Cybersecurity Today – "Lockbit Is Back"
Host: Jim Love
Date: September 29, 2025
Overview
This episode of Cybersecurity Today, hosted by Jim Love, focuses on the resurgence of the notorious Lockbit ransomware group—now boasting a formidable, cross-platform 5.0 variant. Love also covers critical vulnerabilities in Salesforce's AI agent platform and explores the growing sophistication and threat posed by China’s Ministry of State Security (MSS) in global cyber operations. The episode serves as a wake-up call for cybersecurity professionals and business leaders, emphasizing the evolving dangers in the digital landscape.
Key Discussion Points & Insights
1. Lockbit 5.0: The Next Generation of Ransomware
- [00:00–03:20]
- The new Lockbit 5.0 has emerged, targeting Windows, Linux, and VMware ESXi systems simultaneously.
- Windows variant: Utilizes advanced techniques like DLL reflection (loading malicious code directly into memory), making it harder for anti-malware tools to detect.
- Linux variant: Allows attackers to select specific directories/files for encryption.
- VMware ESXi variant: Attacks virtualization hosts at the hypervisor level, encrypting both virtual machines and backups—potentially affecting dozens or hundreds of systems at once.
- Lockbit 5.0 operates faster than older versions, aiming to complete encryption before defenders can react:
“Speed is now a weapon, shrinking the window for detection and response.” — Jim Love [01:42]
- Trend Micro researchers highlight that “heavy obfuscation and technical improvements across all variants make Lockbit 5.0 significantly more dangerous than its predecessors.”
- The revived affiliate program (under a rebranded, more secure platform) aims to recruit more operators, boosting Lockbit’s reach and resilience.
- The group’s return comes shortly after international law enforcement’s Operation Chronos, which was assumed to have dismantled Lockbit:
“But like the villain in the horror movie, they’re back with a new design: speed, backup, VM targeting, and the revived affiliate program show the group is determined to reestablish itself.” — Jim Love [02:52]
2. Salesforce AI Agent Vulnerabilities: Forced Leak & Prompt Injection
- [03:21–06:34]
- Noma Security researchers discovered a critical flaw in Salesforce’s “Agentforce” platform—a tool for deploying AI agents to automate CRM tasks.
- The attack, dubbed “ForcedLeak” (CVSS 9.4), exploits prompt injection via Salesforce’s Web-to-Lead forms. Attackers can plant hidden instructions in form submissions that an AI agent later processes, causing data to be leaked, altered, or deleted.
- Attackers abused a whitelisted but expired Salesforce domain, redirecting trusted traffic for exfiltration.
“We were able to compromise the agent and tell it to do whatever. It could leak information if we asked, but it could also be asked to change the information in the CRM, delete databases, whatever.” — Alon Tron, CTO, Noma Security [04:47]
- This is described as “cross-scripting for the AI era.” In enterprise settings, such vulnerabilities can quietly siphon sensitive data and corrupt business-critical systems.
- The compromise wasn’t just the AI—it combined weak URL management and inherent AI agent risks:
“Whenever you give an automated AI agent live access to production data and workflows, you create a new and powerful attack surface that can help find and exploit weaknesses in your existing security.” — Jim Love [05:56]
- Takeaway: Prompt injection has moved beyond theory—it’s now an active enterprise threat. AI agents must be inventoried, their privileges restricted, and activities closely monitored.
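The “weak URL management” half of the chain, as an added example (not code from the episode, Salesforce or Noma): a Python audit that treats an agent’s egress/CSP allowlist as trustworthy only when each entry is still in the organisation’s owned-domain inventory and its registration has not lapsed. All domains, dates and the allowlist are constructed sample values.

```python
"""Egress-allowlist hygiene audit (added example; not from the episode, Salesforce or Noma).

The chain described above needed untrusted form text reaching the agent AND an
allowlisted domain the organisation no longer controlled. This models the second
control: a destination is trusted only if it is allowlisted and still owned.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse


@dataclass(frozen=True)
class OwnedDomain:
    name: str
    registration_expires: date  # date the registration lapses (constructed sample)


# Constructed sample inventory: domains the organisation actually registers and renews.
OWNED = {
    "crm.example.com": OwnedDomain("crm.example.com", date(2027, 1, 31)),
    "cdn-old.example.net": OwnedDomain("cdn-old.example.net", date(2024, 6, 30)),
}

# Constructed sample allowlist, e.g. a CSP connect-src or agent egress policy.
ALLOWLIST = ["crm.example.com", "cdn-old.example.net", "partner.example.org"]

# Constructed "today" so the audit is reproducible offline.
TODAY = date(2025, 9, 29)


def audit_allowlist(allowlist, owned, today: date) -> dict[str, str]:
    """Return {domain: reason} for allowlist entries that should no longer be trusted."""
    findings = {}
    for domain in allowlist:
        entry = owned.get(domain.lower())
        if entry is None:
            findings[domain] = "not in owned-domain inventory"
        elif entry.registration_expires < today:
            findings[domain] = f"registration lapsed {entry.registration_expires}"
    return findings


def egress_allowed(url: str, allowlist, owned, today: date) -> bool:
    """May an agent send data to `url`? Host must be allowlisted AND currently owned.
    Exact host match only: no subdomain wildcards, so a lapsed CDN host cannot ride
    on a still-valid parent entry."""
    host = (urlparse(url).hostname or "").lower()
    if host not in {d.lower() for d in allowlist}:
        return False
    return host not in audit_allowlist([host], owned, today)
```

Running the audit on the sample data flags the lapsed CDN host and the unowned partner domain, and `egress_allowed` rejects both while still permitting the owned CRM host.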
3. China’s MSS: The Growing Cyber Intelligence Juggernaut
- [06:35–11:02]
- The New York Times reports China’s Ministry of State Security (MSS) has evolved into “one of the world’s most effective cyber intelligence services.”
- What was once a fragmented landscape of hackers is now a centralized, disciplined agency blending classic espionage with advanced cyber operations.
- Decades of IP theft, large-scale data exfiltration, and persistent network intrusions have Western governments alarmed.
- Salt Typhoon, a Chinese-aligned group, has breached multiple telecom networks’ core systems, potentially accessing lawful intercept systems and sensitive metadata:
“In short, they live in the backbone routers and management systems—the Internet plumbing—which makes their access stealthy and maybe durable.” — Jim Love [07:53]
- British MI6 and the CIA are concerned:
- CIA Director William J. Burns visited Beijing in 2023 to warn Chinese officials of dire consequences if attacks targeting communications, water, or power systems escalate.
“That’s a stark illustration of how high this now ranks in national security terms.” — Jim Love [08:27]
- The podcast warns about the risks posed by sloppy U.S. data practices and platform consolidation—multiplying the damage MSS could cause with the vast data likely already in their hands.
“Our data architecture and operational sloppiness have multiplied the consequences of any successful infiltration.” — Jim Love [09:15]
- Final note: Hope rests on quiet, effective US counter-operations to root out persistent Chinese access, but the risk remains “severe and unresolved.”
Notable Quotes & Memorable Moments
- [01:42] Jim Love: “Speed is now a weapon, shrinking the window for detection and response.”
- [02:52] Jim Love: “But like the villain in the horror movie, they’re back with a new design: speed, backup, VM targeting, and the revived affiliate program show the group is determined to reestablish itself.”
- [04:47] Alon Tron (Noma Security CTO): “We were able to compromise the agent and tell it to do whatever. It could leak information if we asked, but it could also be asked to change the information in the CRM, delete databases, whatever.”
- [05:56] Jim Love: “Whenever you give an automated AI agent live access to production data and workflows, you create a new and powerful attack surface that can help find and exploit weaknesses in your existing security.”
- [07:53] Jim Love: “In short, they live in the backbone routers and management systems—the Internet plumbing—which makes their access stealthy and maybe durable.”
- [08:27] Jim Love: “That’s a stark illustration of how high this now ranks in national security terms.”
- [09:15] Jim Love: “Our data architecture and operational sloppiness have multiplied the consequences of any successful infiltration.”
Timestamps for Important Segments
- [00:00–03:20] Lockbit 5.0 technical advances and affiliate network relaunch
- [03:21–06:34] Salesforce AI agents: ForcedLeak vulnerability and prompt injection risk
- [06:35–11:02] China’s MSS: centralization, Salt Typhoon, Western agency reactions, and the national security stakes
Takeaways
- Lockbit 5.0 represents a major evolution in ransomware—cross-platform, faster, and harder to defend against, with an expanded affiliate model for wider reach.
- Prompt injection attacks are now an enterprise issue, not just a theoretical or consumer-level concern. AI agents must be managed like sensitive assets.
- China’s cyber threat is more organized and stealthy than ever, with entrenched access on a national and potentially systemic level—posing unprecedented risks to infrastructure and data.
Jim Love’s episode is a clarion call: the threat landscape is escalating. Defenders must raise their game, from technical controls on AI to strategic awareness of global adversaries.
