Cyber Security Headlines – Episode Summary
Episode Title: Velociraptor C2 tunnel, Baltimore’s expensive con, ransomware gangs multiply
Host: Steve Prentiss
Podcast: CISO Series: Cyber Security Headlines
Date: September 1, 2025
Episode Overview
This episode covers several critical developments in cybersecurity, including the innovative misuse of Velociraptor forensic software for command-and-control (C2) tunneling, a costly social engineering con that targeted the City of Baltimore, the fragmentation and multiplication of ransomware gangs following high-profile law enforcement takedowns, and updates on vulnerabilities, cyberespionage campaigns, and malware distribution tactics. Steve Prentiss swiftly dissects these stories, highlighting operational risks, attacker trends, and defensive insights relevant to the modern threat landscape.
Key Discussion Points & Insights
1. Velociraptor Forensic Tool Repurposed for C2 Tunneling
- [00:07–01:22]
- Researchers at the Sophos Counter Threat Unit warn of a “living off the land” technique that leverages open-source forensic software as an attack vector.
- Attack Method: Threat actors deployed Velociraptor (typically an endpoint monitoring and forensic tool) to download and execute Visual Studio Code, likely using it to create a covert tunnel to a command-and-control server.
- Insight:
- “This signals a tactical evolution where incident response programs are being used by threat actors to obtain a foothold and minimize the need for having to deploy their own malware.” ([00:54])
- Significance: Demonstrates adversaries’ increasing sophistication in repurposing legitimate security tools for malicious aims.
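A defender-side illustration of the pattern in this segment, added here and not part of the episode or of any Sophos or Velociraptor code: process-creation events are checked for a Velociraptor client that spawns VS Code (or a command line that fetches it). Process names, the event layout and the sample events are constructed assumptions, not values from the page.

```python
"""Flag a forensic/IR agent (Velociraptor) launching VS Code, the abuse described above."""
from dataclasses import dataclass

# Assumption: names a Velociraptor client commonly runs under on Windows/Linux.
IR_AGENTS = {"velociraptor.exe", "velociraptor", "velociraptor-client"}
# Assumption: VS Code executables an IR agent has no legitimate reason to start.
VSCODE_BINARIES = {"code.exe", "code", "code-tunnel.exe", "code-tunnel"}
# Command-line fragments that indicate VS Code is being fetched or a tunnel started.
VSCODE_MARKERS = ("code.visualstudio.com", "vscode", "code tunnel")


@dataclass(frozen=True)
class ProcessEvent:          # constructed, minimal EDR-style process-creation record
    host: str
    parent_image: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    """Strip Windows or POSIX directories and normalise case."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a Velociraptor process spawns VS Code or something that pulls it down."""
    if _basename(ev.parent_image) not in IR_AGENTS:
        return False
    if _basename(ev.image) in VSCODE_BINARIES:
        return True
    cmd = ev.cmdline.lower()
    return any(marker in cmd for marker in VSCODE_MARKERS)


def detect(events):
    """Return the subset of events a SOC analyst should triage."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry: two benign collections, two hits.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Velociraptor\velociraptor.exe",
                 r"C:\Windows\System32\wevtutil.exe", "wevtutil qe Security /c:100"),
    ProcessEvent("ws01", r"C:\Program Files\Velociraptor\velociraptor.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Invoke-WebRequest https://code.visualstudio.com/sha/download -OutFile vscode.zip"),
    ProcessEvent("ws01", r"C:\Program Files\Velociraptor\velociraptor.exe",
                 r"C:\Users\Public\VSCode\code.exe", "code.exe tunnel --accept-server-license-terms"),
    ProcessEvent("srv02", "/usr/bin/velociraptor", "/usr/bin/find", "find / -name '*.log'"),
]
```

Any hit is worth a triage ticket: a Velociraptor client should be collecting artefacts, not installing an editor or opening outbound developer tunnels.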
2. Baltimore's $1.5 Million Social Engineering Fraud
- [01:23–02:13]
- A scammer spoofed a legitimate vendor and asked Baltimore’s Accounts Payable department to update banking details, resulting in the city transferring $1.5 million to fraudsters through two payments (only one of which has been recovered).
- City Auditor’s Comments:
- “The city’s Accounts Payable department had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details.” – Isabel Mercedes Cumming, Inspector General ([01:48])
- Lesson: Highlights the urgent need for robust verification processes and internal controls to combat business email compromise (BEC).
3. Ransomware Gangs Fragment and Multiply
- [02:14–02:59]
- Recent law enforcement actions have primarily dismantled the infrastructure of large ransomware groups (e.g., LockBit, BlackCat/ALPHV, Hive) without consistently capturing the operators.
- Consequence: Disbanded gang members regroup into smaller, more numerous ransomware crews; Malwarebytes counted 60 new groups this year.
- Industry Insight:
- Growth attributed to domain expertise, commoditized malware kits, and “abundant AI,” which collectively “lowers the barrier to entry.” ([02:51])
- Key Takeaway: Ransomware remains resilient and evolves rapidly even as major groups are targeted.
4. Microsoft Denies SSD/HDD Failures Linked to August Windows Update
- [03:00–03:45]
- Reports surfaced of drive failures after the August 2025 security update; Microsoft now asserts no connection was found after thorough investigation.
- Company’s Statement: Microsoft solicited incident reports and, after research, “found no connection between the August 2025 Windows Security Update and the types of hard drive failures reported on social media.” ([03:39])
- Impact: Reassures customers; highlights the rapid spread of unverified claims in social media-driven tech discourse.
5. FBI Officials on Chinese Cyber Espionage & “Salt Typhoon”
- [04:30–05:20]
- The FBI commented on China’s use of private companies for hacking operations, which it regards as a strategic weakness.
- Perspective:
- Jason Bilnoski (FBI Cyber Division): “These types of campaigns... are actually failures” due to reduced operational discipline: “Investigators gain advantage by observing the mistakes these companies make.” ([04:44])
- Michael Mactinger (FBI Cyber Division): On Salt Typhoon, “there’s a good chance this espionage campaign has stolen information from nearly every American.” ([05:10])
- Significance: Operational security lapses among outsourced threat actors create investigative opportunities.
6. Amazon Disrupts Russian APT29 “Watering Hole” Attack
- [05:21–05:49]
- Amazon identified and blocked a watering hole campaign by APT29 (Cozy Bear), who used fake Cloudflare “Verify you are a human” CAPTCHAs to steal Microsoft device authentication codes.
- Detection: Using custom analytics, Amazon discovered multiple typo-squatted actor domains imitating cloudflare.com. ([05:41])
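A small lookalike-domain check of the kind the detection above implies, added here as an illustration and not Amazon’s analytics: a candidate domain is flagged when its registrable label is within a short edit distance of “cloudflare” or embeds that brand while not actually being under cloudflare.com. The two-label registrable-domain rule and the sample domains are constructed assumptions.

```python
"""Flag typo-squatted lookalikes of a brand domain, e.g. cloudflare.com."""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Assumption: registrable domain is the last two labels (no public-suffix list)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_lookalike(domain: str, target: str = "cloudflare.com", max_dist: int = 2) -> bool:
    """True for domains that impersonate `target` but are not `target` or its subdomains."""
    d = domain.lower().rstrip(".")
    if d == target or d.endswith("." + target):
        return False                      # genuine brand infrastructure
    brand = registrable_label(target)
    label = registrable_label(d)
    if brand in label:                    # e.g. cloudflare-verify.net, mycloudflare.com
        return True
    return levenshtein(label, brand) <= max_dist   # e.g. c1oudflare.net


def find_lookalikes(domains, target: str = "cloudflare.com"):
    """Return the subset of observed domains that impersonate the target."""
    return [d for d in domains if is_lookalike(d, target)]


# Constructed sample: one real subdomain, one unrelated site, three lookalikes.
SAMPLE_DOMAINS = [
    "cdn.cloudflare.com",        # legitimate
    "example.org",               # unrelated
    "cloudfIare.com",            # capital I for lowercase l
    "c1oudflare.net",            # digit 1 for lowercase l
    "verify-cloudflare.net",     # brand embedded in a fresh registration
]
```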
7. WhatsApp iOS/macOS Vulnerability Patched
- [05:50–06:18]
- WhatsApp patched a serious flaw (CVSS 8.0), potentially used in zero-day attacks alongside an Apple vulnerability.
- Exploit Details: Insufficient authorization for device sync messages could “allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” ([06:07])
- Actionable: Users urged to update; affected CVEs and versions linked in show notes.
8. “Tampered Chef” Infostealer Spread via Fake PDF Editor Ads
- [06:19–06:50]
- Threat actors use Google Ads to promote fraudulent PDF apps, delivering “Tampered Chef” info-stealer malware.
- Operation Tactics: The apps can install additional malware or enroll systems into proxy networks. Researchers from Truesec noted the operators “waited for ads to run their course before activating the malicious components.” ([06:44])
- Takeaway: Highlights the continuous misuse of digital ad platforms in malware distribution.
Notable Quotes & Memorable Moments
- “This signals a tactical evolution where incident response programs are being used by threat actors to obtain a foothold…” – Sophos Counter Threat Unit researchers ([00:54])
- “The city... had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details.” – Isabel Mercedes Cumming, Baltimore IG ([01:48])
- “Ransomware gang takedowns... focused largely on impounding or destroying the gang's infrastructures but not arresting the operators, has allowed the gang members to reform in greater variety.” – Steve Prentiss ([02:27])
- “These types of [Chinese] campaigns... are actually failures... Investigators gain advantage by observing the mistakes these companies make.” – Jason Bilnoski, FBI ([04:44])
- “There’s a good chance this espionage campaign has stolen information from nearly every American.” – Michael Mactinger, FBI ([05:10])
Timestamps for Key Segments
- [00:07] Velociraptor Forensic Tool Used for C2 Tunneling
- [01:23] Baltimore Social Engineering Scam Costs $1.5M
- [02:14] Ransomware Gangs Fragment and Multiply
- [03:00] Microsoft Denies Update Caused SSD Failures
- [04:30] FBI on Chinese Cyber Espionage (“Salt Typhoon”)
- [05:21] Amazon Nabs Russian APT29 Watering Hole Attack
- [05:50] WhatsApp Patches iOS/macOS Zero-Day Vulnerability
- [06:19] Tampered Chef Infostealer via Fake PDF Editor Apps
Conclusion
This episode underscores the dynamic threat landscape where attackers exploit legitimate tools, leverage social engineering, and persist despite takedowns. Organizations are cautioned to improve their detection and response capabilities, ensure robust internal controls, and stay alert for evolving attack techniques.
For in-depth coverage and resources, listeners are encouraged to visit CISOseries.com.
