Cybersecurity Brief

Dell ControlVault3 ReVault Flaws, Project AK47, and NK IT Workers

Coverage: 05 Aug 2025 (UTC)

Patches

Talos disclosed a cluster of five vulnerabilities collectively dubbed ReVault affecting Broadcom/Dell ControlVault3 firmware and its associated Windows APIs. The issues include out‑of‑bounds reads/writes (CVE‑2025‑24311, CVE‑2025‑25050), an arbitrary free (CVE‑2025‑25215), a stack overflow (CVE‑2025‑24922), and an unsafe deserialization bug (CVE‑2025‑24919). ControlVault/USH modules on more than 100 Dell Latitude and Precision models handle passwords, biometric templates, smartcards and NFC. Talos reports that a non‑admin Windows user can achieve code execution on the ControlVault device, potentially exfiltrating key material and installing persistent implants that survive OS reinstalls. With physical access, an attacker could also connect to the USH board over USB and exploit the device without Windows credentials, enabling biometric bypass or local privilege escalation. Recommended actions include installing Dell ControlVault firmware updates distributed via Dell support channels and Windows Update where available, disabling unused ControlVault services or devices, and turning off fingerprint login when risk is elevated. Detection guidance highlights enabling chassis‑intrusion alerts in BIOS, monitoring Windows Biometric and Credential Vault service crashes, and applying endpoint detection rules where available.
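To make the detection guidance above concrete, here is an added example of crash-burst logic run over constructed Windows System log records; it is not code from Talos or Dell. It assumes the events have been exported as one JSON object per line with `TimeCreated`, `Id`, `ProviderName` and `ServiceName` fields (an assumed layout), uses the real Service Control Manager event ID 7034 ("service terminated unexpectedly"), and watches the real "Windows Biometric Service" display name plus a placeholder for the ControlVault host service's display name, which must be looked up on the device itself.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Display names to watch. "Windows Biometric Service" is the real display name
# of WbioSrvc; the second entry is a placeholder that must be replaced with the
# ControlVault host service's display name as shown on the actual device.
WATCHED_SERVICES = {
    "Windows Biometric Service",
    "CONTROLVAULT_SERVICE_DISPLAY_NAME_PLACEHOLDER",
}
SCM_CRASH_EVENT_ID = 7034      # Service Control Manager: service terminated unexpectedly
WINDOW = timedelta(hours=1)    # look-back window for counting repeated crashes
THRESHOLD = 2                  # alert on the 2nd crash of the same service within WINDOW

# Constructed sample export (one JSON object per line); not real telemetry.
# Event 7036 is a benign state-change record and must be ignored.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"TimeCreated": "2025-08-05T09:00:00", "Id": 7034,
                "ProviderName": "Service Control Manager", "ServiceName": "Windows Biometric Service"}),
    json.dumps({"TimeCreated": "2025-08-05T09:05:00", "Id": 7036,
                "ProviderName": "Service Control Manager", "ServiceName": "Windows Biometric Service"}),
    json.dumps({"TimeCreated": "2025-08-05T09:20:00", "Id": 7034,
                "ProviderName": "Service Control Manager", "ServiceName": "Print Spooler"}),
    json.dumps({"TimeCreated": "2025-08-05T09:40:00", "Id": 7034,
                "ProviderName": "Service Control Manager", "ServiceName": "Windows Biometric Service"}),
    json.dumps({"TimeCreated": "2025-08-05T13:00:00", "Id": 7034,
                "ProviderName": "Service Control Manager", "ServiceName": "Windows Biometric Service"}),
])


def parse_events(text: str) -> List[dict]:
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_crash_bursts(events: List[dict]) -> List[Dict]:
    """Return one alert for each crash that brings a watched service to
    THRESHOLD or more unexpected terminations inside the sliding WINDOW."""
    crashes = defaultdict(list)   # service name -> crash timestamps still inside WINDOW
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("ProviderName") != "Service Control Manager" or ev.get("Id") != SCM_CRASH_EVENT_ID:
            continue
        svc = ev.get("ServiceName")
        if svc not in WATCHED_SERVICES:
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        recent = [x for x in crashes[svc] if t - x <= WINDOW]   # drop crashes older than WINDOW
        recent.append(t)
        crashes[svc] = recent
        if len(recent) >= THRESHOLD:
            alerts.append({"service": svc, "count": len(recent), "at": t.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_crash_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['service']} crashed {alert['count']}x within "
              f"{WINDOW}, latest at {alert['at']}")
```

On the sample data only the two biometric-service crashes 40 minutes apart produce an alert; the isolated crash four hours later is below the threshold, and the Print Spooler crash is outside the watched set. A single crash is ordinary noise on a fleet, which is why the rule counts repeats within a window rather than alerting on every 7034.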

Incidents

An analysis by Unit 42 details operational overlaps between Microsoft’s ToolShell/Storm‑2603 reporting and activity it tracks as CL‑CRI‑1040, connecting the cluster to a modular toolkit dubbed Project AK47. Components include AK47C2, a backdoor with DNS and HTTP variants, and AK47/X2ANYLOCK ransomware. The backdoor’s command‑and‑control uses shared command formats and XOR‑encoded messages; the DNS variant evolved from UPX‑packed JSON‑over‑DNS to a fragmented session‑key format in April 2025. The ransomware encrypts with AES+RSA, appends “.x2anylock,” drops notes with a Tox ID and ProtonMail contact, and can self‑terminate after a specified date to hinder analysis. Recovered evidence contained AK47 modules alongside offensive utilities and LockBit 3.0 dropper/loader artifacts; a leaked LockBit database and screenshots from the Warlock double‑extortion site showed the same Tox ID as the ransom notes, supporting a financially motivated assessment with ties to LockBit‑affiliated infrastructure. While Microsoft assesses Storm‑2603 as China‑based, Unit 42 does not make a definitive nation‑state attribution and notes tools common in Chinese‑speaking communities. The team advises immediate patching of referenced SharePoint CVEs, review of indicators of compromise, and updated endpoint, DNS, URL filtering, and XDR/XSIAM detections.

An investigation by CNN outlines a multi‑year effort that placed thousands of North Korean IT workers into Western companies using stolen and fabricated U.S. identities. Operatives, often operating from third countries, reportedly leverage AI to mass‑generate applications, craft resumes and interview scripts, and use faceswap tools, VPNs, and remote access to mask origin. U.S.‑based facilitators launder paychecks, procure identities, and run “laptop farms” of company‑issued machines that allow remote operatives to appear local. One facilitator pleaded guilty in 2025 and received a 102‑month sentence after aiding placements at hundreds of companies and moving millions of dollars. In June, authorities executed raids across 16 states, seizing roughly 200 laptops from 29 suspected farms. Experts cited in the report describe layered detection challenges—multiple personas, automated submissions, and subtle cultural or behavioral red flags—while warning the scheme both evades sanctions and could enable pivots to malware or ransomware if positions are compromised. The findings point to the need for tighter hiring controls, human‑risk management, and coordinated enforcement.

Separately, the Cyber Risk Team at UpGuard found a publicly accessible code repository maintained by AggregateIQ that exposed campaign assets and sensitive credentials for multiple Canadian politicians and parties. The materials included WordPress backups, configuration files, API tokens, PEM‑encoded SSL keys, database dumps, and scripts supporting donations, surveys, and reporting. Examples cited include a Stripe secret key and NationBuilder tokens in a candidate repository, a private SSL key and wp‑config credentials in another, and exposed payment endpoint code and an API token associated with a party repository. These assets created realistic attack paths—unauthorized access to donation processors, impersonation using private keys, content‑management takeover, and potential access to voter/contact platforms—illustrating how third‑party misconfigurations can translate into campaign and citizen risk. The disclosure arrives amid broader scrutiny of the firm’s past relationships and ongoing inquiries, underscoring the importance of vendor security controls and credential hygiene in political technology ecosystems.
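The credential types named in the UpGuard finding are exactly what a pre-commit or repository secret scanner should catch. The following is an added example, not UpGuard's tooling, that runs simple detection patterns over a constructed in-memory repository. The Stripe `sk_live_`/`sk_test_` prefix, the PEM `-----BEGIN ... PRIVATE KEY-----` marker and the wp-config `DB_PASSWORD` define are real formats; the NationBuilder pattern is an assumption (any long token assigned under a key containing "nationbuilder" and "token"), and all file contents and values are constructed.

```python
import re
from typing import Dict, List, Tuple

# Detection patterns for the credential types named in the finding.
# The NationBuilder rule is a loose assumption, not a documented token format.
SECRET_PATTERNS = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "wp_config_db_password": re.compile(
        r"define\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)"),
    "nationbuilder_token": re.compile(
        r"(?i)nationbuilder[_a-z]*token['\"]?\s*[:=]\s*['\"]?[A-Za-z0-9]{20,}"),
}

# Constructed sample repository: path -> file contents. Every value is fake.
SAMPLE_REPO = {
    "candidate/wp-config.php": "<?php\ndefine('DB_NAME', 'campaign');\ndefine('DB_PASSWORD', 'hunter2-example');\n",
    "candidate/config/stripe.php": "$stripe_secret = 'sk_live_EXAMPLEEXAMPLEEXAMPLE1234';\n",
    "party/ssl/site.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample...\n-----END RSA PRIVATE KEY-----\n",
    "party/scripts/donate.js": "const endpoint = 'https://example.invalid/donate';\n",  # clean file
    "candidate/.env": "NATIONBUILDER_TOKEN=abcdefghijklmnopqrstuvwxyz0123\n",
}


def scan_text(text: str) -> List[Tuple[str, int]]:
    """Return (finding_type, line_number) pairs for every secret-like match in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno))
    return findings


def scan_repo(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan every file; only paths with at least one finding appear in the report."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


def has_findings(report: Dict[str, List[Tuple[str, int]]]) -> bool:
    """True when the scan should block a commit or fail a CI job."""
    return bool(report)


if __name__ == "__main__":
    # Only the finding type and location are printed, never the matched secret.
    report = scan_repo(SAMPLE_REPO)
    for path, hits in report.items():
        for kind, lineno in hits:
            print(f"{path}:{lineno}: {kind}")
    raise SystemExit(1 if has_findings(report) else 0)
```

The scanner reports the location and type of each finding but never echoes the matched value, so its own output does not become another place secrets leak. In practice the same checks belong in a pre-commit hook and in CI, and a positive hit should trigger rotation of the exposed key rather than just deletion from the repository, since git history and any clones retain it.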

Research

The H1 2025 threat roundup from ESET highlights three dynamics. First, social‑engineering techniques branded as ClickFix surged from near‑zero to widespread prevalence, with variants such as FakeCaptcha coercing users into running commands under the guise of human verification. Second, coordinated disruptions hit multiple infostealer‑as‑a‑service operations: a late‑2024 takedown of RedLine/Meta Stealer and later actions against LummaStealer and Danabot reduced activity and demonstrated effective public‑private collaboration. ESET describes investigative contributions that supported these efforts and explains why such services flourish—low entry barriers, subscription distribution, and straightforward monetization of stolen credentials. Third, the report documents infighting among ransomware operators, including defacements of leak sites by the smaller Dragonforce group and disruption of a leading operation’s site, emphasizing the ecosystem’s volatility. The researchers characterize the period as a mixed picture: successful disruption has impact, but attackers rapidly adapt with new lures and opportunistic rivalries. The podcast episode accompanying the report encourages teams to consult the full report for indicators and mitigation guidance.

Platforms

A year‑in‑review from the MSRC reports $17 million in 2025 awards to 344 researchers across 59 countries, the program’s largest single‑year payout. The bounties span Azure, Microsoft 365, Dynamics 365, Power Platform, Windows, Edge, and Xbox, with clearly scoped rules, tiers, and submission guidance to support coordinated disclosure. The inaugural Zero Day Quest live hacking competition focused on Copilot and cloud scenarios, generating more than 600 submissions and over $1.6 million in awards across qualifiers and the final event. Over the past year, program priorities expanded to emphasize AI‑related scenarios, identity and Defender scope increases, Microsoft 365 updates, new AI award categories for Dynamics 365 and Power Platform, and refreshed Windows attack‑scenario awards. Awards are determined by severity, customer impact, and submission quality, with continued emphasis on safe research practices. The update frames bounty programs as a proactive control that channels researcher expertise into measurable product hardening.

These and other news items from the day:

Tue, August 5, 2025

Project AK47 Linked to SharePoint ToolShell Exploits

🔍 Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.

Tue, August 5, 2025

ReVault: Vulnerabilities in Dell ControlVault3 Firmware

🔒 Talos disclosed five vulnerabilities in Dell ControlVault3 firmware and its Windows APIs, collectively named ReVault. The flaws affect more than 100 Latitude and Precision models and can enable persistent firmware implants that survive OS reinstalls. Attackers with local or physical access may bypass biometric authentication or escalate to Admin/System level. Apply Dell firmware updates and recommended mitigations without delay.

Tue, August 5, 2025

North Korea’s IT worker scheme infiltrating US firms

🔍 Thousands of North Korean IT workers have used stolen and fabricated US identities to secure roles at Western companies, funneling hundreds of millions of dollars annually to Pyongyang’s military programs. They leverage AI for resumes and cultural coaching, faceswap and VPN tools for video calls, and remote-access setups tied to US-based "laptop farms" run by facilitators who launder paychecks and ship company-issued machines abroad. Recent DOJ raids and the 102-month sentence for Christina Marie Chapman highlight legal, financial and national security risks, including potential sanctions violations.

Tue, August 5, 2025

AggregateIQ Exposure Reveals Canadian Campaign Assets

🔒 The UpGuard Cyber Risk Team discovered an unsecured AggregateIQ (AIQ) code repository containing site backups, API keys, SSL private keys, and other sensitive assets tied to multiple Canadian campaigns and parties. Exposed files included WordPress backups, donation processor keys (Stripe), NationBuilder tokens, and PEM private keys that could enable impersonation or account takeover. The findings illustrate significant third‑party vendor risk and raise regulatory and public‑interest concerns about how AggregateIQ managed client credentials and campaign tooling.

Tue, August 5, 2025

ESET Threat Report H1 2025: ClickFix and Ransomware

🔍 ESET's H1 2025 Threat Report highlights a sharp rise in manipulative social-engineering techniques, coordinated infostealer takedowns, and aggressive infighting among ransomware groups. Hosts Aryeh Goretsky and Ondrej Kubovič analyze the rapid emergence of ClickFix, including the FakeCaptcha variant that coaxes victims into executing commands. They also summarize law enforcement disruptions of RedLine/Meta Stealer and other services, and recount a brazen “deathmatch” in which the small actor Dragonforce defaced and dismantled rival data leak sites.

Tue, August 5, 2025

Microsoft Bounty Program: $17M Distributed in 2025

🔒 The Microsoft Bounty Program distributed $17 million this year to 344 security researchers across 59 countries, marking the largest total payout in the program’s history. In partnership with the Microsoft Security Response Center (MSRC), researchers helped identify and remediate more than a thousand potential vulnerabilities across Azure, Microsoft 365, Windows, and other Microsoft products and services. The program also expanded coverage and awards for Copilot, identity and Defender scopes, Dynamics 365 & Power Platform AI categories, and refreshed Windows attack scenario incentives to prioritize high-impact research.
