Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Tuesday, September 23, 2025. I'm Rich Stroffolino.

EDR-Freeze tool suspends security software
Security researcher Zero Salarium published a proof-of-concept tool called EDR-Freeze, which uses the Windows Error Reporting system to indefinitely suspend EDR and antivirus processes. It does this by using the crash dump collection component WerFaultSecure to trigger the MiniDumpWriteDump API, which suspends threads in a target process to generate a snapshot of memory and state. By suspending WerFaultSecure, the targeted process is left suspended. Security researcher Steven Lim created a tool to map WerFaultSecure to Microsoft Defender processes to make it easy to see any potential abuse.

DeepMind updates Frontier Safety Framework
The Google subsidiary added a new category to this framework, now stating the risks models pose for harmful manipulation, defined around AI models with powerful manipulative capabilities that could be misused to systemically and substantially change beliefs and behaviors in identified high-stakes contexts. This comes after some AI models have shown the ability to deceive individual users to achieve goals. DeepMind says it adds these new capability levels when frontier AI models pose heightened risk of severe harm without any other mitigations. Axios pointed out that this comes after OpenAI removed a persuasiveness-specific risk category in its model evaluation process earlier this year.

Major vendors withdraw from MITRE EDR evaluations
Both SentinelOne and Palo Alto Networks announced this month that they would not take part in MITRE Engenuity's ATT&CK Evaluations, following a similar announcement from Microsoft back in June. All three companies said the move was done to better focus on product development. Last year, Microsoft topped MITRE's EDR tests, with SentinelOne ranked 5th and Palo Alto 12th. MITRE CTO Charles Clancy told Infosecurity Magazine that participating in these tests is resource intensive for vendors, with the company seeking to make them harder each year, such as adding cloud environments. In the 2025 edition, Clancy said MITRE will re-establish its vendor forum in 2026 to address some of these concerns.

Fake repos target macOS with infostealer campaign
The password manager LastPass warned about this ongoing campaign, which uses SEO poisoning to serve up links to malicious GitHub sites in search, claiming to offer Mac downloads for LastPass, 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood and Salesloft. These repos actually download the Atomic infostealer, a piece of malware generally used by financially motivated threat groups. LastPass published a full list of malicious URLs and other indicators of compromise.

And now a huge thanks to our episode sponsor, Conveyor. Security reviews don't have to feel like a hurricane. Most teams are buried in back-and-forth emails and never-ending customer requests for documentation or answers. But Conveyor takes all that chaos and turns it into calm. AI fills in the questionnaire, your trust center is always ready, and sales cycles move without stalls. Breathe easier. Check out Conveyor at conveyor.com, that's C-O-N-V-E-Y-O-R dot com.

Russia steps up misinformation in Moldova
Moldova is set to elect a new parliament on September 28, with ramifications for the country's potential entry into the European Union in the coming years. The BBC reports that over the weekend, a network funded by Russia paid people in the country the equivalent of US$170 per month to post propaganda on social media. These recruits were told to use LLM systems to attack the ruling Party of Action and Solidarity with claims of rigged voting and child trafficking. Bloomberg reports that leaked documents show that this is specifically part of a Russian campaign to mobilize diaspora voters from Moldova and weaken Moldovan President Sandu.

Microsoft patches critical Entra flaw
Back in July, Microsoft patched a critical Entra ID flaw that opened the door to impersonating any user across any tenant. There was no evidence of exploitation in the wild. Security researcher Dirk-jan Mollema reported the flaw. This used a service-to-service actor token from Entra's Access Control Service to be used for cross-tenant access due to a lack of adequate validation in the Azure AD Graph API. The blast radius on this could have been nasty, as threat actors with Graph API access could have made unauthorized modifications to conditional access policies. A lack of API-level logging means this could have been done without much of a trace. Aside from the patch, the attack is now mostly academic, as Microsoft retired Graph API on August 31, 2025.

Steam game caught distributing malware
The 2D platformer game BlockBlasters was released on Valve's Steam store on July 30. VX-Underground reports that the developer tried to increase downloads of the title by messaging cryptocurrency holders to try out the game as part of a paid promotion. On August 30, the game was updated to include malware files, collecting information on browser extensions and crypto wallets. Researchers estimate that threat actors used the information to drain funds from 261 users, including one user seeing the attack on a livestream from a fund for their cancer treatment. Researchers discovered a similar Trojan game on the Steam store called Chemia back in July.

Stellantis investigating unauthorized access
Over the weekend, the multinational carmaker said an incident at a third-party provider supporting its North American branch's customer service exposed customer data. This incident did not impact any system with financial or sensitive data and appears limited to leaking contact data. The company warned customers to be on alert for any phishing attacks using this information. BleepingComputer sources say this breach was part of the ShinyHunters Salesforce data breaches that we've covered extensively already on this show.

Mozilla lets devs roll back add-on updates
Firefox added the ability for developers to revert versions of an add-on to an earlier state, while once reverted, the browser will automatically revert to the previous version within 24 hours, preventing downloads of the latest version. Up until now, developers had to get an update approved by Mozilla before it could be released, creating a lag time for addressing security vulnerabilities. Self-distributing developers can revert to any version, while those distributing on addons.mozilla.org are limited to two previous versions.

If you want to help make some great content for the CISO Series, we've got a great way to participate. We need our listeners to fill out a quick five-question survey. They're Family Feud-style questions, and your responses will be used for an upcoming live event. If you've got an extra minute, head on over to cisoseries.com/participate to fill it out. We'd really appreciate it. And if you have some thoughts on the news from today or about the show in general, be sure to hit us up at feedback@cisoseries.com. We'd love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
