EDR-Freeze, DeepMind persuasion, vendors exit ATT&CK

Channel: CISO Series Published: 2025-09-23 1,186 words Source: auto_caption

Transcript

From the CISO Series, it's Cyber Security Headlines. These are the Cyber Security Headlines for Tuesday, September 23rd, 2025. I'm Rich Stroffolino.

EDR-Freeze tool suspends security software. Security researcher Zero Salarium published a proof-of-concept tool called EDR-Freeze, which uses the Windows Error Reporting system to indefinitely suspend EDR and antivirus processes. It does this by using the crash dump collection component WerFaultSecure to trigger the MiniDumpWriteDump API, which suspends threads in a target process to generate a snapshot of memory and state. By suspending WerFaultSecure, the targeted process is left suspended. Security researcher Steven Lim created a tool to map WerFaultSecure to Microsoft Defender processes to make it easy to see any potential abuse.

DeepMind updates Frontier Safety Framework. The Google subsidiary added a new category to this framework, now stating the risks models pose for harmful manipulation, defined around AI models with powerful manipulative capabilities that could be misused to systematically and substantially change beliefs and behaviors in identified high-stakes contexts. This comes after some AI models have shown the ability to deceive individual users to achieve goals. DeepMind says it adds these new capability levels when frontier AI models pose heightened risk of severe harm without any other mitigations. Axios pointed out that this comes after OpenAI removed a persuasiveness-specific risk category in its model evaluation process earlier this year.

Major vendors withdraw from MITRE EDR evaluations. Both SentinelOne and Palo Alto Networks announced this month that they would not take part in the MITRE Engenuity ATT&CK Evaluations, following a similar announcement from Microsoft back in June. All three companies said the move was done to better focus on product development. Last year, Microsoft topped MITRE's EDR test, with SentinelOne ranked fifth and Palo Alto 12th. MITRE CTO Charles Clancy told Infosecurity Magazine that participating in these tests is resource intensive for vendors, with the company seeking to make them harder each year, such as adding cloud environments in the 2025 edition. Clancy said MITRE will reestablish its vendor forum in 2026 to address some of these concerns.

Fake repos target macOS with infostealer campaign. The password manager LastPass warned about this ongoing campaign that uses SEO poisoning to serve up links to malicious GitHub sites in search, claiming to offer Mac downloads for LastPass, 1Password, Basecamp, Dropbox, Gemini, Hootsuite, Notion, Obsidian, Robinhood, and Salesloft. These repos actually download the Atomic infostealer, a piece of malware generally used by financially motivated threat groups. LastPass published a full list of malicious URLs and other indicators of compromise.

And now, a huge thanks to our episode sponsor, Conveyor. Security reviews don't have to feel like a hurricane. Most teams are buried in back-and-forth emails and never-ending customer requests for documentation or answers. But Conveyor takes all that chaos and turns it into calm. AI fills in the questionnaire. Your trust center is always ready and sales cycles move without stalls. Breathe easier. Check out Conveyor at conveyor.com. That's C-O-N-V-E-Y-O-R dot com.

Russia steps up misinformation in Moldova. Moldova is set to elect a new parliament on September 28th, with ramifications for the country's potential entry into the European Union in the coming years. The BBC reports that over the weekend, a network funded by Russia paid people in the country the equivalent of $170 US per month to post propaganda on social media. These recruits were told to use LLM systems to attack the ruling Party of Action and Solidarity with claims of rigged voting and child trafficking. Bloomberg reports that leaked documents show this is specifically part of a Russian campaign to mobilize diaspora voters from Moldova and weaken Moldovan President Sandu.

Microsoft patches critical Entra flaw. Back in July, Microsoft patched a critical Entra ID flaw that opened the door to impersonating any user across any tenant. There was no evidence of exploitation in the wild. Security researcher Dirk-jan Mollema reported the flaw. It allowed a service-to-service actor token from Entra's Access Control Service to be used for cross-tenant access due to a lack of adequate validation in the Azure AD Graph API. The blast radius on this could have been nasty, as threat actors with Graph API access could have made unauthorized modifications to conditional access policies. A lack of API-level logging means this could have been done without much of a trace. Aside from the patch, the attack is now mostly academic, as Microsoft retired the Azure AD Graph API on August 31st, 2025.

Steam game caught distributing malware. The 2D platformer game BlockBlasters was released on Valve's Steam store on July 30th. vx-underground reports that the developer tried to increase downloads of the title by messaging cryptocurrency holders to try out the game as part of a paid promotion. On August 30th, the game was updated to include malware files, collecting information on browser extensions and crypto wallets. Researchers estimate that threat actors used the information to drain funds from 261 users, including one user who watched the attack drain funds raised for their cancer treatment during a live stream. Researchers discovered a similar trojanized game on the Steam store called Chemia back in July.

Stellantis investigating unauthorized access. Over the weekend, the multinational carmaker said an incident at a third-party provider supporting its North American branch's customer service exposed customer data. This incident did not impact any system with financial or sensitive data and appears limited to leaking contact data. The company warned customers to be on alert for any phishing attacks using this information. BleepingComputer's sources say this breach was part of the ShinyHunters Salesforce data breaches that we've covered extensively already on this show.

Mozilla lets devs roll back add-on updates. Firefox added the ability for developers to revert versions of an add-on to an earlier state. Once reverted, the browser will automatically revert to the previous version within 24 hours, preventing downloads of the latest version. Up until now, developers had to get an update approved by Mozilla before it could be released, creating a lag time for addressing security vulnerabilities. Self-distributing developers can revert to any version, while those distributing on addons.mozilla.org are limited to two previous versions.

If you want to help make some great content for the CISO Series, we've got a great way to participate. We need our listeners to fill out a quick five-question survey. They're Family Feud-style questions, and your responses will be used for an upcoming live event. If you've got an extra minute, head on over to cisoseries.com/participate to fill it out. We'd really appreciate it. And if you have some thoughts on the news from today or about the show in general, be sure to hit us up at feedbackseries.com. We'd love to hear from you.

Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day. Cyber Security Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.