Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hackers hide malware in DNS records using hex-encoded fragments.
Custom backdoor hits SonicWall SMA devices, even fully patched units.
US military assumes that they've been breached after Chinese hackers
target VPNs and global email servers.
And $27 million was stolen in the BigONE crypto hack.
(00:21):
This is cybersecurity today.
I'm your host, Jim Love.
Malware delivery just got sneakier.
Researchers from DomainTools recently spotted attackers using DNS records,
normally reserved for routine network tasks, to smuggle in a piece of nuisance
malware called Joke Screenmate, a strain of malware that interferes with
(00:42):
normal and safe functions of a computer.
Instead of delivering the malware as a single file, attackers converted it into
hexadecimal, a compact text format using zero to nine and A to F to encode messages,
and embedded those fragments in DNS text records tied to malicious domains.
(01:03):
Each time the infected system looked up one of those domains, it pulled
down another sliver of the payload.
(01:24):
In total, the malware made 56 DNS queries, each returning a small block of code.
A script on the compromised system quietly stitched the blocks together
and decoded them, reconstructing the full PowerShell malware, all without
downloading a traditional binary or triggering endpoint defenses.
Because DNS traffic is often overlooked and text records
(01:47):
are typically used for harmless metadata like email authentication,
this tactic bypasses most firewalls and antivirus tools. Infoblox,
which also analyzed the campaign, said it reflects a growing shift towards
"living off the land": attackers exploiting legitimate infrastructure
like DNS to stay under the radar.
(02:09):
Security teams are urged to monitor outbound DNS requests more closely,
especially when they involve text records from unknown or suspicious domains.
Even background protocols like DNS are no longer safe to ignore.
Google has uncovered a stealth backdoor targeting SonicWall's SMA
(02:30):
100 series devices, and even fully patched appliances weren't safe.
The malware, dubbed OVERSTEP, was installed by a threat group tracked as UNC6148,
which exploited vulnerabilities and reused stolen credentials
to maintain deep access.
In some cases, credentials were harvested months before the implants were deployed,
(02:54):
suggesting a long-term staging operation.
Google researchers said the attackers may have intimate knowledge of SonicWall
internals based on how precisely the malware mimicked the legitimate
processes and avoided detection.
The backdoor targeted SMA 200, 210, 400, 410, and 500v models.
(03:16):
All are currently end of sale, but still receiving patches.
The attackers deployed a rootkit that persisted across firmware upgrades
by hijacking the system boot loader.
As noted, the attack revealed a strong knowledge of SonicWall devices.
The payload was disguised to match legitimate binaries
in both name and file size.
(03:38):
Once active, it created new admin accounts, suppressed logs,
and filtered outbound traffic to avoid triggering alerts.
One of the exploited flaws, CVE-2021-20038,
is a remote code execution bug rated CVSS 9.8, but OVERSTEP
didn't rely just on known bugs.
(04:01):
It likely leveraged zero-day and long-term credential theft.
This meant even patched devices were at risk if threat actors
had already gained a foothold.
SonicWall has since moved the SMA 100 series to end of support by
December 31st, 2025, and urges
immediate audits of user accounts, log integrity and boot loader configs.
(04:24):
For organizations still running these devices, migration plans should start now.
The US military has ordered every branch to assume its networks are compromised
after a stealth campaign by suspected Chinese hackers breached internal
email servers and likely much more.
The group, known as Salt Typhoon or APT40, exploited vulnerabilities
(04:49):
in Ivanti Connect Secure VPNs to gain access to sensitive systems.
But this wasn't just a military operation.
According to researchers, the same campaign targeted over 100 organizations
worldwide, including defense contractors, educational institutions,
and critical infrastructure providers, all using the same vulnerable devices.
(05:13):
Inside the Department of Defense, attackers moved laterally to
access internal military email servers using valid credentials and
built-in admin tools to stay hidden.
Investigators believe some compromised accounts and credentials may have been
stolen months, perhaps even as much as a year, before detection, meaning
the attackers were already inside when patches were finally applied.
(05:38):
What triggered a full-scale response wasn't just the intrusion, it was
the methodical precision. Salt
Typhoon avoided malware and instead used living off the land techniques
like PowerShell, remote desktops and scheduled tasks, making them nearly
invisible to traditional security tools.
On July 9th, the Pentagon issued an assume-breach directive instructing
(06:01):
all branches to conduct internal audits, rotate credentials, and
investigate for lateral movement.
This warning applies even to patched systems.
The breach highlights just how deep foreign cyber criminal gangs may
be in networks that are essential to the defense and security of the
United States and other countries.
(06:22):
Not only defense, but telecommunications and infrastructure and others have been
massively invaded over the past few years.
The fact that these attacks have remained undetected for so long
is also a huge cause for concern.
So just how much of the defense and critical infrastructure is still affected?
It will take a massive effort to detect, expunge, and protect for the future,
(06:46):
but without such an effort, there will always be the question of how
much information has been exfiltrated,
and how vulnerable the US is in a world increasingly filled with
global and regional conflicts.
Until then, the advice is valid for most areas of US infrastructure
and perhaps for the world.
(07:07):
Assume you have been breached. Another major crypto theft has hit the books.
On July 15th, hackers drained $27 million in Ethereum from BigONE, a
Singapore-based exchange, by gaining access to hot wallet operator keys. The
attackers used the stolen credentials to authorize transfers directly from
(07:28):
one of BigONE's internet-connected wallets. Blockchain analysts from Cyvers
detected the activity in real time,
watching as the stolen funds were quickly dispersed across multiple
wallets, a classic laundering move to obscure the trail.
The attack didn't exploit a vulnerability in smart contracts or exchange software.
(07:49):
Instead, it was a case of key compromise.
The attackers likely obtained a valid operational key or private credential with
transaction authority, and that's what makes it especially dangerous, as no alarms
go off until the funds are already gone.
BigONE says no customer funds were lost, and it will cover the
(08:09):
damage internally, but the incident is part of a much larger trend.
According to Cyvers, over $430 million has been stolen from crypto
platforms so far this year, largely by compromising hot wallets,
the very systems designed to enable fast,
flexible transactions.
Many of these attacks, they say, originate from infrastructure linked
(08:32):
to the North Korean Lazarus Group.
The BigONE breach adds to the growing pressure on crypto exchanges
to harden key management, rotate credentials proactively, and segment
critical wallet infrastructure.
Because in this environment, one leaked key can cost millions. And as an added
downside, the funds could be a big part of supporting the rogue North
(08:54):
Korean regime and its nuclear program.
And that's our show.
Love to hear your thoughts.
You could reach us at technewsday.com or .ca.
Take your pick.
Just go to the contact us form, drop us a note.
If you're on YouTube watching this, you know what to do, put it under the video.
Thanks again to all of our listeners and supporters as we prepare to
(09:15):
turn the dial for our 10,000,000th download over the weekend.
I'm your host, Jim Love.
And if I've said it once, I've said it a million times, well
actually several million times.
Thanks for listening.