In today’s cybersecurity news…
Chinese hackers use Cobalt Strike on Taiwan’s semiconductor sector
According to a report published on Tuesday by Proof Point, “organizations involved in the manufacturing, design, and testing of semiconductors…equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” were all targets of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. The activity is said to have taken place between March and June 2025, and are being attributed to three China-aligned clusters, named UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp. The spear phishing emails involved emails appearing to come from graduate students appealing to recruitment and human resources personnel for job opportunities and which delivered the of Cobalt Strike or C-based custom backdoor, Voldemort.
Salt Typhoon breached National Guard and steal network configurations
The Chinese state-sponsored hacking group “breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials.” These could be used to compromise other government networks. The method by which the group penetrated the National Guard network was not disclosed, but BleepingComputer states that “Salt Typhoon is known for targeting old vulnerabilities in networking devices, such as Cisco routers.”
Congress to investigate Stuxnet to confront OT cyberthreats
The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection is planning to investigate whether Stuxnet, the malware severely impacted Iran’s nuclear program 15 years ago could guide today’s critical infrastructure policy debate. This according to Cyberscoop. The hearing will happen next Tuesday, July 22. Among the witnesses listed for the hearing is Kim Zetter, cybersecurity journalist and author of the book Countdown to Zero Day which provides an excellent narrative of the Stuxnet malware attack, which is estimated to have caused the damage and removal of more than 1,000 centrifuges, or approximately 10% of Iran’s total enrichment capacity at the time.
Hackers exploit a blind spot hiding malware inside DNS records
According to researchers at DomainTools, hackers are hiding malware inside DNS records, specifically in the form of TXT records, which make it difficult for traditional security tools to detect. By encoding malware in hexadecimal and spreading it across hundreds of subdomains, attackers bypass email and web filters, since DNS traffic is rarely monitored. Once inside a network, an attacker can use standard DNS queries to retrieve and reassemble the malicious code. The researchers stated, as encrypted DNS methods like DOH (DNS over HTTPS) and DOT (DNS over TLS) become more common, spotting such threats will become even harder for cybersecurity defenses.
Huge thanks to our sponsor, ThreatLocker
The 1.1.1.1 outage not a cyberattack, says Cloudflare
The recent 1.1.1.1 Resolver service outage that occurred on July 14 was caused by an internal misconfiguration, said Cloudflare in an announcement following a postmortem of the incident. The outage and “impacted most users of the service all over the world, rendering internet services unavailable in many cases.” The announcement was made as a follow-up to the attack as would be expected, but was also to refute rumors of the event having been a cyberattack or a BGP Border Gateway Protocol hijack. Instead, the company explained, “the outage was a configuration change for a future Data Localization Suite performed on June 6, which mistakenly linked 1.1.1.1 Resolver IP prefixes to a non-production DLS service.”
Cisco warns of another high severity vulnerability in ISE
This new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) “could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges.” This vulnerability has a CVSS score of 10.0 and a different CVE number (CVE-2025-20337) than the one we reported on June 27. It is similar that earlier vulnerability, which was patched last month. Just like last month’s flaw, this one affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration.
Thai officials restore hacked Ministry of Labor website
Thailand’s Ministry of Labor website was restored after having been defaced by hackers from the Devman group, who claim to have stolen 300 GB of data and are demanding a $15 million ransom. While Permanent Secretary Boonsong Tapchaiyut insisted only the site’s appearance was altered and no sensitive servers were accessed, Devman claims to have spent over 43 days inside the ministry’s systems, encrypting 2,000 laptops and several servers. Allegedly stolen data includes citizen records, information on foreign visitors, and classified documents.
Arizona’s North Country HealthCare suffers cyberattack
Based in northern Arizona, North Country HealthCare is a nonprofit, federally qualified health center that provides primary healthcare services through 14 locations in 11 communities. It is also now one of the most recent healthcare facilities to have suffered a cyberattack, this one from the Stormous ransomware group, who claim to have stolen personal and health data belonging to 600,000 patients. Stormous is known as a pro-Russia ransomware group and has been active since early 2022. The group claims that the data of 100,000 patients will be listed for sale, and the data of 500,000 patients will be listed on the leak site for free,” this according to the HIPAA Journal. An update to this article, published July 15, says the files have been published.”
