FEHBlog

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive tells us,
  • “The Trump administration should slash cybersecurity regulations and double down on winning the trust of the private sector, the U.S. tech industry’s largest trade group said in a paper published Tuesday [August 12, 2025].
  • “In a report laying out recommendations for the White House’s Office of the National Cyber Director — now helmed by newly confirmed Trump appointee Sean Cairncross — the Information Technology Industry Council said the government should focus on “results-driven action.”
  • “There is a need to prioritize impactful security outcomes, slash red tape, rethink legacy network architectures, invest in secure modern systems, and strengthen trusted partnerships between the public and private sectors,” ITI said.
  • “Achieving results, the group argued, “means empowering defenders with what they need to win: efficiency, appropriate resourcing, and the freedom to focus on real threats, not on navigating a web of regulatory regimes.”

• Cyberscoop observes,
  • “Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.
  • Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.
  • But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

• Federal News Network reports,
  • “The Cybersecurity and Infrastructure Security Agency has rolled out new guidance to help deal with what some cyber experts say is a rising concern: a lack of visibility into threats to operational technology.
  • CISA on Wednesday [August 13, 2025] published “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” CISA developed the guidance in conjunction with other agencies, including the Environmental Protection Agency, the National Security Agency, the FBI and several international partners.
  • The guidance focuses on operational technology, which refers to hardware and software that monitor and control physical processes in industrial settings.
  • “OT systems are essential to the daily lives of all Americans and to national security,” Acting CISA Director Madhu Gottumukkala said in a press release. “They power everything from water systems and energy grids to manufacturing and transportation networks. As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience.”

• Federal News Network also interviews Steve Shirley, Executive director, National Defense Information Sharing and Analysis Center, and J.R. Williamson, “Vice president and chief information security officer, Leidos, about the evolution of zero trust. “Federal agencies are learning that implementing Zero Trust means more than deploying new tools. It requires rethinking how users, devices and data interact across every layer of the enterprise.”

• The American Hospital Association News informs us,
  • “The Department of Justice Aug. 11 announced a series of actions taken against the BlackSuit ransomware group, also known as “Royal,” including the disruption of four servers and nine domains July 24. BlackSuit attacks have targeted health care and other critical infrastructure sectors, DOJ said. 
  • “There is no doubt that the private sector also contributed information to facilitate this disruption, once again highlighting the value of public private operational engagement,” said John Riggi, AHA national advisor for cybersecurity and risk. “The BlackSuit/Royal ransomware group is directly responsible for multiple disruptive attacks against hospitals and health systems, posing a direct risk to patient and community safety. We hope these aggressive law enforcement operations continue at a pace that will meaningfully degrade foreign cyber adversaries’ abilities to harm the American public.”  

From the cybersecurity vulnerabilities and breaches front,

• Cybersecurity Dive reports,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft on Tuesday [August 12, 2025,] updated their mitigation guidance for a high-severity flaw in Exchange Server.
  • The flaw, tracked as CVE-2025-53786, could allow an attacker with administrative privileges for on-premises versions of Exchange to escalate privileges by exploiting vulnerable hybrid joined configurations, Microsoft and CISA said last week. 
  • In an update on Tuesday, CISA said it still saw no evidence of hackers exploiting the flaw, but it urged organizations to review Microsoft’s updated guidance on identifying Exchange Servers on a network and running the Microsoft Exchange Health Checker.
  • “In its updated security bulletin, Microsoft said an attacker could potentially escalate privileges from an on-premises server to a connected cloud environment without leaving an “easily detectable and auditable trace.” 

• Bloomberg Law reports,
  • “Russian government hackers lurked in the records system of the US courts for years and stole sensitive documents that judges had ordered sealed from public view, according to two people familiar with the matter and a report seen by Bloomberg News.
  • “The attackers had access to what was supposed to be protected information for multiple years, the report on the breach shows. They gained access by exploiting stolen user credentials and a cybersecurity vulnerability in an outdated server used by the federal judiciary, according to the report, which says the hackers specifically searched for sealed records. 
  • “The report, which was reviewed in part by Bloomberg, doesn’t identify the attackers. But investigators found evidence that they were a Russian state-sponsored hacking group, according to the people, who spoke on condition that they not be named because they were not authorized to discuss the matter.
  • “It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. Last fall, the judiciary hired a cybersecurity firm to help address it, said one of the people.” * * *
  • “The intrusion was previously reported by Politico, while the New York Times earlier reported that Russia was at least in part behind the cyberattack.
  • “The hackers targeted sealed documents in espionage and other sensitive cases, including ones involving fraud, money laundering and agents of foreign governments, Bloomberg Law reported on Tuesday [August 12, 2025]. Such records often include sensitive information that, in the wrong hands, could be used to compromise criminal and national security investigations, or to identify people who provide information to law enforcement.”

• Per Cybersecurity Dive,
  • “Xerox has issued a security upgrade for critical and high-severity vulnerabilities in its FreeFlow Core product that researchers said could have allowed an attacker to remotely execute code.”
• and
  • Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday [August 14, 2025.
  • Nearly eight in 10 firms reported experiencing such breaches in 2023, but that figure climbed more than 90% last year and reached 98% this year.
  • At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”

• CISA added five known exploited vulnerabilities to its catalog this week.
  • August 12, 2025
    • CVE-2013-3893 Microsoft Internet Explorer Resource Management Errors Vulnerability
    • CVE-2007-0671 Microsoft Office Excel Remote Code Execution Vulnerability
    • CVE-2025-8088 RARLAB WinRAR Path Traversal Vulnerability
      • Security Affairs discusses these KVEs here.
  • August 13, 2025
    • CVE-2025-8875 N-able N-central Insecure Deserialization Vulnerability
    • CVE-2025-8876 N-able N-central Command Injection Vulnerability
      • Dark Reading discusses these KVEs here.
        
• Per Bleeping Computer,
  • “Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
  • “These weaker login channels are vulnerable to adversary-in-the-middle phishing attacks that employ tools like Evilginx, enabling attackers to snatch valid session cookies and hijack the accounts.
  • “Although the attack doesn’t prove a vulnerability in FIDO itself, it shows that the system can be bypassed, which is a crucial weakness.
  • “This is especially worrying considering the increased adoption of FIDO-based authentication in critical environments, a consequence of the technology being touted as extremely phishing-resistant.”
• and
  • “Cisco is warning about a critical remote code execution (RCE) vulnerability in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software.
  • “Cisco FCM is a management platform for the vendor’s Secure Firewall products, which provides a centralized web or SSH-based interface to allow administrators to configure, monitor, and update Cisco firewalls.
  • ‘RADIUS in FMC is an optional external authentication method that permits connecting to a Remote Authentication Dial-In User Service server instead of local accounts.”

From the ransomware front,

• Halcyon informs us,
  • “Black Hat 2025 had plenty of shiny new toys and buzzword-heavy sessions, but the real story was hiding in plain sight. No ransomware track. No packed panel on the threat that has cost organizations billions and taken down some of the most secure environments on the planet. The only time it truly took center stage was when Mikko Hyppönen made it impossible to ignore. 
  • “For those paying attention, three truths stood out. Agentic AI will accelerate ransomware campaigns to speeds that will overwhelm unprepared defenders. Ransomware is the next stage in the evolution of malware, and it will only become more capable. Modern security stacks, no matter how mature or expensive, are still being bypassed with troubling ease.” 

• Bleeping Computer adds,
  • Ransomware and infostealer threats are evolving faster than most organizations can adapt. While security teams have invested heavily in ransomware resilience, particularly through backup and recovery systems, Picus Security’s Blue Report 2025 shows that today’s most damaging attacks aren’t always about encryption.
  • Instead, both ransomware operators and infostealer campaigns often focus on credential theft, data exfiltration, and lateral movement, leveraging old-school stealth and persistence to achieve their objectives with minimal disruption.
  • The evolving adversary tactics are clearly visible when comparing the findings from the Blue Report 2025, based on over 160 million real-world attack simulations, and the Red Report 2025, which analyzes the latest trends in malware, threat actors, and exploitation techniques.
  • The overlap between the two reports reveals a clear and concerning signal: defenders are falling behind on detecting the very tactics that adversaries now favor the most.

• InfoSecurity Magazine reports,
  • “An ongoing data extortion campaign targeting Salesforce customers could soon turn its attention to financial services firms, security experts have warned.
  • “The notorious ShinyHunters group has been blamed for a series of data breaches impacting big names in the fashion (LVMH, Chanel, Pandora, Adidas) and aviation (Qantas, Air France-KLM) sectors. These victims are typically targeted with vishing for logins to their Salesforce accounts and are sometimes also tricked into downloading a malicious app for similar purposes.”

• Per Dark Reading,
  • “An emerging ransomware actor is using sophisticated techniques in the style of an advanced persistent threat group (APT) to target organizations with customized ransom demands, posing a significant risk to businesses.
  • “Charon is a new ransomware family (named for the ferryman from Greek mythology who carried souls across the River Styx to Hades); Trend Micro observed it being deployed in a targeted attack in the Middle East’s public sector and aviation industry — the first such record of Charon observed in the wild, according to new research from the firm.
  • “The ransomware leverages techniques such as DLL sideloading, process injection, and anti-EDR capabilities, which are typically the hallmark of advanced threat actors and — in this case — reminiscent of campaigns by the group Earth Baxia, according to a Trend Micro blog post published today.
  • “The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which subsequently deployed the Charon ransomware payload,” Trend Micro threat researchers wrote in the post.”
• and
  • “Researchers spotted a new Crypto24 ransomware campaign that they say marks a “dangerous evolution” in the threat landscape.
  • “According to Trend Micro researchers, recent attacks by Crypto24 actors display a combination of advanced evasion techniques and custom tools that can disable EDR solutions — including Trend Micro’s own Vision One platform. Crypto24 was first spotted in 2024 but hadn’t made much of impact until recently, when it became the latest ransomware gang to bypass EDR platforms and security solutions.
  • Trend Micro’s report, published Thursday, details how Crypto24 has demonstrated a high level of skill that sets it apart from other ransomware gangs. For example, researchers noted how “Crypto24 actors deftly deploy a broad range of tools that include legitimate programs like PSExec and AnyDesk for remote access and lateral movement, as well as Google Drive for data exfiltration.
  • “More importantly, Crypto24’s successful deployment of a customized RealBlindingEDR (an open source tool for disabling security solutions) variant that neutralized our security controls shows their capability to maneuver around modern defenses,” the report said. “The threat actor’s customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement.”

From the cybersecurity business and defenses front,

• Cyberscoop names its Cyberscoop 50 award winners for 2025.
  • “The CyberScoop 50 Awards recognize those who have been honored for their work in protecting vital networks, information and critical infrastructure. Through their hard work, ingenuity, and creativity, they aim to fend off hackers, stay ahead of adversaries and protect American networks.”

• HelpNet Security lets us know,
  • “Security leaders are rethinking their approach to cybersecurity as digital supply chains expand and generative AI becomes embedded in critical systems. A recent survey of 225 security leaders conducted by Emerald Research found that 68% are concerned about the risks posed by third-party software and components. While most say they are meeting regulatory requirements, 60% admit attackers are evolving too fast to maintain resilience.” * * *
  • “Penetration testing is no longer treated as a box to check. It has become a core element of enterprise security programs. Eighty-eight percent of security leaders now consider it vital. Over half say they use pentests to validate their own software. More than half also require third-party pentests before releasing software to customers.
  • “The survey found that 49% plan to use pentesting to identify software supply chain vulnerabilities, and 44% intend to use it to uncover insider threats. The practice is being integrated across the development life cycle and procurement workflows.
  • “Generative AI is emerging as a new and unpredictable risk. Sixty-six percent of respondents say GenAI helps attackers analyze data and evade defenses. More than half worry that AI can automate the entire attack lifecycle, and 62% are concerned that AI development tools may introduce hidden vulnerabilities into codebases.”

• Dark Reading discusses cybersecurity budgeting here and here.

• Following the Blackhat Conference, Dark Reading’s CISO Corner is back.

From the cybersecurity policy and law enforcement front,

• NextGov/FCW tells us,
  • “The Senate confirmed Sean Cairncross to serve as national cyber director in a 59-35 vote on Saturday night [August 2], making him the first Senate-approved cybersecurity official of President Donald Trump’s second term.
  • “Cairncross is a former Republican National Committee official and was CEO of the Millennium Challenge Corporation agency during Trump’s first term. As national cyber director, he will be tasked with overseeing an office first stood up under the Biden administration, which serves as the key White House cyber policy interlocutor across federal agencies and Capitol Hill.” 

• Cyberscoop adds,
  • “Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.
  • “The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency [CISA] has continued its work to protect federal networks and support critical infrastructure providers despite massive job cuts and resource constraints, two senior CISA officials said during the Black Hat USA cybersecurity conference here Thursday.
  • “We are not retreating, we’re advancing in a new direction,” CISA CIO Robert Costello said during a panel discussion.
  • “Chris Butera, the acting head of CISA’s Cybersecurity Division, added that, while the agency “did lose people” to the Trump administration’s downsizing program — roughly a third of its employees — CISA still has “a very talented workforce.” He cited the agency’s around-the-clock response to major vulnerabilities in Microsoft SharePoint as an example of CISA’s continued capacity.”
• and
  • “The U.S. government is still pushing agencies to adopt zero-trust network designs, continuing a project that gained steam during the Biden administration, a senior cybersecurity policy official said on Wednesday.
  • “It must continue to move forward,” Michael Duffy, the acting federal chief information security officer, said during a panel at the Black Hat cybersecurity conference. “That architectural side of it is very important for us to get right as we integrate new technologies [like] artificial intelligence into the ways we operate.”
  • “Zero-trust networking emphasizes the concept of throwing up hurdles to hackers who penetrate a computer system, limiting the damage they can do by sealing off parts of the network and requiring strict user authentication.”

• Per Dark Reading,
  • “As the Department of Defense (DoD) continues to make deeper strides in implementing its Cybersecurity Maturity Model Certification (currently CMMC 2.0), we find ourselves at the cusp of what feels like its next iteration, CMMC 3.0, marking the next evolution in its efforts to strengthen cybersecurity across the defense industrial base (DIB). While the updated framework builds on the structure of CMMC 2.0, this new update would include clearer expectations and stricter enforcement, particularly for organizations handling controlled unclassified information (CUI). The DoD’s message is clear: Reducing risk and enhancing resilience are now mission-critical for any company supporting national defense.”

• Cybersecurity Dive adds,
  • “The Chinese government has such vast hacking resources that it’s targeting tiny companies in the U.S. defense industrial base that never imagined they would end up on Beijing’s radar, a National Security Agency official said here Wednesday.
  • “China’s hacking resources outnumber those of the U.S. and [its] allies combined, and China has stolen more corporate data from the United States than any other nation in the world,” Bailey Bickley, chief of DIB defense at the NSA’s Cybersecurity Collaboration Center, said during a session at the Black Hat USA cybersecurity conference.
  • “Although best known for its intelligence-collection role, the NSA is also responsible for helping defense contractors safeguard their systems. Recently, the agency has been doing that through free security services — including classified information sharing and a protective DNS offering — from the Cybersecurity Collaboration Center.
  • “When we engage with small companies” in the defense industrial base, “they often think that what they do is not important enough to be targeted” by China, Bickley said. “But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small.”
• and
  • “The Defense Advanced Research Projects Agency on Friday [August 8] unveiled the winners of a competition to spur the development of artificial intelligence tools designed to autonomously find and fix software vulnerabilities.
  • “Team Atlanta, Trail of Bits and Theori claimed the top three spots in DARPA’s AI Cyber Challenge, agency officials said at the DEF CON cybersecurity conference here. They will receive prizes of $4 million, $3 million and $1.5 million, respectively.
  • “All seven finalist teams will open source their AI tools so that the entire world can use them. Four of the tools debuted on Friday, while the remaining three will be released in the next few weeks.’

• Cyberscoop reports,
  • “BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.
  • “The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 
  • “U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 
  • “A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation.” 

• Dark Reading relates,
  • “Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million for cybercriminals and other nefarious types.
  • “CEO Keonne Rodriguez and chief technology officer William Lonergan Hill admitted to operating a money-transmitting business that handled criminal proceeds. They have pleaded guilty to conspiracy and face a maximum sentence of five years in prison in addition to the fine.
  • “The US Department of Justice first arrested Rodriguez and Hill in April of last year on two counts of conspiracy: operating an unlicensed money-transmitting business and money laundering, the latter of which carries a maximum sentence of 20 years.”

From the cybersecurity breaches and vulnerabilities front,

• FedScoop reports,
  • “The U.S. judiciary announced plans to increase security for sensitive information on its case management system following what it described as “recent escalated cyberattacks of a sophisticated and persistent nature.”
  • “In a Thursday [August 7] statement, the federal judiciary said it’s “taking additional steps to strengthen protections for” that information. It also said it’s “further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants.”
  • “The statement from the third branch comes one day after a Politico report revealed that its case filing system had recently been breached. That report cited unnamed sources who were concerned that the identities of confidential court informants may have been compromised.”

• Cyberscoop tells us,
  • “Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 
  • “Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 
  • “While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.
  • “Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment.” 
• and
  • “SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.
  • “Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.
  • “A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
  • “SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.”

• Per Bleeping Computer,
  • “Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
  • “Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
  • “This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
  • “Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool that provides short-term mitigation against exploitation attempts.”
• and
  • “A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
  • “The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
  • “When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.”
    
• CISA added three known exploited vulnerabilities to its catalog this week.
  • August 5, 2025
    • “CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
    • “CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
    • “CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability”
      • The Hacker News discusses these KVEs.

• Per SC Media,
  • “Dormant service accounts with privileges were found in more than 70% of enterprise environments according to new research released by BeyondTrust on Aug. 4 at BlackHat in Las Vegas.
  • “The researchers also reported that overly permissive Entra Service Principals create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover.
  • “According to BeyondTrust, credentials reused across multiple service accounts by human administrators can also let a single compromised password hack numerous non-human accounts.”
  • “Our data shows that many organizations lack the complete story when it comes to their identity attack surface,” said Marc Maiffret, chief technology officer at BeyondTrust. “For many, overlooked hygiene issues silently open the door to attackers. And with the rise of Agentic AI, the stakes have never been higher, especially as most organizations lack visibility into how compromised accounts can be leveraged to seize control of application secrets, which often carry elevated privileges.”

• Security Week points out,
  • “Five vulnerabilities in the ControlVault3 firmware and the associated Windows APIs expose millions of Dell laptops to persistent implants and Windows login bypasses via physical access, Cisco Talos reports.
  • “The issues, tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919, were initially disclosed on June 13, when Dell announced that patches for them were rolled out for over 100 Dell Pro, Latitude, and Precision models.
  • “The affected component, ControlVault3 (and the ControlVault3+ iteration), is a hardware-based system meant to securely store passwords, biometric information, and security codes.”

From the ransomware front,

• Bleeping Computer reports,
  • “Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
  • “Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).
  • “The ransomware was detected on July 27 after discovering a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
  • “The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
  • “Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said.”
• and
  • “A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
  • “Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. 
  • “According to Sophos security researchers, the new tool, which wasn’t given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.”

• CISA issued an Analysis report about Exploitation of SharePoint Vulnerabilities on August 6.

• InfoSecurity Magazine explains how ransomware actors have expanded tactics beyond encryption and exfiltration.

• Halcyon warns us,
  • “Ransomware remains one of the most destructive and expensive threats facing organizations today. With average ransom demands hitting $3.5M, victims are forced into high-stakes decisions under intense pressure: pay up or risk catastrophic disruption. 
  • “Nearly half of all targeted organizations end up paying, even after negotiations. The impact doesn’t end with encryption: recovery takes weeks, services stall, regulators circle, and trust erodes. Ransomware isn’t just a cybersecurity problem; it’s a full-blown operational crisis.  
  • “The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q2-2025, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.”

• MSPP Alert adds,
  • “Ransomware doesn’t play fair—and now, neither are the defenders. Sophos and Halcyon are teaming up with a direct integration that goes far beyond traditional intel feeds or industry sharing forums. This partnership isn’t about exchanging threat data after the fact. It’s about coordinating active defenses in real time, within live customer environments.
  • “What makes this different? According to Simon Reed, Chief Research and Scientific Officer at Sophos, it’s not just another “threat feed” dropped into a dashboard. “Sophos and Halcyon’s approach to threat intelligence sharing shifts the status quo from out-of-context threat intelligence (which is still hugely useful as an industry standard approach) to sharing coordinated, real-time defense that meets attackers head-on,” he told MSSP Alert.
  • “Instead of piecing together siloed signals, both companies are now synchronizing responses against a common adversary.”

From the cybersecurity business and reporting front,

• Dark Reading reports,
  • “It was a memorable Black Hat 2025 USA for the founders of Prime Security, the winners of this year’s Startup Spotlight competition.
  • “The Startup Spotlight Competition is a pitch competition for cybersecurity startup companies to present their products and solutions in front of a live audience at Black Hat. In the first phase of the competition, startups of all stripes submitted a pitch describing the company and the products and solutions. A panel of judges reviewed submissions for the competition, looking for companies that fit the bill of “most innovative emerging companies in cybersecurity,” before narrowing down to four: FireTail, Keep Aware, Prime Security, and Twine Security. 
  • “Representatives from each of the four companies pitched their companies and products for the final time to a panel of judges at the Black Hat USA conference in Las Vegas, in a Shark Tank-style competition. While the judges deliberated on the winner, the audience also voted on their favorite. Prime Security won both the judges’ votes as well as the audience’s.”

• Here is a link to Dark Reading’s round up of Black Hat conference news.

• Also per Dark Reading,
  • “Investing in building a human-centric defense involves a combination of adaptive security awareness training, a vigilant and skeptical culture, and the deployment of layered technical controls.”
• and
  • “Data Dump from APT Actor Yields Clues to Attacker Capabilities. The tranche of information includes data on recent campaigns, attack tools, compromised credentials, and command files used by a threat actor believed to be acting on behalf of China or North Korea.”

Door prize from the artificial intelligence front

• Per Security Week,
  • “Red Teams Jailbreak GPT-5 With Ease, Warn It’s ‘Nearly Unusable’ for Enterprise
  • “Researchers demonstrate how multi-turn “storytelling” attacks bypass prompt-level filters, exposing systemic weaknesses in GPT-5’s defenses.”