Byer-Nichols Threat Brief August 15 2025
Digital Rage

Season: 2 | Episode: 31

Published: August 19, 2025

By: Byer Co

This cybersecurity threat brief provides an overview of various threats observed between August 1st and August 15th, 2025. It highlights that small businesses are disproportionately affected by cyber breaches, facing significant risk to their survival. The report details top ransomware variants, with Qilin and Akira leading, and identifies key victim sectors like manufacturing and financial services, primarily in the USA. Additionally, it brings attention to trending adversaries such as the Russian-linked Curly COMrades, lists actively exploited vulnerabilities including a critical Microsoft Exchange flaw, and notes emerging malware strains. The brief concludes with a summary of top cybersecurity news, featuring major zero-day exploits and significant law enforcement actions.

Link: Byer-Nichols Threat Brief August 15 2025

Keywords: CyberSecurity News,cybersecurity marketing,cybersecurity report

Episode Transcript

00:00:00 - 00:00:06
Welcome back to Digital Rage. I'm Jeff, the producer here at Byer Company. This is the third
00:00:06 - 00:00:12
Byer-Nichols Cybersecurity Brief episode. In the first half of August we are seeing an uptick in threats
00:00:12 - 00:00:18
and an overwhelming number of small businesses in the USA are being attacked. This report data is
00:00:18 - 00:00:23
collected and sent to us by Jeremy Nichols, the former director of the Global Threat Intelligence
00:00:23 - 00:00:28
Center. Executive summaries and threat actor bios are provided by cybersecurity expert Geoff
00:00:28 - 00:00:34
Remitt. Lots of data in this one, so let's get going. Welcome to the Deep Dive. In the digital world,
00:00:34 - 00:00:41
this battle between defenders and attackers, it's not just constant, is it? It feels like it's always
00:00:41 - 00:00:47
evolving, always accelerating. It really is a never-ending race, basically. Patching, predicting,
00:00:47 - 00:00:52
trying to stay one step ahead of whatever's next. Exactly. So today we're doing a crucial deep dive.
00:00:52 - 00:00:59
We're looking at the latest cybersecurity landscape specifically for the first half of August 2025.
00:00:59 - 00:01:04
Our mission really is to cut through the noise of the Byer-Nichols Cybersecurity Threat Brief.
00:01:04 - 00:01:08
We want to pull out the most important insights, maybe some surprising facts, and definitely some
00:01:08 - 00:01:14
actionable knowledge for you, the listener. Okay, let's unpack this. Yeah, it's been a, well, a pretty
00:01:14 - 00:01:19
active couple of weeks, and this brief, it gives a remarkably clear picture of where threats aren't
00:01:19 - 00:01:24
just lurking but are actively getting worse. That's a good way to put it, actively getting worse.
00:01:24 - 00:01:28
And the thing that really jumps out right from the executive summary, it almost stops you in your
00:01:28 - 00:01:36
tracks. This number: roughly 84%. 84% of all breach victims are small businesses. I mean, you think
00:01:36 - 00:01:43
about small businesses. They're the backbone, right? Like half of global employment, maybe 44% of US GDP,
00:01:43 - 00:01:50
that number feels, well, pretty bleak. It absolutely does. And what's particularly worrying about that
00:01:50 - 00:01:55
figure is why it's so high. You know, small and medium-sized businesses, SMBs, they often lag. They're
00:01:55 - 00:02:01
just not where larger enterprises are with security posture, with capabilities. You don't have the
00:02:01 - 00:02:06
huge IT teams or the massive budget. Exactly. They simply don't have the cash for the really advanced
00:02:06 - 00:02:13
stuff. And here's the kicker. Unlike a big corporation, a major cyber attack, it's far more likely
00:02:13 - 00:02:18
to just shut an SMB down for good. Wow. The report is very clear on this. Their survival, I mean,
00:02:18 - 00:02:23
it really hinges on taking cyber risks seriously. Okay. So if small businesses are getting hit the most,
00:02:23 - 00:02:28
where is this happening geographically? Which sectors? Look at the victim sectors.
00:02:28 - 00:02:35
Manufacturing and financial services seem to be leading; both saw increases. Manufacturing is just over 16.5%.
00:02:35 - 00:02:40
Financial services are really close, like 16.1%. Construction is still up there, around 13.4%,
00:02:40 - 00:02:45
and retail about 11%. Though interestingly, their share actually dropped a bit.
00:02:45 - 00:02:50
Yeah. Slight decrease for those two and for tech as well. Right. Technology slipped too, down to
00:02:50 - 00:02:55
just over 8.2%. And then geographically, still the US leading by a mile.
00:02:55 - 00:03:02
Oh, yeah. The USA continues to dominate almost 57.5% of victim locations. And that's an increase
00:03:02 - 00:03:09
from before. Then you've got the UK just over 6.2%. Germany around 5.1%. They saw increases too.
00:03:09 - 00:03:14
Right. Italy's around 4.3%, Canada about 3.1%, rounding out the top five.
00:03:14 - 00:03:19
But what does this pattern tell us? I mean, where are cyber criminals really focusing their efforts, and
00:03:19 - 00:03:24
maybe why there? Well, this pattern, it really does show a kind of strategic calculation, doesn't it?
00:03:24 - 00:03:29
The increases in manufacturing and financial services, it suggests attackers are prioritizing sectors
00:03:29 - 00:03:34
with really valuable IP, sensitive financial data, maybe critical infrastructure links.
00:03:34 - 00:03:40
Going for maximum impact. Exactly. Maximum leverage. Retail dipping slightly.
00:03:40 - 00:03:46
Maybe it's a shift to targets perceived as higher value or maybe just maybe some retailers are getting
00:03:46 - 00:03:53
a bit better at defense. Hard to say for sure. But the overwhelming dominance of the US plus the
00:03:53 - 00:04:00
increases in the UK and Germany. It clearly points to a focus on, well, economically powerful nations.
00:04:00 - 00:04:05
It's not random. It's about targeting where the biggest financial leverage is, where the most
00:04:05 - 00:04:10
valuable data resides. Bigger payouts, more disruption. Okay. So we know where they're hitting.
00:04:10 - 00:04:15
Now, how are they doing it? What's in their toolkit? Especially ransomware. That's always evolving.
00:04:15 - 00:04:18
We've definitely seen some shifts at the top of the ransomware charts.
00:04:18 - 00:04:22
Qilin seems to have really locked down that number one spot. Yeah, they have. Now over 20% of
00:04:22 - 00:04:28
attacks. That's up from what? About 13% before. Right. And Akira's moved up too. Stronger in the number
00:04:28 - 00:04:35
two spot, almost 14.2% up from just under 10%. Hmm. Significant jumps for both. And the rest of the top five.
00:04:35 - 00:04:43
These are newer names, right? Play had about 7.5%, Sonobi around 6.7% and BlackNevas at roughly 4.7%.
00:04:43 - 00:04:48
That's right. New players making a mark. And BlackNevas. That was interesting. Also known as Trial
00:04:48 - 00:04:53
Recovery. The brief mentions it just reappeared after being quiet for months. It was first seen back in
00:04:53 - 00:04:59
September 2024. What's the deal with its return? Yeah, what's fascinating here is just how dynamic this
00:04:59 - 00:05:04
ransomware world is. Qilin and Akira surging. It shows how effective they are. The resources they
00:05:04 - 00:05:10
must have. And then these new players, Play and Sonobi, popping into the top five so quickly. It just
00:05:10 - 00:05:15
underscores how fast new variants can take hold. Maybe new techniques, different targeting. Always
00:05:15 - 00:05:20
something new. Always. And BlackNevas coming back. That's classic. Threat actors often go dark. You
00:05:20 - 00:05:26
know, they retool, refine their methods. Maybe find new vulnerabilities. Then they reemerge. Often
00:05:26 - 00:05:32
stronger. Posing a renewed threat. Exactly. It's this constant arms race. New tools deployed fast.
00:05:32 - 00:05:38
And beyond ransomware, the brief flags other malware trends too. Things like a 4-0, 4-MD4-R,
00:05:38 - 00:05:44
EDRKillShifter, muquer agent, Plague, SparkKitty. And the exit backdoor is still around, of course.
00:05:44 - 00:05:49
Kill a factor. Yes. Okay. So we've mapped the battlefield, looked at the weapons. What about the
00:05:49 - 00:05:55
minds behind these attacks? The adversaries. The brief highlights a group called Curly COMrades.
00:05:55 - 00:06:01
An APT, advanced persistent threat, group. Apparently linked to the Russian Federation. That's the
00:06:01 - 00:06:08
assessment. Yes. An APT group. And their name. It comes from using curl.exe, right, for command and
00:06:08 - 00:06:13
control, C2. Correct. That's how they talk to compromised machines and send instructions. And also
00:06:13 - 00:06:20
for data exfiltration, sneaking data out. And their target seems specific. Eastern Europe. Moldova,
00:06:20 - 00:06:26
Georgia. Places looking towards the EU. Primarily yes. That seems to be their focus. Once they're inside
00:06:26 - 00:06:30
a network, they set up these reverse proxy tunnels back to servers they control. Think of them like
00:06:30 - 00:06:35
secret highways for stolen data. All for espionage basically. That appears to be the main goal. Yes.
00:06:35 - 00:06:40
Espionage. The good news, though, is that Bitdefender's report details their IOCs, indicators of
00:06:40 - 00:06:45
compromise and their TTPs, tactics, techniques and procedures. So defenders can use that to build
00:06:45 - 00:06:51
detection rules. Precisely. Now the brief does note and we should mention this impartially that
00:06:51 - 00:06:56
these types of groups are often characterized by targeting countries that support Ukraine. That's
00:06:56 - 00:07:01
the reported characteristics. Understood. Just reporting what's in the brief. And besides Curly COMrades,
00:07:01 - 00:07:07
other trending adversaries mentioned are Linen Typhoon, ShinyHunters, Storm-2603 and Violet Typhoon.
00:07:07 - 00:07:13
Quite a list. A busy landscape for threat hunters. Definitely. Now, vulnerabilities. This is always
00:07:13 - 00:07:17
crucial. And some old ones just won't go away. Well, they certainly won't. Three D-Link vulnerabilities
00:07:17 - 00:07:28
from 2020 and 2022, CVE-2020-25078, CVE-2020-25079 and CVE-2022-40799, still needing attention.
00:07:28 - 00:07:32
It's incredible, isn't it? It highlights a huge problem. The attack surface isn't just about
00:07:32 - 00:07:37
new threats. It's these old known weaknesses that people just don't patch, leaving the door wide
00:07:37 - 00:07:40
open. Easy pickings. But there's also a really urgent new one. High severity.
00:07:40 - 00:07:48
Affecting on-premises Microsoft Exchange Server 2019. Yes, CVE-2025-53786. This one is serious.
00:07:48 - 00:07:55
Microsoft strongly recommending applying hotfixes from April 2025. Like now. And maybe even isolating
00:07:55 - 00:07:59
vulnerable servers from the internet until they are patched. Absolutely critical advice.
00:07:59 - 00:08:04
Exchange servers are, well, they're central. Compromise that and you potentially have the keys to
00:08:04 - 00:08:10
the kingdom, communications-wise. High-value target. Definitely. And there are also new vulnerabilities
00:08:10 - 00:08:19
mentioned for Fortinet FortiSIEM and Trend Micro Apex One. CVE-2025-25256 for FortiSIEM and CVE-2025-54948
00:08:19 - 00:08:25
for Apex One. More things to add to the patching list. So putting all this together, the vulnerabilities,
00:08:25 - 00:08:31
the adversaries. What does this all mean? What's the bottom line for organizations and even individuals
00:08:31 - 00:08:35
just trying to stay secure? Well, the big takeaway, especially with that exchange vulnerability,
00:08:35 - 00:08:40
is aggressive patching. Organizations have to prioritize patching critical systems. When things
00:08:40 - 00:08:46
like Exchange get popped, attackers can get deep, pervasive access. It's bad. And for individuals,
00:08:46 - 00:08:52
it just reinforces the need for constant vigilance, right? Spotting phishing, keeping your own devices
00:08:52 - 00:08:58
updated. Because the threats are sophisticated. And the focus on espionage, like with curly comrades,
00:08:58 - 00:09:03
it reminds us it's not always just about money. It's data, intelligence, geopolitics. That demands a
00:09:03 - 00:09:09
broader view of defense. Good point. Now, beyond the core stats and threats, the brief also
00:09:09 - 00:09:16
touches on some big cybersecurity news items making waves recently. Like critical zero-day bugs,
00:09:16 - 00:09:21
cracking open password vaults from CyberArk and HashiCorp. That sounds really bad for password
00:09:21 - 00:09:25
security. Extremely concerning. Password managers are supposed to be the secure place, right? And
00:09:25 - 00:09:31
Microsoft paying a record $17 million in bounties shows the scale of vulnerability discovery.
00:09:31 - 00:09:35
And the value placed on finding flaws before the bad guys do. Then there's this new Shade
00:09:35 - 00:09:41
BIOS technique reportedly beats all AV by hiding in the system's firmware. Yeah, that's deeply
00:09:41 - 00:09:46
worrying. Malware at the BIOS level is incredibly stealthy, very hard to root out. And Ghost Calls
00:09:46 - 00:09:51
abusing Zoom and Teams. Making fake calls look real to trick people. Another example of attackers
00:09:51 - 00:09:56
exploiting the tools we rely on every day. Social engineering basically. We also see ShinyHunters'
00:09:56 - 00:10:01
tactics starting to look like Scattered Spider's. Suggests threat actors learn from each other,
00:10:01 - 00:10:08
adapt successful playbooks, the landscape evolves. SonicWall urging admins to disable SSL VPN
00:10:08 - 00:10:13
due to a critical bug. Another reminder about securing the network edge.
00:10:13 - 00:10:19
Perimeter security is still absolutely vital, yes. And on the plus side, maybe, the DOJ seized
00:10:19 - 00:10:24
over $300 million in cybercrime crypto. A significant win for law enforcement, yeah.
00:10:24 - 00:10:29
Shows they're making progress in tracing illicit funds. And a hacker extradited to the US for
00:10:29 - 00:10:36
stealing $3.3 million in crypto. Accountability. Important to see those real world consequences.
00:10:36 - 00:10:42
So if we try and connect these news items to the bigger picture, what does this flurry of activity
00:10:42 - 00:10:47
tell us? I think it really shows the attackers' relentless creativity. They're constantly probing
00:10:47 - 00:10:52
for new ways in, from the deepest system levels, like the BIOS with Shade BIOS, to
00:10:52 - 00:10:57
manipulating the everyday tools we use like Zoom and Teams with Ghost Calls.
00:10:57 - 00:11:01
They're getting us high and low. Exactly. It tells us that just defending the perimeter isn't
00:11:01 - 00:11:08
enough anymore. The fight is internal too. Continuous vigilance needed everywhere. The huge
00:11:08 - 00:11:14
bounties show the growing industry around finding flaws, both ethical hackers and, unfortunately,
00:11:14 - 00:11:18
those selling them on the black market. Right. And the law enforcement wins, the seizures,
00:11:18 - 00:11:24
the extraditions. They're crucial reminders that even in the perceived anonymity of cyberspace,
00:11:24 - 00:11:29
there are efforts to bring people to justice. It's not a totally lawless space.
00:11:29 - 00:11:33
Okay, so wrapping up this deep dive on the Byer-Nichols brief for early August.
00:11:33 - 00:11:39
Let's recap the core insights. First, small businesses are overwhelmingly the primary victims.
00:11:39 - 00:11:43
They desperately need to boost their defenses. It's an existential issue for many.
00:11:43 - 00:11:48
Absolutely key takeaway. Second, the ransomware scene is churning. New groups rising fast. Old ones
00:11:48 - 00:11:53
like BlackNevas coming back strong. It's incredibly dynamic. Constant change there. Third, we have
00:11:53 - 00:11:59
specific, well-funded adversaries like Curly COMrades, potentially state-linked, focused on espionage
00:11:59 - 00:12:04
and critical regions. A reminder that not all threats are financially motivated. And finally,
00:12:04 - 00:12:10
patching is paramount. Old vulnerabilities like those D-Link ones persist. And new critical flaws,
00:12:10 - 00:12:15
especially in core systems like Microsoft Exchange, demand immediate attention.
00:12:15 - 00:12:20
Can't stress that enough, patch, patch, patch. So understanding these trends. It's not just about
00:12:20 - 00:12:26
the numbers, is it? It's about giving you the listener the context you need to navigate this digital
00:12:26 - 00:12:31
world a bit more safely, to be genuinely informed about what's out there. Knowledge is power in this domain.
00:12:31 - 00:12:36
It really is. So here's a final thought to maybe mull over. In an environment where these old
00:12:36 - 00:12:42
vulnerabilities can hang around for years, literally years, while brand new sophisticated threats pop up
00:12:42 - 00:12:48
constantly. What does being truly proactive in cybersecurity even mean anymore? And how do we actually
00:12:48 - 00:12:54
shift from just reacting, constantly putting out fires, to genuinely getting ahead of these evolving
00:12:54 - 00:12:58
dangers? That's the million dollar question, isn't it? Moving from reactive to truly proactive.
00:12:58 - 00:13:03
A tough challenge for everyone. Reach out to us at jbyer.com for comments and questions.
00:13:03 - 00:13:08
Follow us at Byer Company on social media. And if you'd be so kind, please rate and review us
00:13:08 - 00:13:11
in your podcast app.