Transcript
A (0:01)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

A Magecart skimming campaign active since 2022, CISA flags HPE OneView with a CVSS score of 10, ValleyRat malware silently steals data, a potential WhatsApp exploit claiming to attack without user interaction, and US national labs quietly deploy AI to simulate cyber attacks. This is Cybersecurity Today. I'm your host, Jim Love.

A vast network of domains tied to a long-running and still active credit card skimming campaign has been uncovered, dating back to at least early 2022, according to new research. The operation targets multiple global payment networks, including American Express, Diners Club, Discover and even MasterCard. The discovery comes from Silent Push, which published its findings after mapping infrastructure linked to what's broadly known as Magecart-style web skimming. Magecart isn't a single group. It's a label used for a class of attacks that inject malicious JavaScript, known as web skimmers, into online checkout pages. These techniques first gained attention through attacks against Magento-based stores, but the campaigns now target any e-commerce site that processes card payments. The skimmer runs in the customer's browser, copying payment details in real time and sending them to attacker-controlled servers. Because this happens on the client side, server logs and perimeter security tools often might not see the theft. In some cases, the only visible sign for users is subtle friction during checkout. The skimmer may cause a page to ask for payment details to be re-entered, or for a step to be repeated that normally completes cleanly. Even if the transaction ultimately fails, card data may have already been captured.

For consumers, this makes monitoring statements critical any time a checkout behaves unexpectedly. For site operators, Silent Push's findings underline the need for proactive code inspection: not just patching servers, but continuously validating the scripts actually running in production checkout flows.

A maximum severity bug in HPE OneView has landed on CISA's Known Exploited Vulnerabilities list, which is the US government's way of saying there's evidence it's being used in real-world attacks. The vulnerability is CVE-2025-37164, rated with a CVSS score of 10. It's an unauthenticated remote code execution issue in HPE OneView, a platform that is used to manage servers, storage and networking from a central control plane. Now, a key nuance: Dark Reading reports that HPE's advisory does not say the bug is under active exploitation, and an HPE spokesperson told Dark Reading that they haven't received customer reports of it being exploited. Rapid7, another company monitoring this, also said it hasn't observed exploitation, but CISA's KEV addition still raises the urgency level, because that list is based on evidence of exploitation. Either way, the remediation is straightforward and urgent: patch immediately. HPE has released a hotfix, and Rapid7's guidance is to treat this like an assumed-breach scenario, because OneView sits in a highly privileged position in the network.

Security researchers are warning about an active malware campaign known as ValleyRat, designed to quietly compromise organizations and steal financial and credential data while maintaining long-term access to affected systems. ValleyRat is a remote access Trojan, or RAT, which gives attackers ongoing control of infected machines. According to the researchers, its primary goal is data theft, including financial information and credentials that can later be monetized or used for deeper access. The malware is typically delivered through phishing or malicious downloads. Once installed, it can execute commands remotely, collect system and user data, and deploy additional payloads. Researchers say it relies heavily on legitimate Windows tools, so living-off-the-land techniques allow it to blend in with normal system activity. Persistence is also a key feature. ValleyRat establishes multiple footholds on a system, making it difficult to fully remove and allowing it to survive reboots and partial cleanup efforts. Traditional antivirus alone is unlikely to catch this type of threat. Detection depends on behavioral monitoring: watching for unusual use of PowerShell or other native tools, unexpected outbound connections to unfamiliar hosts, and persistence mechanisms that reappear after removal attempts. On remediation, organizations should assume credentials on infected systems are compromised. Rebuilding affected endpoints may be safer than attempting piecemeal cleanup. ValleyRat isn't dangerous because it's loud. It's dangerous because it's patient. For security teams, the absence of alerts doesn't mean the absence of attackers, especially when the malware is designed to look like normal activity and wait quietly for its moment to attack.

Security researchers are warning about a suspected, and I emphasize suspected, zero-day vulnerability in WhatsApp. This vulnerability could allow attackers to compromise smartphones through a voice call without the user even having to answer. The attack was reported by the 420in, which says that the exploit has been observed in targeted attacks, which may already be in use. According to the report, the attack abuses how WhatsApp processes incoming voice call data. A specially crafted call can trigger code execution on the target device simply by being received. No click, tap or interaction is required, and that puts it in the category of so-called zero-click attacks, which are especially dangerous because they bypass user awareness entirely. The reporting suggests that both Android and iOS devices may be affected, though technical details remain limited. There is no indication of mass exploitation, and Meta, which owns WhatsApp, has not publicly confirmed the vulnerability or released patch details. That lack of confirmation matters, but the attack pattern itself is familiar. So far, no independent security lab or national CERT has published corroborating technical analysis, and some authorities have said they have not confirmed any such cases. But WhatsApp has been targeted before with call-based zero-click exploits, often linked to high-end surveillance operations where stealth and persistence are more important than scale. So until more details are available, mitigation options are limited. Users should ensure WhatsApp is fully updated and restrict who can call them where possible. For organizations, unexplained crashes, overheating or battery drain following missed calls should be treated as potential indicators worth investigating.

And finally, some of the most important advances in cyber defenses are happening quietly inside US national laboratories, and the fact that we're hearing about one of them might be the most telling detail of all. According to reporting by Axios, national labs such as Los Alamos National Laboratory, Sandia National Laboratories and Lawrence Livermore National Laboratory are behind major, largely unseen advances in cybersecurity and AI defense. At Pacific Northwest National Laboratory in Washington State, scientists have reportedly built a generative AI-powered system that allows defenders to rapidly simulate cyber attacks against their own organizations. The idea is to model how real adversaries might probe, adapt and escalate before they do it for real. Instead of reacting to incidents after the fact, defenders can stress-test their environments against AI-driven attack scenarios and identify weak points much earlier. Now, there's an old rule in national security: if you're hearing about a classified capability, it's probably already been surpassed internally. And the same logic applies here. Publicly disclosed AI defense projects may signal that the US government believes it's making real progress in keeping pace with adversarial AI, even if most of that race remains deliberately out of view.

And that's our show. We'd like to thank Meter for their continuing support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity into a space. They design the hardware, the first firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. I'm your host, Jim Love. Thanks for listening.
