Cybersecurity News: Velociraptor pushes LockBit, Spain dismantles crime group, SonicWall SSL VPN breach

In today’s cybersecurity news…

Velociraptor forensics tool becomes LockBit ransomware weapon

Once again, the Velociraptor open-source digital forensics and incident response (DFIR) tool is being used in connection with ransomware attacks, this time likely orchestrated by the group Storm-2603, which is known for deploying the Warlock and LockBit ransomware. Researchers at Sophos suggest that “the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that’s susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover,” per Cisco Talos. This appears to be connected to a story we covered on September 1 regarding reported abuse of Velociraptor for tunneling and remote access. This current story appears to be an expanded and more fully characterized instance of the same abuse trend. Rapid7, which has maintained Velociraptor since acquiring it in 2021, stated during the previous tunneling exploit that “it’s aware of the misuse of the tool, and that it can also be abused when in the wrong hands, just like other security and administrative tools.”

(The Hacker News)

Spain dismantles GXC Team cybercrime group and arrests its 25-year-old leader

The arrests were conducted by the Spanish law enforcement agency Guardia Civil. The group “sold AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and Russian forums, becoming a major supplier of credential theft tools in Spain.” The group’s focus was crafting tools for online banking theft, e-commerce deception, and internet scams. The group held a 20% off sale in late 2023, introducing tools that used AI to create fraudulent invoices for wire fraud and Business E-Mail Compromise (BEC).

(Security Affairs)

SonicWall SSL VPN breach warning

Following up on a story we covered last week, cybersecurity firm Huntress is now warning of “a widespread compromise of SonicWall SSL VPNs, with threat actors using valid credentials to access multiple customer accounts,” adding, “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.” In attacks occurring since October 4, more than 100 SonicWall SSL VPN accounts were compromised using valid credentials, with some attackers disconnecting quickly, while others “conducted post-exploitation, scanning networks and probing local Windows accounts.” This follows on from a recent warning from SonicWall regarding unauthorized access to firewall backup files from its cloud service, exposing encrypted credentials and configurations.

(Security Affairs)
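The Huntress observation above (rapid successes across many accounts with few failures pointing to already-valid credentials rather than brute-forcing) can be turned into a simple triage heuristic over VPN login events. The following is an added example, not code from Huntress or SonicWall; the log format is hypothetical and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample SSL VPN login events in a hypothetical format
# (timestamp result username source_ip); not real SonicWall log lines.
SAMPLE_EVENTS = """\
2025-10-04T02:00:01 SUCCESS alice 203.0.113.10
2025-10-04T02:00:04 SUCCESS bob 203.0.113.10
2025-10-04T02:00:07 SUCCESS carol 203.0.113.10
2025-10-04T02:00:09 SUCCESS dave 203.0.113.10
2025-10-04T03:10:00 FAIL admin 198.51.100.7
2025-10-04T03:10:01 FAIL admin 198.51.100.7
2025-10-04T03:10:02 FAIL admin 198.51.100.7
2025-10-04T03:10:05 SUCCESS admin 198.51.100.7
2025-10-04T09:00:00 SUCCESS alice 192.0.2.50
"""
LINE_RE = re.compile(r"^(\S+) (SUCCESS|FAIL) (\S+) (\S+)$")

def parse_events(text):
    events = []  # (timestamp, result, user, ip); malformed lines are skipped
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Per source IP: 'valid-credentials' when several distinct accounts succeed inside
    one window with few failures, 'brute-force-success' when failures precede a success."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # chronological order within each source
        by_ip[ev[3]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        successes = [e for e in evs if e[1] == "SUCCESS"]
        failures = [e for e in evs if e[1] == "FAIL"]
        # Largest number of distinct accounts logging in successfully within any one window.
        max_accounts = 0
        for i, (t0, _, _, _) in enumerate(successes):
            users = {e[2] for e in successes[i:] if e[0] - t0 <= window}
            max_accounts = max(max_accounts, len(users))
        if max_accounts >= min_accounts and len(failures) <= len(successes) // 2:
            verdicts[ip] = "valid-credentials"
        elif len(failures) >= 3 and successes:
            verdicts[ip] = "brute-force-success"
        else:
            verdicts[ip] = "benign"
    return verdicts
```

Sources flagged as "valid-credentials" are the ones where a credential reset and a review of exposed configuration backups matter more than lockout thresholds.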

Acting U.S. Cyber Command, NSA chief loses nomination for the job

Army Lt. Gen. William Hartman will not be nominated to be the next leader of U.S. Cyber Command and the National Security Agency, according to four people familiar with the matter. Hartman has been leading both entities in an acting capacity since April. The reasons for the non-nomination include a lack of desire within the current administration to continue the “dual-hat” leadership arrangement at Cyber Command and the NSA. This decision to not nominate Hartman “further scrambles what has already been a prolonged leadership shakeup atop the military’s top digital warfighting outfit and the country’s largest spy agency.”

(The Record)

Huge thanks to our sponsor, Vanta

What’s your 2 AM security worry?

Is it “Do I have the right controls in place?”

Or “Are my vendors secure?”

…or the really scary one: “How do I get out from under these old tools and manual processes?”

Enter Vanta.

Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires.

Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale.

Vanta also fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready—ALL…THE…TIME.

With Vanta, you get everything you need to move faster, scale confidently—and get back to sleep.

Get started at vanta.com/headlines

Houston suburb suffers cyberattack

Sugar Land, Texas, has become one of the latest municipalities to have its online services impacted by what is being called a breach of its internal network infrastructure. The outages occurred on Thursday morning and affected online services such as the 311 contact center, utility billing, permit and inspection scheduling, permit payments, and building applications, although the city stated that police, fire and medical services are still available through 911. Sugar Land is a suburb of Houston and is home to nearly 110,000 people.

(The Record)

Hackers exploiting zero-day in Gladinet file sharing software

The zero-day vulnerability has a CVE number (CVE-2025-11371) and is found in Gladinet CentreStack and Triofox products. The vulnerability allows a local attacker to access system files without authentication. According to BleepingComputer, at least three companies have been targeted so far, and although a patch is not yet available, customers can apply mitigations. CentreStack and Triofox are business solutions created by Gladinet for file sharing and remote access. They enable a company to use its own storage as a cloud.

(BleepingComputer)

Microsoft warns of ‘payroll pirates’ attacking HR SaaS accounts

A threat actor named Storm-2657 has been observed “hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.” These attacks have focused on U.S.-based organizations, “particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” said the Microsoft Threat Intelligence team in a report. These attacks do not exploit any security flaw in the services themselves but instead rely on social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route salary payments to accounts managed by the threat actors.

(The Hacker News)

Fake ‘inflation refund’ scam targets New Yorkers

A smishing campaign is sending text messages posing as the Department of Taxation and Finance and claiming to offer “Inflation Refunds” in order to steal victims’ personal and financial data. It is based on an actual, legitimate program, the Inflation Refund from the State of New York, that “automatically sends refund checks to eligible residents to help offset the effects of inflation.” The smishing attack announces that a victim has been approved and provides a link to supply further information for the refund to be processed. The deadline was September 29, 2025, but the smishing campaign is still active. The New York Governor’s office reminded the public that “New Yorkers do not have to do anything to receive an inflation refund check outside of meeting the eligibility requirements.”

(BleepingComputer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.