Dave Bittner
You're listening to the Cyberwire network powered by N2K.
Joe Kerrigan
And now a word from our sponsor, Cloudrange. At Cloudrange, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation-based training helps security teams build confidence and skill from day one by turning potential into performance. They empower SOC and incident response teams to respond quickly, smartly and in sync with evolving threats. Learn how Cloudrange is helping organizations stay ahead of cyber risks at www.cloudrange.com. We've got your Patch Tuesday update. An Iranian ransomware group puts a premium on US and Israeli targets. Batavia spyware targets Russia's industrial sector. HHS fines a Texas behavioral health firm for failed risk analysis. The Anatsa banking Trojan targets financial institutions in the US and Canada. Hackers abuse a legitimate commercial evasion framework to package infostealer payloads. Researchers discover malicious browser extensions infecting over 2.3 million users. Joe Kerrigan, my co-host on Hacking Humans, discusses phishing kits targeting CFOs. And can felines frustrate algorithms? Perhaps. It's Wednesday, July 9, 2025. I'm Dave Bittner and this is your Cyberwire Intel Brief. Thanks for joining us here today. It's great to have you with us. Microsoft's July 2025 Patch Tuesday includes fixes for 137 vulnerabilities, with one publicly disclosed zero-day in Microsoft SQL Server that could expose data from uninitialized memory due to improper input validation. This month's release addresses 53 elevation of privilege flaws, 41 remote code execution vulnerabilities, 18 information disclosures, eight security feature bypasses, six denial of service bugs, four spoofing issues, and a partridge in a pear tree. Fourteen vulnerabilities are rated critical, including multiple RCE flaws in Microsoft Office exploitable by opening malicious documents or using Preview Pane, as well as two AMD side-channel attack flaws.
Microsoft advises SQL Server admins to patch immediately and update OLEDB drivers. Notably, Office LTSC for Mac updates are delayed. Critical vulnerabilities also include an RCE in SharePoint. This Patch Tuesday does not include previously released fixes for Microsoft Edge and Mariner earlier this month. SAP's July 2025 Security Patch Day includes 27 new and four updated security notes addressing six critical vulnerabilities. Notably, an issue in Supplier Relationship Management was upgraded to a critical rating with a CVSS score of 10, as it allows unauthenticated OS command execution via insecure deserialization, and in Live Auction Cockpit, another critical flaw impacts S/4HANA and SCM, enabling full system takeover. Four critical insecure deserialization flaws in NetWeaver were also fixed. SAP urges immediate updates. Emerson disclosed multiple vulnerabilities in its ValveLink products prior to version 14.0, including critical flaws allowing remote exploitation with low complexity. One of the issues, with a CVSS of 9.3, allows unauthenticated OS command execution due to cleartext storage and insecure deserialization. Other issues include protection mechanism failure, uncontrolled search path, and improper input validation. Exploitation could expose sensitive data or allow unauthorized code execution. Users are urged to upgrade. CISA recommends network isolation, VPNs and standard ICS defense-in-depth practices. Iranian ransomware group Pay2Key.I2P is increasing payouts to affiliates targeting Israel and the US amid rising regional tensions. The group, linked to Iran's state-backed Fox Kitten cyber espionage group, now offers affiliates an 80% cut of ransom proceeds, up from 70%, for attacks against Iran's adversaries. Researchers at Morphisec report Pay2Key.I2P has collected over $4 million in the past four months and is motivated by both financial gain and ideology. The group promotes attacks as retaliation for military actions against Iran.
It recruits on Russian-speaking forums and reportedly collaborates with Mimic ransomware operators who use Conti gang code. Pay2Key.I2P claims over 50 successful attacks as of late June, although targets remain unconfirmed. U.S. officials warn of possible Iranian cyber retaliation following recent airstrikes on nuclear facilities. Hackers are targeting Russia's industrial sector with new spyware called Batavia, stealing internal documents, screenshots and system data. The campaign, active since July 2024, uses phishing emails posing as contracts to deliver the malware. According to Kaspersky, over 100 victims across dozens of Russian organizations have been infected. While the attackers remain unidentified, tactics suggest possible state-sponsored or organized cybercriminal involvement. This follows a wave of recent cyber operations against Russian firms, including Nova malware in February and Rare Wolf's attacks on chemical and pharmaceutical companies in December. RedLine Stealer targeted Russian businesses using unlicensed software. Analysts warn these attacks reflect growing cyber espionage linked to geopolitical tensions, with industrial and critical sectors in Russia and Ukraine facing heightened risk. Deer Oaks Behavioral Health in Texas was fined $225,000 by the U.S. Department of Health and Human Services after failing to conduct a thorough HIPAA risk analysis. The investigation began in May 2023 following a complaint that patient discharge summaries were publicly accessible online, exposing electronic protected health information of 35 patients from December 2021 through May 2023. The probe expanded after Deer Oaks suffered a ransomware attack in August 2023 affecting over 171,000 people. Hackers claim to have stolen data and demanded ransom. Regulators found Deer Oaks lacked an accurate risk analysis and required it to implement a corrective action plan with two years of monitoring. HHS
OCR emphasized that failing to identify risks remains a top enforcement priority for HIPAA compliance across healthcare providers and vendors. The Android banking Trojan Anatsa has launched a new campaign targeting financial institutions and app users in the US and Canada, ThreatFabric reports. Active since 2020, Anatsa steals banking credentials, logs keystrokes and conducts fraudulent transactions remotely. This recent attack disguised the malware in a legitimate-looking file reader app, which gained over 50,000 downloads before a malicious update was pushed in late June. The app ranked among the top free tools on the US Play Store before removal. Anatsa typically uses this two-stage strategy, first distributing a clean app, then injecting malware later. Its targets included a wider range of U.S. banking apps. Researchers warn future banking Trojans may deploy AI-personalized overlays, modular payloads and advanced MFA bypass techniques, increasing risks of account takeovers and financial loss. Hackers have abused a stolen licensed copy of Shellter Elite, a legitimate commercial evasion framework, to package infostealer payloads since late April of this year, Elastic Security Labs reports. Threat actors including Lumma, Arechclient2 and Rhadamanthys use Shellter to bypass anti-malware detection. Shellter confirmed the copy was leaked from a customer, but criticized Elastic for not notifying them sooner. The company delayed its next release to patch the abuse. Shellter Elite is typically sold only to vetted companies for security testing purposes. Researchers at Koi Security discovered 18 malicious browser extensions still available on Chrome and Edge, infecting over 2.3 million users. These extensions pose as productivity or entertainment tools like emoji keyboards, VPN proxies, volume boosters and video speed controllers. Though functional, they secretly track browsing activity and redirect users.
Dubbed RedDirection, the campaign operates via a centralized attack infrastructure despite extensions appearing to have separate operators. Initially clean to pass verification, the extensions later updated with malicious code without user input, sometimes years after release. Google and Microsoft even verified or featured several. Koi Security urges users to remove these extensions, clear browser data and run full malware scans. The findings were published on July 8 by researcher Idan Dardikman. Coming up after the break, my Hacking Humans co-host Joe Kerrigan discusses phishing kits targeting CFOs. And can felines frustrate algorithms? Perhaps. Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third-party risk, and even customer trust tasks, so you're not buried under spreadsheets and endless manual work. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC. Just imagine how much easier trust can be.
Visit vanta.com/cyber to sign up today for a free demo. That's v-a-n-t-a.com/cyber. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity: certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how. And joining me once again is Joe Kerrigan. He is my co-host over on the Hacking Humans podcast. Joe, welcome back. Hi Dave. You had an interesting story here you wanted to share about some folks using social engineering and other means to target CFOs. What's going on here, Joe?
Yeah, interesting. This is an interesting story. It comes from The Hacker News, and I guess we'll put a link in the show notes, but this is a really convoluted phishing scam going on where somebody will target a CFO of a bank or an insurance company or some other financial services company with a phishing email that impersonates a recruiter from Rothschild and Company.
Okay.
They say they offer a strategic opportunity with the company. So it's really enticing.
I can hear that phrase being said with a very posh British accent.
Right. A strategic opportunity.
Right, Right.
But what happens when you open the attachment is it's a zip file. The zip file includes a JavaScript function that has a URL that's encrypted, presumably to get around, you know, any kind of virus scanners that know what links are bad. Yeah. So once that encrypted data is loaded into memory, it is decrypted with a key that's hard-coded into the same file. So it's not sophisticated, but it's probably good enough to get around the virus checker, the antivirus software. Once you execute this JavaScript, it takes you to a website that has a CAPTCHA, which means that they're making sure that you're not a bot, like the Cloudflare or Google reCAPTCHA services. So they make you go through the process of proving that you're a human. And then this JavaScript file will download a Visual Basic file that then goes out and downloads another Visual Basic file that installs NetBird and OpenSSH, as well as creating an admin account and enabling Remote Desktop Protocol on your system. So it really pwns the person that falls for this phishing scam.
That's a lot of steps. I mean, it seems to me there's opportunities to thwart this along the way.
Yep. Something like application whitelisting would work, right, because that would stop the Visual Basic scripts from running. It would stop the Microsoft installers, because they're MSI files for the OpenSSH and the remote administration tool. The problem is you probably don't have intelligence that the website is bad because of the CAPTCHA. And the only way to get that is to actually manually add it to some system. And you just can't keep up with how fast the bad guys can outpace you there.
Right.
This CAPTCHA introduction thing is kind of a new thing that these phishing kits are offering. Further down the page in the article, it talks about this synergy between these two phishing groups. One is called Tycoon and the other one, I like this name, DadSec. Okay. Seems like a hacking group I should be part of, right? DadSec. Maybe GranddadSec now. Anyway, they're also known as Phoenix, and Microsoft tracks them as Storm-1575. They are part of a new phishing campaign that is phishing as a service. It's a platform, and there is some research from Trustwave, a couple of guys at Trustwave, that say that this is really impressive with how easy this is to set up. Bad guys pay about $2,000 a year. And there is, for this example, a Chinese-language kit that has already facilitated $280,000 worth of criminal transactions in the past five months. I'm going to bet that money is low. That's a low estimate. There's probably much more than that. But these systems are completely automated. So I mean, when I say completely automated, you don't even have to install anything. They say, here's your account on the cloud service, and you can just push a button and start phishing and getting money. So all you have to do is pay us $2,000 a year and then launder the money.
Right.
And they have a dashboard and everything. It's a high powered. It's amazing that the level.
The other thing that strikes me with this is the social engineering aspect of it that, you know, because they're coming at a chief financial officer with an offer from a very high profile, well respected company.
Yep.
That you have the, the notion of flattering them.
Flattering them. Correct.
But then also I could imagine that they would be hesitant to tell people that they fell for something because they might get questioned. Of what? Are you looking around for another job?
Yeah, that would be. I mean, but I mean, you could honestly say I was just curious about what was in there. I mean, be honest. I mean, Corey, you know, if you get approached from a, by a very prestigious company to, in your industry, I don't think it's embarrassing to say. Yeah, I was curious to see what would happen.
Right.
To see what the offer was.
Use it in your next salary negotiation.
Right, exactly. Yeah, exactly. Unless you're, you know, unless you're really concerned about, you know, I don't know, upcoming RIFs or something. Reductions of... Well, we should get rid of Joe because he's already looking for a job anyway.
Right, Right.
Yeah, but, yeah, but you're right. This is a, this is the second. The secondary part of this that may, may not be thought about a lot is that people, you know, once, once somebody realizes maybe I shouldn't have clicked on that, but what do I do? Do I call tech support and say I clicked on a recruiting link and, and exactly what you're talking about. I don't want to say that to somebody. So.
Yeah, right. Yeah. If it could slow it down. Yeah.
Yep.
All right, interesting. Well, we will have a link to that story in the show notes. Again, Joe Kerrigan is my co-host over on the Hacking Humans podcast, along with Maria Varmazis. Joe, thanks so much for joining us.
It's my pleasure, Dave.
And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Dave Bittner
With a Venmo debit card, you can Venmo more than just your friends. You can use your balance in so many ways. You can Venmo everything. Need gas? You can Venmo this. How about snacks? You can Venmo that. Your favorite band's merch? You can Venmo this or their next show? You can Venmo that. Visit Venmo Me Debit to learn more.
Joe Kerrigan
You can Venmo this or you can Venmo that. You can Venmo this or you can Venmo that.
Dave Bittner
The Venmo Mastercard is issued by The Bancorp Bank, N.A., pursuant to license by Mastercard International Incorporated. Card may be used everywhere Mastercard is accepted. Venmo purchase restrictions apply.
Joe Kerrigan
And finally, anyone who's worked from home with a cat knows the chaos they can bring: knocking over coffee, walking on keyboards, or helpfully sitting on your lap mid-Zoom call. Turns out cats can confuse AI too. A recent study found that adding irrelevant sentences like "cats sleep most of their lives" doubles the chance of AI giving wrong answers. Researchers call this CatAttack, an automated method to systematically mislead models using cute trivia, irrelevant financial advice, or suggestive questions like "Could the answer be close to 175?" That third type, misleading questions, proved most effective, boosting error rates and bloating responses to three times their normal length. Essentially, AI models get as distracted by random cat facts as humans do by actual cats. Researchers warn this vulnerability could have serious implications for models used in finance or law, though your cat would probably just call it job security. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of the summer. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Crogl is AI built for the enterprise SOC, fully private, schema-free and capable of running in sensitive air-gapped environments. Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter. Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows.
Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC operate at scale with precision and control. Learn more at crogl.com. That's C-R-O-G-L dot com.
Podcast Summary: CyberWire Daily - "Plug-ins Gone Rogue" (July 9, 2025)
Hosted by N2K Networks, CyberWire Daily delivers the latest in cybersecurity news and insights from industry leaders. In the July 9, 2025 episode titled "Plug-ins Gone Rogue," host Dave Bittner explores a range of critical security issues, including major software vulnerabilities, sophisticated ransomware campaigns, data breaches, and emerging threats in AI and malware. The episode also features an in-depth discussion with Joe Kerrigan on phishing tactics targeting financial executives.
a. Microsoft July 2025 Patch Tuesday
Timestamp: [02:30]
Microsoft's latest Patch Tuesday addressed a total of 137 vulnerabilities, including one publicly disclosed zero-day in Microsoft SQL Server. This vulnerability allows attackers to expose data from uninitialized memory due to improper input validation.
Dave Bittner highlights, "This Patch Tuesday includes fixes for 53 elevation of privilege flaws, 41 remote code execution vulnerabilities, 18 information disclosures, eight security feature bypasses, six denial of service bugs, four spoofing issues, and a partridge in a pear tree."
Fourteen vulnerabilities were rated critical, notably multiple Remote Code Execution (RCE) flaws in Microsoft Office that can be exploited via malicious documents. Microsoft urges SQL Server administrators to apply patches immediately and update OLEDB drivers, especially for Office LTSC for Mac.
b. SAP July 2025 Security Patch Day
Timestamp: [04:15]
SAP released 27 new and four updated security notes, addressing six critical vulnerabilities. A significant issue in supplier relationship management was escalated to a critical rating with a CVSS score of 10, enabling unauthenticated OS command execution via insecure deserialization.
Dave notes, "An issue in supplier relationship management was upgraded to a critical rating, allowing unauthenticated OS command execution via insecure deserialization."
Another critical flaw affects S4 HANA and SCM, permitting full system takeover. SAP recommends immediate updates to mitigate these risks.
c. Emerson ValveLink Vulnerabilities
Timestamp: [05:50]
Emerson disclosed multiple vulnerabilities in its ValveLink products prior to version 14.0. Among these, a critical flaw with a CVSS score of 9.3 allows unauthenticated OS command execution due to cleartext storage and insecure deserialization.
Dave emphasizes, "Exploitation could expose sensitive data or allow unauthorized code execution."
Users are strongly advised to upgrade, and the Cybersecurity and Infrastructure Security Agency (CISA) recommends network isolation, VPNs, and standard Industrial Control Systems (ICS) defense practices.
a. Iranian Ransomware Group Pay2Key.I2P
Timestamp: [07:10]
The Iranian group Pay2Key.I2P has intensified its ransomware activities targeting US and Israeli organizations. Linked to the state-backed Fox Kitten cyber espionage group, Pay2Key.I2P now offers affiliates an 80% share of ransom proceeds, up from 70%, when targeting Iran's adversaries.
Dave reports, "Pay2Key.I2P is increasing payouts to affiliates targeting Israel and the US amid rising regional tensions."
Researchers from Morphisec report that Pay2Key.I2P has amassed over $4 million in the past four months, driven by both financial gain and ideological motives. The group uses Russian-speaking forums for recruitment and collaborates with other ransomware operators using Conti gang code.
b. Batavia Spyware Targeting Russia's Industrial Sector
Timestamp: [09:45]
A new spyware variant, Batavia, is compromising Russian industrial entities by stealing internal documents, screenshots, and system data. Active since July 2024, the campaign employs phishing emails disguised as contractual agreements to deliver the malware.
Dave states, "Hackers are targeting Russia's industrial sector with new spyware called Batavia, stealing internal documents, screenshots, and system data."
Kaspersky estimates over 100 victims across various Russian organizations have been infected. The tactics suggest involvement by state-sponsored or organized cybercriminal groups, aligning with recent cyber operations against Russian firms such as the Nova malware and Rare Wolf campaigns.
Deer Oaks Behavioral Health Fined by HHS
Timestamp: [11:30]
Deer Oaks Behavioral Health, a Texas-based firm, was fined $225,000 by the U.S. Department of Health and Human Services (HHS) for failing to conduct a comprehensive HIPAA risk analysis. The investigation revealed that patient discharge summaries were publicly accessible online from December 2021 to May 2023, exposing electronic protected health information (ePHI) of 35 patients.
Dave reports, "Deer Oaks suffered a ransomware attack in August 2023 affecting over 171,000 people. Hackers claimed to have stolen data and demanded ransom."
The firm did not perform an accurate risk analysis and was mandated to implement a corrective action plan within two years. HHS emphasizes that identifying risks remains a top enforcement priority for HIPAA compliance among healthcare providers and vendors.
a. Anatsa Banking Trojan Campaign
Timestamp: [13:20]
The Anatsa Banking Trojan has launched a new campaign targeting financial institutions and app users in the US and Canada. Active since 2020, Anatsa is designed to steal banking credentials, log keystrokes, and execute fraudulent transactions remotely. This latest attack involved disguising the malware within a legitimate-looking file reader app, which amassed over 50,000 downloads before a malicious update was released in late June.
Dave highlights, "Researchers warn future banking Trojans may deploy AI personalized overlays, modular payloads and advanced MFA bypass techniques, increasing risks of account takeovers and financial loss."
The app, initially ranked among the top free tools on the US Play Store, was eventually removed. Anatsa employs a two-stage strategy: first distributing a clean app, then injecting malware through subsequent updates.
b. Abuse of Shellter Elite Evasion Framework
Timestamp: [15:05]
Hackers have been exploiting a stolen licensed copy of Shellter Elite, a legitimate commercial evasion framework, to package infostealer payloads since late April. Threat actors like Lumma, Arechclient2, and Rhadamanthys use Shellter Elite to bypass anti-malware detection.
Dave notes, "Hackers are abusing a stolen licensed copy of Shellter Elite to package infostealer payloads, making it harder for security software to detect malicious activities."
Shellter Elite, intended for vetted companies for security testing, was compromised when a customer leaked a copy. Shellter responded by delaying its next release to address the abuse.
Timestamp: [16:40]
Researchers at Koi Security discovered 18 malicious browser extensions available on Chrome and Edge, infecting over 2.3 million users. These extensions masquerade as productivity or entertainment tools, such as emoji keyboards, VPN proxies, volume boosters, and video speed controllers.
Dave explains, "Though functional, they secretly track browsing activity and redirect users." The campaign, dubbed RedDirection, operates through a centralized attack infrastructure, even though the extensions appear to have separate operators. Initially, the extensions were clean to pass verification but later received updates with malicious code without user consent, sometimes years after their initial release.
Google and Microsoft had verified or featured several of these extensions, complicating their removal. Koi Security advises users to remove these extensions, clear browser data, and perform full malware scans. The findings were published on July 8 by researcher Idan Dardikman.
Timestamp: [17:50]
In a segment with co-host Joe Kerrigan, the discussion centers on sophisticated phishing scams targeting Chief Financial Officers (CFOs) in financial services companies.
Joe details the scam, "Somebody will target a CFO with a phishing email impersonating a recruiter from Rothschild and Company, offering a strategic opportunity to entice them." The email includes a zip file containing a JavaScript function with an encrypted URL to evade virus scanners; the URL is decrypted in memory with a key hard-coded in the same file. Upon execution, it redirects to a website with a CAPTCHA to ensure the user is human, before downloading malicious Visual Basic files that install NetBird and OpenSSH, create an admin account, and enable Remote Desktop Protocol (RDP), effectively compromising the system.
Dave observes that the many steps in the chain offer opportunities to thwart it along the way, and Joe suggests application whitelisting, which would block both the Visual Basic scripts and the MSI installers. However, he notes the difficulty of maintaining intelligence on the malicious website: the CAPTCHA gate makes it unlikely to be flagged automatically, and manually adding it to a blocklist cannot keep pace with the attackers.
The discussion also touches on the social engineering aspect, where executives may feel hesitant to report falling for such scams due to concerns over reputational damage or job security.
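One way a defender might look for that chain in endpoint telemetry, as an added example that is not from the podcast or the article it cites: it assumes Sysmon-style process-creation events flattened to `timestamp|host|user|command line` lines (constructed below) and uses its own stage names and illustrative regexes, not any vendor's rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage patterns, in the order the chain unfolds, matched against the
# lowercased command line. Any single hit is noisy on its own (admins run
# msiexec and net.exe too); the signal is several stages on one host within
# a short window.
STAGES = [
    ("js_from_archive", re.compile(r"wscript\.exe.*\\temp\\.*\.js\b")),
    ("vbs_downloader", re.compile(r"(wscript|cscript)\.exe.*\.vbs\b")),
    ("remote_tool_install", re.compile(r"msiexec\.exe.*(netbird|openssh)")),
    ("admin_account", re.compile(
        r"net1?\.exe.*(user .*/add|localgroup administrators.*/add)")),
    ("rdp_enabled", re.compile(r"reg\.exe.*fdenytsconnections.*/d 0")),
]
STAGE_ORDER = [name for name, _ in STAGES]
WINDOW = timedelta(minutes=30)   # assumption: the whole chain runs in minutes
MIN_STAGES = 3                   # alert once three distinct stages are seen


def parse(line):
    """Parse 'ISO-timestamp|host|user|command line'. Returns None for junk."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, user, cmd = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "host": host,
                "user": user, "cmd": cmd}
    except ValueError:
        return None


def classify(cmd):
    """Names of every stage pattern the command line matches (usually 0 or 1)."""
    low = cmd.lower()
    return [name for name, rx in STAGES if rx.search(low)]


def detect(lines):
    """Return {host: [stages in chain order]} for hosts showing at least
    MIN_STAGES distinct stages inside any WINDOW-long span."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        for stage in classify(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(seen) >= MIN_STAGES:
                alerts[host] = sorted(seen, key=STAGE_ORDER.index)
                break
    return alerts


# Constructed sample telemetry: one victim walking the full chain, one
# developer legitimately installing OpenSSH, and a malformed line.
SAMPLE = [
    r'2025-07-09T14:00:05|cfo-laptop|CORP\cfo|"C:\Windows\System32\wscript.exe" "C:\Users\cfo\AppData\Local\Temp\Offer.zip\Offer.js"',
    r'2025-07-09T14:00:40|cfo-laptop|CORP\cfo|wscript.exe "C:\Users\cfo\AppData\Local\Temp\update.vbs"',
    r'2025-07-09T14:01:10|cfo-laptop|CORP\cfo|msiexec.exe /i C:\Users\cfo\AppData\Local\Temp\netbird.msi /qn',
    r'2025-07-09T14:01:30|cfo-laptop|CORP\cfo|net.exe user svc_support Passw0rd! /add',
    r'2025-07-09T14:01:45|cfo-laptop|CORP\cfo|reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'2025-07-09T09:15:00|dev-box|CORP\dev|msiexec.exe /i C:\installers\OpenSSH-Win64.msi /qn',
    "not|a|valid line",
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE).items():
        print(f"ALERT {host}: {' -> '.join(stages)}")
```

The developer host never alerts because a single stage is expected background noise; tune WINDOW and MIN_STAGES to your environment.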
Timestamp: [21:00]
The episode concludes with an exploration of a recent study revealing that adding irrelevant sentences, such as cat facts, can significantly mislead AI models.
Dave summarizes, "Researchers found that introducing sentences like 'cats sleep most of their lives' doubles the chance of AI giving wrong answers." Termed CatAttack, these manipulations involve adding cute trivia, irrelevant financial advice, or suggestive questions like "Could the answer be close to 175?"
The study indicates that such distractions can increase AI error rates and bloat responses to three times their normal length. This vulnerability poses serious risks for AI applications in critical fields like finance and law, although it humorously suggests that actual cats may now have job security as a result.
The "Plug-ins Gone Rogue" episode of CyberWire Daily presents a comprehensive overview of the current cybersecurity landscape, highlighting significant software vulnerabilities, evolving ransomware tactics, data compliance failures, and innovative malware strategies. The in-depth conversation with Joe Kerrigan sheds light on the increasing sophistication of phishing attacks targeting financial executives, while the discussion on AI vulnerabilities underscores the need for robust defenses against emerging threats. Listeners are encouraged to stay informed and proactive in bolstering their cybersecurity measures amidst these dynamic challenges.
For more detailed discussions and updates on these topics, visit CyberWire Daily.