Over the past nine months, DEF CON Franklin provided free cybersecurity assistance to five US water utilities in Indiana, Oregon, Utah, and Vermont. The project was founded last year, and due to an uptick in cyberattacks launched against utilities by state-sponsored hackers, the program aims to scale up to help thousands of water utilities across the country. Through the pilot program, volunteers "provided no-cost assistance with cybersecurity basics, such as making sure the utilities had changed default passwords and turned on multi-factor authentication. They also assisted with asset inventories, operational technology (OT) assessments, and network mapping and scanning." Some of the small utilities had to be convinced that they needed help because they did not perceive themselves as being viable targets for state-sponsored hackers. DEF CON Franklin co-founder and Executive Director at the University of Chicago's Cyber Policy Initiative Jake Braun said, "Our volunteers are now working with companies like Dragos to figure out what tools are most applicable to water, which ones are free ... and then we're figuring out how we can put together a suite of these free tools to deploy to water utilities quickly so that we can start doing thousands, not onesies and twosies." DEF CON Franklin is a collaborative effort between DEF CON, the National Rural Water Association, and the University of Chicago Harris Cyber Policy Initiative, with support from Craig Newmark Philanthropies.
This project focused on small water utilities. It’s estimated there are 50,000 water utilities in the country, so the next step is a massive scale up. The big hurdle this team had to jump was getting these utilities to understand they were targets, that their assets were, indeed, targets. After that, both budget and expertise gaps emerged. The use of free and low-cost tools counters budget shortfalls, and this team of passionate volunteers not only helps configure defenses, but also helps educate the utilities, which raises the bar.
Major kudos to DEF CON Franklin. The question becomes, as with all these sorts of initiatives, is it sustainable once the funding has ended? Hopefully that is part of the project objectives.
Last week at Black Hat, US Cybersecurity and Infrastructure Security Agency (CISA) leaders pledged to continue funding for the CVE (Common Vulnerabilities and Exposures) catalog program. Chris Butera, acting executive assistant director for the cybersecurity division at CISA, noted that the program is "central to all of our cybersecurity operations," and that the agency plans to continue to fund and improve it. In April 2025, the organization that runs the CVE program announced that its federal funding would not be renewed; a day after that announcement, CISA publicly committed to supporting the program for 11 months. The uncertainty spawned by the announcements has prompted the European Union to develop their own vulnerability database. In addition, several members of the CVE Program board established the CVE Foundation, which "vehemently believes the best path forward to preserve the critical service of the CVE Program is to transition it to a nonprofit entity with true international coordination, rigorous and transparent governance, and multiple funding sources from public, private, and nonprofit organizations" and that it "must be a shared and global responsibility, and not one owned or controlled by a single nation." On a related note, CISA leaders are hopeful that US legislators will reauthorize the Cybersecurity Information Sharing Act, which is set to expire at the end of September.
Good news indeed. That said, politicos have a way of making a splash with statements but may not actually control the purse strings in future years. Given CVE’s strong use by industry it is time to transition it to a non-profit with a global remit and a sustainable revenue source identified and committed.
Last week at DEF CON, the Defense Advanced Research Projects Agency (DARPA) announced the winners of their AI Cyber Challenge, a two-year competition to develop an AI system that can detect and fix vulnerabilities. The winner of the competition is team Atlanta, which comprises experts from Georgia Tech, Samsung Research, the Korea Advanced Institute of Science & Technology (KAIST) and the Pohang University of Science and Technology (POSTECH). Second place went to NYC cybersecurity firm Trail of Bits, and third place went to Theori, a team of AI researchers and security professionals from the U.S. and South Korea. Seven semi-finalists were announced at last year's DEF CON; all seven semi-finalist models will be released as open source over the next few weeks. In all, DARPA awarded $8.5 million to three different projects, with the first, second, and third place finishers receiving $4 million, $3 million, and $1.5 million, respectively.
The Record
Nextgov/FCW
CyberScoop
Infosecurity Magazine
DARPA
On August 7, 2025, the Federal Courts of the United States published a press release announcing their effort to enhance the security of electronic systems for filing sensitive case documents, following "recent escalated cyberattacks." In a Politico article published the day before, two anonymous insider sources disclosed a data breach of "sensitive court data across multiple US states" observed and judged to be serious by the Administrative Office of the US Courts (AOUSC) around July 4, 2025. The breach concerns the Case Management / Electronic Case Files (ECF) and Public Access to Court Electronic Records (PACER) systems, respectively representing the internal and public-facing systems for managing sensitive case documents, and while the Courts' press release states that the majority of filed documents are available to the public, certain "confidential or proprietary information" including sealed indictments containing non-public details of crimes, arrests, and warrants, may pose risk to cooperating witnesses or be otherwise exploitable by criminals. The AOUSC is working with Congress, the Department of Justice (DoJ), the Department of Homeland Security (DHS), and executive branch partners "to mitigate the risks and impacts" of the attacks, also "restrict[ing] access to sensitive documents under carefully controlled and monitored circumstances." The AOUSC, FBI, and US Department of Justice have not commented, nor revealed the nature or scope of the incident.
Nothing like a cyber incident for an organization to suddenly get cybersecurity religion. The question becomes, why didn’t they practice reasonable cybersecurity before the incident? The lesson was learned back in 2020. Five years is long enough for any organization to put active cybersecurity processes in place. To try and pawn it off by saying ‘...escalated cyberattacks of a sophisticated and persistent nature’ is, frankly, passing the buck.
US Courts
Politico
Nextgov/FCW
FedScoop
The Record
MeriTalk
Researchers from ESET have published a blog post detailing their observation of a zero-day vulnerability in WinRAR under active exploitation by a threat actor linked to Russia. CVE-2025-8088, CVSS score 8.4, allows an attacker to execute arbitrary code by crafting an archive file containing multiple hidden malicious alternate data streams, due to a path traversal vulnerability in WinRAR before version 7.13. ESET discovered the vulnerability under exploitation on July 18, 2025, disclosed it to WinRAR on July 24, and on the same day the archiver's developer released WinRAR 7.13 beta 1 including a fix, with full release of 7.13 on July 30. Users should update immediately; ESET notes that "software solutions relying on publicly available Windows versions of UnRAR.dll or its corresponding source code are affected as well, especially those that have not updated their dependencies." The exploitation appeared in a spear phishing email campaign "targeting financial, manufacturing, defense, and logistics companies in Europe and Canada. [...] According to ESET telemetry, none of the targets were compromised." A few days after ESET's discovery, researchers from BI.ZONE separately observed a different threat actor independently exploiting what appears to be the same zero-day flaw, as well as a known flaw fixed in June, to target Russian organizations.
The good news is the patched version of WinRAR is available and you should have that rolled out. Don’t forget to scan for updates to products with embedded WinRAR capabilities as they are likely on a different release schedule.
Three and a half months after Marks & Spencer's (M&S's) online services were first disrupted following a ransomware attack and data breach, the UK retailer has now announced its "Click & Collect" service and full online ordering and returns services have been restored for domestic customers. The company took down its online services for remediation on April 25, 2025, and some processes are still offline including international online ordering, the ability to check stock online, Sparks Pay M&S credit accounts, and occasion-cake ordering. "Scan and Shop" in-app purchases are currently limited to £45 (US$60) or less.
Service restoration can be complex and introduces unexpected snags. Consider this scenario when evaluating your recovery plans to make sure you’re accounting for this sort of delay. Also make sure to include actual service restoration exercises, if possible in isolation; you want experience as close to the real event as achievable.
This should be a case study that every organization trains on as part of their risk management process. Topics that should be discussed: 1) What happened and why? 2) Timeline to restore key services; 3) Dependency on using cyber insurance as your cybersecurity program; 4) Maintaining resilience to cyberattack going forward; and 5) Impact to the brand.
Connex Credit Union, "one of Connecticut's largest credit unions with over $1 Billion in assets and serving more than 70,000 members," has filed a report with the Maine Attorney General disclosing a cyberattack that took place starting on June 2, 2025, and was detected on June 3. Upon discovery of unusual activity, Connex secured its network systems, engaged independent experts to aid investigation, and began working to determine the scope of the unauthorized data access and theft. By July 27 the company had identified an estimated 172,000 affected individuals, and mailed notification to 467 Maine residents on August 7. "The potentially affected data elements included names, account numbers, debit card information, Social Security numbers, and/or other government ID used to open the individual’s account. [...] Connex has no reason to believe the incident involved unauthorized access to member accounts or funds." The credit union has arranged an informational call center through Cyberscout, a company which will also handle the 12 months of complimentary credit and identity protection services offered to Maine residents. At the time of this writing, the Connex website has a banner warning of communications impersonating Connex employees, urging members to call the officially posted number directly when in doubt.
As a member the most important thing is to find out which of Connex’s services are impacted so you can plan accordingly. If you feel compelled to move to another institution, indications are they are taking needed steps to prevent recurrence; make sure the services needed are available. Use the official contact number or go into a branch; scammers are already taking advantage of the incident.
We seem to be seeing an instance a week in which information used and needed only for user recognition, identification, and enrollment has been retained long enough to be breached.
Maine AG
BleepingComputer
SecurityWeek
Connex
A social media post from Pennsylvania Attorney General Dave Sunday on August 11, 2025, states that "the network that hosts the Office of Attorney General’s systems is currently down, meaning the office’s website is offline, as are office email accounts and land phone lines." The post describes this outage only as a "cyber incident," noting that IT staff and law enforcement are working to restore systems and minimize interruptions. Investigation of the cause is ongoing, and Sunday promises public updates as the situation develops.
This incident poses an interesting question: where would you publish notices in the event your primary systems were all offline? Have you tried that and do you get the penetration/reach you expect? Note that while multiple locations help that reach, it’s also more places to update/synchronize. If you’re relying on a hosted option, make sure both service delivery and update access will meet expectations.
The reliance on passwords will be implicated.
Columbia University has filed reports with the Attorneys General of Maine and California disclosing information about a data breach that was discovered on June 24, 2025 after a disruptive technical outage. The university activated its response process and informed law enforcement, and subsequent investigation with external cybersecurity experts revealed that unauthorized access and exfiltration of files began on or about May 16. The notification letters to affected individuals state that while there is no evidence that Irving Medical Center patient records were affected, data accessed may include "date of birth, and Social Security number, as well as any personal information that you provided in connection with your application to Columbia, or that we collected during your studies if you enrolled. This included your contact details, demographic information, academic history, financial aid-related information, and any insurance-related information and health information." The university is enhancing its current security safeguards and examining additional protective measures for the future. Two years of credit monitoring, fraud consultation, and identity restoration services are available free of charge to those affected, and Columbia urges vigilance over account statements and credit reports, also offering a dedicated call center for questions. The report to the Maine AG estimates the total number of persons affected at 868,969.
Google says that a breach of one of their Salesforce Customer Relationship Management (CRM) instances compromised data associated with Google Ads. In a breach notification seen by BleepingComputer, Google writes, "Our records indicate basic business contact information and related notes were impacted by this event." The threat actors behind the breach are known as ShinyHunters. BleepingComputer writes that "As part of these attacks, the threat actors conduct social engineering attacks against employees to gain access to credentials or trick them into linking a malicious version of Salesforce's Data Loader OAuth app to the target's Salesforce environment." Google Threat Intelligence reported on attacks targeting Salesforce instances back in June. Other organizations whose Salesforce instances have reportedly been targeted include Chanel cosmetics and jewelry retailer Pandora. In addition, European airlines KLM and Air France have reported data breaches due to unauthorized access to third-party platforms.
Beware of authenticators bearing gifts. In addition to what you’re doing with EDR/malicious site blocking, double down on phishing-resistant MFA so that even if someone gets through, the compromised credentials don’t work.
BleepingComputer
SCWorld
BleepingComputer
SecurityWeek
SANS Internet Storm Center StormCast Tuesday, August 12, 2025
Erlang OTP SSH Exploits (Palo Alto Networks); WinRAR Exploits; NetScaler Exploits; OpenSSH Pushing PQ Crypto
https://isc.sans.edu/podcastdetail/9566
Erlang OTP SSH Exploits
A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed.
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
WinRAR Exploited
WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted.
https://thehackernews.com/2025/08/winrar-zero-day-under-active.html
Citrix NetScaler Exploit Updates
The Dutch Center for Cyber Security is updating its guidance on recent Citrix NetScaler attacks. Note that the attacks started before a patch became available, and attackers are actively hiding their tracks to make it more difficult to detect a compromise.
OpenSSH Post Quantum Encryption
Starting in version 10.1, OpenSSH will warn users if they are using quantum-unsafe algorithms.
https://www.openssh.com/pq.html
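To see ahead of that change which client configurations would still offer a quantum-unsafe key exchange, the script below classifies the `kexalgorithms` line printed by `ssh -G <host>`; it is an added example, not code from the StormCast or the OpenSSH project. The host names and sample output are constructed, and the verdict covers only what the client offers: the algorithm actually negotiated also depends on the server.

```shell
#!/bin/sh
# Added example: audit the key-exchange (KEX) list in `ssh -G <host>` output.

# Hybrid post-quantum KEX names implemented by OpenSSH.
is_pq_kex() {
    case "$1" in
        mlkem768x25519-sha256) return 0 ;;
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: `ssh -G` style output. stdout: "<pq|classical> <name>" per KEX, in order.
classify_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }' | tr ',' '\n' |
    while IFS= read -r kex; do
        [ -n "$kex" ] || continue
        if is_pq_kex "$kex"; then echo "pq $kex"; else echo "classical $kex"; fi
    done
}

# stdin: `ssh -G` style output. stdout: one of
#   pq-only, pq-preferred, classical-preferred, no-pq, unknown
kex_posture() {
    verdicts=$(classify_kex | cut -d' ' -f1)
    if [ -z "$verdicts" ]; then echo "unknown"
    elif ! printf '%s\n' "$verdicts" | grep -q '^pq$'; then echo "no-pq"
    elif ! printf '%s\n' "$verdicts" | grep -q '^classical$'; then echo "pq-only"
    elif [ "$(printf '%s\n' "$verdicts" | head -n 1)" = "pq" ]; then echo "pq-preferred"
    else echo "classical-preferred"
    fi
}

# Constructed sample inputs (not captured from real hosts).
SAMPLE_MODERN='hostname bastion.example.test
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256
ciphers chacha20-poly1305@openssh.com'
SAMPLE_LEGACY='hostname legacy.example.test
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256'
SAMPLE_REORDERED='hostname app.example.test
kexalgorithms curve25519-sha256,mlkem768x25519-sha256'

for sample in "$SAMPLE_MODERN" "$SAMPLE_LEGACY" "$SAMPLE_REORDERED"; do
    host=$(printf '%s\n' "$sample" | awk '$1 == "hostname" { print $2 }')
    echo "$host: $(printf '%s\n' "$sample" | kex_posture)"
done
```

Against a real client configuration, pipe the live output in instead of a sample: `ssh -G host | kex_posture`.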
SANS Internet Storm Center StormCast Monday, August 11, 2025
Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic
https://isc.sans.edu/podcastdetail/9564
Google Paid Ads for Fake Tesla Websites
Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products.
https://isc.sans.edu/diary/Google+Paid+Ads+for+Fake+Tesla+Websites/32186
Compromising USB Devices for Persistent Stealthy Access
USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands.
https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/
Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS
Internet-exposed DCs can be used in very powerful DoS attacks.
https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60389