
Plug-ins gone rogue.
Patch Tuesday. An Iranian ransomware group puts a premium on U.S. and Israeli targets. Batavia spyware targets Russia’s industrial sector. HHS fines a Texas Behavioral Health firm for failed risk analysis. The Anatsa banking trojan targets financial institutions in the U.S. and Canada. Hackers abuse a legitimate commercial evasion framework to package infostealer payloads. Researchers discovered malicious browser extensions infecting over 2.3 million users. Joe Carrigan, co-host of Hacking Humans, discusses phishing kits targeting CFOs. Can felines frustrate algorithms? Purr-haps…
Today is Wednesday, July 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Patch Tuesday
Microsoft’s July 2025 Patch Tuesday includes fixes for 137 vulnerabilities, with one publicly disclosed zero-day in Microsoft SQL Server (CVE-2025-49719) that could expose data from uninitialized memory due to improper input validation. This month’s release addresses 53 elevation of privilege flaws, 41 remote code execution (RCE) vulnerabilities, 18 information disclosures, eight security feature bypasses, six denial of service bugs, four spoofing issues, and a partridge in a pear tree. Fourteen vulnerabilities are rated Critical, including multiple RCE flaws in Microsoft Office that can be exploited by opening a malicious document or simply rendering it in the preview pane, as well as two AMD side-channel attack flaws. Microsoft advises SQL Server admins to patch immediately and to update their OLE DB drivers. Notably, Office LTSC for Mac updates are delayed. The Critical list also includes an RCE in SharePoint (CVE-2025-49704). This month’s count does not include the fixes for Microsoft Edge and Mariner that were released separately earlier in the month.
SAP’s July 2025 Security Patch Day includes 27 new and four updated security notes, addressing six critical vulnerabilities. Notably, CVE-2025-30012 in Supplier Relationship Management was upgraded to a critical rating with a CVSS score of 10, as it allows unauthenticated OS command execution via insecure deserialization in Live Auction Cockpit. Another critical flaw (CVE-2025-42967, CVSS 9.9) impacts S/4HANA and SCM, enabling full system takeover. Four critical insecure deserialization flaws in NetWeaver were also fixed. SAP urges immediate updates.
Emerson disclosed multiple vulnerabilities in its ValveLink products prior to version 14.0, including critical flaws allowing remote exploitation with low complexity. CVE-2025-52579, rated CVSS v4 9.3, allows unauthenticated OS command execution due to cleartext storage and insecure deserialization. Other issues include protection mechanism failure, uncontrolled search path, and improper input validation. Exploitation could expose sensitive data or allow unauthorized code execution. Users are urged to upgrade to ValveLink 14.0. CISA recommends network isolation, VPNs, and standard ICS defense-in-depth practices.
An Iranian ransomware group puts a premium on U.S. and Israeli targets.
Iranian ransomware group Pay2Key.I2P is increasing payouts to affiliates targeting Israel and the U.S. amid rising regional tensions. The group, linked to Iran’s state-backed Fox Kitten cyber-espionage unit, now offers affiliates an 80% cut of ransom proceeds—up from 70%—for attacks against Iran’s adversaries. Researchers at Morphisec report Pay2Key.I2P has collected over $4 million in the past four months and is motivated by both financial gain and ideology. The group promotes attacks as retaliation for military actions against Iran. It recruits on Russian-speaking forums and reportedly collaborates with Mimic ransomware operators, who use Conti gang code. Pay2Key.I2P claims over 50 successful attacks as of late June, though targets remain unconfirmed. U.S. officials warn of possible Iranian cyber retaliation following recent airstrikes on nuclear facilities.
Batavia spyware targets Russia’s industrial sector.
Hackers are targeting Russia’s industrial sector with new spyware called Batavia, stealing internal documents, screenshots, and system data. The campaign, active since July 2024, uses phishing emails posing as contracts to deliver the malware, according to Kaspersky. Over 100 victims across dozens of Russian organizations have been infected. While the attackers remain unidentified, tactics suggest possible state-sponsored or organized cybercriminal involvement. This follows a wave of recent cyber operations against Russian firms, including Nova malware in February and Rare Wolf’s attacks on chemical and pharmaceutical companies. In December, RedLine stealer targeted Russian businesses using unlicensed software. Analysts warn these attacks reflect growing cyberespionage linked to geopolitical tensions, with industrial and critical sectors in Russia and Ukraine facing heightened risk.
HHS fines a Texas Behavioral Health firm for failed risk analysis.
Deer Oaks Behavioral Health in Texas was fined $225,000 by the U.S. Department of Health and Human Services after failing to conduct a thorough HIPAA risk analysis. The investigation began in May 2023 following a complaint that patient discharge summaries were publicly accessible online, exposing electronic protected health information (ePHI) of 35 patients from December 2021 to May 2023. The probe expanded after Deer Oaks suffered a ransomware attack in August 2023 affecting over 171,000 people. Hackers claimed to have stolen data and demanded ransom. Regulators found Deer Oaks lacked an accurate risk analysis and required it to implement a corrective action plan with two years of monitoring. HHS OCR emphasized that failing to identify risks remains a top enforcement priority for HIPAA compliance across healthcare providers and vendors.
The Anatsa banking trojan targets financial institutions in the U.S. and Canada.
The Android banking trojan Anatsa has launched a new campaign targeting financial institutions and app users in the U.S. and Canada, ThreatFabric reports. Active since 2020, Anatsa steals banking credentials, logs keystrokes, and conducts fraudulent transactions via remote access. This recent attack disguised the malware in a legitimate-looking file reader app, which gained over 50,000 downloads before a malicious update was pushed in late June. The app ranked among the top free tools on the U.S. Play Store before removal. Anatsa typically uses this two-stage strategy: first distributing a clean app, then injecting malware in a later update. In this campaign the target list also expanded to a wider range of U.S. banking apps. Researchers warn future banking trojans may employ AI-personalized overlays, modular payloads, and advanced MFA bypass techniques, increasing risks of account takeovers and financial loss.
Hackers abuse a legitimate commercial evasion framework to package infostealer payloads.
Hackers have abused a stolen, licensed copy of Shellter Elite, a legitimate commercial evasion framework, to package infostealer payloads since late April 2025, Elastic Security Labs reports. Threat actors, including Lumma, Arechclient2, and Rhadamanthys, used Shellter to bypass antimalware detection. Shellter confirmed the copy was leaked from a customer but criticized Elastic for not notifying them sooner. The company delayed its next release to patch this abuse. Shellter Elite is typically sold only to vetted companies for security testing purposes.
Researchers discovered malicious browser extensions infecting over 2.3 million users.
Researchers at Koi Security discovered 18 malicious browser extensions still available on Chrome and Edge, infecting over 2.3 million users. These extensions pose as productivity or entertainment tools like emoji keyboards, VPN proxies, volume boosters, and video speed controllers. Though functional, they secretly track browsing activity and redirect users. Dubbed “RedDirection,” the campaign operates via a centralized attack infrastructure, despite extensions appearing to have separate operators. Initially clean to pass verification, the extensions later updated with malicious code without user input, sometimes years after release. Google and Microsoft even verified or featured several. Koi Security urges users to remove these extensions, clear browser data, and run full malware scans. The findings were published on July 8 by researcher Idan Dardikman.
Stick around after the break: I’m joined by Joe Carrigan, co-host over on the Hacking Humans podcast, to discuss phishing kits targeting CFOs. And purr-haps felines can frustrate algorithms?
That was Joe Carrigan—if you liked what you heard, be sure to check out the Hacking Humans podcast. You can catch Joe’s insights and stories every Thursday wherever you get your podcasts.
Can felines frustrate algorithms? Purr-haps…
Anyone who’s worked from home with a cat knows the chaos they bring – knocking over coffee, walking on keyboards, or helpfully sitting on your laptop mid-Zoom call. Turns out, cats can confuse AI too. A recent study found that adding irrelevant sentences like “Cats sleep most of their lives” to math problems doubles the chance of AI giving wrong answers. Researchers call this “CatAttack” – an automated method to systematically mislead models using cute trivia, irrelevant financial advice, or suggestive questions like “Could the answer be close to 175?” The third type, misleading questions, proved most effective, boosting error rates and bloating responses to three times their normal length. Essentially, AI models get as distracted by random cat facts as humans do by actual cats. Researchers warn this vulnerability could have serious implications for models used in finance or law, though your cat would probably just call it job security.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
