
July 18, 2025 13 mins

The provided source is a cybersecurity threat brief from Byer-Nichols, covering the first half of July 2025. It highlights Qilin as the leading ransomware and notes that small businesses, particularly in the manufacturing and technology sectors in the U.S., are the most frequent victims. The report also identifies emerging adversaries like Gamaredon and Scattered Spider, lists actively exploited vulnerabilities including those in Wing FTP Server and Chromium V8, and details trending malware such as Anatsa and Gh0stRAT. Finally, it summarizes top cybersecurity news, ranging from browser zero-day attacks to the disruption of a North Korean IT worker scheme.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome back to Digital Rage. I'm Jeff, the producer here at Byer Company.

(00:04):
This is our first episode for a new collaboration called the Byer-Nichols
Threat Brief, written by cybersecurity expert Jeremy Nichols. This will be a
twice-a-month report presenting data about the latest cybersecurity threats and
trends. This first episode will be published on July 21st, and the data
covers July 1st through the 15th. Let's check it out.

(00:27):
Welcome to the Deep Dive. You know, in cybersecurity it really feels like you're
trying to walk on quicksand sometimes. The ground's always shifting, threats
change constantly, and just trying to keep up feels like a full-time job.
It absolutely can. But what if you could get the really crucial insights,
those aha moments from the latest intelligence, without having to wade

(00:51):
through all the data yourself? Yeah, that's the goal. Well, that's exactly our
mission today. We're doing a deep dive into the Byer-Nichols Threat Brief
cybersecurity data, specifically for July 1st to 15th, 2025. A very recent snapshot.
Exactly. Think of it as your shortcut to getting, you know, really well informed
quickly. Thirdly. This report gives us that precise picture of what's been

(01:13):
happening. The big ransomware players, critical vulnerabilities, those high
profile incidents, the stuff that makes headlines. And you're so right about
the dynamic nature. It moves incredibly fast. What was a major threat last month
might be, well, old news today, or it's mutated into something else entirely.
Understanding these trends isn't just for security pros anymore, is it? It's

(01:36):
becoming vital for pretty much everyone online. Absolutely. The speed is just, yeah.
So this kind of focused look is incredibly relevant. Okay, let's jump right in then.
The evolving battlefield. First half of July 2025. One name really jumps out on
the ransomware front. Qilin. Qilin. It was responsible for, what, 16.3% of

(02:00):
attacks. That's huge. It is a significant chunk. Yeah. So what's behind that? Why was
Qilin hitting so hard during this period? Well, Qilin's dominance isn't just about
how effective the malware itself is, though it is effective. It's also about
its operational model. It's quite flexible, making it accessible for various
bad actors. But what's really striking, honestly, is when you look at who they're
hitting. Yeah. It's small businesses. They are just bearing the brunt of this. The

(02:23):
report says organizations with 500 employees or less, get this, accounted for 80.65
percent of victims. 80 percent. Wow. That's actually pretty alarming. It is
very alarming. Clearly the primary target group. And within that group, are
there specific sectors getting hit harder? Yes, definitely. Manufacturing leads

(02:44):
the pack at almost 16 percent, 15.94 percent. Okay. Followed pretty closely by
technology at 13.55 percent. Then you see construction, financial services,
retail kind of lining up behind them. So manufacturing and tech. Why those two, do
you think? Is it just weaker defenses in smaller companies, or something else
going on? It's definitely more nuanced than just weak defenses. Although, you know,

(03:06):
smaller security budgets can be a factor. For manufacturing, it's often about
that mix of IT and OT, operational technology. Right. The factory floor stuff.
Exactly. That OT is often older, maybe less secure. And now it's increasingly
connected to the main IT network. Creates a sort of perfect storm for
attackers, a really vulnerable spot. Okay. That makes sense. And tech companies?
For tech, it's often about the data they hold. Intellectual property, customer

(03:29):
info. And sometimes, ironically, they're seen as a stepping stone. A gateway to
bigger targets. Precisely. Hitting a smaller tech vendor can sometimes give
attackers access further up the supply chain. Hmm. And geographically? Where are
these attacks concentrated? The concentration is pretty stark there too.
The USA accounts for almost half, 49%, of victims. 49%. Then you've got Canada,

(03:54):
Italy, the UK, Germany following behind. So heavily Western focused, it seems.
It does seem that way. Yeah. It shows that even though cybercrime is global,
the attackers could be anywhere. The impact often clusters in areas with,
you know, high digital adoption and economic activity. Okay. Let's sort of unpack
this. So the picture is small businesses, especially manufacturers and tech

(04:15):
firms, mostly in the US. It's fascinating how clear that target profile is.
It really is. Not just who, but how their specific weaknesses are exploited.
Right. Now, moving beyond the main targets, the report talks about trending
adversaries. Groups like Gamaredon, Scattered Spider, Silk Typhoon, TAG-140,
UNC5174, Void or Acne. What makes these groups trending?

(04:39):
Trending usually means their activity level has spiked. Or perhaps they're
using new methods, new TTPs, tactics, techniques and procedures that have
really caught the eye of security researchers. They're either busier or smarter,
basically. Kind of. Yeah. It signals they're becoming more effective or maybe
more innovative in how they attack. It shows how agile these groups are.
They adapt constantly. Like startups, but for crime. Yeah. Not a bad analogy,

(05:02):
unfortunately. Always iterating. And on the malware side, the report flags
Anatsa and Gh0stRAT. Anatsa, that rings a bell. Banking Trojan, right?
That's its main game. Yes. Anatsa is typically focused on stealing financial
credentials, trying to get into bank accounts, authorize transactions. A very
direct financial threat. Okay. And Gh0stRAT. That sounds more like

(05:23):
general spying. Remote access. Exactly. Gh0stRAT is a remote access Trojan.
It gives the attacker persistent backdoor control over a compromised
machine. So they can do pretty much anything.
More or less: exfiltrate data, monitor user activity, even use that machine to
launch further attacks deeper into a network.

(05:45):
Its prevalence is a big worry because it represents that deep, persistent access,
hitting both individuals and companies hard. So we've got direct theft with
Anatsa and deep system compromise with Gh0stRAT.
Both trending. And if you connect that to the trending adversaries,
it shows this constant churn, new groups, persistent malware types, the

(06:06):
landscape just keeps adapting at this incredible speed. Attackers don't stand still.
Relentless innovation on their side. Yeah. Which brings us to vulnerabilities,
the open doors they're walking through. Right. The CVEs. The report lists
actively exploited CVEs. Interestingly, it includes some brand new 2025 ones already. Like
CVE-2025-47812 in the Wing FTP Server. And CVE-2025-6554 in Chromium V8.

(06:28):
Yeah. Seeing 2025 CVEs exploited this early in the year is, well, it's concerning.
What's the significance there? Yeah. Especially the Chromium one.
Well, a CVE, as you know, Common Vulnerabilities and Exposures, is a known flaw.
The fact that attackers are jumping on these 2025 ones immediately shows how fast they operate.
And the Chromium V8 one, that's particularly critical because Chromium is the engine behind so

(06:51):
many browsers. Chrome, Edge, others. A flaw there exposes a massive number of users worldwide.
It's a huge attack surface. Wow. Okay. And there were others mentioned too.
TeleMessage, Microsoft SQL Server. Yep. Showing a range of systems already under fire with these
fresh vulnerabilities. But here's something that also caught my eye. The list wasn't just new CVEs.

(07:12):
It included older ones too. From 2014, 2016, 2019, things affecting PHP,
Mail, or Ruby on Rails. Why are these still being actively exploited years later?
Shouldn't they be patched by now? Well, that's the million dollar question, isn't it? It really
boils down to a fundamental, ongoing problem: patching discipline. People just aren't doing it?
Often, no. Especially, perhaps, in smaller organizations or with older legacy systems,

(07:35):
they just don't get updated consistently. So these known flaws, flaws with readily available patches,
sometimes for years, they remain unaddressed. Making easy targets, low-hanging fruit. Exactly.
Attackers don't always need super sophisticated zero-day exploits when they know plenty of doors
are just left unlocked with old, known vulnerabilities. It's like knowing a house has a faulty

(07:59):
lock that was reported years ago and just trying the handle. Precisely. It raises that crucial question.
Why, despite fixes being available for so long, are these still working for the bad guys?
It really points to organizational practice, or lack thereof. The human element, or maybe organizational
inertia, is often the weakest link. Okay, so this is where it gets really interesting, I think. Beyond

(08:20):
the stats and the CVE numbers, the report dives into some specific high-profile incidents.
Real-world stuff. Yeah, the headline grabbers. Let's look at a few. First, those browser attacks,
a Chrome zero-day, and these FoxyWallet Firefox attacks. What made those stand out?
Well, the Chrome zero-day is alarming because zero-day means the flaw was actively exploited before

(08:40):
Google even knew about it. So no defense ready. Right. No patch available initially. Millions of
users potentially exposed until a fix could be developed and rolled out. It's like finding out there's
a secret door to your house you never knew existed, and someone's already using it. It's a scary thought.
And FoxyWallet. That highlights attacks targeting browser extensions. Things people willingly

(09:01):
install, thinking they're safe, but they've been poisoned with spyware. It shows how attackers abuse
trusted channels. Okay, so attacking us right where we live online, the browser. Now get this one.
This detail just leaps out. An employee apparently got paid $920. $920. Yeah, just $920 for
login credentials. Credentials that were then used in a $140 million bank heist. Wow, just wow.

(09:27):
What does that tell you? That tiny payment for such a massive outcome. It speaks volumes,
doesn't it? First, about the insider threat, whether someone was tricked or was complicit.
But more profoundly, it shows the incredible, almost unbelievable value of even seemingly small pieces
of information. A single login bought for less than a grand unlocked access to $140 million.

(09:51):
The leverage is astronomical. It completely changes how you think about a minor security
lapse, right? Absolutely. It underscores how attackers can turn a tiny crack into a catastrophic
breach. And maybe it says something uncomfortable about the risk reward calculation someone might
make. Yeah, definitely food for thought. The report also mentioned a few other things quickly.
The US DOJ busting a North Korean IT worker scheme. Right. Highlighting state-sponsored activity,

(10:15):
often financially motivated to fund other operations. Shows law enforcement is active on that front.
And police taking down an investment fraud ring that stole 10 million. Classic cybercrime for
profit. Huge driver for a lot of this activity. Also, Hunters International ransomware apparently
shut down, but then rebranded as World Leaks. The rebrand. Very common tactic in the ransomware

(10:37):
world. They shut down one brand, maybe because it's getting too much heat or its reputation
is shot, and then they pop up under a new name, often using the same underlying infrastructure or tools.
Helps evade detection for a while. Sneaky. And finally, a North American APT group
using an Exchange zero-day against China. Yeah, that points to the geopolitical side of things.

(11:00):
Advanced persistent threats, often state-linked, engaging in espionage or disruption against
other nations. Using powerful zero-day exploits for targeted attacks. It's a whole different
layer of cyber activity. Okay, so let's try to wrap this up. To summarize what we've gone through
today for you, the listener: this first half of July 2025 really showed us a few key things.

(11:21):
We saw small businesses taking a massive hit, especially manufacturing and tech. A huge percentage.
We saw this constant evolution, new agile adversaries, new malware like Anatsa and Gh0stRAT.
But also those old unpatched vulnerabilities still causing major problems years later.
Still providing easy entry points. And then we saw the real-world impacts. Yeah, massive bank

(11:42):
heists from tiny initial compromises, state-sponsored activity, browser attacks hitting everyday
users. It's all very tangible. Absolutely. And understanding these trends, seeing these patterns,
it's just crucial for everyone now. It doesn't matter if you run a small shop,
work in a big tech firm, or, honestly, just browse the web. These insights help you grasp the risks

(12:03):
out there. So what does this all really mean for you? I think the big takeaway is that cyber security
isn't just an IT department problem anymore. Not at all. It's really a shared responsibility.
It affects all of us. Every click we make, every app we download, every system that doesn't get
patched, it's all part of the picture. Being informed, like you are by tuning in, is honestly your

(12:24):
first line of defense. Well said. And maybe to leave you with one final thought to chew on,
building on that heist story. Yeah. Given that an employee received only $920,
less than $1,000, for credentials that enabled a $140 million theft. What does that tell us about
how the digital underground actually values information right now? And maybe more importantly,

(12:44):
how should it change our perception of what we consider a minor security lapse? Think about
the potential ripple effects, the sheer scale of impact that can come from even the smallest,
most early level of vulnerability or mistake. Reach out to us at jbuyer.com for comments and
questions. Follow us at Byer Company on social media. And if you'd be so kind, please rate and
review us in your podcast app.