Podcast Summary: Cyber Security Headlines
Host: Steve Prentice, CISO Series
Episode Title: Velociraptor pushes LockBit, Spain dismantles crime group, SonicWall SSL VPN breach
Air Date: October 13, 2025
Overview
This episode dives into recent high-profile incidents and trends in cybersecurity, with a focus on the malicious repurposing of legitimate forensics tools by ransomware groups, the takedown of an AI-powered cybercrime syndicate in Spain, critical vulnerabilities affecting enterprise VPNs, and a string of targeted social engineering and infrastructure attacks. Listeners are updated on the swiftly evolving threat landscape, and the episode emphasizes how both advanced tactics and social manipulation are shaping today's security priorities.
Key Discussion Points and Insights
1. Velociraptor Forensics Tool Abused in LockBit Ransomware Attacks
[00:06 – 02:30]
- Velociraptor, an open-source digital forensics and incident response tool, is being weaponized in ransomware campaigns, this time by the group Storm-2603, previously associated with Warlock and LockBit ransomware.
- Attackers exploited SharePoint (ToolShell) vulnerabilities to gain initial access, then used an outdated, vulnerable version of Velociraptor for privilege escalation, executing arbitrary commands and taking over endpoints.
- Cisco Talos tied this activity to earlier stories of Velociraptor being used for tunneling and remote access; the trend appears to be expanding.
- Notable Quote:
"Rapid7, which maintains Velociraptor after having acquired it in 2021, stated during the previous tunneling exploit that it's aware of the misuse of the tool and that it can also be abused when in the wrong hands, just like other security and administrative tools." — Steve Prentice [01:40]
2. Spain Dismantles GXC Team Cybercrime Group, Arrests Ringleader
[02:30 – 03:24]
- Spanish Guardia Civil arrested the 25-year-old leader of GXC Team, an organization selling AI-driven phishing kits, Android malware, and voice scam tools via Telegram and Russian forums.
- The tools catered to credential theft, online banking fraud, e-commerce scamming, and business email compromise.
- The group aggressively marketed its wares, including offering discounts and pioneering AI-generated fraudulent invoices for wire fraud.
3. SonicWall SSL VPN Breach: Credential Compromise, Not Brute Force
[03:24 – 04:33]
- Following up from last week’s coverage, Huntress warned of widespread SonicWall SSL VPN breaches, with over 100 accounts compromised since October 4.
- The attackers used valid credentials rather than brute force, suggesting previous leaks or credential stuffing.
- Activities included network scanning, probing Windows accounts, and quick disconnects, all following a separate leak of backup files containing encrypted credentials from SonicWall’s cloud service.
4. US Cyber Leadership Shakeup: Hartman Not Nominated to Lead Cyber Command
[04:33 – 05:15]
- Army Lt. Gen. William Hartman, current acting lead for U.S. Cyber Command and the NSA, will not be nominated to the permanent role.
- The decision appears rooted in a policy shift away from "dual hat" leadership—one person running both organizations—at the federal level, adding uncertainty to leadership at the top of U.S. cyber defense.
5. Sugar Land, Texas, Suffers Cyberattack on Municipal Systems
[05:15 – 05:57]
- The Houston suburb experienced a cyber incident affecting vital online services including 311 contact, utility billing, and permit management.
- Emergency services (911) remained operational; nearly 110,000 residents were affected.
6. Hackers Exploit Zero-Day in Gladinet File Sharing Software
[05:57 – 06:36]
- A vulnerability (with CVE identifier) in Gladinet's CentreStack and Triofox products allows local, unauthenticated file access; it has already been exploited against at least three companies.
- No current patch; customers are urged to implement available mitigations.
7. Microsoft Warns of ‘Payroll Pirates’ Targeting HR SaaS Platforms
[06:36 – 07:13]
- Threat group Storm-2657 hijacks employee accounts in U.S. organizations to divert salaries to attacker-controlled bank accounts.
- Main vectors: social engineering and lack of MFA protections; no evidence of flaws in the SaaS platforms themselves (e.g., Workday).
- Education sector is notably targeted.
8. Smishing Scam Targets New Yorkers With Fake Inflation Refunds
[07:13 – 08:05]
- Fraudulent texts claim to originate from the Department of Taxation and Finance, promising inflation refunds and collecting personal/financial data via phishing links.
- The scam’s legitimacy is bolstered by referencing an actual state program, but the Governor’s office emphasizes no action is needed to receive the real benefit.
- Notable Quote:
"New Yorkers do not have to do anything to receive an inflation refund check outside of meeting the eligibility requirements." — Steve Prentice [08:00]
Notable Quotes & Memorable Moments
- On tool abuse in security:
"It can also be abused when in the wrong hands, just like other security and administrative tools." — [01:40]
- On New York’s inflation refund scam rebuttal:
"New Yorkers do not have to do anything to receive an inflation refund check..." — [08:00]
Timestamps for Important Segments
- Velociraptor tool repurposed for ransomware: [00:06 – 02:30]
- Spain arrests cybercrime group leader: [02:30 – 03:24]
- SonicWall SSL VPN breach update: [03:24 – 04:33]
- US cyber command leadership change: [04:33 – 05:15]
- Sugar Land, Texas, municipal cyberattack: [05:15 – 05:57]
- Gladinet zero-day exploited: [05:57 – 06:36]
- Payroll Pirates target HR SaaS: [06:36 – 07:13]
- NY Inflation Refund smishing scam: [07:13 – 08:05]
Conclusion
This episode underscores the dual-use risks of cybersecurity tools, the growing integration of AI into cybercrime, and the need for robust authentication and employee vigilance. The swift, credential-based attacks and sophisticated phishing campaigns highlight how threat actors adapt to both technological and organizational blind spots. Rapid response, patch management, and layered authentication continue to be essential defenses as organizations contend with both high-tech and traditional fraud.
