Transcript
Steve Prentice (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, August 11th, 2025. I'm Steve Prentice.

DARPA awards $4 million prize for AI code review at DEF CON. The winner of this two-year competition to create the best artificial intelligence systems that can find and fix vulnerabilities was announced at DEF CON by the competition's sponsor, the U.S. Defense Department. Team Atlanta, as the winner is named, is composed of technology experts from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science and Technology and the Pohang University of Science and Technology. The final competition saw teams attempt to find and generate patches for synthetic vulnerabilities buried in 54 million lines of code. Teams were judged on the ability of their systems to create patches for the bugs that were found.

North Korea's ScarCruft group adds ransomware to its activities. According to analysts at South Korean cybersecurity firm S2W, ScarCruft, best known for espionage against high-profile individuals and government entities, is now deploying a ransomware variant known as VCD, after the extension it adds to the names of encrypted files. The group uses phishing emails to deliver its payloads, a recent example of which was a message about postal code updates tied to changes in street addresses.

Columbia University hack affects over 860,000 people. Following up on a story we covered last month, the tally of victims in the Columbia University attack is now at 869,000, and data accessed includes Social Security numbers, demographic information, academic history, financial aid information, health insurance information and more. This hack was and still is being described as having been performed by highly sophisticated hackers with a political agenda. The hacker has presented samples of the stolen data to the New York Times and Bloomberg. No patient records were taken from Columbia University's Irving Medical Center.

The Franklin volunteer hackers who defend the water system. A year after launching the program at last year's DEF CON, former White House official and executive director at the University of Chicago's Cyber Policy Initiative Jake Braun says his Franklin Project continues to grow, with more volunteers than they can handle. The Franklin Project focuses on providing free cybersecurity services to critical infrastructure to help them with activities such as setting passwords, activating multi-factor authentication, conducting asset inventories, operational technology assessments and network mapping and scanning. In addition to an excess of volunteers, there is also an excess of need on the part of infrastructure across the country, according to Braun. Speaking to The Register during this year's DEF CON, he stated that one of the volunteers' first challenges was "convincing the water utilities that despite being located in small towns they were still a target for Chinese and Iranian cyber crews."

Huge thanks to our sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questions done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That is V-A-N-T-A.

WinRAR zero-day exploited to plant malware on archive extraction. As published in BleepingComputer, a recently fixed vulnerability in the Windows WinRAR compression tool was exploited as a zero-day in phishing attacks to install the RomCom malware. This flaw is a directory traversal vulnerability, which was "fixed in WinRAR 7.13, but which allows specially crafted RAR archives to extract files into a file path selected by the attacker." This vulnerability allows attackers to create archives that extract executables into autorun paths such as the Windows Startup folder. Since WinRAR does not include an auto-update feature, Microsoft advises that all users manually download and install the latest version so that they are protected from this vulnerability.

Microsoft delivers warning about cyber attack preparedness. In a message that has been delivered and heard many times before, but seemingly bears repeating, Microsoft threat intelligence, hunting and response leaders spoke last Thursday at Black Hat, saying that "only one in four organizations have an incident response plan and have rehearsed it." Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, described the issue by saying, "Attackers and threat actors think in graphs. They see the pathways that they can take to pivot around inside of a network, while defenders think in lists." She also repeated the significance of security fundamentals such as keeping software up to date and configuring it properly. She said, "If you do experience a breach, missing logs really contribute to a nightmare scenario for both intel and incident responders."

Flaws in Lenovo webcams turn them into BadUSB devices. Researchers at Eclypsium have discovered vulnerabilities in some Lenovo webcams, which they collectively call BadCam. These flaws, demonstrated at DEF CON 33, could let attackers turn them into BadUSB devices that can inject keystrokes and launch OS-independent attacks, the researchers stated. The problem stems from select-model webcams from Lenovo that run Linux and do not validate firmware. These, they say, can be weaponized without requiring physical access.

Windows EPM poisoning leads to domain privilege escalation. Researchers at SafeBreach have described new findings related to a now-patched security issue in Microsoft's Windows Remote Procedure Call (RPC) communication protocol. The vulnerability is being described as a Windows storage spoofing bug. Although fixed last month as part of July Patch Tuesday, the researchers warn that the vulnerability "makes it possible to manipulate a core component of the RPC protocol and stage an endpoint mapper poisoning attack that allows unprivileged users to pose as a legitimate built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker's choosing."

If you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
