The CyberWire Daily Podcast 8.13.25
Ep 2370 | 8.13.25

When spies get spied on.

Transcript

Patch Tuesday. The Matrix Foundation patches high-severity vulnerabilities in its open-source communications protocol. The “Curly COMrades” Russian-aligned APT targets critical infrastructure. Microsoft tells users to ignore new CertificateServicesClient (CertEnroll) errors. Researchers uncover a malware campaign hiding the NjRat Remote Access Trojan in a fake Minecraft clone. Motorcycle manufacturer Royal Enfield suffers a ransomware attack. The DOJ details a major operation against the BlackSuit ransomware group. Our guest is Jack Jones, father of Factor Analysis of Information Risk (FAIR) and the FAIR Controls Analytics Model (FAIR-CAM), sharing insights on cyber risk quantification. Data Brokers’ digital hide-and-seek. 

Today is Wednesday, August 13th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Patch Tuesday

August 2025’s Patch Tuesday brought a major wave of security updates across the tech stack. Microsoft patched over 100 vulnerabilities spanning Windows, Office, Hyper‑V—and flagged a publicly disclosed privilege escalation bug (CVE‑2025‑53779). Twelve are rated critical, with the most severe being a GDI+ remote code execution issue (CVSS 9.8)—though none appear actively exploited and overall exploitability is judged “unlikely.”

Intel, AMD, and Nvidia released dozens of advisories: Intel patched high-severity flaws affecting Xeon, drivers, firmware, and networking—many enabling privilege escalation, DoS, or info disclosure; AMD fixed issues tied to research on stacking engine attacks and an EDK2 SMM code-execution bug; Nvidia resolved several high-severity flaws in its NeMo, Isaac GR00T, Apex, and deep-learning tools that could lead to remote code execution or data tampering.

In the industrial and control systems space, vendors including Schneider Electric, Honeywell, ABB, Phoenix Contact, and Aveva fixed code‑execution, privilege‑escalation, and DoS vulnerabilities across SCADA, controllers, analytics, and management tools. Several were high‑severity.

Adobe issued updates for 60+ vulnerabilities across 13 products—including Commerce, Photoshop, InDesign, FrameMaker, and Substance 3D tools. Many were critical code-execution flaws, though none are known to be exploited in the wild.

Finally, Fortinet released 14 advisories including a critical FortiSIEM bug (CVE‑2025‑25256) allowing unauthenticated remote code execution—with a PoC public. A high‑severity authentication bypass in FortiWeb (CVE‑2025‑52970) and other important fixes in FortiManager, FortiMail, and more were also addressed. Ivanti patched two high‑severity authenticated RCE issues in Avalanche.

The Matrix Foundation patches high-severity vulnerabilities in its open-source communications protocol. 

The Matrix Foundation has patched two high-severity vulnerabilities in its open-source, federated communications protocol, used by governments and enterprises for sensitive discussions. The flaws could have allowed attackers to seize control of classified channels or predict room IDs, enabling them to infiltrate or redirect communications. One bug (CVE-2025-49090) let malicious admins override a channel creator’s permissions, potentially disrupting crisis coordination. The other allowed prediction of room IDs, risking unauthorized access. Fixes elevate room creators’ privileges and switch to cryptographic hashing for IDs. The off-cycle, embargoed update required complex coordination and delayed full disclosure to allow testing. Room upgrades may cause user disruption, and testing before deployment is advised.

The “Curly COMrades” Russian-aligned APT targets critical infrastructure. 

Bitdefender Labs has detailed “Curly COMrades,” a Russian-aligned APT active since mid-2024, targeting critical infrastructure in Georgia and Moldova. The group infiltrates judicial, government, and energy entities to steal credentials, maintain persistence, and exfiltrate sensitive data. Key tools include the custom MucorAgent backdoor, which bypasses AMSI to run encrypted PowerShell scripts, and techniques like COM hijacking of disabled NGEN tasks for SYSTEM-level re-entry. Operations blend legitimate utilities with custom malware, using proxy relays, SOCKS5 servers, and compromised websites for covert C2. Credential theft exploits NTDS database copies, LSASS dumps, and adapted open-source tools. Data is staged, encrypted, disguised as PNGs, and uploaded via curl.exe. This stealthy, redundant infrastructure underscores resilience and geopolitical intent. Bitdefender urges XDR deployment, LOLBin monitoring, and managed detection to counter this persistent espionage threat.

Microsoft tells users to ignore new CertificateServicesClient (CertEnroll) errors.  

Microsoft is asking Windows 11 24H2 users to ignore new CertificateServicesClient (CertEnroll) errors appearing after the July 2025 preview and later updates. The Event Viewer logs Error ID 57, citing a failed “Microsoft Pluton Cryptographic Provider” load, but Microsoft says it’s harmless, linked to an unfinished feature. Similar false warnings have surfaced in recent months, including Windows Firewall, BitLocker, and WinRE update errors, all without functional impact. The company confirms no action is needed, as these events don’t affect system performance or security.

Researchers uncover a malware campaign hiding the NjRat Remote Access Trojan in a fake Minecraft clone. 

Point Wild’s Lat61 Threat Intelligence Team has uncovered a malware campaign hiding the NjRat Remote Access Trojan in a fake Minecraft clone, Eaglercraft 1.12 Offline. Popular in schools and restricted environments, the game distracts players while NjRat silently steals passwords, keystrokes, and personal data, and spies via webcam and microphone. The malware installs WindowsServices.exe for persistence, spawning hidden processes for command execution and payload handling. It can crash systems if security tools like Wireshark are detected. The RAT connects to a remote server in India hosted on Amazon’s cloud for attacker control. Given Minecraft’s long history as a malware target, experts warn players to download only from official sources and avoid unofficial mods or installers to prevent spyware infections and data theft.

Motorcycle manufacturer Royal Enfield suffers a ransomware attack. 

Motorcycle manufacturer Royal Enfield has reportedly suffered a ransomware attack, with hackers claiming to have encrypted all servers and wiped backups, crippling operations. Posted on an underground forum as a “Complete Breach Notice,” the attack prompted temporary suspension of online ordering and some workshop services. The Chennai-based company confirmed a cybersecurity incident and launched an internal investigation but disclosed no details on affected data. The breach risks regulatory fines, reputational damage, and loss of trust among dealers, suppliers, and customers in the motorcycle community.

The DOJ details a major operation against the BlackSuit ransomware group. 

The US Department of Justice has detailed a major operation against the BlackSuit ransomware group, formerly known as Royal. Authorities seized four servers, nine domains, and $1.1 million in cryptocurrency stolen from a victim who paid a $1.4 million ransom in April 2023. The funds, repeatedly moved through a crypto exchange, were frozen in January 2024. This covert seizure preceded Operation Checkmate, a multinational effort involving US agencies, the UK’s NCA, and partners from Europe and Canada, disrupting the gang’s infrastructure and seizing digital assets. Active since 2022 and linked to Conti, BlackSuit has demanded over $500 million from victims, targeting manufacturing, government, healthcare, and commercial sectors. Officials say the action reflects a “disruption-first” strategy to protect critical infrastructure and US businesses from ransomware threats.

Data Brokers’ digital hide-and-seek. 

In theory, California law gives you the right to tell data brokers to delete your personal information. In practice, you’ll need the patience of a monk and the detective skills of Sherlock Holmes to find where to do it.

A review by The Markup and CalMatters found 35 out of 499 registered brokers had buried their opt-out pages so deep even Google couldn’t find them—thanks to deliberate code that hides those pages from search engines. Officially, the pages exist; practically, they’re as accessible as Atlantis.

After reporters came knocking, some companies blamed “oversights” and hastily removed the code. Others stood firm, citing spam prevention. Meanwhile, a few opt-out links were tucked at the bottom of homepages, hidden behind pop-ups, tiny fonts, and enough scrolling to count as cardio.

It’s all legal, of course—just not particularly findable. Which, one suspects, might be the point.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.



We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
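The Curly COMrades item above describes stolen data being encrypted, renamed to look like PNG images, and uploaded with curl.exe. The following is an added example, not code from the podcast, from Bitdefender, or from the CyberWire: a small triage script that flags files whose image extension is not backed by that format's leading signature bytes, and separates near-random (encrypted-looking) content from ordinary mislabelled files. The file names, the entropy threshold of 7.5 bits per byte, and the sample file contents are assumptions constructed for illustration.

```python
"""Added example (not code from the podcast or from Bitdefender's report):
flag staged files that carry an image extension but not the image format's
signature, the "encrypted data disguised as PNGs" pattern described in the
Curly COMrades item. File names and thresholds are illustrative assumptions."""
import hashlib
import math
import os
import tempfile

# Leading byte signatures for image types an operator is likely to imitate.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: str, entropy_threshold: float = 7.5) -> str:
    """Return one of: ok, magic-mismatch, suspicious-encrypted, unknown-extension."""
    ext = os.path.splitext(path)[1].lower()
    sig = MAGIC.get(ext)
    if sig is None:
        return "unknown-extension"
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(sig):
        return "ok"
    # Wrong header AND near-random content is the staged-ciphertext pattern.
    if shannon_entropy(data) >= entropy_threshold:
        return "suspicious-encrypted"
    return "magic-mismatch"


def scan_directory(directory: str) -> dict:
    """Map each file name in the directory to its verdict."""
    return {name: classify(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def _build_samples(directory: str) -> None:
    """Constructed fixtures (not real captures) covering each verdict."""
    # Valid-looking PNG: correct signature followed by filler.
    with open(os.path.join(directory, "photo.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 512)
    # Deterministic pseudo-random bytes stand in for an encrypted archive renamed to .png.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    with open(os.path.join(directory, "report.png"), "wb") as fh:
        fh.write(blob)
    # Plain text renamed to .jpg: wrong header, but low entropy.
    with open(os.path.join(directory, "notes.jpg"), "wb") as fh:
        fh.write(b"quarterly figures\n" * 40)
    # An extension the table does not model.
    with open(os.path.join(directory, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see\n")


def demo() -> dict:
    """Build the constructed samples in a temp dir and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        _build_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Run it against a real staging directory with `scan_directory(path)`; only the `suspicious-encrypted` verdict combines the two signals (wrong header, near-random bytes) that distinguish a renamed ciphertext blob from a merely mislabelled document, so that is the one worth paging on.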