CyberWire Daily: "Deadlines in the Cloud" – August 11, 2025
Hosted by N2K Networks
Top Cybersecurity News
1. CISA Issues Emergency Directive for Microsoft Exchange On August 7, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02, mandating that federal agencies mitigate a critical vulnerability (CVE-2025-53786) in Microsoft Exchange hybrid configurations by August 11, 2025. In a hybrid deployment, on-premises Exchange and Exchange Online shared the same service principal, so an attacker who already holds administrative access to an on-premises Exchange server can forge credentials the cloud trusts and escalate into the organization's Microsoft 365 tenant, often without leaving an obvious cloud-side audit trail. Agencies are required to (and any organization running Exchange hybrid should follow the same steps):
- Assess Servers: Run Microsoft's Exchange Health Checker script to inventory servers, builds, and hybrid configuration.
- Disconnect Unsupported Systems: Take end-of-life Exchange servers off the internet and move to supported versions (Exchange 2016 or Exchange 2019 with the current cumulative update).
- Apply Hotfixes: Install the April 2025 hotfix update and switch from the shared service principal to a dedicated Exchange hybrid application in Entra ID.
- Prepare for Microsoft Graph API Adoption: Exchange Web Services (EWS) deprecation begins in October, so hybrid tooling that depends on EWS needs a migration plan.
Dave Bittner highlights: “Agencies must act by August 11, including assessing servers with Microsoft's Health Checker script” (00:48).
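One way to triage an Exchange estate against the directive's steps, as an added example that is not from the podcast, CISA, or Microsoft: the function below takes objects shaped like `Get-ExchangeServer` output and sorts each server into EndOfLife (disconnect), NeedsHotfix (install the current CU plus the April 2025 hotfix update), or Supported. The minimum build numbers in the table are assumptions based on the April 2025 hotfix releases for Exchange 2016 CU23 and Exchange 2019 CU14/CU15; verify them against Microsoft's Exchange build-number table before relying on them. The sample inventory is constructed so the script runs offline.

```powershell
# Added example (not the podcast's, CISA's or Microsoft's code): classify on-premises
# Exchange servers against the hybrid hotfix baseline that ED 25-02 requires.
# ASSUMPTION: the revisions below are the April 2025 Hotfix Update builds for each
# supported CU; confirm them against Microsoft's build-number table before use.
$MinimumBuild = @{
    # 'Major.Minor.Build' of the CU => minimum Revision that carries the hotfix
    '15.1.2507' = 55   # Exchange 2016 CU23 + Apr 2025 HU  (15.1.2507.55)
    '15.2.1544' = 27   # Exchange 2019 CU14 + Apr 2025 HU  (15.2.1544.27)
    '15.2.1748' = 24   # Exchange 2019 CU15 + Apr 2025 HU  (15.2.1748.24)
}

function Test-ExchangeHybridBaseline {
    <#
      Accepts objects with Name and AdminDisplayVersion (as Get-ExchangeServer returns;
      AdminDisplayVersion exposes Major/Minor/Build/Revision) and emits one result per
      server: EndOfLife, NeedsHotfix or Supported.
    #>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [object] $Server
    )
    process {
        $v     = $Server.AdminDisplayVersion
        $cuKey = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
        $status = if ($v.Major -ne 15 -or $v.Minor -lt 1) {
            'EndOfLife'      # Exchange 2013 (15.0) and older: no hotfix exists, disconnect it
        } elseif (-not $MinimumBuild.ContainsKey($cuKey)) {
            'NeedsHotfix'    # supported product line but an older CU: move to the current CU + HU
        } elseif ($v.Revision -lt $MinimumBuild[$cuKey]) {
            'NeedsHotfix'    # correct CU, but the April 2025 HU (or later) is not installed
        } else {
            'Supported'
        }
        [pscustomobject]@{
            Server  = $Server.Name
            Version = '{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision
            Status  = $status
        }
    }
}

# Constructed sample inventory: stands in for Get-ExchangeServer so the script runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'EX2013-OLD'; AdminDisplayVersion = [version]'15.0.1497.48' }  # EndOfLife
    [pscustomobject]@{ Name = 'EX2016-A';   AdminDisplayVersion = [version]'15.1.2507.44' }  # NeedsHotfix
    [pscustomobject]@{ Name = 'EX2019-B';   AdminDisplayVersion = [version]'15.2.1748.24' }  # Supported
)
$sample | Test-ExchangeHybridBaseline | Format-Table -AutoSize

# In a real Exchange Management Shell session:
#   Get-ExchangeServer | Test-ExchangeHybridBaseline | Where-Object Status -ne 'Supported'
```

The version gate only covers the first three steps; once every server reports Supported, the remaining work is moving the tenant off the shared service principal to the dedicated Exchange hybrid application in Entra ID (Microsoft ships a script for this, `ConfigureExchangeHybridApplication.ps1`) and confirming with the Health Checker that the hybrid configuration now references it.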
2. Emergence of Soup Dealer Malware Researchers have identified "Soup Dealer," a highly evasive malware targeting Windows systems in Turkey through geo-fenced phishing campaigns. The malware uses a three-stage loader with heavy obfuscation, AES and RC4 encryption of its payloads, and Tor-based command and control; because it only runs on machines that pass its Turkey-specific locale checks, samples detonated in sandboxes outside that environment show no malicious behaviour, which is how it slipped past cloud sandboxes and antivirus. Capabilities include:
- Data exfiltration
- Remote access
- Email account propagation
- Privilege escalation
- DDoS attacks
Steve Dietz comments: “Soup Dealer underscores the weakness of cloud sandboxes” (00:48).
3. Google Patches Gemini AI Assistant Flaw Google has patched a significant vulnerability in its Gemini AI assistant as integrated with Google Workspace, Android, and connected services. The flaw was an indirect prompt injection: instructions hidden in the text of malicious Google Calendar invites were read by Gemini when the victim later asked it about their schedule, and Gemini then acted on them with the victim's own permissions, enabling attackers to:
- Wipe events
- Extract emails
- Track locations
- Control smart devices
- Join Zoom calls
The exploit required no special model access, only the ability to send the victim calendar invites, and could be executed with as few as six malicious invites. SafeBreach researchers discovered and reported the bug, which Google fixed before publication.
Dietz notes: “Google credited responsible disclosure for accelerating new defenses against such adversarial AI attacks” (00:48).
4. North Korean Espionage Group Shifts to Financial Crime The North Korean hacking group ScarCruft has pivoted from pure espionage to financial crime by deploying VCD ransomware against targets in South Korea. Its ChinopuNK subgroup used phishing emails disguised as postal code update notices, delivering multiple malware families, including:
- ChillyChino variants
- Data stealers
- NubSpy backdoors
This strategy reflects a trend of nation-state actors blending espionage with cybercrime to generate revenue amidst economic sanctions.
5. Russian RomCom Exploits WinRAR Zero-Day The Russian threat group RomCom (Storm-0978) exploited a WinRAR zero-day vulnerability, CVE-2025-8088, to conduct cyber espionage attacks on organizations in Europe and Canada. The path-traversal flaw allowed attackers to craft archives whose entries extract to attacker-defined locations outside the chosen output folder, giving them a way to plant persistence and deploy backdoors such as SnipBot and a Mythic agent. ESET discovered the exploitation and reported it to WinRAR's developers, who patched it in WinRAR 7.13, released July 30. Since WinRAR has no automatic update mechanism, installations remain vulnerable until users upgrade manually.
6. Linux Webcams Turned into Persistent Threats Eclypsium researchers demonstrated "BadCam," a variant of the BadUSB attack that exploits missing firmware signature validation in Lenovo webcams that run Linux internally. An attacker who already has remote code execution on the host can reflash the webcam's firmware over USB without physical access and turn the camera into a malicious USB device, enabling reinfection of the host even after the operating system is reinstalled, since the implant lives in the peripheral rather than on disk. Lenovo has released a firmware update to address this vulnerability.
7. The Franklin Project Enhances Cybersecurity for US Water Utilities Launched at DEFCON 2023 by Jake Braun, The Franklin Project leverages volunteer hackers to bolster cybersecurity in US water utilities. With 350 volunteers aiding five utilities across Indiana, Oregon, Utah, and Vermont, the project focuses on:
- Changing default passwords
- Enabling multi-factor authentication (MFA)
- Conducting asset inventories
- Performing operational technology (OT) assessments
- Network mapping
Supported by partners like Dragos and funded by Craig Newmark Philanthropies, the initiative aims to protect critical infrastructure against increasing threats from nation-states like China and Iran.
8. DARPA’s AI Cyber Challenge Winner Announced DARPA announced that Team Atlanta, a collaboration between Georgia Tech, Samsung Research, KAIST, and POSTECH, won its two-year AI Cyber Challenge and the $4 million top prize. The competition required teams to build autonomous systems that find and patch vulnerabilities in large open-source codebases without human intervention. Team Atlanta's success marks a significant advancement in AI-assisted vulnerability discovery and remediation, with implications for safeguarding critical infrastructure, including healthcare systems.
9. Extradition of Ghanaian Nationals for Massive Fraud Ring Three Ghanaian nationals have been extradited to the US and charged for orchestrating a fraud ring that defrauded over $100 million through romance scams and business email compromise (BEC) attacks between 2016 and May 2023. Operating from Ghana, they targeted vulnerable older Americans and US businesses, laundering stolen funds via domestic middlemen. Charges include conspiracy to commit wire fraud, money laundering, and receiving stolen money, carrying potential sentences of up to 20 years per major count.
Guest Interview: Steve Dietz on Cell-Based Security Operations Centers
Steve Dietz, President of ManTech's Federal Civilian Sector, discusses the innovative "cell-based SOC" model aimed at transforming traditional Security Operations Centers (SOCs).
Challenges in Traditional SOCs:
- Data Overload: SOC analysts manage enormous volumes of real-time network data, leading to high pressure and potential oversight.
- Tiered Structure Issues: Traditional tiered SOCs often suffer from delayed handoffs between tiers, inadequate decision-making by less experienced analysts, and high turnover rates.
Dietz explains: “SOC analysts have to deal with every day. Missing one could mean the impact of finding a threat… it's very key that these SOC analysts are on their toes” (17:13).
Cell-Based SOC Model: ManTech’s cell-based approach integrates tier one, two, and three analysts into cohesive units or "cells." Each cell manages the entire lifecycle of a security ticket, enhancing efficiency and reducing resolution times.
Key Benefits:
- Improved Workflow Efficiency: Eliminates delays between tiers, reducing backlogs.
- Enhanced Situational Awareness: Comprehensive oversight of each security incident.
- Career Development: Analysts receive accelerated training and professional growth opportunities.
- Cost Reduction: Lower operational costs while improving security outcomes.
Dietz emphasizes: “The cell-based model is radically more efficient than the traditional tiered model” (22:32).
Transitioning to a Cell-Based SOC: Implementing this model involves a cultural shift, including retraining staff, reorganizing SOC structures, and aligning tools with cell functions. The transition period can range from one to six months, depending on organizational complexity.
Dietz advises: “We focus on developing that whole employee and get them up the value chain so that they become more valuable” (26:04).
This transformative approach by ManTech promises to enhance national security by providing more efficient and reliable federal cybersecurity operations.
Additional Highlights
AI-Driven Medical Mishap: A 60-year-old man developed bromism after following dietary advice from ChatGPT, mistakenly substituting table salt with sodium bromide. This case underscores the importance of ensuring AI-generated advice is accurate and safe.
Dave Bittner concludes: “OpenAI now promises safe completions to prevent such culinary chemistry experiences from ending in 19th century diseases” (28:05).
Key Takeaways
- Urgent Patching Required: Federal agencies must address critical vulnerabilities in Microsoft Exchange to secure cloud environments.
- Evolving Threats: Malware like Soup Dealer and advanced exploits by state-sponsored groups highlight the dynamic nature of cyber threats.
- AI in Cybersecurity: Innovations from DARPA’s challenges and Google's responses indicate a growing role for AI in enhancing cybersecurity defenses.
- Community Efforts: Initiatives like The Franklin Project demonstrate the power of volunteerism in protecting critical infrastructure.
- Transformative SOC Models: ManTech’s cell-based approach offers a promising alternative to traditional SOC structures, improving efficiency and security outcomes.
For more detailed insights and the latest updates in cybersecurity, stay tuned to CyberWire Daily.
This summary was crafted based on the transcript provided from the podcast episode "Deadlines in the Cloud" of CyberWire Daily, hosted by N2K Networks.
