
This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Derek Fisher, Director of the Cyber Defense and Information Assurance Program, Temple University
Here are the stories we plan to cover TODAY, time permitting. Please join us live at 12:30pm PT/3:30pm ET by registering for the open discussion on YouTube Live
Unpatched flaw in LG surveillance cameras allows admin access
CISA is warning of an unpatched authentication bypass vulnerability in a specific model of security camera – the type often mounted on ceilings in commercial buildings. The model number (LG LNV5110R) and CVE number (CVE-2025-7742) are listed in this episode’s show notes. Approximately 1,300 cameras are active and vulnerable to full unauthenticated RCE, allowing remote takeover and network pivoting. As CISA points out, this is a critical infrastructure threat: not simply a risk to isolated devices, but potentially a danger to facilities that are vital to public safety and national operations. “The manufacturer, LG Innotek, is aware of the vulnerability, but it will not patch it because this particular camera model is an end-of-life product.”
Microsoft cannot guarantee data sovereignty
Speaking under oath in the French Senate, executives from Microsoft France said their company cannot guarantee data sovereignty to customers in France, and by extension to the wider European Union, because of the Cloud Act, a law that “gives the U.S. government authority to obtain digital data held by U.S.-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request.” The question of access to data, and the enforceability of the Cloud Act’s provisions, will require a great deal of litigation, especially since, as AWS (which supported the bill, along with Microsoft and Google) has stated, “the Cloud Act does not only apply to U.S. headquartered companies, it is applicable to all ‘electronic communication service or remote computing service providers’ that do business stateside.”
French submarine secrets surface after cyber attack
Hackers calling themselves Neferpitou have leaked 13 gigabytes of internal documents belonging to French submarine manufacturer Naval Group, everything from combat system source code and simulation software to weapons configurations and internal communications. They claim to have up to a terabyte of stolen data, and the leaked materials appear both legitimate and highly sensitive. Naval Group says it has found no evidence of a breach in its internal systems, no confirmed intrusion, no operational disruption. But somehow, its proprietary data is now circulating online. French authorities and cybersecurity experts are investigating, though the company is currently treating the event as a reputational attack rather than a verified compromise. Neferpitou hasn’t explained how they got the data, offered no ransom demand, and issued only a cryptic 72-hour ultimatum followed by the message: “ENJOY AND SEE YOU NEXT TIME.” The data is real, but the path it took to get out is still a mystery.
FBI, CISA warn about Scattered Spider’s evolving tactics
The FBI and CISA issued an updated advisory warning that Scattered Spider remains a serious threat, using sophisticated social engineering and intrusion tactics including phishing, MFA fatigue, SIM-swapping, and ransomware like DragonForce to breach systems, including encrypting VMware ESXi servers. Despite recent arrests tied to the gang, U.S., U.K., Canadian, and Australian authorities emphasized that Scattered Spider’s evolving techniques continue to pose a major risk to national security and critical infrastructure.
(Cybersecurity Dive) (CISA.gov)
Huge thanks to our episode sponsor, Dropzone AI

Supply Chain Attacks Spotted in GitHub Actions, Gravity Forms, npm
Researchers at Armis Labs uncovered major software supply chain attacks in GitHub Actions, the UAParser.js npm package, and the Gravity Forms WordPress plugin, all involving backdoors or poisoned code that jeopardized thousands of systems. These incidents remind us how trusted developer tools can be compromised, and how AI-driven coding practices are being exploited. Experts warn that attackers can now backdoor vast numbers of software projects in days, making early detection and code integrity checks more critical than ever.
Research shows data breach costs have reached an all-time high
IBM’s annual Cost of a Data Breach Report, released July 30, 2025, reveals a sharp split between global and U.S. trends. Worldwide, the average cost of a data breach fell 9% to $4.44 million—the first drop in five years, thanks largely to faster detection and containment. In contrast, U.S. breach costs climbed nearly 9% to a record $10.22 million, driven by rising regulatory penalties, detection and escalation costs, and increased labor expenses. The report also highlights growing AI-related risks: 13% of breaches involved AI tools or models, and 97% of those lacked proper access controls. Shadow AI alone added an average of $670,000 to breach recovery costs.
Kremlin monitors foreign embassies in Moscow at ISP level
According to researchers at Microsoft, the Russian government is “monitoring foreign embassies in Moscow by installing malware through its control of local internet service providers (ISPs).” The campaign has been in operation since last year, and the actor behind it is tracked by Microsoft as Secret Blizzard, but this is the first time Microsoft has been able to confirm that Secret Blizzard, also tracked as Turla, has the capability to conduct espionage activities at the ISP level. “In a blog post on Thursday, Microsoft said it first saw the spies using an adversary-in-the-middle (AiTM) technique to deploy the ApolloShadow malware against foreign embassies in February 2025 — allowing them to collect intelligence from diplomatic entities and maintain access to systems.”
ATM network breached and attacked through 4G Raspberry Pi
This activity is being attributed to a financially motivated threat actor known as UNC2891. According to security firm Group-IB, the attack required physical access in order to install the Raspberry Pi device and connect it to the same network switch as the ATM, effectively joining the network. It is “currently not known how this access was obtained.” The scheme used a kernel module rootkit dubbed CAKETAP, which was “designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud.” Although the specific network, country, or victim organization is not identified in the media or in the Group-IB report, the emphasis is on the physical penetration of the network, which used “Linux bind mounts to hide backdoor processes from conventional detection tools.” As a consequence, “standard forensic triage failed to reveal the backdoor because the attacker leveraged a technique that had not been documented in public threat reports at the time.”
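As an added illustration of the bind-mount detail in the UNC2891 story (example code written for these notes, not Group-IB's tooling or anything from the report), the check below parses Linux /proc/self/mountinfo and flags any mount layered over a /proc/&lt;pid&gt; directory, which is what makes a process vanish from ps-style tooling while still running. The mountinfo lines and PIDs are constructed sample data.

```python
import re

# Constructed sample of /proc/self/mountinfo lines (not from a real incident).
# Two entries are suspicious: /proc/4242 shows PID 1's view instead of its own,
# and /proc/5151 is covered by an ordinary directory from the root filesystem.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
28 1 254:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw
91 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
92 28 254:1 /tmp/.x /proc/5151 rw,relatime shared:1 - ext4 /dev/vda1 rw
"""

# A mount point of exactly /proc/<pid> or anything beneath it.
PROC_PID = re.compile(r"^/proc/(\d+)(?:/.*)?$")


def parse_mountinfo(text):
    """Yield (mount_id, parent_id, root, mount_point, fstype) per mountinfo line.

    Field layout: id parent major:minor root mount_point opts [optional...] - fstype source superopts
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")
        f = pre.split()
        p = post.split()
        yield (int(f[0]), int(f[1]), f[3], f[4], p[0] if p else "")


def find_hidden_pid_mounts(text):
    """Return {pid: (root, fstype)} for every mount that covers /proc/<pid>.

    Legitimate systems almost never mount anything inside /proc/<pid>, so any
    hit deserves a look at the real process via the kernel (e.g. a different
    mount namespace, or /proc read from a rescue environment).
    """
    hits = {}
    for _mid, _parent, root, mpoint, fstype in parse_mountinfo(text):
        m = PROC_PID.match(mpoint)
        if m:
            hits[int(m.group(1))] = (root, fstype)
    return hits


def scan_live(path="/proc/self/mountinfo"):
    """Run the check against the running host and print any findings."""
    with open(path) as fh:
        hits = find_hidden_pid_mounts(fh.read())
    for pid, (root, fstype) in sorted(hits.items()):
        print(f"PID {pid}: /proc/{pid} is overmounted ({fstype}, root {root})")
    return hits


if __name__ == "__main__":
    scan_live()
```

Because the mountinfo view is per mount namespace, run the check from the host's initial namespace (or compare several namespaces) so a mount made inside a container or private namespace is not missed.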