Saturday, Mar 03, 2025 // (IG): BB // GITHUB // SN R&D
Farm and Food Cybersecurity Act Reintroduced to Protect U.S. Food Supply Chain
Bottom Line Up Front (BLUF): U.S. lawmakers have reintroduced the Farm and Food Cybersecurity Act, aimed at addressing cybersecurity vulnerabilities within the agricultural sector. The bipartisan legislation mandates biennial cybersecurity threat assessments and annual cross-sector crisis simulations involving the Departments of Agriculture, Homeland Security, Health and Human Services, and the intelligence community. The bill seeks to bolster cybersecurity defenses across farms, food processing facilities, and supply chains, recognizing that food security is a matter of national security.
Analyst Comments: The increasing digitization of agriculture—through precision farming, automated supply chains, and IoT-enabled infrastructure—has made the sector a growing target for cyber threats. Attacks such as the 2021 Russian cyberattack on JBS Foods, which disrupted U.S. meat processing, highlight the urgency of these protections. The bill represents a crucial step toward public-private collaboration in securing the nation's food supply. Still, its success will depend on sustained funding, regulatory enforcement, and industry-wide adoption of cybersecurity best practices. Given the role of China, Russia, and other adversarial nations in cyber-enabled economic espionage, the legislation also serves as a strategic countermeasure to foreign cyber influence in critical infrastructure.
FROM THE MEDIA: The Farm and Food Cybersecurity Act is supported by industry groups, including the U.S. Chamber of Commerce, the National Cattlemen’s Beef Association, and the American Farm Bureau Federation. The bill is spearheaded by Representatives Brad Finstad (R-MN), Jill Tokuda (D-HI), Don Bacon (R-NE), and Sharice Davids (D-KS), with companion legislation introduced in the Senate by Tom Cotton (R-AR) and Elissa Slotkin (D-MI). Lawmakers stress the growing cyber threats to food production and distribution networks, with Senator Slotkin specifically citing concerns over Chinese cyber activities. The legislation mandates a national-level approach to food sector cybersecurity, including developing predictive threat intelligence models and joint resiliency exercises between government agencies and private entities. Industry stakeholders have primarily praised the bill, emphasizing its role in strengthening critical infrastructure resilience.
READ THE STORY: Industrial
Chinese Hackers Exploit Check Point VPN Vulnerability to Deploy ShadowPad Malware
Bottom Line Up Front (BLUF): Chinese state-sponsored hackers have exploited a previously patched Check Point VPN vulnerability (CVE-2024-24919) to infiltrate organizations across multiple continents. The attackers used stolen VPN credentials to gain access, later deploying the ShadowPad malware and, in some cases, NailaoLocker ransomware. The campaign, active between June 2024 and January 2025, primarily targeted the manufacturing sector. Organizations that have not applied Check Point’s May 2024 security patch remain at risk.
Analyst Comments: ShadowPad, a sophisticated modular malware linked to Chinese threat actors, has been used in multiple cyber espionage operations. The attackers’ focus on manufacturing suggests a strategic interest in intellectual property and supply chain disruption. The incidental use of NailaoLocker ransomware raises concerns that cybercriminal groups may leverage state-sponsored intrusions for financial gain. Organizations should prioritize patch management, enhance VPN security with multi-factor authentication (MFA), and monitor for indicators of compromise (IOCs).
FROM THE MEDIA: Cybersecurity researchers revealed that Chinese hackers exploited CVE-2024-24919, a vulnerability in Check Point’s security gateways, to steal VPN credentials and access corporate networks. Once inside, they conducted reconnaissance and lateral movement using Remote Desktop Protocol (RDP) and Server Message Block (SMB). The attackers used DLL sideloading techniques with executables like FXSSVC.exe to deploy ShadowPad malware, a backdoor with advanced stealth capabilities. Some infections also resulted in the deployment of NailaoLocker ransomware. The attacks were primarily observed in manufacturing companies across Germany, Brazil, South Africa, and India, aligning with previous Chinese cyber espionage patterns. Check Point has urged customers to apply the May 2024 security update and implement additional security measures such as MFA and VPN monitoring.
READ THE STORY: GBhackers
Ransomware Criminals Exploit CISA's KEV List to Enhance Attack Strategies
Bottom Line Up Front (BLUF): GreyNoise reveals that 28% of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog were actively used in ransomware attacks in 2024. While the KEV list aims to improve patching efforts, it has inadvertently become a resource for cybercriminals, offering a roadmap for targeting critical weaknesses. Older vulnerabilities—some dating back to the 1990s—are still being exploited, particularly in home routers and enterprise security products.
Analyst Comments: The KEV list serves as an essential public database for cybersecurity defenders, but its unintended utility for attackers underscores the risks of making exploit intelligence widely accessible. Cybercriminals and state-sponsored threat actors can use this list to prioritize targets and develop ransomware campaigns. The continued exploitation of legacy vulnerabilities highlights the failure of organizations to enforce rigorous patching policies, exposing critical infrastructure. Ivanti, D-Link, and VMware were identified as vulnerable vendors due to delayed patching and security lapses. Given these findings, organizations should move beyond reactive patching and adopt proactive threat-hunting, network segmentation, and zero-trust principles to mitigate ransomware risks.
FROM THE MEDIA: While the KEV list is intended to help organizations prioritize patching, it has also become a roadmap for cybercriminals, enabling them to refine their attack strategies. Older vulnerabilities, some dating back to the 1990s, remain heavily exploited, particularly in home routers and enterprise security solutions. Attackers have leveraged KEV-listed flaws like CVE-2024-50623 (RCE in Cleo Harmony) and CVE-2024-1212 (Command Execution in Kemp LoadMaster), sometimes exploiting them months before their inclusion in the KEV catalog. Other long-standing issues, such as CVE-2018-10561 (Dasan GPON routers) and CVE-2014-8361 (Realtek SDK SOAP Service), continue facilitating DDoS attacks and cryptojacking. The report also criticizes Ivanti, D-Link, and VMware for delayed patching and poor security response, urging organizations to reconsider their reliance on these vendors due to their history of slow mitigation efforts.
READ THE STORY: The Register
Trump Administration Curtails U.S. Cyber Operations Against Russia
Bottom Line Up Front (BLUF): Defense Secretary Pete Hegseth has ordered U.S. Cyber Command to halt all planning and operations against Russia, signaling a dramatic shift in U.S. cyber policy. The move aligns with broader efforts by the Trump administration to normalize relations with Moscow, raising concerns about national security and the protection of U.S. and allied networks from Russian cyber threats.
Analyst Comments: This shift marks a significant departure from previous U.S. policy, which identified Russia as a top-tier cyber threat alongside China and Iran. By sidelining Cyber Command’s efforts against Russian cyber actors, the administration risks exposing critical infrastructure, government networks, and private-sector entities to increased cyber threats. Additionally, this decision could weaken U.S. support for Ukraine, where Cyber Command had been assisting in digital defense efforts. The long-term consequences of this policy change remain uncertain. Still, adversaries like Russia may perceive it as a sign of reduced deterrence, potentially emboldening further cyber operations against the West.
FROM THE MEDIA: According to multiple sources, Hegseth issued the directive to Cyber Command chief Gen. Timothy Haugh, who then relayed it to Marine Corps Maj. Gen. Ryan Heritage, the outgoing director of operations. While the full extent of the stand-down remains unclear, the order does not impact the NSA’s signals intelligence work targeting Russia. This move is part of a broader administration effort to improve ties with Moscow, which has included controversial rhetoric from President Trump that aligns with Russian President Vladimir Putin’s narratives. Cyber Command is now compiling a risk assessment detailing halted operations and potential threats still emanating from Russia. Meanwhile, concerns grow over the impact on Ukraine and global cybersecurity, as Russia remains a hub for state-linked cybercriminal groups. The Pentagon declined to provide further details, citing operational security.
READ THE STORY: The Guardian // The Record
Microsoft Warns AI Export Restrictions Could Benefit China
Bottom Line Up Front (BLUF): Microsoft is urging the Trump administration to ease AI export restrictions imposed under Biden, arguing that the rules hinder U.S. companies from expanding AI infrastructure in allied nations. Microsoft President Brad Smith warns that the restrictions could drive countries toward Chinese AI providers, undermining U.S. technological leadership. Other tech giants, including Amazon and Nvidia, have echoed similar concerns, arguing that these limitations weaken American competitiveness.
Analyst Comments: The core issue here is balancing national security with economic and technological leadership. The AI Diffusion Rule aims to limit the spread of advanced AI technology to potentially adversarial nations, but its broad restrictions also affect key U.S. allies like Israel, Singapore, and Saudi Arabia. If these countries cannot access American AI infrastructure, they may turn to Chinese alternatives, accelerating Beijing’s influence in global AI markets. While safeguarding AI advancements is critical, a more refined policy—distinguishing between strategic competitors like China and trusted allies—could prevent unnecessary economic losses while maintaining security objectives. If the U.S. does not supply AI technology to its partners, will China fill the gap?
FROM THE MEDIA: Microsoft’s Brad Smith criticized the Biden-era AI Diffusion Rule for restricting AI chip exports and data center expansion in key international markets. The rule, set to take effect in May 2025, places strict caps on AI-related exports to various nations, entirely blocking China, Russia, and Iran while limiting access to countries such as Singapore, Israel, and the UAE. Smith argues that these measures put American firms at a disadvantage, particularly in cloud computing, by pushing customers toward alternative AI providers, likely from China. Amazon CEO Andy Jassy and Nvidia VP Ned Finkle have also spoken out, warning that the restrictions could “weaken America’s global competitiveness” without meaningfully addressing security risks. The U.S. Department of Commerce has not indicated whether the rule will be revised.
READ THE STORY: The Register
Cellebrite’s Zero-Day Exploit Used to Unlock Serbian Activist’s Android Device
Bottom Line Up Front (BLUF): Amnesty International has reported that a 23-year-old Serbian activist’s Android phone was compromised using a zero-day exploit developed by Cellebrite. The exploit, which targeted USB drivers in the Linux kernel, enabled authorities to bypass the device’s lock screen. The vulnerability (CVE-2024-53104) was patched in December 2024, but related flaws (CVE-2024-53197 and CVE-2024-50302) remain unaddressed in Android. Cellebrite has since announced it will stop providing its software to Serbia amid concerns about misuse.
Analyst Comments: While Cellebrite markets its technology as a law enforcement aid, incidents like this demonstrate the risk of such tools being misused by authoritarian-leaning regimes. The exploitation of Android’s USB attack surface underscores the need for stronger device security measures, including limiting the scope of legacy drivers and enhancing physical access protections. Cellebrite’s decision to halt sales to Serbia is notable but raises questions about how the company ensures ethical use of its tools worldwide.
FROM THE MEDIA: According to Amnesty International, Serbian authorities used Cellebrite’s exploit chain to unlock and access data from a Samsung Galaxy A32 owned by a student protester in Belgrade on December 25, 2024. The exploit leveraged CVE-2024-53104, a privilege escalation flaw in the USB Video Class (UVC) driver, along with two additional vulnerabilities in the Linux kernel. Authorities allegedly attempted to install an unidentified Android application, raising concerns that spyware similar to NoviSpy may have been deployed. Amnesty first discovered traces of this exploit in mid-2024, suggesting broader use beyond this case. In response, Cellebrite denied facilitating offensive cyber activities and announced it would suspend sales to Serbia. However, the company did not specify what measures it would take to prevent similar misuse in other countries.
READ THE STORY: THN
Elon Musk’s DOGE Initiative Gains Unprecedented Access to U.S. Government Systems
Bottom Line Up Front (BLUF): Elon Musk’s Department of Government Efficiency (DOGE) has rapidly taken control of key U.S. government systems, including those at the Office of Personnel Management (OPM), USAID, and the Treasury Department. DOGE programmers have accessed sensitive employee and financial records while overseeing mass layoffs across federal agencies. The initiative, backed by the Trump administration, has sparked controversy, with critics warning of security risks and a lack of oversight.
Analyst Comments: The scale and speed of DOGE’s actions raise serious cybersecurity and governance concerns. The sudden incursion into federal systems without traditional vetting or oversight leaves critical government data vulnerable to misuse or cyber threats. While Musk and the Trump administration argue this is necessary to eliminate inefficiencies, critics warn of potential legal challenges and national security risks. Additionally, DOGE’s ability to operate with little transparency could lead to long-term structural disruptions in federal operations. Organizations reliant on government contracts or partnerships should prepare for potential instability.
FROM THE MEDIA: DOGE programmers—some with ties to Musk’s companies—gained access to OPM’s personnel database with the help of newly appointed acting director Chuck Ezell. DOGE had infiltrated additional agencies within hours, including USAID, the IRS, and Medicare/Medicaid systems. Federal workers in diversity and clean-energy programs were among the first to be dismissed. At USAID, DOGE officials demanded real-time access to financial management systems, resulting in employees being locked out. The initiative has triggered widespread fear among government employees, with some alleging surveillance and unauthorized system modifications. While DOGE claims its mission is to root out waste and fraud, critics argue the lack of transparency and accountability seriously threatens national security and governance.
READ THE STORY: WSJ
Hacktivist Groups Evolve into Powerful Tools for State-Sponsored Cyber Operations
Bottom Line Up Front (BLUF): Hacktivist groups, once known for defacing websites and launching DDoS attacks, have evolved into sophisticated cyber warfare tools. Recent research reveals that nation-states are increasingly using these groups as proxies to conduct large-scale cyber campaigns, blurring the line between grassroots activism and government-directed operations. By leveraging advanced attribution techniques, researchers have uncovered hidden connections between hacktivist groups and state-sponsored threat actors, particularly in conflicts involving Russia, Ukraine, and the Middle East.
Analyst Comments: The growing state involvement in hacktivism presents new challenges for cybersecurity professionals, governments, and intelligence agencies. Unlike traditional cyber warfare, hacktivist operations provide plausible deniability for states while still allowing them to disrupt adversaries and influence global narratives. Advanced techniques such as topic modeling and stylometric analysis have been crucial in attributing these campaigns to nation-state actors. However, the rapid adaptability of hacktivist groups—creating new personas, reactivating dormant ones, and leveraging social media—makes it increasingly difficult to track their activities. As this trend continues, governments and private-sector cybersecurity teams must enhance their threat intelligence capabilities to counteract state-backed hacktivist influence operations.
FROM THE MEDIA: These groups have been involved in cyberattacks on critical infrastructure and the spread of propaganda tied to geopolitical conflicts, such as the Russian invasion of Ukraine and the Israel-Hamas war. CPR analyzed over 20,000 social media messages using BERTopic frameworks, revealing that these groups strategically timed their attacks to coincide with key geopolitical events. Further linguistic analysis uncovered stylistic overlaps between hacktivist groups and known Advanced Persistent Threat (APT) units, such as APT44, suggesting direct state involvement. As these groups continue to evolve, cybersecurity researchers are working to refine attribution techniques and improve detection methods to mitigate their impact.
READ THE STORY: GBhackers
Silver Fox APT Deploys Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations
Bottom Line Up Front (BLUF): The Silver Fox APT group has launched a phishing campaign targeting Taiwanese organizations with the Winos 4.0 malware disguised as official tax documents. This malware, a variant of Gh0st RAT, is used for surveillance, keylogging, and data exfiltration. Researchers note overlaps with ValleyRAT, another Chinese-origin remote access trojan (RAT). The campaign highlights China-linked cyber espionage activity against Taiwan amid ongoing geopolitical tensions.
Analyst Comments: The use of tax-related phishing lures suggests an effort to exploit financial and corporate networks. The reliance on Gh0st RAT derivatives indicates that Chinese state-sponsored actors continue to evolve their malware while leveraging proven cyber espionage tactics. Given its strategic significance in semiconductors, defense, and global trade, Taiwan remains a key target for Chinese cyber operations. Organizations in the region must prioritize advanced endpoint detection, email security measures, and threat-hunting capabilities to counter these intrusions.
FROM THE MEDIA: Researchers at Fortinet FortiGuard Labs discovered that Silver Fox APT is using phishing emails posing as Taiwan’s National Taxation Bureau, urging recipients to download fake tax inspection lists. The malicious attachment contains a ZIP file with a DLL payload ("lastbld2Base.dll"), which executes shellcode to fetch Winos 4.0 from a command-and-control (C2) server (206.238.221[.]60). A second attack vector targeted WeChat and online banking users, indicating a broader financial cyber espionage effort. The malware also employs the Nidhogg rootkit for stealth and leverages CleverSoar installers to restrict infections to Chinese- and Vietnamese-language systems, suggesting China-focused threat actor intent.
READ THE STORY: THN
Items of interest
Rethinking Cyber Strategy: Does Standing Down on Russia Benefit the U.S.?
Defense Secretary Pete Hegseth’s order for U.S. Cyber Command (CYBERCOM) to halt offensive cyber planning against Russia is a bold shift in strategy. The Trump administration argues that this move could de-escalate tensions with Moscow, free up resources for more pressing cyber threats, and even create room for potential cooperation. However, this raises critical questions: Why extend this approach to Russia, not China? Can this strategy enhance U.S. cybersecurity, or does it simply weaken deterrence? And with the U.S. reducing its cyber posture against Russia, what does this signal to Ukraine and European allies?
Analyst Comments: At face value, this decision appears to be about prioritization. Given its extensive espionage campaigns, intellectual property theft, and influence operations, the administration sees China as a more strategic cyber adversary. Redirecting CYBERCOM’s focus could allow the U.S. to concentrate its cyber resources where they are most needed. However, this approach assumes that Russia will not take advantage of the reduced U.S. cyber posture, an assumption that contradicts historical precedent. Russian state-linked hackers have repeatedly engaged in cyber espionage, ransomware attacks, and election interference. This strategy could backfire if de-escalation with Moscow does not lead to restraint but instead emboldens Russian cyber actors. The geopolitical optics of this move are concerning. Standing down against Russia while simultaneously reducing military and cyber support for Ukraine may signal a broader realignment that could erode U.S. influence in Eastern Europe. While some argue this could push European allies to take greater responsibility for countering Russian cyber threats, history suggests that NATO and the EU have primarily relied on U.S. cyber leadership. If European allies do not fill the gap, the result could be greater vulnerability to Russian cyber operations, not just for the U.S. but for its partners.
FROM THE MEDIA: Last week, Hegseth instructed CYBERCOM to halt cyber operations targeting Russia, a move reportedly intended to support broader diplomatic efforts to normalize relations with Moscow. The NSA will continue intelligence-gathering, but the stand-down removes an active deterrent against Russian cyber threats. The administration maintains that this decision aligns with its strategic priorities, allowing CYBERCOM to focus on other threats, such as China and Mexican drug cartels. However, critics warn that this could embolden Russian cyber actors, expose U.S. infrastructure to more significant risks, and weaken the U.S. position in Eastern Europe, particularly in Ukraine. The Pentagon has not provided details on how long this policy will remain in effect or what criteria would trigger a reassessment.
READ THE STORY: CEPA
How Russian Hackers Stole $100M from US Banks | Cyberwar (Video)
FROM THE MEDIA: Russian cybercrime is big business – and some say hackers get a pass when they work double duty for Putin and his geopolitical ambitions.
Trump’s Dangerous Tango with Putin (Video)
FROM THE MEDIA: The Tango is a complicated dance often associated with passion, with no room for missteps. U.S. President Donald Trump’s engagement with Russian President Vladimir Putin is also complicated on multiple levels, and missteps here could be deadly. Will Trump’s efforts to court the Russian leader with charm lead to the result the U.S. is looking for after Putin’s deadly war in Ukraine? The Cipher Brief asked former senior CIA Officer and former Station Chief Dan Hoffman for his take on the risks of dancing with Putin.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.