SparTech Software – Cybersecurity News Bytes (July 23, 2025 1:22 PM)

Cybersecurity News — July 23, 2025

Table of Contents

  • US Agencies Warn of Interlock Ransomware Targeting Critical Infrastructure
  • Lapsed CISA Contract Hampers National Lab’s Threat-Hunting Efforts
  • Trump Administration Pushes AI for Critical Infrastructure Cyber Defense
  • RingReaper: New Linux EDR Evasion Tool Exploiting io_uring Emerges
  • Linux Secure Boot Vulnerability Allows Bypass via initramfs Manipulation

US Agencies Warn of Interlock Ransomware Targeting Critical Infrastructure

Discovery and Victimology

In a joint advisory released today, several US federal agencies detailed the significant threat posed by the Interlock ransomware group, which has recently intensified campaigns against key infrastructure sectors across North America and Europe. Interlock was first observed in late September 2024 and has since targeted networks opportunistically, with a focus on financial gain.

Technical Intrusion Mechanisms

Interlock ransomware exhibits notable technical flexibility. Operators utilize custom-built encryptors for both Windows and Linux platforms, and are known to specifically target virtual machines in both operating system environments. A distinctive aspect is the use of drive-by downloads initiated through compromised legitimate websites—an infection vector rare among established ransomware actors. This approach increases the challenge of early threat detection, since compromised sites often maintain high reputational trust.

Social Engineering via ClickFix

The group frequently employs the so-called ClickFix tactic, a social engineering ploy that deceives users into executing malicious code by masquerading as a critical system fix or update. Once the payload is deployed, threat actors engage in system discovery, credential harvesting, and lateral movement to expand their foothold within the network.

Double Extortion and Data Exfiltration

Interlock’s operations encompass a double extortion model: after stealing data, they encrypt systems, demanding a ransom both for decryption and to prevent public data leaks. Organizations are thus exposed to both data loss and reputational damage, amplifying the pressure to comply with ransom demands.

Lapsed CISA Contract Hampers National Lab’s Threat-Hunting Efforts

CyberSentry Monitoring Disruption

Threat intelligence coverage in the United States suffered a setback this week due to a contract lapse between the Cybersecurity and Infrastructure Security Agency (CISA) and the Lawrence Livermore National Laboratory (LLNL). The contract, critical for ongoing threat-hunting on CISA’s CyberSentry network-monitoring program, expired on July 20. As a result, LLNL analysts are temporarily unable to review incident data from CyberSentry sensors that provide crucial visibility into attacks on critical sites such as power plants, hospitals, and water treatment facilities.

Operational Impact and Continuity Measures

While the CyberSentry platform itself remains operational, the pool of experts scrutinizing collected data is diminished. The potential for undetected threats or delayed response to ongoing attacks is increased until contract renewal restores full team capacity. CISA reports that some analysts external to LLNL continue to monitor network activity, but at a reduced level of coverage.

Critical Infrastructure Risk

This temporary reduction in threat monitoring raises concerns about the exposure of operational technology (OT) networks, which often lack the visibility and timely response resources present in enterprise IT environments. Rapid contract resolution is seen as urgent to maintain robust cyber defense posture in the nation’s most essential sectors.

Trump Administration Pushes AI for Critical Infrastructure Cyber Defense

AI Action Plan Overview

The White House today announced a comprehensive AI Action Plan focused on leveraging artificial intelligence to improve the cybersecurity of U.S. critical infrastructure. The plan advocates for the adoption of AI-powered defensive tools by both private and public sector entities, particularly those with limited cybersecurity budgets.

AI Strengths and Limitations

Advanced AI models, including large language models (LLMs), are increasingly recognized for their ability to expedite threat analysis, automate detection, and rapidly contain cyber incidents. However, these same systems can become liabilities if not properly secured: vulnerabilities include susceptibility to prompt injection, data poisoning, jailbreak exploits, and accidental data disclosure. These risks could undermine their intended defensive role.

Secure by Design and Industry Cooperation

To address these challenges, the administration’s plan strongly encourages vendors to adopt secure by design frameworks—embedding security features from initial development through deployment. While this extends an earlier initiative from the Cybersecurity and Infrastructure Security Agency, some experts have expressed skepticism about the voluntary nature of these commitments in the absence of regulatory enforcement.

RingReaper: New Linux EDR Evasion Tool Exploiting io_uring Emerges

Introduction to RingReaper

The emergence of the RingReaper tool marks a major advancement in Linux malware development. RingReaper employs the io_uring kernel feature to bypass detection by modern Endpoint Detection and Response (EDR) solutions. io_uring, introduced for high-performance asynchronous I/O, can be misused by adversaries for stealthy memory manipulation and execution.

Technical Mechanism

RingReaper leverages io_uring to execute payloads while leaving a minimal footprint in system memory and in process-tracking utilities. This complicates detection by security solutions that rely heavily on monitoring conventional process spawning, code injection, or suspicious file operations. Because the tool uses legitimate, documented kernel functionality, its activity can resemble that of benign high-performance applications, enhancing its evasion capability.

Implications for Defenders

Because io_uring is a feature with legitimate use cases, security teams must prioritize sophisticated behavioral analysis and kernel-level monitoring to distinguish normal use from exploitation. Standard indicators of compromise may not surface, raising the bar for defender expertise and tool sophistication.
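One concrete starting point for the baselining this implies, as an added example that is not part of the RingReaper analysis: a POSIX shell inventory of which processes currently hold an io_uring instance. Because io_uring submits work through shared ring buffers rather than one syscall per operation, hooks on the usual read/write/connect syscalls see little, so knowing which executables legitimately use io_uring is a useful complementary signal. The proc root and allowlist file are parameters, and the executable paths in the comments are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the page): inventory processes holding an io_uring
# instance. A descriptor backed by io_uring appears in /proc/PID/fd as a
# symlink whose target is "anon_inode:[io_uring]". Comparing that inventory
# against a known-good allowlist is one input to the behavioral monitoring
# that the page recommends.

# Print "PID EXE" for every process with at least one io_uring descriptor.
# $1 is the proc root (default /proc); passing a constructed tree lets the
# logic be exercised without root or a live io_uring workload.
io_uring_users() {
    proc=${1:-/proc}
    for fddir in "$proc"/[0-9]*/fd; do
        [ -d "$fddir" ] || continue
        pid=${fddir#"$proc"/}
        pid=${pid%/fd}
        for fd in "$fddir"/*; do
            [ -L "$fd" ] || continue
            case "$(readlink "$fd" 2>/dev/null)" in
                'anon_inode:[io_uring]')
                    # /proc/PID/exe is unreadable for other users' processes.
                    exe=$(readlink "$proc/$pid/exe" 2>/dev/null) || exe='?'
                    echo "$pid $exe"
                    break
                    ;;
            esac
        done
    done
}

# Report io_uring users whose executable is not listed in allowlist $2
# (one absolute path per line). Returns 1 if any are found, 0 otherwise.
io_uring_unexpected() {
    proc=$1; allow=$2
    out=$(io_uring_users "$proc" | while read -r pid exe; do
        grep -qxF "$exe" "$allow" || echo "UNEXPECTED: $pid $exe"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a live host (allowlist path is an assumption):
# io_uring_unexpected /proc /etc/io_uring.allow
```

Run it periodically and diff the output against the previous run; a new, unexpected io_uring user is worth a closer look rather than an automatic verdict, since databases, web servers and backup agents use io_uring legitimately.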

Linux Secure Boot Vulnerability Allows Bypass via initramfs Manipulation

Vulnerability Details

A significant security flaw has been uncovered in modern Linux distributions, potentially undermining Secure Boot protections. Attackers with brief physical access can manipulate the initramfs (initial RAM filesystem), which is loaded early in the boot process and holds scripts vital to starting the Linux operating system.

Attack Path and Impact

The vulnerability allows malicious actors to modify or inject code into the initramfs image, enabling the execution of unauthorized payloads regardless of Secure Boot policies: the initramfs is generated on the local machine and, on most distributions, is not covered by the signatures that Secure Boot verifies on the bootloader and kernel. Secure Boot, intended to ensure only trusted code loads during system startup, can thus be circumvented using this technique.

Mitigation and Defense

Until upstream patches and vendor advisories are available and widely adopted, organizations are advised to restrict unauthorized physical access to servers and endpoints, audit boot configurations, and closely monitor system integrity during pre-boot and boot processes. Security teams should also stay alert for updates on kernel and bootloader protections designed to address this class of attack.
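One way to put the "monitor system integrity" advice into practice, as an added example that is not from the advisory: a POSIX shell baseline-and-verify check over the initramfs images in the boot directory. The boot directory and baseline path are parameters so the logic can be exercised against a constructed directory; /boot is only the assumed default.

```shell
#!/bin/sh
# Added example (not from the advisory): record SHA-256 digests of the
# initramfs images under a boot directory and re-check them later, so an
# image altered by someone with physical access is flagged. The directory
# and baseline path are parameters so the logic can be run against a
# constructed directory; /boot is only the assumed default.

# Write "digest  path" lines for every initrd*/initramfs* file in $1 to $2.
initramfs_baseline() {
    boot_dir=${1:-/boot}
    baseline=$2
    : > "$baseline"
    for img in "$boot_dir"/initr*; do
        [ -f "$img" ] || continue
        sha256sum "$img" >> "$baseline"
    done
}

# Compare the images listed in baseline $1 with what is on disk now.
# Returns 0 if every image matches, 1 if any was modified or removed;
# images present now that the baseline never saw ($2 = boot dir) also fail.
initramfs_verify() {
    baseline=$1
    boot_dir=${2:-/boot}
    status=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            status=1
            continue
        fi
        current=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$current" != "$digest" ]; then
            echo "MODIFIED: $path"
            status=1
        fi
    done < "$baseline"
    # An image the baseline does not know about is just as suspicious.
    for img in "$boot_dir"/initr*; do
        [ -f "$img" ] || continue
        awk -v p="$img" '$2 == p { f = 1 } END { exit !f }' "$baseline" \
            || { echo "NEW: $img"; status=1; }
    done
    return "$status"
}
```

A baseline kept on the same disk is within reach of the same physical-access attacker, so keep a copy off-host or sign it, and re-baseline after the distribution's own initramfs regeneration so legitimate updates are not reported as tampering.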
