Podcast Summary: CyberWire Daily - "Plug-ins Gone Rogue" (July 9, 2025)
Hosted by N2K Networks, CyberWire Daily delivers the latest in cybersecurity news and insights from industry leaders. In the July 9, 2025 episode titled "Plug-ins Gone Rogue," host Dave Bittner explores a range of critical security issues, including major software vulnerabilities, sophisticated ransomware campaigns, data breaches, and emerging threats in AI and malware. The episode also features an in-depth discussion with Joe Carrigan on phishing tactics targeting financial executives.
1. Software Vulnerabilities
a. Microsoft July 2025 Patch Tuesday
Timestamp: [02:30]
Microsoft's latest Patch Tuesday addressed a total of 137 vulnerabilities, including one publicly disclosed zero-day in Microsoft SQL Server. This vulnerability allows attackers to expose data from uninitialized memory due to improper input validation.
Dave Bittner highlights, "This Patch Tuesday includes fixes for 53 elevation of privilege flaws, 41 remote code execution vulnerabilities, 18 information disclosures, eight security feature bypasses, six denial of service bugs, four spoofing issues, and a partridge in a pear tree."
Fourteen vulnerabilities were rated critical, notably multiple Remote Code Execution (RCE) flaws in Microsoft Office that can be exploited via malicious documents. Microsoft urges SQL Server administrators to apply patches immediately and update OLE DB drivers, especially for Office LTSC for Mac.
b. SAP July 2025 Security Patch Day
Timestamp: [04:15]
SAP released 27 new and four updated security notes, addressing six critical vulnerabilities. A significant issue in SAP Supplier Relationship Management (SRM) was escalated to a critical rating with a CVSS score of 10, enabling unauthenticated OS command execution via insecure deserialization.
Dave notes, "An issue in supplier relationship management was upgraded to a critical rating, allowing unauthenticated OS command execution via insecure deserialization."
Another critical flaw affects S/4HANA and SCM, permitting full system takeover. SAP recommends immediate updates to mitigate these risks.
c. Emerson ValveLink Vulnerabilities
Timestamp: [05:50]
Emerson disclosed multiple vulnerabilities in its ValveLink products prior to version 14.0. Among these, a critical flaw with a CVSS score of 9.3 allows unauthenticated OS command execution due to cleartext storage and insecure deserialization.
Dave emphasizes, "Exploitation could expose sensitive data or allow unauthorized code execution."
Users are strongly advised to upgrade, and the Cybersecurity and Infrastructure Security Agency (CISA) recommends network isolation, VPNs, and standard Industrial Control Systems (ICS) defense practices.
2. Ransomware and Cyber Threats
a. Iranian Ransomware Group Pay2Key.I2P
Timestamp: [07:10]
The Iranian group Pay2Key.I2P has intensified its ransomware activities targeting US and Israeli organizations. Linked to the state-backed Fox Kitten cyber-espionage group, Pay2Key.I2P now offers affiliates an 80% share of ransom proceeds, up from 70%, when targeting Iran's adversaries.
Joe Carrigan discusses, "Pay2Key.I2P is increasing payouts to affiliates targeting Israel and the US amid rising regional tensions."
Researchers from Morphisec report that Pay2Key.I2P has amassed over $4 million in the past four months, driven by both financial gain and ideological motives. The group uses Russian-speaking forums for recruitment and collaborates with other ransomware operators using Conti gang code.
b. Batavia Spyware Targeting Russia's Industrial Sector
Timestamp: [09:45]
A new spyware variant, Batavia, is compromising Russian industrial entities by stealing internal documents, screenshots, and system data. Active since July 2024, the campaign employs phishing emails disguised as contractual agreements to deliver the malware.
Dave states, "Hackers are targeting Russia's industrial sector with new spyware called Batavia, stealing internal documents, screenshots, and system data."
Kaspersky estimates over 100 victims across various Russian organizations have been infected. The sophisticated tactics suggest involvement by state-sponsored or organized cybercriminal groups, aligning with recent cyber operations against Russian firms like Nova Malware and Rare Wolf.
3. Data Breaches and Compliance
Deer Oaks Behavioral Health Fined by HHS
Timestamp: [11:30]
Deer Oaks Behavioral Health, a Texas-based firm, was fined $225,000 by the U.S. Department of Health and Human Services (HHS) for failing to conduct a comprehensive HIPAA risk analysis. The investigation revealed that patient discharge summaries were publicly accessible online from December 2021 to May 2023, exposing electronic protected health information (ePHI) of 35 patients.
Dave reports, "Deer Oaks suffered a ransomware attack in August 2023 affecting over 171,000 people. Hackers claimed to have stolen data and demanded ransom."
The firm did not perform an accurate risk analysis and was mandated to implement a corrective action plan within two years. HHS emphasizes that identifying risks remains a top enforcement priority for HIPAA compliance among healthcare providers and vendors.
4. Banking Trojans and Malware
a. Anatsa Banking Trojan Campaign
Timestamp: [13:20]
The Anatsa Banking Trojan has launched a new campaign targeting financial institutions and app users in the US and Canada. Active since 2020, Anatsa is designed to steal banking credentials, log keystrokes, and execute fraudulent transactions remotely. This latest attack involved disguising the malware within a legitimate-looking file reader app, which amassed over 50,000 downloads before a malicious update was released in late June.
Dave highlights, "Researchers warn future banking Trojans may deploy AI personalized overlays, modular payloads and advanced MFA bypass techniques, increasing risks of account takeovers and financial loss."
The app, initially ranked among the top free tools on the US Play Store, was eventually removed. Anatsa employs a two-stage strategy: first distributing a clean app, then injecting malware through subsequent updates.
b. Abuse of Shellter Elite Evasion Framework
Timestamp: [15:05]
Hackers have been exploiting a stolen licensed copy of Shellter Elite, a legitimate commercial evasion framework, to package infostealer payloads since late April. Stealer families such as Lumma, Arechclient2, and Rhadamanthys have been packaged with Shellter Elite to bypass anti-malware detection.
Joe Carrigan notes, "Hackers are abusing a stolen licensed copy of Shellter Elite to package infostealer payloads, making it harder for security software to detect malicious activities."
Shellter Elite, intended for vetted companies for security testing, was compromised when a customer leaked a copy. Shellter responded by delaying its next release to address the abuse.
5. Malicious Browser Extensions
Timestamp: [16:40]
Researchers at Koi Security discovered 18 malicious browser extensions available on Chrome and Edge, infecting over 2.3 million users. These extensions masquerade as productivity or entertainment tools, such as emoji keyboards, VPN proxies, volume boosters, and video speed controllers.
Dave explains, "Though functional, they secretly track browsing activity and redirect users." The campaign, dubbed RedDirection, operates through a centralized attack infrastructure, even though the extensions appear to have separate operators. Initially, the extensions were clean to pass verification but later received updates with malicious code without user consent, sometimes years after their initial release.
Google and Microsoft had verified or featured several of these extensions, complicating their removal. Koi Security advises users to remove these extensions, clear browser data, and perform full malware scans. The findings were published on July 8 by researcher Idan Dardikman.
6. Interview with Joe Carrigan: Phishing Kits Targeting CFOs
Timestamp: [17:50]
In a segment with co-host Joe Carrigan, the discussion centers on sophisticated phishing scams targeting Chief Financial Officers (CFOs) in financial services companies.
Joe details the scam, "Somebody will target a CFO with a phishing email impersonating a recruiter from Rothschild and Company, offering a strategic opportunity to entice them." The email includes a zip file containing a JavaScript file with an encrypted URL to evade virus scanners. Upon execution, it redirects to a website with a CAPTCHA to ensure the user is human, before downloading malicious Visual Basic scripts that install NetBird and OpenSSH, create an admin account, and enable Remote Desktop Protocol (RDP), effectively compromising the system.
Joe emphasizes the layered complexity of the attack, "There are opportunities to thwart this along the way, such as application whitelisting to prevent Visual Basic scripts from running." However, he notes the challenge in maintaining intelligence on malicious websites due to the rapidly evolving tactics of attackers.
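The chain Joe describes leaves a recognisable trail of host events (a script host launching, new services for NetBird and OpenSSH, a new local account promoted to Administrators, RDP switched on). The following correlator is an added example, not code from the episode or from N2K: it runs over a handful of constructed Windows event records and raises one alert per host where enough stages of that chain land inside a short time window. The event IDs (4688, 7045, 4720, 4732, 4657) are the standard Windows Security/System log IDs; the `detail` field format, host names and thresholds are assumptions for the sample and would be mapped to a real log pipeline's fields.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the podcast). One dict per record; `detail`
# is a flattened summary of the event's data fields.
SAMPLE_EVENTS = [
    {"ts": "2025-07-09T10:00:05", "host": "fin-cfo-laptop", "event_id": 4688,
     "detail": "wscript.exe C:\\Users\\cfo\\Downloads\\offer.vbs"},
    {"ts": "2025-07-09T10:00:40", "host": "fin-cfo-laptop", "event_id": 7045,
     "detail": "service=NetBird"},
    {"ts": "2025-07-09T10:01:02", "host": "fin-cfo-laptop", "event_id": 7045,
     "detail": "service=sshd"},
    {"ts": "2025-07-09T10:01:30", "host": "fin-cfo-laptop", "event_id": 4720,
     "detail": "account=support"},
    {"ts": "2025-07-09T10:01:31", "host": "fin-cfo-laptop", "event_id": 4732,
     "detail": "group=Administrators member=support"},
    {"ts": "2025-07-09T10:02:10", "host": "fin-cfo-laptop", "event_id": 4657,
     "detail": "key=HKLM\\...\\Terminal Server value=fDenyTSConnections data=0"},
    # Benign noise: a single stage on its own should not alert.
    {"ts": "2025-07-09T11:00:00", "host": "build-server", "event_id": 7045,
     "detail": "service=sshd"},
    {"ts": "2025-07-09T09:00:00", "host": "hr-desktop", "event_id": 4720,
     "detail": "account=intern"},
]

# Stage rules: (stage name, Windows event ID, regex over the detail field).
STAGE_RULES = [
    ("script_host_launch", 4688, re.compile(r"\b(wscript|cscript)\.exe\b", re.I)),
    ("remote_access_service", 7045, re.compile(r"service=(netbird|sshd)\b", re.I)),
    ("local_account_created", 4720, re.compile(r"account=")),
    ("added_to_administrators", 4732, re.compile(r"group=Administrators\b")),
    ("rdp_enabled", 4657, re.compile(r"fDenyTSConnections.*data=0\b")),
]


def classify_stage(event):
    """Return the chain stage an event belongs to, or None if it is unrelated."""
    for name, event_id, pattern in STAGE_RULES:
        if event["event_id"] == event_id and pattern.search(event["detail"]):
            return name
    return None


def correlate(events, window_minutes=30, min_stages=3):
    """Per host, find the window of `window_minutes` that covers the most
    distinct chain stages; emit one alert per host reaching `min_stages`.
    Requiring several distinct stages keeps routine service installs or
    account creations from alerting on their own."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in events:
        stage = classify_stage(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        by_host.setdefault(ev["host"], []).append((ts, stage))

    alerts = []
    for host, tagged in by_host.items():
        tagged.sort()
        best, best_span = set(), None
        for i, (start, _) in enumerate(tagged):
            seen, end = set(), start
            for ts, stage in tagged[i:]:
                if ts - start > window:
                    break
                seen.add(stage)
                end = ts
            if len(seen) > len(best):
                best, best_span = seen, (start, end)
        if len(best) >= min_stages:
            alerts.append({
                "host": host,
                "stages": sorted(best),
                "first_seen": best_span[0].isoformat(),
                "last_seen": best_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data the CFO laptop hits all five stages within about two minutes and produces a single alert, while the lone sshd install on the build server and the new account on the HR desktop stay silent. In practice the stage list is the tuning point: the script-host stage is exactly what the application allowlisting Joe mentions would block, so an alert that lacks it but still shows the remote-access and admin-account stages is worth the same attention.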
The discussion also touches on the social engineering aspect, where executives may feel hesitant to report falling for such scams due to concerns over reputational damage or job security.
7. AI Vulnerabilities: Cat Attacks
Timestamp: [21:00]
The episode concludes with an exploration of a recent study revealing that adding irrelevant sentences, such as cat facts, can significantly mislead AI models.
Dave summarizes, "Researchers found that introducing sentences like 'cats sleep most of their lives' doubles the chance of AI giving wrong answers." Termed cat attacks, these manipulations involve adding cute trivia, irrelevant financial advice, or suggestive questions like "Could the answer be close to 175?"
The study indicates that such distractions can increase AI error rates and bloat responses to three times their normal length. This vulnerability poses serious risks for AI applications in critical fields like finance and law, although it humorously suggests that actual cats may now have job security as a result.
Conclusion
The "Plug-ins Gone Rogue" episode of CyberWire Daily presents a comprehensive overview of the current cybersecurity landscape, highlighting significant software vulnerabilities, evolving ransomware tactics, data compliance failures, and innovative malware strategies. The in-depth conversation with Joe Carrigan sheds light on the increasing sophistication of phishing attacks targeting financial executives, while the discussion on AI vulnerabilities underscores the need for robust defenses against emerging threats. Listeners are encouraged to stay informed and proactive in bolstering their cybersecurity measures amidst these dynamic challenges.
For more detailed discussions and updates on these topics, visit CyberWire Daily.
