In today’s cybersecurity news…
ATM network breached and attacked through 4G Raspberry Pi
This activity is being attributed to a financially motivated threat actor known as UNC2891. According to security firm Group-IB, this attack did require physical access in order to install the Raspberry Pi device and then connect it to the same network switch as the ATM, thus effectively joining the network. It is “currently not known how this access was obtained.” The scheme used a kernel module rootkit dubbed CAKETAP, which was “designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud.” Although the specific network, country or victim organization is not identified in the media or in the report from Group IB, the emphasis is on the physical penetration of the network which used “Linux bind mounts to hide backdoor processes from conventional detection tools.” As a consequence, “standard forensic triage failed to reveal the backdoor because the attacker leveraged a technique that had not been documented in public threat reports at the time.”
(The Hacker News and Group IB report)
Easterly’s appointment to West Point rescinded
The former Director of CISA has had her appointment to a high-profile academic position in West Point’s Department of Social Sciences swiftly removed. On Tuesday the United States Military Academy announced that she was named to the Robert F. McDermott Distinguished Chair, which, since 1943 has brought “a leading scholar, practitioner, or expert in the fields of social sciences — such as economics, political science, or international relations to West Point.” Shortly afterwards, according to Cyberscoop, far-right activist Laura Loomer suggested on X that Easterly should not be named to the position, due to her work under the Biden administration, and on Wednesday, Secretary of the Army Dan Driscoll announced, also on X, that the position would be rescinded, and a full review of the academy’s hiring practices would be conducted.
Report links Chinese companies to tools used by state-sponsored hackers
According to Sentinel Labs, information gained from the recently unsealed indictment against two Chinese nationals accused of being members of Silk Typhoon revealed the connections to a number of Chinese firms that build offensive technology. These companies have names like Shanghai Heiying Information Technology Company, and Shanghai Firetech Information Science and Technology Company. The report shows that the relations between the hackers, their companies, and the Chinese government, is not one way, implying deeper connections between the companies and ministries within the Chinese government.
Honeywell Experion PKS flaws warning
Following an advisory published last week by CISA, Honeywell has now patched six vulnerabilities in its Experion Process Knowledge System (PKS), which is an industrial process control and automation solution. They impact the Control Data Access (CDA) component, and they can lead to remote code execution. A couple of the vulnerabilities are rated as high-severity vulnerabilities and can be exploited for DoS attacks, while a medium severity flaw could be used to manipulate communication channels and cause incorrect system behavior. CISA points out that the impacted products “are used worldwide, including in critical infrastructure sectors such as critical manufacturing, chemical, energy, water, and healthcare.”
Huge thanks to our episode sponsor, Dropzone AI
Another WordPress theme flaw threatens RCE
The flaw, in a theme called “Alone – Charity Multipurpose Non-profit WordPress Theme” contains a vulnerability with a CVE number (CVE-2025-5394) and which carries a CVSS score of 9.8. According to WordPress security company Wordfence, the vulnerability is rooted in a plugin installation function and could “make it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.” WordPress site owners using the theme are advised to apply the latest updates, check for any suspicious admin users, and scan logs for a particular action request that is included in the show notes to this episode. “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.”
Proton launches free standalone cross-platform Authenticator app
Proton Authenticator works on Windows, macOS, Linux, Android, and iOS. Like other 2FA authenticator apps, it generates time-based one-time passwords. The Proton Authenticator uses no ads, trackers, or vendor lock-in, and is open-source.
Critical flaws in Dahua cameras demand instant patching
On Monday we covered a story about flaws in LG surveillance cameras that allow for admin access. Now another company’s cameras have joined the group. According to researchers at Bitdefender, the Dahua Hero C1 smart camera series is also vulnerable to remote code execution. These cameras are mostly used in retail stores, warehouses, and private homes. The flaws, which have a CVE number and a CVSS score of 8.1.
Kremlin monitors foreign embassies in Moscow at ISP level
According to researchers at Microsoft, the Russian government is “monitoring foreign embassies in Moscow by installing malware through its control of local internet service providers (ISPs).” This campaign, which has been in operation since last year, is known by Microsoft as Secret Blizzard, but this is the first time it has been able to confirm that Secret Blizzard, also tracked as Turla, has the capability to conduct espionage activities at the ISP level. “In a blog post on Thursday, Microsoft said it first saw the spies using an adversary-in-the-middle (AiTM) technique to deploy the ApolloShadow malware against foreign embassies in February 2025 — allowing them to collect intelligence from diplomatic entities and maintain access to systems.”
