Little-Known Microsoft "Escorts" Handle Sensitive DOD Data; Salt Typhoon Compromised US Army National Guard Network; Stuxnet Anniversary Congressional Hearing on Cyber Threats to Critical Infrastructure

For almost ten years, Microsoft has employed global software engineers to help maintain US Department of Defense (DOD) computer systems. Because non-US citizens may not handle the sensitive Impact Level 4 and 5 DOD data -- whose "loss of confidentiality, integrity, or availability ... could be expected to have a severe or catastrophic effect," -- these engineers must be "escorted" by US citizens with security clearances who execute instructions from their international experts, copying and pasting their commands into the federal cloud. However, hiring documentation and insider reports indicate these chaperones "often lack the technical expertise to police foreign engineers with far more advanced skills." One current escort hired by Microsoft's third-party contractor, Insight Global, anonymously told ProPublica that escorts are inadequately trained: "We’re trusting that what they’re doing isn’t malicious, but we really can’t tell. [...] People are getting these jobs because they are cleared, not because they’re software engineers." Indy Crowley, who liaised for Microsoft with the government per the Federal Risk and Authorization Management Program (FedRAMP), characterized the escort program as "the path of least resistance" over security and cost concerns to win the DOD cloud contract and FedRAMP accreditation in 2016. This program has not been publicly reported before 2025, and its existence is unknown among former federal government and intelligence staffers and administrators, many of whom express concern about the knowledge gap between experts and escorts, and specifically about risks posed by state-sponsored threats from China, citing the 2015 breach of the Office of Personnel Management via a third-party contractor's system, and the 2023 breach of State Department emails through a Microsoft engineer's compromised account. Microsoft insiders interviewed by ProPublica indicate a history of security concerns raised internally about the escort program.

Read more in

Salt Typhoon threat actors had access to the network of a US state's Army National Guard between March and December 2024. A June 11 Department of Homeland Security Office of Intelligence and Analysis memo obtained through a Freedom of Information Act request says that the threat actors "collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD report. This data also included these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units." Salt Typhoon is believed to be responsible for cyberattacks against telecommunications companies in the US and around the world.

Read more in

On Tuesday, July 22 at 10am ET, the US House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing titled “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure.” Witnesses scheduled to provide testimony include Tatyana Bolton, Executive Director, Operational Technology Cyber Coalition (OTCC); Kim Zetter, Author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” and Cybersecurity and National Security Reporter, WIRED; Robert M. Lee, CEO and Co-Founder, Dragos; and Nate Gleason, Program Leader, Lawrence Livermore National Laboratory.

Read more in

In a blog post, Cloudflare writes that “the root cause [of the global July 14 1.1.1.1 DNS Resolver outage] was an internal configuration error and not the result of an attack or a BGP hijack. Cloudflare explained that "On 14 July 2025, [we] made a change to our service topologies that caused an outage for 1.1.1.1 on the edge, resulting in downtime for 62 minutes for customers using the 1.1.1.1 public DNS Resolver as well as intermittent degradation of service for Gateway DNS." For many users, the incident meant that they were not able to access internet services. In their blog post, Cloudflare offers a technical explanation of how the misconfiguration occurred, how the misconfiguration caused the outage, and what the company is doing to ensure this does not happen again.

Read more in

Google Threat Intelligence Group (GTIG) and Mandiant have published a blog post detailing an active malware campaign targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances, which act as secure network access gateways for mobile devices. The attackers, tracked by Mandiant as UNC6148, appear to have gained access using previously stolen credentials and one-time password (OPT) seeds, though the initial infection vector is unclear due to the malware's ability to selectively delete logs. GTIG suggests but cannot confirm the possible exploitation of five known CVEs publicly associated with SMA 100 appliances, and "assesses with moderate confidence" that the attackers may have leveraged an unknown zero-day remote code execution flaw to deploy the malware. Dubbed "OVERSTEP" by GTIG, the malware is a backdoor specifically designed for this appliance, hiding itself through rootkit capabilities and log deletion, establishing a reverse shell, and exfiltrating credentials, communicating indirectly with a command-and-control server. An unknown vulnerability may have been used to gain shell access, as this should be impossible by design on SMA 100 appliances. The total number of known attacks is undisclosed but "limited." GTIG urges organizations to immediately isolate and analyze affected appliances, "acquir[ing] disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities." The blog post provides indicators of compromise (IoCs) and a YARA rule; GTIG recommends users reset all credentials including passwords and OTP bindings to ensure secrets stolen from previous compromises are invalidated, and revoke and reissue any certificates with private keys stored on the affected appliance. SonicWall is working with GTIG, and intends to help customers migrate to SMA 1000 and the Cloud Secure Edge service, emphasizing that while the company will continue releasing firmware updates, the vulnerable SMA 100 has reached "end-of-sale," and SonicWall's goal is a safe transition to cloud-native architectures.

Read more in

On Wednesday, July 16, Oracle released more than 300 patches to address roughly 200 discrete CVEs affecting more than 100 of their products. Of those, nine are rated critical. Eighty-four of the fixes address vulnerabilities in Oracle Communications; of those, 50 are remotely exploitable without authentication. Other products receiving multiple fixes include MySQL (40 vulnerabilities), Fusion Middleware (36 vulnerabilities), and Communications Applications (29 vulnerabilities). In a related story, Tenable Security has written a blog post describing a remote code execution vulnerability they discovered in Oracle Cloud Infrastructure (OCI) Code Editor. Tenable notes that "Oracle Cloud Infrastructure addressed the vulnerability by implementing an additional layer of protection in the form of a required custom HTTP header."

Read more in

Cisco has released security bulletins to address seven new CVEs. The first is an update to an existing (June 25, 2025) bulletin to add another critical remote code execution vulnerability affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The two CVEs identified in June (CVE-2025-20281 and CVE-2025-20282) and the newly-added CVE (CVE-2025-20337) all have CVSS scores of 10.0. Cisco has also released a bulletin to address a high-severity vulnerability (CVE-2025-20274) affecting "the web-based management interface of Cisco Unified Intelligence Center [that] could allow an authenticated, remote attacker to upload arbitrary files to an affected device." And finally, Cisco has published three medium-severity advisories to address a total of five vulnerabilities in ISE and ISE-PIC, Evolved Programmable Network Manager (EPNM), Prime Infrastructure, and Unified Intelligence Center.

Read more in

United Natural Foods Inc. (UNFI) has published a press release providing 2025 fiscal information including the estimated impact of operational disruptions and shutdown of the ordering system resulting from a June 2025 cyberattack. "The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million," apart from "adequate" forthcoming insurance proceeds. UNFI executives stated during a July 16 call with investors that the financial impact is not expected to extend beyond the current quarter. Remediation costs including cybersecurity, legal, and governance consultation, are reportedly estimated to have cost $5M, with another $20M "incurred as the company used manual workarounds."

Read more in

UK consumer organization Co-op Group's CEO Shirine Khoury-Haq stated to the BBC that while the company was able to shut down its network in April 2025 before ransomware could be installed, investigation revealed that the attackers successfully copied and stole files belonging to all 6.5 million Co-op members. Members are consumers who pay a £1 (US$1.34) fee for part-ownership, granting the opportunity to vote on some business decisions, among other benefits. Khoury-Haq characterized the information stolen as "out there anyway," stating that "names and addresses and contact information" were taken, but no financial or transaction data. Insurance Insider reports that Co-op was not covered by cybersecurity insurance at the time of the attack.

Read more in

The UK National Cyber Security Centre (NCSC) has launched a Vulnerability Research Initiative (VRI), which will expand the breadth of their vulnerability research by working with external experts. Until now, NCSC's vulnerability research was conducted by an in-house team. NCSC writes that establishing the VRI was necessitated by the fact that "Developing deep understanding and expertise of technologies, security mitigations and products takes time. Technology growth is constant, ever complex, security is improving, and thus VR is getting harder. This means the NCSC demand for VR continues to grow. [...] The VRI’s mission is to strengthen the UK’s ability to carry out VR."

Read more in

Earlier this week, former US Army soldier Cameron John Wagenius "pleaded guilty to conspiracy to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft" for his role in a series of cyberattacks targeting telecommunications and technology companies. Wagenius conspired with other individuals to gain access to the companies' networks, access sensitive information, and attempt to extort the companies by threatening to publish the stolen data unless they were paid a ransom. Wagenius will face up to 27 years in prison when he is sentenced later this year.

Read more in