Transcript
Jim Love (0:00)
Hackers hide malware in DNS records using hex-encoded fragments. Custom backdoor hits SonicWall SMA devices, even fully patched units. US military assumes that they've been breached after Chinese hackers target VPNs and global email servers. And $27 million was stolen in the BigONE crypto hack. This is Cybersecurity Today. I'm your host, Jim Love.

Malware delivery just got sneakier. Researchers from DomainTools recently spotted attackers using DNS records normally reserved for routine network tasks to smuggle in a piece of nuisance malware called Joke Screenmate, a strain of malware that interferes with normal and safe functions of a computer. Instead of delivering the malware as a single file, attackers converted it into hexadecimal, a compact text format using 0 to 9 and A to F to encode messages, and embedded those fragments in DNS text records tied to malicious domains. Each time the infected system looked up one of those domains, it pulled down another sliver of the payload. In total, the malware made 56 DNS queries, each returning a small block of code. A script on the compromised system quietly stitched the blocks together and decoded them, reconstructing the full PowerShell malware, all without downloading a traditional binary or triggering endpoint defenses. Because DNS traffic is often overlooked and text records are typically used for harmless metadata like email authentication, this tactic bypasses most firewalls and antivirus tools. Infoblox, which also analyzed the campaign, said it reflects a growing shift towards living off the land: attackers exploiting legitimate infrastructure like DNS to stay under the radar. Security teams are urged to monitor outbound DNS requests more closely, especially when they involve text records from unknown or suspicious domains. Even background protocols like DNS are no longer safe to ignore.

Google has uncovered a stealth backdoor targeting SonicWall's SMA 100 series devices, and even fully patched appliances weren't safe. The malware, dubbed Overstep, was installed by a threat group tracked as UNC6148, which exploited vulnerabilities and reused stolen credentials to maintain deep access. In some cases, credentials were harvested months before the implants were deployed, suggesting a long-term staging operation. Google researchers said the attackers may have intimate knowledge of SonicWall internals, based on how precisely the malware mimicked the legitimate processes and avoided detection. The backdoor targeted SMA 200, 210, 400, 410 and 500V models, all currently end of sale but still receiving patches. The attackers deployed a rootkit that persisted across firmware upgrades by hijacking the system bootloader. As noted, the attack revealed a strong knowledge of SonicWall devices. The payload was disguised to match legitimate binaries in both name and file size. Once active, it created new admin accounts, suppressed logs, and filtered outbound traffic to avoid triggering alerts. One of the exploited flaws, CVE-2021-20038, is a remote code execution bug rated CVSS 9.8. But Overstep didn't rely just on known bugs; it likely leveraged zero days and long-term credential theft. This meant even patched devices were at risk if threat actors had already gained a foothold. SonicWall has since moved the SMA 100 series to end of support by December 31, 2025, and urges immediate audits of user accounts, log integrity, and bootloader configs for organizations still running these devices. Migration plans should start now.

The U.S. military has ordered every branch to assume its networks are compromised after a stealth campaign by suspected Chinese hackers breached internal email servers and likely much more. The group, known as Salt Typhoon or APT40, exploited vulnerabilities in Ivanti Connect Secure VPNs to gain access to sensitive systems. But this wasn't just a military operation, according to researchers. The same campaign targeted over 100 organizations worldwide, including defense contractors, educational institutions and critical infrastructure providers, all using the same vulnerable devices. Inside the Department of Defense, attackers moved laterally to access internal military email servers, using valid credentials and built-in admin tools to stay hidden. Investigators believe some compromised accounts and credentials may have been stolen months, perhaps even as much as a year, before detection, meaning the attackers were already inside when patches were finally applied. What triggered a full-scale response wasn't just the intrusion, it was the methodical precision. Salt Typhoon avoided malware and instead used living off the land techniques like PowerShell, remote desktops and scheduled tasks, making them nearly invisible to traditional security tools. But on July 9, the Pentagon issued an "assume breach" directive, instructing all branches to conduct internal audits, rotate credentials and investigate for lateral movement. This warning applies even to patched systems. The breach highlights just how deep foreign cybercriminal gangs may be in networks that are essential to the defense and security of the United States and other countries. Not only defense, but telecommunications, infrastructure and others have been massively invaded over the past few years. The fact that these attacks have remained undetected for so long is also a huge cause for concern. So just how much of the defense and critical infrastructure is still affected? It will take a massive effort to detect, expunge and protect for the future. But without such an effort, there will always be the question of how much information has been exfiltrated and how vulnerable the US is in a world increasingly filled with global and regional conflicts. Until then, the advice is valid for most areas of US infrastructure, and perhaps for the world: assume you have been breached.

Another major crypto theft has hit the books. On July 15, hackers drained $27 million in Ethereum from BigONE, a Singapore-based exchange, by gaining access to hot wallet operator keys. The attackers used the stolen credentials to authorize transfers directly from one of BigONE's Internet-connected wallets. Blockchain analysts from Cyvers detected the activity in real time, watching as the stolen funds were quickly dispersed across multiple wallets, a classic laundering move to obscure the trail. The attack didn't exploit a vulnerability in smart contracts or exchange software. Instead, it was a case of key compromise. The attackers likely obtained a valid operational key or private credential with transaction authority. And that's what makes it especially dangerous, as no alarms go off until the funds are already gone. BigONE says no customer funds were lost, and it will cover the damage internally. But the incident is part of a much larger trend. According to Cyvers, over $430 million has been stolen from crypto platforms so far this year, largely by compromising hot wallets, the very systems designed to enable fast, flexible transactions. Many of these attacks, they say, originate from infrastructure linked to the North Korean Lazarus Group. The BigONE breach adds to the growing pressure on crypto exchanges to harden key management, rotate credentials proactively, and segment critical wallet infrastructure. Because in this environment, one leaked key can cost millions. And as an added downside, the leaked funds could be a big part of supporting the rogue North Korean regime and its nuclear program.

And that's our show. Love to hear your thoughts. You can reach us at technewsday.com or .ca, take your pick. Just go to the Contact Us form and drop us a note. If you're on YouTube watching this, you know what to do: put it under the video. Thanks again to all of our listeners and supporters as we prepare to turn the dial for our 10 millionth download over the weekend. I'm your host, Jim Love, and if I've said it once, I've said it a million times. Actually, several million times. Thanks for listening.
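A defender-side check for the TXT-record fragment delivery described in the DNS story, added here as an example (not code from DomainTools, Infoblox or the show): it scans resolver log lines and flags zones that answered several TXT queries with hex-only fragments, which is the outbound-DNS monitoring the story recommends. The log format, domain names and query threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Answers made only of hex digits are what fragment-delivery TXT records look like.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed resolver log lines in the form "<client> <qtype> <qname> <answer>";
# the domains and fragment contents are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 A www.example.test 93.184.216.34
10.0.0.5 TXT 1.payload.evil-example.test 4d5a9000
10.0.0.5 TXT 2.payload.evil-example.test 0300000004
10.0.0.5 TXT 3.payload.evil-example.test ffff0000
10.0.0.5 TXT 4.payload.evil-example.test b8000000
10.0.0.5 TXT 5.payload.evil-example.test 00000000
10.0.0.5 TXT _dmarc.example.test v=DMARC1; p=reject
10.0.0.7 TXT example.test v=spf1 include:_spf.example.test -all
"""


def parent_zone(qname, levels=3):
    """Collapse per-fragment labels (1.payload.x.test) to the zone they share."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def find_hex_fragment_zones(log_text, min_queries=4):
    """Return {zone: count} for zones that answered many TXT queries with hex-only data.

    SPF, DMARC and verification TXT records contain '=', ':' or spaces,
    so they never match HEX_RE and never count toward the threshold.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or parts[1] != "TXT":
            continue
        qname, answer = parts[2], parts[3]
        # Even length: each fragment is whole bytes, two hex digits per byte.
        if HEX_RE.match(answer) and len(answer) % 2 == 0:
            counts[parent_zone(qname)] += 1
    return {zone: n for zone, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for zone, n in find_hex_fragment_zones(SAMPLE_LOG).items():
        print(f"suspicious: {zone} answered {n} TXT queries with hex-only fragments")
```

In production the threshold should be tuned per environment, and a hit is a lead for investigating the querying host, not proof of compromise.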
