Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Monday, October 13, 2025. I'm Steve Prentiss.

Velociraptor forensics tool becomes LockBit ransomware weapon once again

The Velociraptor open source digital forensics and incident response tool is being used in connection with ransomware attacks, this time likely orchestrated by the group Storm-2603, which is known for deploying the Warlock and LockBit ransomware. Researchers at Sophos suggest that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor that's susceptible to a privilege escalation vulnerability. This allowed them to enable arbitrary command execution and endpoint takeover. According to Cisco Talos, this attack appears to be connected to a story we covered on September 1 regarding reported abuse of Velociraptor for tunneling and remote access. This current story appears to be an expanded and more fully characterized instance of the same abuse trend. Rapid7, which maintains Velociraptor after having acquired it in 2021, stated during the previous tunneling exploit that it's aware of the misuse of the tool and that it can also be abused when in the wrong hands, just like other security and administrative tools. End quote.

Spain dismantles GXC Team cybercrime group and arrests its 25-year-old leader

The arrests were conducted by the Spanish law enforcement agency Guardia Civil. The group sold AI-powered phishing kits, Android malware and voice scam tools via Telegram and Russian forums, becoming a major supplier of credential theft tools in Spain. The group's focus was crafting tools for online banking theft, e-commerce deception and Internet scams. The group also held a 20% off sale in late 2023, introducing tools that used AI to create fraudulent invoices for wire fraud and business email compromise.

SonicWall SSL VPN breach warning

Following up on a story we covered last week, cybersecurity firm Huntress is now warning of a widespread compromise of SonicWall SSL VPNs, with threat actors using valid credentials to access multiple customer accounts. They added that the speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute forcing. In attacks occurring since October 4th, more than 100 SonicWall SSL VPN accounts were compromised using these valid credentials, with some attackers disconnecting quickly while others conducted post-exploitation, scanning networks and probing local Windows accounts. This all follows on from a recent warning from SonicWall regarding unauthorized access to firewall backup files from its cloud service, exposing encrypted credentials and configurations.

Acting US Cyber Command and NSA chief loses nomination for the job

Army Lt. Gen. William Hartman will not be nominated to be the next leader of U.S. Cyber Command and the National Security Agency, according to four people familiar with the matter. Hartman has been leading both entities in an acting capacity since April. The reasons for the non-nomination include a lack of desire within the current administration to continue the dual-hat leadership arrangement at Cyber Command and the NSA. The decision to not nominate Hartman further scrambles what has already been a prolonged leadership shakeup atop the military's top digital war fighting outfit and the country's largest spy agency. End quote.

Huge thanks to our sponsor Vanta. What's your 2am security worry? Is it "do I have the right controls in place" or "are my vendors secure"? Or the really scary one: how do I get out from under these old tools and manual processes? Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and get back to sleep. Get started at vanta.com/headlines. That is V-A-N-T-A dot com headlines.

Houston suburb suffers cyberattack

Sugar Land, Texas becomes one of the latest municipalities to have its online services impacted by what is being called a breach of its internal network infrastructure. The outages occurred on Thursday morning and affected online services such as the 311 contact center, utility billing, permit and inspection scheduling, permit payments and building applications, although they stated clearly that police, fire and medical services are still available at 911. Sugar Land is a suburb of Houston and is home to nearly 110,000 people.

Hackers exploiting zero-day in Gladinet file sharing software

The zero-day vulnerability has a CVE number and is found in Gladinet CenterStack and Triofox products. The vulnerability allows a local attacker to access system files without authentication, according to Bleeping Computer. At least three companies have been targeted so far, and although a patch is not yet available, customers can apply mitigations. CenterStack and Triofox are business solutions created by Gladinet for file sharing and remote access; they enable a company to use its own storage as a cloud.

Microsoft warns of Payroll Pirates attacking HR SaaS accounts

A threat actor named Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. These attacks have focused on US-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources software-as-a-service platforms like Workday. These attacks do not exploit any security flaw in the services themselves, but instead turn to social engineering tactics and a lack of multi-factor authentication protections to seize control of employee accounts and ultimately modify payment information to route payments to accounts managed by the threat actors.

Fake Inflation Refund scam targets New Yorkers

A smishing campaign is sending text messages posing as the Department of Taxation and Finance and claiming to offer inflation refunds in order to steal victims' personal and financial data. It is based on an actual legitimate program, the Inflation Refund from the State of New York, that automatically sends refund checks to eligible residents to help offset the effects of inflation. The smishing attack announces that a victim has been approved and provides a link requesting further information for the refund to be processed. The deadline was September 29th of this year, but the smishing campaign is still active. The New York Governor's Office reminds the public that New Yorkers do not have to do anything to receive an inflation refund check outside of meeting the eligibility requirements. End quote.

If you get value out of Cybersecurity Headlines every day, remember to tell a friend to check out the show. And if you share the show with colleagues or your team, let us know how you do that and why. @feedbacksocies.com I'm Steve Prentiss reporting for the CISO series.
