In today’s cybersecurity news…
DARPA awards $4 million prize for AI code review at DEF CON
The winner of a two-year competition to “create the best artificial intelligence systems that can find and fix vulnerabilities” was announced at DEF CON by the competition sponsor, the U.S. Defense Department. Team Atlanta is “composed of tech experts from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science & Technology (KAIST) and the Pohang University of Science and Technology (POSTECH). “The final competition saw teams attempt to find and generate patches for synthetic vulnerabilities buried in 54 million lines of code. Teams were judged on the ability of their systems to create patches for the bugs that were found.”
North Korea ScarCruft group adds ransomware to its activities
According to analysts at South Korean cybersecurity firm S2W, ScarCruft, best known for espionage against “against high-profile individuals and government entities,” is now deploying a ransomware variant known as VCD, after the extension it adds to the names of encrypted files. The group uses phishing emails to deliver its payloads. A recent example “displayed a message about postal code updates tied to changes in street addresses.”
Columbia University hack affects over 860,000
Following up on a story we covered last month, the tally of victims in the Columbia University attack is now at 869,000, and includes Social Security numbers demographic information, academic history, financial aid information, health insurance information and more. This hack was – and still is – described as having been performed by highly sophisticated hackers with a political agenda. The hacker has presented samples of the stolen data to the New York Times and Bloomberg. “No patient records were taken from Columbia University Irving Medical Center.”
The Franklin volunteer hackers who defend the water system
A year after launching the program at last year’s DEF CON, former White House official and executive director at the University of Chicago’s Cyber Policy Initiative, Jake Braun, says his Franklin project continues to grow, with more volunteers than they can handle. The Franklin project focuses on providing free cybersecurity services to critical infrastructure, especially water systems, to help them with activities such as setting passwords, activating multi-factor authentication, conducting “asset inventories, operational technology (OT) assessments, and network mapping and scanning.” In addition to an excess of need, Braun told The Register during this year’s DEF CON that “One of the volunteers’ first challenges was convincing the water utilities that, despite being located in small towns, they were still a target for Chinese and Iranian cyber crews.”
Huge thanks to our sponsor, Vanta
We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.
But more than 9,000 companies have continuous visibility into their controls with Vanta.
Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC. Get started at Vanta.com/headlines
WinRAR zero-day exploited to plant malware on archive extraction
As posted in BleepingComputer, a recently fixed vulnerability in the Windows WinRAR compression tool, tracked as CVE-2025-8088, was exploited as a zero-day in phishing attacks to install the RomCom malware.” This flaw is a directory traversal vulnerability, which was fixed in WinRAR 7.13, which “allows specially crafted archives to extract files into a file path selected by the attacker.” This vulnerability allows attackers to create archives that extract executables into autorun paths, such as the Windows Startup folder. Since WinRAR does not include an auto-update feature, Microsoft advises that all users manually download and install the latest version so they are protected from this vulnerability.
Microsoft delivers warning about cyberattack preparedness
In a message that has been delivered many times before, but seemingly bears repeating, Microsoft threat intelligence hunting and response leaders spoke last Thursday at Black Hat, saying that “Only 1 in 4 organizations have an incident response plan and have rehearsed it.” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, described the issue as, “attackers and threat actors think in graphs. They see the pathways that they can take to pivot around inside of a network, [while] defenders think in lists,” she said. She also repeated the significance of security fundamentals, such as keeping software up to date and configuring it properly. “If you do experience a breach, missing logs really contribute to a nightmare scenario for both intel and incident responders,” she said.
Lenovo webcam flaws turn them into BadUSB devices
Researchers at Eclypsium have discovered vulnerabilities in some Lenovo webcams, which they collectively call BadCam. These flaws, demonstrated at DEF CON 33, could “let attackers turn them into BadUSB devices that can inject keystrokes and launch OS-independent attacks. The researchers stated the problem stems from “select model webcams from Lenovo [that] run Linux, do not validate firmware, and can be weaponized without requiring physical access.
Windows EPM poisoning leads to domain privilege escalation
Researchers at SafeVreach have described new findings related to a now-patched security issue in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol. The vulnerability is being described as a Windows Storage spoofing bug. Although fixed last month as part of Patch Tuesday, the researchers warn that the vulnerability makes it possible to “manipulate a core component of the RPC protocol and stage an End Point Mapper (EPM) poisoning attack that allows unprivileged users to pose as a legitimate, built-in service with the goal of coercing a protected process to authenticate against an arbitrary server of an attacker’s choosing.
