Transcript
Hadas Kasorla (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for July 16, 2025. I'm Hadas Kasorla. In today's cybersecurity news:

Pentagon welcomes Chinese engineers into its environment. In an unfortunate case of the fox guarding the henhouse, US military systems are receiving backend support from engineers based in China. That may sound like a security risk, and that's because it is. ProPublica reports that while these foreign engineers work through "digital escorts" in the US, the escorts often lack the technical skills to detect malicious code or misuse. The arrangement was approved by the Pentagon despite serious internal warnings from Microsoft staff about national security risks.

HazyBeacon: it's not a beer, but it leaves a bitter aftertaste. A new state-backed cyber campaign likely linked to China is hiding in plain sight. Called HazyBeacon, the malware targets Southeast Asian governments using stealthy tactics. It installs via DLL sideloading, tricking trusted programs into running malicious code. For command and control, it uses AWS Lambda URLs, disguising traffic as normal cloud activity. Once inside, it exfiltrates trade and policy documents through services like Google Drive, then wipes its tracks to avoid detection. Analysts at Unit 42 uncovered it through cloud traffic anomalies and forensic traces left behind after a failed cleanup.

What the world needs now is another framework. On July 14, 2025, MITRE launched Adversarial Actions in Digital Asset Payment Technologies. This new cybersecurity framework was designed specifically for blockchain and digital payment systems. Built on the familiar ATT&CK architecture, ADAPT diverges by focusing on financially driven threats such as double-spend exploits, flash loans, smart contract hacks, and fraud. It offers hands-on guidance to crypto exchanges, DeFi developers, and under-resourced financial organizations.

All that glitters isn't gold. Konfety Android malware is scattering itself across the Google Play Store again. It evades detection by manipulating the internal ZIP structure of APK files to hide malicious payloads during app review. Once installed, it quietly harvests user data and floods ad networks with fake traffic using CaramelAds, a legitimate ad platform exploited here for invisible ad fraud. Earlier Konfety variants racked up more than 10 billion fake ad requests per day, getting all over the place just like its namesake.

And now, thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in zero trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO.

I do not think that means what you think it means. WeTransfer, a popular cloud service used to send large files, wreaked havoc when it updated its terms in July with language like "you grant us a license to use, reproduce, modify, create derivative works of, and publicly display your content." These phrases, often tied to AI training, received criticism from artists, writers, and voice actors who used the service. Another clause said they could use content to promote the service. Creators pushed back, wanting to know if that gave WeTransfer the ability to use their work in ads, while WeTransfer denied that that's what they meant at all. WeTransfer did revise the language, removing the AI-adjacent terms and limiting usage to what's strictly necessary to run the platform.

Hey, whose keys are these? Marko Elez, a government staffer working under the Department of Government Efficiency, DOGE, accidentally posted an xAI API key to GitHub, exposing access to more than 50 Grok language models. The key stayed live even after it was removed, raising red flags about how tightly AI credentials tied to government work are being handled. It's sloppy, but for now the real-world impact is likely limited. To actually access sensitive data or systems, an attacker would also need login credentials or access to private government deployments.

And the hits just keep on coming. Cloudflare says it's already blocked more DDoS attacks in 2025 than it did in all of last year: over 27 million so far, and we're only halfway through the year. In just the last quarter, they stopped more than 6,500 major attacks, including one that hit 7.3 terabits per second. Telecom, gaming, even agriculture got hit hard, with most attacks coming out of Asia and targeting countries like China, Brazil, and Germany. These attacks are smarter, faster, and hitting industries no one expected.

How to become a North Korean hacker in five easy-to-learn steps. North Korea's Contagious Interview just got more viral. Here's what's new in their latest supply chain campaign targeting developers. Step one: they pose as recruiters on LinkedIn and offer fake jobs, usually in crypto or tech. Step two: during the interview, they send a coding challenge and ask the target to install an npm package to complete it. What's new? That package now includes a stealthy malware loader called XORIndex, found in 67 packages downloaded over 17,000 times. Step three: XORIndex runs silently and connects to a command server. Step four: it pulls down tools like BeaverTail and InvisibleFerret to steal browser data and crypto and open a persistent backdoor. And step five: if that developer later joins your company and brings the same machine, credentials, or Git access, you've now got a nation-state backdoor inside your environment.

Have you ever seen a cybersecurity vendor cross the line in the name of competition? We all know it's a crowded vendor landscape, so it's not surprising to see some of them occasionally behaving badly. We're digging into the best and worst vendor habits on this week's Super Cyber Friday discussion. Join us this Friday at 1 p.m. Eastern Time for "Hacking Vendor Competition." Head on over to our events page at cisoseries.com to register to join us. If you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Hadas Kasorla, reporting for the CISO Series. Stay alert, stay patched, stay hydrated. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
