This week has seen a surge of global cyber incidents, highlighting how vulnerable critical infrastructure and political systems remain to advanced threat actors. From state-backed espionage campaigns to newly discovered groups exploiting servers for fraud, governments and organizations are scrambling to respond. Chinese hackers have been accused of targeting high-profile US leaders, a new group is manipulating search engines for financial gain, and Washington has placed a multi-million-dollar bounty on Russian operatives. Here’s a closer look at this week’s top cybersecurity headlines shaping global security.

Chinese Hackers Target Trump, JD Vance in Massive Global Cyber Campaign
A sweeping cyberattack by Chinese state-backed group Salt Typhoon has exposed the vulnerability of U.S. leaders and millions of citizens. Investigators confirmed that former President Donald Trump and Vice President JD Vance were targeted during their campaign, alongside other high-profile politicians. The attack reflects China’s long-running strategy of exploiting telecommunications and internet providers to harvest sensitive data. The breach occurred because known vulnerabilities in telecom networks were left unpatched, allowing attackers to infiltrate core systems. Once inside, hackers intercepted calls, texts, and files, enabling surveillance of political figures, activists, and dissidents. Investigators traced the campaign to multiple Chinese tech firms working closely with state intelligence, linking the activity to years of intellectual property theft and global espionage.
Solutions demand urgent upgrades to network defenses, particularly patch management, stronger encryption, and stricter international cooperation. Experts stress that governments must enforce secure coding practices, harden telecom infrastructure, and share intelligence across borders. Without coordinated action, such indiscriminate campaigns will continue to undermine national security and global trust in critical communications systems.
Source: Euronews
New GhostRedirector Group Hijacks Servers for SEO Fraud
A newly identified cyber group, GhostRedirector, has been found exploiting Windows servers across Brazil, Thailand, Vietnam, and the United States. In June 2025, at least 65 servers were compromised, with many linked to companies leasing infrastructure abroad.
The group relies on two custom tools: Rungan, a passive C++ backdoor that executes commands on infected servers, and Gamshen, a malicious IIS module that manipulates Google search results. The operation’s primary aim is to drive traffic to gambling websites through large-scale SEO fraud. Attackers gain entry by exploiting vulnerabilities, likely SQL injection, before deploying privilege escalation tools such as EfsPotato and BadPotato. These enable the creation of rogue accounts and the installation of multiple web shells, ensuring long-term control. GhostRedirector further strengthens persistence by using layered backdoors and redundant access points.
The campaign shows no industry preference, with victims spanning healthcare, education, technology, and retail. Analysts warn that organizations must patch vulnerable systems, monitor anomalous activity, and strengthen defenses against targeted exploitation.
Source: Help Net Security
US Offers $10M Reward for Russians Accused of Hacking Critical Infrastructure
The US State Department has announced a $10 million reward for information leading to the capture of three Russian nationals accused of cyberattacks on critical infrastructure worldwide. The suspects, linked to Russia’s Federal Security Service (FSB) Center 16, are alleged to have compromised more than 500 energy firms in 135 countries since 2012. Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov are accused of exploiting a long-patched Cisco vulnerability (CVE-2018-0171) in Smart Install software to infiltrate thousands of networking devices. Investigators claim the group hijacked unpatched or end-of-life equipment to steal data, map networks, and install custom malware such as SYNful Knock. Targets reportedly included oil and gas facilities, nuclear plants, utilities, and the Wolf Creek nuclear power station in Kansas.
The campaign allegedly sought long-term surveillance and potential disruption capabilities. While the suspects remain in Russia, beyond US extradition reach, officials argue the bounty underscores Washington’s intent to deter foreign state-backed cyber operations.
Source: The Register
Conclusion
The week’s developments reveal the scale, sophistication, and persistence of cyber operations targeting governments, businesses, and individuals alike. With geopolitical rivalries intensifying and attackers exploiting unpatched systems, coordinated defense measures are more urgent than ever. Strengthened resilience, proactive monitoring, and international collaboration remain the most effective tools against evolving digital risks.
Stay vigilant and informed, and tune in next week for more updates in InfosecTrain’s CyberWatch Weekly!