In today’s cybersecurity news…
Velociraptor forensic tool used for C2 tunneling
Researchers at the Sophos Counter Threat Unit Research Team are warning of a new variation of the living-off-the-land (LotL) technique which takes advantage of open source forensic software as an entry point. In this case, per the researchers’ report, “unknown threat actors deployed the endpoint monitoring and digital forensic tool Velociraptor…to download and execute Visual Studio Code with the likely intention of creating a tunnel to an attacker-controlled command-and-control (C2) server.” The researchers added that this “signals a tactical evolution, where incident response programs are being used [by threat actors] to obtain a foothold and minimize the need for having to deploy their own malware.”
City of Baltimore gets socially engineered to the tune of $1.5 million
The City of Baltimore admits it has fallen victim to a con in which an individual “spoofed a vendor and tricked city employees into changing the contractor’s bank account information,” according to the city’s inspector general Isabel Mercedes Cumming, who also said “the city’s accounts payable department had failed to implement corrective measures after previous incidents of fraud and did not have proper protections in place to verify supplier details.” The fraudster relieved the city of $1.5 million in two payments, only one of which has been successfully recovered.
Ransomware gang takedowns create more smaller gangs
Cybersecurity observers are warning that the success law enforcement agencies globally have enjoyed in taking down large operations such as LockBit, BlackCat/AlphV and Hive has had an unintended consequence: because those actions have focused largely on impounding or destroying the gangs’ infrastructure rather than arresting the operators, gang members have been free to regroup in a greater variety of smaller gangs. Malwarebytes tracked 60 new ransomware gangs operating this year. Researchers attribute this growth to “a mix of domain experience, commoditized malware, and abundant AI, [which is] lowering the barrier to entry.”
Recent Windows update didn’t kill people’s SSDs, says Microsoft
Following up on a story we covered on August 22, Microsoft says it has “found no link between the August 2025 security update and customer reports of failure and data corruption issues affecting solid-state drives (SSDs) and hard disk drives (HDDs).” At the time, Microsoft had solicited input from users because it had been unable to reproduce the problem. Now, after thorough investigation, the company says it “has found no connection between the August 2025 Windows security update and the types of hard drive failures reported on social media.”
Huge thanks to our sponsor, ThreatLocker

One FBI official says Chinese use of private companies is a weakness, another admits you have been pwned
In response to the alert published last week about the expanding cyberespionage campaign being run by Salt Typhoon, Jason Bilnoski, Section Chief of the FBI’s Cyber Division, told Cyberscoop that these types of campaigns, in which the Chinese Communist Party uses private companies to carry out the hacking, are actually failures. Bilnoski cites a lack of hands-on control, which has allowed investigators to gain an advantage by observing the mistakes these companies make. At the same time, Michael Machtinger, also a Section Chief of the FBI’s Cyber Division but with a different portfolio from Bilnoski, told The Register that, given Salt Typhoon’s actions, “there’s a good chance this espionage campaign has stolen information from nearly every American.”
(Cyberscoop and The Register)
Amazon halts Russia-linked hijacking of Microsoft device code authentication
Amazon has announced that it disrupted a watering hole campaign run by Russia-linked group APT29 (aka Cozy Bear). The attack used compromised websites that redirected users to spoofed popups made to resemble the Cloudflare “Verify you are a human” captcha, in order to capture Microsoft device code authentication data. Amazon uncovered the watering hole campaign through custom analytics, including finding actor domains that typosquatted cloudflare.com.
WhatsApp fixes iOS flaw
WhatsApp has now “addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.” The vulnerability, tracked as CVE-2025-55177 with a CVSS score of 8.0, “relates to a case of insufficient authorization of linked device synchronization messages…which could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” A link to the CVE numbers involved, as well as the versions of WhatsApp affected, is available in the show notes to this episode.
TamperedChef infostealer delivered through fraudulent PDF Editor
According to BleepingComputer, “threat actors have been using multiple websites promoted through Google ads to distribute a convincing PDF editing app that delivers an info-stealing malware called TamperedChef.” This forms part of a larger operation that uses multiple apps that “can download each other, some of them tricking users into enrolling their system into residential proxies.” According to researchers at Truesec, “the campaign appears to be widespread and well-orchestrated as the operators waited for the ads to run their course before activating the malicious components in the applications.”