Cyber Security Headlines – July 16, 2025

Hosted by Hadas Kasorla for the CISO Series

Pentagon’s Risky Collaboration with Chinese Engineers

[00:00]

In a controversial move, the Pentagon has integrated Chinese engineers into its operational environment, sparking significant security concerns. Hadas Kasorla highlights this arrangement as "an unfortunate case of the fox guarding the henhouse." According to a ProPublica report, these foreign engineers provide backend support while operating through digital escorts within the US. However, these escorts often "lack the technical skills to detect malicious code or misuse," posing a substantial national security risk. Despite internal warnings from Microsoft staff, the Pentagon proceeded with this collaboration, raising alarms about potential vulnerabilities in sensitive military systems.

Hazy Beacon: A Stealthy Cyber Threat

[03:45]

Hadas delves into the emergence of Hazy Beacon, a state-backed malware campaign likely linked to China, targeting Southeast Asian governments. This sophisticated malware employs stealthy techniques such as DLL sideloading, which deceives trusted programs into executing malicious code for command and control operations. Hazy Beacon cleverly masks its traffic using AWS Lambda URLs, making it appear as regular cloud activity. Once infiltrated, it exfiltrates critical trade and policy documents via platforms like Google Drive before wiping its tracks to evade detection. Unit 42 analysts identified Hazy Beacon through anomalies in cloud traffic and forensic traces left behind after a failed cleanup effort.

MITRE Introduces ADAPT Framework for Digital Assets

[08:20]

Addressing the evolving landscape of financial cyber threats, MITRE launched the Adversarial Actions in Digital Asset Payment Technologies (ADAPT) framework on July 14, 2025. Building upon the established ATT&CK architecture, ADAPT specifically targets blockchain and digital payment systems. Hadas notes that unlike traditional frameworks, ADAPT focuses on financially driven threats such as double spend exploits, flash loans, smart contract hacks, and fraud. This framework provides actionable guidance for crypto exchanges, decentralized finance (DeFi) developers, and under-resourced financial organizations, aiming to bolster their defenses against sophisticated cyberattacks.

Confetti Malware Resurfaces on Google Play

[12:10]

The Confetti strain of Android malware has made a notorious comeback on the Google Play Store. Hadas explains that the malware evades detection by manipulating the internal zip structure of APK files, allowing malicious payloads to slip through during app reviews. Once installed, Confetti silently harvests user data and inundates ad networks with fake traffic via Carmel Ads, a legitimate ad platform exploited for invisible ad fraud. Previous variants generated over 10 billion fake ad requests daily, and the latest iteration continues this trend, posing significant risks to both users and advertisers.

Wetransfer’s Controversial Terms Spark Backlash

[16:35]

Wetransfer, a widely used cloud service for transferring large files, faced backlash after updating its terms of service in July. The new language included clauses that granted Wetransfer broad rights to "use, reproduce, modify, create derivative works of, and publicly display your content," raising concerns about AI training and content usage. Artists, writers, and voice actors criticized these terms, fearing unauthorized use of their work in advertisements. Responding to the outcry, Wetransfer revised the language to remove AI-related terms and restricted content usage strictly to platform operations, aiming to assuage user concerns.

Exposed API Keys Highlight AI Credential Risks

[20:50]

A significant security lapse occurred when Marcoella, a government staffer under the Department of Government Efficiency, inadvertently posted an ActiveXAI API key to GitHub. This exposed access to over 50 Grok language models. Although the key was removed, it remained active for an unspecified period, highlighting the precarious handling of AI credentials tied to government work. Hadas emphasizes that while the immediate real-world impact may be limited—requiring additional credentials or access to sensitive systems—the incident underscores the need for stringent credential management practices to prevent potential exploitation.

Cloudflare Blocks Unprecedented DDoS Attacks in 2025

[24:15]

Cloudflare reported a surge in Distributed Denial of Service (DDoS) attacks in 2025, having blocked over 27 million attacks by mid-year, surpassing the total from the previous year. In the latest quarter alone, Cloudflare thwarted more than 6,500 major attacks, including a staggering assault peaking at 7.3 terabits per second. Industries such as telecommunications, gaming, and agriculture have been particularly targeted, with most attacks originating from Asia and aimed at countries like China, Brazil, and Germany. The increase in attack sophistication and frequency highlights the escalating threats facing global digital infrastructure.

North Korean Supply Chain Attacks Target Developers

[28:00]

North Korean hacktivists have intensified their supply chain attacks, particularly targeting software developers. Hadas outlines a five-step strategy employed in their latest campaign:

1. Recruitment Ploys: Posing as recruiters on LinkedIn, they offer fake jobs in fields like crypto or tech.
2. Malicious Coding Challenges: During interviews, candidates are sent coding challenges that require installing a compromised NPM package.
3. XORindex Malware Deployment: The package includes a stealthy malware loader named XORindex, found in 67 packages downloaded over 17,000 times.
4. Silent Operation and Data Theft: XORindex operates invisibly, connecting to command servers and deploying tools like Beavertail and Invisible Ferret to steal browser data, cryptocurrency, and establish a persistent backdoor.
5. Propagation Within Organizations: If compromised developers join new companies, the malware can spread through machine credentials or Git access, embedding a nation-state backdoor within corporate environments.

This sophisticated approach underscores the need for vigilant security practices among developers and organizations to mitigate supply chain vulnerabilities.

Stay Informed

For comprehensive coverage of these headlines and more, visit CISOseries.com. Stay alert, stay patched, and stay hydrated.