDIA: Heath Adams (The Cyber Mentor) demonstrates practical firmware analysis for IoT devices using a deliberately vulnerable OpenWrt image (OWASP IoTGoat). He shows manual techniques (binwalk → dd → unsquashfs → filesystem review) and automated analysis with the BugProve/BugProof platform (free tier available), including zero-day hunting on extracted binaries.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.