CyberWire Daily - Plug-ins gone rogue.
Episode Date: July 9, 2025
Patch Tuesday. An Iranian ransomware group puts a premium on U.S. and Israeli targets. Batavia spyware targets Russia's industrial sector. HHS fines a Texas behavioral health firm for failed risk analysis. The Anatsa banking trojan targets financial institutions in the U.S. and Canada. Hackers abuse a legitimate commercial evasion framework to package infostealer payloads. Researchers discovered malicious browser extensions infecting over 2.3 million users. Joe Carrigan, co-host on Hacking Humans, discusses phishing kits targeting CFOs. Can felines frustrate algorithms? Purr-haps…
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Today we are joined by Joe Carrigan, a co-host of Hacking Humans, as he discusses phishing kits targeting CFOs.
Selected Reading
Microsoft July 2025 Patch Tuesday fixes one zero-day, 137 flaws (Bleeping Computer)
SAP Patches Critical Flaws That Could Allow Remote Code Execution, Full System Takeover (SecurityWeek)
CISA Releases One Industrial Control Systems Advisory (CISA)
Iranian ransomware group offers bigger payouts for attacks on Israel, US (The Record)
New spyware strain steals data from Russian industrial companies (The Record)
Mental Health Provider Fined $225K for Lack of Risk Analysis (BankInfo Security)
Anatsa mobile malware returns to victimize North American bank customers (The Record)
Legitimate Shellter Pen-Testing Tool Used in Malware Attacks (SecurityWeek)
Researchers Reveal 18 Malicious Chrome and Edge Extensions Disguised as Everyday Tools (Infosecurity Magazine)
Cat content disturbs AI models (Computerworld)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
And now a word from our sponsor, CloudRange. At CloudRange, they believe cybersecurity readiness starts with people, not just technology. That's why their proactive simulation-based training helps security teams build confidence and skill from day one. By turning potential into performance, they empower SOC and incident response teams to respond quickly, smartly, and in sync with evolving threats. Learn how CloudRange is helping organizations stay ahead of cyber risks at www.cloudrange.com.
We've got your Patch Tuesday update. An Iranian ransomware group puts a premium on US and Israeli targets. Batavia spyware targets Russia's industrial sector. HHS fines a Texas behavioral health firm for failed risk analysis. The Anatsa banking trojan targets financial institutions in the US and Canada. Hackers abuse a legitimate commercial evasion framework to package infostealer payloads. Researchers discover malicious browser extensions infecting over 2.3 million users. Joe Carrigan, my co-host on Hacking Humans, discusses phishing kits targeting CFOs. And can felines frustrate algorithms? Purr-haps?
It's Wednesday, July 9th, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Microsoft's July 2025 Patch Tuesday includes fixes for 137 vulnerabilities, with one publicly disclosed zero-day in Microsoft SQL Server that could expose data from uninitialized memory due to improper input validation. This month's release addresses 53 elevation of privilege flaws, 41 remote code execution vulnerabilities, 18 information disclosures, 8 security feature bypasses, 6 denial of service bugs, 4 spoofing issues, and a partridge in a pear tree. Fourteen vulnerabilities are rated critical, including multiple RCE flaws in Microsoft Office exploitable by opening malicious documents or using the preview pane, as well as two AMD side-channel attack flaws. Microsoft advises SQL Server admins to patch immediately and update OLE DB drivers. Notably, Office LTSC for Mac updates are delayed. Critical vulnerabilities also include an RCE in SharePoint. This Patch Tuesday does not include the fixes for Microsoft Edge and Mariner that were released earlier this month.
SAP's July 2025 Security Patch Day includes 27 new and four updated security notes, addressing six critical vulnerabilities. Notably, an issue in Supplier Relationship Management was upgraded to a critical rating with a CVSS score of 10, as it allows unauthenticated OS command execution via insecure deserialization in Live Auction Cockpit. Another critical flaw impacts S/4HANA and SCM, enabling full system takeover. Four critical insecure deserialization flaws in NetWeaver were also fixed. SAP urges immediate updates.
Emerson disclosed multiple vulnerabilities in its ValveLink products prior to version 14.0, including critical flaws allowing remote exploitation with low complexity. One of the issues, with a CVSS of 9.3, allows unauthenticated OS command execution due to cleartext storage and insecure deserialization. Other issues include protection mechanism failure, uncontrolled search path, and improper input validation. Exploitation could expose sensitive data or allow unauthorized code execution. Users are urged to upgrade. CISA recommends network isolation, VPNs, and standard ICS defense-in-depth practices.
Iranian ransomware group Pay2Key.I2P is increasing payouts to affiliates targeting Israel and the U.S. amid rising regional tensions. The group, linked to Iran's state-backed Fox Kitten cyberespionage group, now offers affiliates an 80% cut of ransom proceeds, up from 70%, for attacks against Iran's adversaries. Researchers at Morphisec report Pay2Key.I2P has collected over $4 million in the past four months and is motivated by both financial gain and ideology. The group promotes attacks as retaliation for military actions against Iran. It recruits on Russian-speaking forums and reportedly collaborates with Mimic ransomware operators who use Conti gang code. Pay2Key.I2P claims over 50 successful attacks as of late June, although targets remain unconfirmed. U.S. officials warn of possible Iranian cyber retaliation following recent airstrikes on nuclear facilities.
Hackers are targeting Russia's industrial sector with new spyware called Batavia, stealing internal documents, screenshots, and system data. The campaign, active since July 2024, uses phishing emails posing as contracts to deliver the malware, according to Kaspersky. Over 100 victims across dozens of Russian organizations have been infected. While the attackers remain unidentified, tactics suggest possible state-sponsored or organized cybercriminal involvement. This follows a wave of recent cyber operations against Russian firms, including Nova malware in February and Rare Wolf attacks on chemical and pharmaceutical companies. In December, RedLine Stealer targeted Russian businesses using unlicensed software. Analysts warn these attacks reflect growing cyber espionage linked to geopolitical tensions, with industrial and critical sectors in Russia and Ukraine facing heightened risk.
Deer Oaks Behavioral Health in Texas was fined $225,000 by the U.S. Department of Health and Human Services after failing to conduct a thorough HIPAA risk analysis. The investigation began in May 2023 following a complaint that patient discharge summaries were publicly accessible online, exposing electronic protected health information of 35 patients from December 2021 through May 2023. The probe expanded after Deer Oaks suffered a ransomware attack in August 2023, affecting over 171,000 people. Hackers claimed to have stolen data and demanded ransom. Regulators found Deer Oaks lacked an accurate risk analysis and required it to implement a corrective action plan with two years of monitoring. HHS OCR emphasized that failing to identify risks remains a top enforcement priority for HIPAA compliance across healthcare providers and vendors.
The Android banking trojan Anatsa has launched a new campaign targeting financial institutions and app users in the U.S. and Canada, ThreatFabric reports. Active since 2020, Anatsa steals banking credentials, logs keystrokes, and conducts fraudulent transactions via remote access. This recent attack disguised the malware in a legitimate-looking file reader app, which gained over 50,000 downloads before a malicious update was pushed in late June. The app ranked among the top free tools on the U.S. Play Store before removal. Anatsa typically uses this two-stage strategy, first distributing a clean app, then injecting malware later. Its targets included a wider range of U.S. banking apps. Researchers warn future banking trojans may deploy AI-personalized overlays, modular payloads, and advanced MFA bypass techniques, increasing risks of account takeovers and financial loss.
Hackers have abused a stolen, licensed copy of Shellter Elite, a legitimate commercial evasion framework, to package infostealer payloads since late April of this year, Elastic Security Labs reports. Threat actors including Lumma, ArechClient2, and Rhadamanthys used Shellter to bypass anti-malware detection. Shellter confirmed the copy was leaked from a customer but criticized Elastic for not notifying them sooner. The company delayed its next release to patch the abuse. Shellter Elite is typically sold only to vetted companies for security testing purposes.
Researchers at Koi Security discovered 18 malicious browser extensions still available on Chrome and Edge, infecting over 2.3 million users. These extensions pose as productivity or entertainment tools like emoji keyboards, VPN proxies, volume boosters, and video speed controllers. Though functional, they secretly track browsing activity and redirect users. Dubbed RedDirection, the campaign operates via a centralized attack infrastructure despite the extensions appearing to have separate operators. Initially clean to pass verification, the extensions were later updated with malicious code without user input, sometimes years after release. Google and Microsoft even verified or featured several. Koi Security urges users to remove these extensions, clear browser data, and run full malware scans. The findings were published on July 8 by researcher Idan Dardikman.
Coming up after the break, my Hacking Humans co-host Joe Carrigan discusses phishing kits targeting CFOs. And can felines frustrate algorithms? Purr-haps?
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas, compliance, internal and third-party risk, and even customer trust, so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's vanta.com slash cyber.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads, across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.
And joining me once again is Joe Carrigan. He is my co-host over on the Hacking Humans podcast. Joe, welcome back.
Hi, Dave.
You had an interesting story here you wanted to share about some folks using social engineering and other means to target CFOs. What's going on here, Joe?
Yeah, interesting. This is an interesting story. It comes from The Hacker News, and I guess we'll put a link in the show notes, but this is a really convoluted phishing scam going on where somebody will target a CFO of a bank or an insurance company or some other financial services company with a phishing email that impersonates a recruiter from Rothschild and Company.
Okay.
They say they offer a strategic opportunity with the company.
So it's really enticing. I can hear that phrase being said with a very posh British accent.
Right, a strategic opportunity.
Right, right.
But what happens when you open the attachment is, it's a zip file. The zip file includes a JavaScript function that has a URL that's encrypted, presumably to get around, you know, any kind of virus scanners that know what links are bad. So once that URL, that encrypted data, is loaded into memory, it is decrypted with a key that's hard-coded into the same file. So it's not sophisticated, but it's probably good enough to get around the virus checker, or the antivirus software. Once you execute this JavaScript, it takes you to a website that has a CAPTCHA, which means that they're making sure that you're not a bot, like the Cloudflare or Google reCAPTCHA services. So they make you go through the process of proving that you're a human, and then this file, this JavaScript file, will download a Visual Basic file that then goes out and downloads another Visual Basic file that installs NetBird and OpenSSH, as well as creating an admin account and enabling Remote Desktop Protocol on your system. So it really pwns the person that falls for this phishing scam.
That's a lot of steps. I mean, it seems to me there's opportunities to thwart this along the way.
Yep, something like application whitelisting would work, right, because that would stop the Visual Basic scripts from running. It would stop the Microsoft installers, because they're MSI files, for the OpenSSH and the remote administration tool. The problem is you probably don't have intelligence that the website is bad, because of the CAPTCHA. The only way to get that is to actually manually add it to some system. You just can't keep up with how fast the bad guys can outpace you there. This CAPTCHA introduction thing is kind of a new thing that these phishing kits are offering. Further down this page in the article, it talks about this synergy between these two phishing groups. One is called Tycoon, and the other one, I like this name, DadSec.
Okay.
Seems like a hacking group I should be part of, right? DadSec, maybe GrandDadSec now. Anyway, they're also known as Phoenix, and Microsoft tracks them as Storm-1575. They are part of a new phishing campaign that is phishing as a service, and it's a platform. And there is some research from Trustwave, a couple of guys at Trustwave, that say that this is really impressive with how easy this is to set up. Bad guys pay about $2,000 a year, and there is, for this example, a Chinese language kit that has already facilitated $280,000 worth of criminal transactions in the past five months. I'm gonna bet that money is low. That's a low estimate. There's probably much more than that. But these systems are completely automated. So I mean, when I say completely automated, you don't even have to install anything. They say, here's your account on the cloud service, and you can just push a button and start phishing and getting money.
So all you have to do is pay us $2,000 a year and then launder the money.
Right. And they have a dashboard and everything.
It's high-powered. It's amazing.
Yeah.
The other thing that strikes me with this is the social engineering aspect of it. That, you know, because they're coming at a chief financial officer with an offer from a very high-profile, well-respected company, you have the notion of flattering them.
Flattering them, correct.
But then also I could imagine that they would be hesitant to tell people that they fell for something, because they might get questioned of, well, who are you, looking around for another job?
Yeah, that would be. But I mean, you could honestly say, I was just curious about what was in there. I mean, be honest. I mean, of course, you know, if you get approached by a very prestigious company in your industry, I don't think it's embarrassing to say, yeah, I was curious to see what would happen.
Right. To see what the offer was. Use it in your next salary negotiation.
Right. Exactly.
Yeah, exactly. Unless you're really concerned about, I don't know, upcoming RIFs or something, reductions of, well, we should get rid of Joe because he's already looking for a job anyway.
Right, right. Yeah, but you're right. This is the secondary part of this that may not be thought about a lot, is that people, you know, once somebody realizes, maybe I shouldn't have clicked on that, but what do I do? Do I call tech support and say, I clicked on a recruiting link, and exactly what you're talking about? I don't wanna say that to somebody.
Right. Right. Yeah, if you could slow it down. Yeah. Yep.
All right. Interesting. Well, we will have a link to that story in the show notes. Again, Joe Carrigan is my co-host over on the Hacking Humans podcast, along with Maria Varmazis.
Joe, thanks so much for joining us.
It's my pleasure, Dave.
And now, a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Prime Day is here. With great kitchen deals, greatness is a deal away. So if you love baking, you can get a deal on a new mixer, transforming you into the Lord of the Loaves. Hear ye, hear ye! Make way for the Baron of Brioche, the Sultan of Sourdough, the Lord of the Loaves, Prime Member Dave! Yeah, uh, hi? Shop great Prime Day deals now.
And finally, anyone who's worked from home with a cat knows the chaos they can bring. Knocking over coffee, walking on keyboards, or helpfully sitting on your lap mid-Zoom call. Turns out, cats can confuse AI, too. A recent study found that adding irrelevant sentences like "cats sleep most of their lives" to math problems doubles the chance of AI giving wrong answers. Researchers call this CatAttack, an automated method to systematically mislead models using cute trivia, irrelevant financial advice, or suggestive questions like "could the answer be close to 175?" That third type, misleading questions, proved most effective, boosting error rates and bloating responses to three times their normal length. Essentially, AI models get as distracted by random cat facts as humans do by actual cats. Researchers warn this vulnerability could have serious implications for models used in finance or law, though your cat would probably just call it job security.
And that's the CyberWire.
For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of this summer. There's a link in the show notes, please do check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's Holistic Identity Threat Protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.