A Salesloft Drift cyberattack has compromised the Salesforce environments of numerous organizations, exposing customer data and credentials in a growing software supply chain incident. Triggered by a compromise of OAuth tokens used in the Drift chatbot’s integration with Salesforce, the Salesloft Drift security breach has impacted companies across the cybersecurity, cloud infrastructure, DevOps, and SaaS industries. The Salesloft Drift cyberattack, which occurred between August 8–18, 2025, enabled threat actors to extract sensitive information from Salesforce instances using stolen authorization tokens. Google’s Threat Intelligence team identified the attacker as GRUB1, a threat group that systematically exploited the Salesloft Drift integration to conduct credential harvesting and metadata reconnaissance.

Cloudflare: 'Failure in Vendor Oversight'

Cloudflare was among the most heavily impacted. Between August 12–17, the attacker accessed Cloudflare’s Salesforce case data using a compromised OAuth token issued to the Drift app. According to the company’s investigation, the attacker harvested metadata, ran queries against internal Salesforce objects, and eventually exfiltrated freeform customer support case text using Salesforce’s Bulk API 2.0. Cloudflare’s internal tools later identified 104 exposed API tokens, all of which have since been rotated. The company acknowledged the breach as “a failure in third-party vendor oversight” and is now reevaluating its security policies around third-party integrations. Affected customers were contacted directly by September 2.

Dynatrace, Cato Networks, and Bugcrowd Affected

Dynatrace reported that the Salesloft Drift breach affected only its Salesforce CRM system, which is used for marketing purposes. Investigators confirmed that only limited business contact data was accessed. The company immediately deactivated Drift and involved third-party forensic experts. It emphasized that neither Dynatrace products nor infrastructure were affected. Similarly, Cato Networks took immediate containment steps, revoking all Drift-related API access and launching an internal investigation. The data accessed was limited to case metadata and contact information. Cato’s threat intel unit, Cato CTRL, is monitoring the dark web for potential misuse, though no signs have surfaced yet. Bugcrowd confirmed unauthorized access to its Salesforce environment but found no impact on vulnerability reports, customer data, or infrastructure. The company is collaborating with Salesforce and Salesloft to assess the full scope.

BeyondTrust and Zscaler: Proactive Revocation, No System Impact

BeyondTrust was alerted by Salesforce on August 22 and immediately revoked OAuth credentials and disabled Drift access. An internal investigation found no impact beyond Salesforce, and no customer data misuse has been detected. Zscaler also acknowledged limited exposure of Salesforce data, including contact and licensing information. The company found no indication of misuse but continues to monitor closely.

PagerDuty and JFrog Respond

PagerDuty received a formal alert from Salesloft on August 20 confirming a compromise in the Drift OAuth flow. Investigators identified a few Salesforce cases that contained API keys. These keys were revoked, and affected customers were directly notified. PagerDuty advised all customers to rotate any credentials previously shared via Salesforce support cases. JFrog reported potential unauthorized access on August 23. No misuse or broader compromise was found, but customers were advised to rotate any shared credentials as a precaution.

Nutanix and Elastic: Minimal Exposure

Nutanix confirmed that certain case metadata, like subject lines and descriptions, was accessed, but no file attachments or sensitive system data were involved. Elastic also reported limited access to business contact details stored in Salesforce, with no known misuse or impact on its operational environments.

GRUB1’s Attack Chain: Precision and Persistence

Cloudflare's detailed forensics highlighted the attacker’s methodology:

August 9: GRUB1 attempted to validate an API token via Salesforce.
August 12–14: Unauthorized access began. The attacker enumerated Salesforce schemas and explored data structures.
August 17: Using new infrastructure, GRUB1 executed a data exfiltration job via Salesforce Bulk API 2.0.
August 20: Salesloft revoked all Drift OAuth credentials; Cloudflare had not yet received a formal alert.
August 23–25: Salesforce and Salesloft formally notified customers, triggering mass revocations and internal containment across affected organizations.

Supply Chain Attack Landscape Intensifies

The Salesloft Drift security breach exemplifies the growing threat of supply chain attacks. According to Cyble, the rate of supply chain attacks has doubled since April 2025, now averaging 26 incidents per month. These attacks exploit the trust placed in third-party integrations, often bypassing internal security controls. Cyble reported that at least 20 industries were affected in 2025 alone, and one ransomware group recently claimed to have exfiltrated data on 41,000 customers from a separate supply chain incident.

Security Takeaways from the Salesloft Drift Breach

The Salesloft Drift cyberattack underscores critical flaws in OAuth security and third-party risk management:

OAuth tokens must be rotated frequently and tightly scoped.
Third-party app access should be strictly limited and continuously audited.
Organizations should centralize visibility into integrated platforms and enforce least privilege access.
Rapid detection and revocation processes are vital to containing OAuth-related threats.

Salesforce has since removed Drift from the AppExchange, and Google has disabled Drift’s OAuth integration with Workspace. Salesloft has urged customers to revoke old API keys and reauthenticate with new credentials.
Three high-risk Windows kernel flaws were among the fixes included in Microsoft’s September 2025 Patch Tuesday updates released today. In all, the Patch Tuesday September 2025 updates included fixes for 86 Microsoft CVEs – eight of which are considered high risk – and five non-Microsoft flaws in Chromium-based Edge and SQL Server (CVE-2024-21907 in Newtonsoft.Json). The highest rated vulnerabilities patched this month are rated 8.8 under CVSS 3.1, and three of those – in the Windows kernel, NTLM and SMB – are considered at higher risk for exploitation.

Windows Kernel Vulnerabilities

CVE-2025-54110 is an 8.8-rated Windows kernel Elevation of Privilege vulnerability that Microsoft labeled as “Exploitation More Likely.” CVE-2025-54110, an Integer Overflow or Wraparound vulnerability (CWE-190) in the Windows kernel, could allow an authorized attacker to elevate privileges locally by sending specially crafted input from a sandboxed user-mode process to trigger an integer overflow, resulting in a buffer overflow in the kernel and enabling privilege escalation or sandbox escape. An attacker who successfully exploited the vulnerability could gain SYSTEM privileges, Microsoft said. Microsoft credited an anonymous researcher on Mastodon for the discovery.

Microsoft also labeled two 5.5-rated Windows kernel vulnerabilities as being at higher risk of exploitation. CVE-2025-53804 is a Windows kernel-mode driver Information Disclosure vulnerability that Microsoft said “could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities.” The vulnerability was reported by Lewis Lee. CVE-2025-53803, credited to Lee and three other researchers, is a Windows kernel memory Information Disclosure vulnerability that could also allow the disclosure of memory addresses through the generation of error messages containing sensitive information.

Patch Tuesday September 2025: Other High-risk Vulnerabilities

CVE-2025-54918 is an 8.8-rated Windows NTLM Elevation of Privilege vulnerability and is remotely exploitable and low complexity. Improper authentication in Windows NTLM could allow an authorized attacker to elevate privileges over a network. The vulnerability was credited to Brian De Houwer of Crimson7.

CVE-2025-55234 is an 8.8-severity Windows SMB Elevation of Privilege/Improper Authentication vulnerability. SMB Server might be susceptible to relay attacks depending on the configuration, and Microsoft advises enabling SMB Server hardening measures.

Other high-risk vulnerabilities in the Patch Tuesday September 2025 updates include:

CVE-2025-54916, a 7.8-rated Windows NTFS Remote Code Execution vulnerability
CVE-2025-54098, a 7.8-severity Windows Hyper-V Elevation of Privilege vulnerability
CVE-2025-54093, a 7.0-rated Windows TCP/IP Driver Elevation of Privilege vulnerability

Adobe, SAP and Ivanti are among the other IT vendors with critical updates out today.
Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.” The malware also includes strong obfuscation and evasion features, “indicating active professional threat actor involvement,” the researchers wrote in a blog post. “Unlike conventional cryptominers or DDoS botnets, LunoC2 exhibits process masquerading, binary replacement, and a self-update system, suggesting the malware is designed as a long-term criminal infrastructure tool,” they said.

Linux Botnet Actor Selling DDoS Services

Cyble said that while the threat actors behind the malware are unknown, the Luno actor is actively selling DDoS services on a Telegram channel that was created in late July. LunoC2’s architecture and pricing model “suggest intent for long-term monetization and operational flexibility,” Cyble said. DDoS features include tunable parameters such as target, method, time, and threads, with explicit target routines for Roblox, Minecraft, and Valve servers, suggesting a botnet-for-hire model, they said.

The malware downloads the xmrig miner from main[.]botnet[.]world and saves it as /bin/ash. The replacement of the legitimate ash shell (Almquist Shell) commonly found in embedded Linux distributions “suggests that the malware is specifically targeting resource-constrained systems for cryptocurrency mining, where ash is the default shell,” Cyble said.

Anti-analysis features include debugger/tracer detection, tool detection, network interface detection that checks NIC interfaces for anomalies, and timing checks to detect execution delay. “It does this by inspecting the execution environment,” the researchers said. “If an anomaly is detected, it attempts to self-delete itself from disk.”

Luno's Sophisticated DDoS Capabilities

DDoS_attack_launcher contains the core DDoS capabilities, enabling both thread-based floods and external binary execution. Cyble identified more than 20 different DDoS attack modules and types. Attacks like udp-bypass and tcp-bypass are more advanced than standard volumetric floods, allowing the attacker to randomize the packet size and destination port to evade basic signature-based detection rules. An HTTP GET flood attack function simulates real browser traffic with randomized headers, using a hardcoded list of random user-agents with 102 legitimate referrers “that mimic human browsing diversity and evade basic detections.”

The malware targets game servers with Minecraft-specific DDoS attack functions, Valorant-specific QUIC packets, and RakNet engine components used by many gaming engines for multiplayer functionality, the researchers said. The malware’s RakNet command uses the RakNet protocol handshake to bypass any simple firewall rules or rate-limiting that block untrusted, non-protocol UDP traffic. “By completing the handshake, the attacker makes the traffic look legitimate to the server, causing the server to waste resources processing the flood of incoming packets,” Cyble said. The more advanced raknet-mix command “floods the target using a variety of randomized packets to make its traffic look more diverse and difficult to block with a single rule.”

Cyble said the malware is built to be a long-term threat, and defenders should take note. “Given its resilience, modularity, monetization potential, resource theft, and service disruption capabilities, all of which possess operational and financial risks for organizations, defenders should treat LunoC2 as a long-term threat to Linux environments, particularly internet-facing servers and game-hosting platforms,” the researchers concluded. The full Cyble blog takes an in-depth look at the malware and also includes indicators of compromise (IoCs) and recommendations for defenders.
Jaguar Land Rover (JLR) has been forced to extend the shutdown of its UK manufacturing operations following a cyberattack on August 31. The Jaguar Land Rover cyberattack has halted vehicle production across multiple facilities and impacted its global supply chain, with disruptions reaching as far as Slovakia, China, and India. The data breach at Jaguar Land Rover led the company to shut down its internal IT systems in an effort to contain the attack and protect its networks. As of early this week, the company’s UK plants, including Halewood, Solihull, and the Wolverhampton engine facility, are expected to remain closed until at least Wednesday, though JLR has not confirmed when operations will fully resume.

JLR Production Comes to a Standstill

The Jaguar Land Rover cyberattack has had a widespread impact, not only halting production but also affecting dealerships and repair services. Vehicle registration systems were rendered inoperable, and garages reported difficulties sourcing parts. While some temporary workarounds have been established, full functionality has yet to be restored. Under regular conditions, Jaguar Land Rover produces approximately 1,000 vehicles per day. The sudden stoppage has placed strain on parts suppliers and service providers across its global supply network. Shaun Adams, manager at Qualplast, a supplier for JLR, told the BBC that the disruption is already significant and could escalate. “If this starts progressing over weeks, then we would have to seriously look at what we need to future-proof,” he said. Many of JLR’s suppliers have followed suit in instructing staff to remain at home, further compounding the operational and economic fallout from the data breach at Jaguar Land Rover.

The timing of the cyberattack added further complications. It occurred just before September 1, a key date for new car registrations in the UK, typically one of the busiest periods for automotive sales and deliveries. The inability to register new vehicles during this time likely introduced additional setbacks for both the company and consumers.

Jaguar Land Rover Response and Investigation

In response to the attack, Jaguar Land Rover has been working “around the clock” alongside third-party cybersecurity experts and law enforcement agencies to restore its systems in a safe and controlled manner. However, the company has not publicly commented on growing speculation that the disruption could last several more weeks. Jaguar Land Rover has declined to confirm whether sensitive data was accessed or whether ransom demands have been made. However, the company remains in active investigation mode and has acknowledged the ongoing threat of further disruption.

Hacker Group Claims Responsibility

Reports have surfaced that a group of English-speaking hackers, believed to be responsible for prior attacks on UK firms such as Marks & Spencer, has claimed responsibility for the cyberattack on Jaguar Land Rover. The group allegedly posted messages and screenshots on the encrypted app Telegram, suggesting that they had gained unauthorized access to JLR’s internal systems. The full extent of the Jaguar Land Rover data breach remains under investigation, and it is not yet clear if personal or financial data was compromised. The cyberattack on Jaguar Land Rover underscores the increasing vulnerability of large industrial companies to digital threats.
Several popular npm packages used in a number of web projects have been compromised and trojanized by unknown attackers. The attackers, through a phishing attack on maintainers, were able to gain access to at least one repository and injected the packages with malicious code used to hunt for cryptocurrency. Thus, all web applications that used trojanized versions of the packages were turned into cryptodrainers. And there can be quite a few of them — as the compromised packages had more than two billion downloads per day (according to Aikido Security).

What are the dangers of the trojanized packages used in this attack?

Obfuscated JavaScript was added to all affected packages. If the compromised package is used in a web application, the malicious code is activated on the devices that were used to access this application. Acting at the browser level, the malware intercepts network traffic and API requests, and changes data associated with Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash, and Tron cryptocurrency wallets. The malware spoofs their addresses and redirects transactions to the attackers’ wallets. About three hours after the attack began, the npm administration started to remove the infected packages, but it’s not known exactly how many times they were downloaded during this time.

How the attackers managed to gain access to the repositories

The attackers used a rather banal technique — they created a phishing email in which maintainers were urged to update their two-factor authentication credentials at the first opportunity. Otherwise, they were threatened with account lockout starting September 10, 2025. The emails were sent from a mailbox on the domain npmjs[.]help, similar to the legitimate npmjs.com. The same domain also hosted a phishing site that mimicked the official npm registry page. Credentials entered on this site immediately fell into the hands of the attackers. The attack was successful against at least one maintainer, compromising the npm packages color, debug, ansi-regex, chalk, and several others. However, the phishing attack appears to have been more extensive, because other maintainers and developers received similar phishing emails, so the full list of trojanized packages may be longer.

Which packages were compromised?

At the time of writing this post, the following packages are known to be compromised:

ansi-regex
ansi-styles
backslash
chalk
chalk-template
color-convert
color-name
color-string
debug
error-ex
has-ansi
is-arrayish
simple-swizzle
slice-ansi
strip-ansi
supports-color
supports-hyperlinks
wrap-ansi

However, as we have already written above, the list may grow. You can keep an eye on the GitHub advisory page for updates.

How to stay safe

Kaspersky Lab products, both for home and for corporate users, successfully detect and stop the malware used in this attack. Developers are advised to audit the dependencies in their projects, and if one of the compromised packages was used there, pin the safe version using the overrides function in package.json. You can find more detailed instructions here. Maintainers and developers with access to open source software repositories are advised to be doubly careful when receiving emails urging them to log into their accounts. Better yet — also use security solutions with an anti-phishing engine.
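To act on the audit-and-pin advice above, here is an added example (not code from Kaspersky, npm or any of the projects named) that scans a lockfileVersion 2/3 package-lock.json for every installed copy of the listed packages, including nested transitive copies, and builds the package.json "overrides" block that pins them. The package names are the ones listed above; the sample lockfile and every version number in it are constructed placeholders, and the "safe" versions must be taken from the GitHub advisory, not from this snippet.

```javascript
// Added example, not from the original post. Audits a package-lock.json for
// the npm packages named in the September 2025 compromise and emits a
// package.json "overrides" object that pins each one to a verified version.
// All version strings below are placeholders, not advisory data.

// Package names listed as compromised in the post above.
const COMPROMISED = [
  "ansi-regex", "ansi-styles", "backslash", "chalk", "chalk-template",
  "color-convert", "color-name", "color-string", "debug", "error-ex",
  "has-ansi", "is-arrayish", "simple-swizzle", "slice-ansi", "strip-ansi",
  "supports-color", "supports-hyperlinks", "wrap-ansi",
];

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of a listed package as { name, version, path }.
// Nested copies (node_modules/a/node_modules/chalk) are reported too: a
// transitive dependency can pull in a bad version while the top-level copy
// is clean, and `npm ls` output alone is easy to misread.
function findAffected(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const packages = lock.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // root project entry, not a dependency
    const marker = "node_modules/";
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;
    const name = path.slice(idx + marker.length); // handles @scope/name too
    if (COMPROMISED.includes(name)) {
      hits.push({ name, version: entry.version, path });
    }
  }
  return hits;
}

// Build the "overrides" object to merge into package.json. npm applies an
// override to every copy of that package name in the tree, so one entry
// covers nested copies as well. `safeVersions` maps name -> version you
// verified against the advisory; a hit with no entry is reported as
// unpinned rather than silently guessed.
function buildOverrides(hits, safeVersions) {
  const overrides = {};
  const unpinned = new Set();
  for (const hit of hits) {
    const safe = safeVersions[hit.name];
    if (!safe) { unpinned.add(hit.name); continue; }
    if (hit.version !== safe) overrides[hit.name] = safe;
  }
  return { overrides, unpinned: [...unpinned] };
}

// Constructed sample lockfile (not any real project's) so the script runs
// stand-alone; versions are invented.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "1.2.3" },
    "node_modules/debug": { version: "4.5.6" },
    "node_modules/express": { version: "7.8.9" },
    "node_modules/express/node_modules/debug": { version: "0.9.9" },
  },
});

// Usage: node audit-lock.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const file = process.argv[2];
  const lock = file ? fs.readFileSync(file, "utf8") : SAMPLE_LOCK;
  const hits = findAffected(lock);
  // Placeholder "known good" versions; replace with advisory-verified ones.
  const result = buildOverrides(hits, { chalk: "1.2.2", debug: "4.5.5" });
  console.log("affected copies:", hits);
  console.log('package.json "overrides":', JSON.stringify(result.overrides, null, 2));
  if (result.unpinned.length) console.log("no safe version supplied for:", result.unpinned);
}
```

After merging the printed "overrides" into package.json, run `npm install` and re-run the script against the regenerated lockfile to confirm no affected copy remains at an unpinned version.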
At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

This phishing email lured a developer into logging in at a fake NPM website and supplying a one-time token for two-factor authentication. The phishers then used that developer’s NPM account to add malicious code to at least 18 popular JavaScript code packages.

Aikido is a security firm in Belgium that monitors new code updates to major open-source code repositories, scanning any code updates for suspicious and malicious code. In a blog post published today, Aikido said its systems found malicious code had been added to at least 18 widely-used code libraries available on NPM (short for “Node Package Manager”), which acts as a central hub for JavaScript development and the latest updates to widely-used JavaScript components.

JavaScript is a powerful web-based scripting language used by countless websites to build a more interactive experience with users, such as entering data into a form. But there’s no need for each website developer to build a program from scratch for entering data into a form when they can just reuse already existing packages of code at NPM that are specifically designed for that purpose. Unfortunately, if cybercriminals manage to phish NPM credentials from developers, they can introduce malicious code that allows attackers to fundamentally control what people see in their web browser when they visit a website that uses one of the affected code libraries.

According to Aikido, the attackers injected a piece of code that silently intercepts cryptocurrency activity in the browser, “manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.”

“This malware is essentially a browser-based interceptor that hijacks both network traffic and application APIs,” Aikido researcher Charlie Eriksen wrote. “What makes it dangerous is that it operates at multiple layers: Altering content shown on websites, tampering with API calls, and manipulating what users’ apps believe they are signing. Even if the interface looks correct, the underlying transaction can be redirected in the background.”

Aikido said it used the social network Bsky to notify the affected developer, Josh Junon, who quickly replied that he was aware of having just been phished. The phishing email that Junon fell for was part of a larger campaign that spoofed NPM and told recipients they were required to update their two-factor authentication (2FA) credentials. The phishing site mimicked NPM’s login page, and intercepted Junon’s credentials and 2FA token. Once logged in, the phishers then changed the email address on file for Junon’s NPM account, temporarily locking him out.

Aikido notified the maintainer on Bluesky, who replied at 15:15 UTC that he was aware of being compromised, and starting to clean up the compromised packages.

Junon also issued a mea culpa on HackerNews, telling the community’s coder-heavy readership, “Hi, yep I got pwned.” “It looks and feels a bit like a targeted attack,” Junon wrote. “Sorry everyone, very embarrassing.”

Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, observed that the attackers appear to have registered their spoofed website — npmjs[.]help — just two days before sending the phishing email. The spoofed website used services from dnsexit[.]com, a “dynamic DNS” company that also offers “100% free” domain names that can instantly be pointed at any IP address controlled by the user.

Junon’s mea culpa on Hackernews today listed the affected packages.

Caturegli said it’s remarkable that the attackers in this case were not more ambitious or malicious with their code modifications. “The crazy part is they compromised billions of websites and apps just to target a couple of cryptocurrency things,” he said. “This was a supply chain attack, and it could easily have been something much worse than crypto harvesting.”

Aikido’s Eriksen agreed, saying countless websites dodged a bullet because this incident was handled in a matter of hours. As an example of how these supply-chain attacks can escalate quickly, Eriksen pointed to another compromise of an NPM developer in late August that added malware to “nx,” an open-source code development toolkit with as many as six million weekly downloads. In the nx compromise, the attackers introduced code that scoured the user’s device for authentication tokens from programmer destinations like GitHub and NPM, as well as SSH and API keys. But instead of sending those stolen credentials to a central server controlled by the attackers, the malicious code created a new public repository in the victim’s GitHub account, and published the stolen data there for all the world to see and download.

Eriksen said coding platforms like GitHub and NPM should be doing more to ensure that any new code commits for broadly-used packages require a higher level of attestation that confirms the code in question was in fact submitted by the person who owns the account, and not just by that person’s account. “More popular packages should require attestation that it came through trusted provenance and not just randomly from some location on the Internet,” Eriksen said. “Where does the package get uploaded from, by GitHub in response to a new pull request into the main branch, or somewhere else? In this case, they didn’t compromise the target’s GitHub account. They didn’t touch that. They just uploaded a modified version that didn’t come where it’s expected to come from.”

Eriksen said code repository compromises can be devastating for developers, many of whom end up abandoning their projects entirely after such an incident. “It’s unfortunate because one thing we’ve seen is people have their projects get compromised and they say, ‘You know what, I don’t have the energy for this and I’m just going to deprecate the whole package,’” Eriksen said.

Kevin Beaumont, a frequently quoted security expert who writes about security incidents at the blog doublepulsar.com, has been following this story closely today in frequent updates to his account on Mastodon. Beaumont said the incident is a reminder that much of the planet still depends on code that is ultimately maintained by an exceedingly small number of people who are mostly overburdened and under-resourced.

“For about the past 15 years every business has been developing apps by pulling in 178 interconnected libraries written by 24 people in a shed in Skegness,” Beaumont wrote on Mastodon. “For about the past 2 years orgs have been buying AI vibe coding tools, where some exec screams ‘make online shop’ into a computer and 389 libraries are added and an app is farted out. The output = if you want to own the world’s companies, just phish one guy in Skegness.”

Image: https://infosec.exchange/@GossiTheDog@cyberplace.social.

Aikido recently launched a product that aims to help development teams ensure that every code library used is checked for malware before it can be used or installed. Nicholas Weaver, a researcher with the International Computer Science Institute, a nonprofit in Berkeley, Calif., said Aikido’s new offering exists because many organizations are still one successful phishing attack away from a supply-chain nightmare.

Weaver said these types of supply-chain compromises will continue as long as people responsible for maintaining widely-used code continue to rely on phishable forms of 2FA. “NPM should only support phish-proof authentication,” Weaver said, referring to physical security keys that are phish-proof — meaning that even if phishers manage to steal your username and password, they still can’t log in to your account without also possessing that physical key.

“All critical infrastructure needs to use phish-proof 2FA, and given the dependencies in modern software, archives such as NPM are absolutely critical infrastructure,” Weaver said. “That NPM does not require that all contributor accounts use security keys or similar 2FA methods should be considered negligence.”
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.

Microsoft assigns security flaws a “critical” rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is CVE-2025-54918. The problem here resides with Windows NTLM, or NT LAN Manager, a suite of code for managing authentication in a Windows network environment. Redmond rates this flaw as “Exploitation More Likely,” and although it is listed as a privilege escalation vulnerability, Kev Breen at Immersive says this one is actually exploitable over the network or the Internet.

“From Microsoft’s limited description, it appears that if an attacker is able to send specially crafted packets over the network to the target device, they would have the ability to gain SYSTEM-level privileges on the target machine,” Breen said. “The patch notes for this vulnerability state that ‘Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network,’ suggesting an attacker may already need to have access to the NTLM hash or the user’s credentials.”

Breen said another patch — CVE-2025-55234, an 8.8 CVSS-scored flaw affecting the Windows SMB client for sharing files across a network — also is listed as a privilege escalation bug but is likewise remotely exploitable. This vulnerability was publicly disclosed prior to this month. “Microsoft says that an attacker with network access would be able to perform a replay attack against a target host, which could result in the attacker gaining additional privileges, which could lead to code execution,” Breen noted.

CVE-2025-54916 is an “important” vulnerability in Windows NTFS — the default filesystem for all modern versions of Windows — that can lead to remote code execution. Microsoft likewise thinks we are more than likely to see exploitation of this bug soon: The last time Microsoft patched an NTFS bug was in March 2025 and it was already being exploited in the wild as a zero-day.

“While the title of the CVE says ‘Remote Code Execution,’ this exploit is not remotely exploitable over the network, but instead needs an attacker to either have the ability to run code on the host or to convince a user to run a file that would trigger the exploit,” Breen said. “This is commonly seen in social engineering attacks, where they send the user a file to open as an attachment or a link to a file to download and run.”

Critical and remote code execution bugs tend to steal all the limelight, but Tenable Senior Staff Research Engineer Satnam Narang notes that nearly half of all vulnerabilities fixed by Microsoft this month are privilege escalation flaws that require an attacker to have gained access to a target system first before attempting to elevate privileges. “For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,” Narang observed.

On Sept. 3, Google fixed two flaws that were detected as exploited in zero-day attacks, including CVE-2025-38352, an elevation of privilege in the Android kernel, and CVE-2025-48543, also an elevation of privilege problem in the Android Runtime component.

Also, Apple recently patched its seventh zero-day (CVE-2025-43300) of this year. It was part of an exploit chain used along with a vulnerability in the WhatsApp (CVE-2025-55177) instant messenger to hack Apple devices. Amnesty International reports that the two zero-days have been used in “an advanced spyware campaign” over the past 90 days. The issue is fixed in iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8.

The SANS Internet Storm Center has a clickable breakdown of each individual fix from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. AskWoody also reminds us that we’re now just two months out from Microsoft discontinuing free security updates for Windows 10 computers. For those interested in safely extending the lifespan and usefulness of these older machines, check out last month’s Patch Tuesday coverage for a few pointers.

As ever, please don’t neglect to back up your data (if not your entire system) at regular intervals, and feel free to sound off in the comments if you experience problems installing any of these fixes.
The data breach, which occurred earlier this year, saw threat actors compromise a third-party platform to obtain Qantas customers' personal information.
Threat actors phished Qix's NPM account, then used their access to publish poisoned versions of 18 popular open-source packages accounting for more than 2 billion weekly downloads.
King, a leading voice in the Senate on cybersecurity issues, homed in on the thousands of staffers and experts laid off by CISA, saying the agency has lost 30 percent of its staff and most of its seasoned leaders.
“We've admired the problem for too long, and now it's time to do something about it,” National Cyber Director Sean Cairncross said about the cybersecurity threat environment.
On Monday, independent researchers revealed that the app’s application programming interface (API) reportedly contained a flaw that allowed outsiders to retrieve photos and personal details from other users’ accounts without authorization.
OT security company Nozomi Networks will operate as a wholly owned subsidiary of Mitsubishi Electric, with its headquarters still in San Francisco, the companies said in announcing the acquisition.
Sources tell Recorded Future News that top Trump administration officials have accepted that splitting up the leadership of U.S. Cyber Command and the National Security Agency would prove too lengthy and arduous amid other national security priorities.
New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.
Volodymyr Tymoshchuk, currently a fugitive, was an administrator for multiple ransomware strains, including LockerGoga, said U.S. prosecutors in unsealing an indictment against the Ukrainian national.
The Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) is pursuing funds taken from five victims between late October 2022 and March 2023, according to a news release.
Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841. "The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group," Silent Push
It’s budget season. Once again, security is being questioned, scrutinized, or deprioritized. If you're a CISO or security leader, you've likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they're framed in a way the board can understand and appreciate.
Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on
A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. "RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat," the Dutch mobile
⚠️ One click is all it takes. An engineer spins up an “experimental” AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes. Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security’s line of sight, tied to identities you don’t even know exist.
Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT. The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said. "
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet. The findings build on a prior report from Trend Micro in late June 2025, which
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest. "Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined," the cybersecurity company said in a
In episode 67 of The AI Fix, Graham talks to an AI with a fax machine, Bill Gates says there's one job AI will never replace, criminals use Claude Code for cyberattacks, Mark reveals why GPT-5 was better than you think, and a bird brings new meaning to the words "cloud storage". Also, Graham reveals that web-browsing AI agents are as gullible and click-happy as your most credulous distant relative, and Mark explains why the crowd at a recent Will Smith gig included somebody who wasn't there and a man whose hands look like feet. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley.
Given the serious financial and reputational risks of incidents that grind business to a halt, organizations need to prioritize a prevention-first cybersecurity strategy
Source: securityboulevard.com – Author: Marc Handelman via the comic artistry and dry wit of Randall Munroe, creator of XKCD. The post Randall Munroe’s XKCD ‘Cesium’ appeared first on Security Boulevard. Original Post URL: https://securityboulevard.
Source: securityboulevard.com – Author: Jeffrey Burt The Chinese state-sponsored group APT41 is accused of using a fake email impersonating a U.S. representative containing spyware and sent to government agencies, trade groups, and law firms to gain information about U.S. strategy in trade talks with China. The post Chinese Group Accused of Using Fake U.S. Rep. […] The post “Chinese Group Accused of Using Fake U.S. Rep. Email to Spy on Trade Talks – Source: securityboulevard.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: securityboulevard.com – Author: Michael Vizard UltraViolet Cyber has acquired the application security testing services arm of Black Duck Software as part of an effort to expand the scope of the managed security services it provides. Company CEO Ira Goldstein said this addition to its portfolio will provide penetration testing, red teaming, threat modeling, cloud […] The post “UltraViolet Cyber Acquires Application Security Testing Service from Black Duck – Source: securityboulevard.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.csoonline.com – Author: CISOs told the best defense is ‘boring cyber hygiene practices.’ The creation of an AI proof of concept that can autonomously build and execute a ransomware attack from scratch shouldn’t alarm CISOs who are prepared, says an expert. The defense against such a proposed new tool, said Taylor Grossman, director for […] The post “AI powered autonomous ransomware campaigns are coming, say experts – Source: www.csoonline.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.csoonline.com – Author: A cyberattack on Wehrle-Werk AG caused massive operational outages in 2024. The long-established company has now filed for insolvency. Wehrle-Werk AG recently filed an insolvency petition. A cyberattack last year caused major damage. Wehrle-Werk AG, based in Baden-Württemberg, is, after 165 years of history, […] The post “Hacker attack drives Wehrle-Werk into insolvency – Source: www.csoonline.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.csoonline.com – Author: Attackers abused GitHub Actions workflows to siphon off thousands of credentials from hundreds of npm and PyPI repositories. GitGuardian has disclosed a new software supply chain attack campaign, dubbed GhostAction, that exfiltrated thousands of sensitive credentials before being detected and contained on September 5. The attackers manipulated GitHub Actions workflows, the […] The post “GhostAction campaign steals 3325 secrets in GitHub supply chain attack – Source: www.csoonline.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.csoonline.com – Author: It’s time to split the job before it breaks the business. A recent story by Tyler Farrar (The CISO code of conduct: Ditch the ego, lead for real) really got me thinking. While I agree with most of the content and the code of conduct it suggests, I think there are […] The post “Is the CISO role broken? – Source: www.csoonline.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Waqas. Aikido Security flagged the largest npm attack ever recorded, with 18 packages like chalk, debug, and ansi-styles hacked to hijack crypto wallets via injected code. Aikido Security has flagged what could be the biggest npm supply chain compromise ever recorded. The account of a long-trusted maintainer known as qix was […] The post “npm Packages With 2 Billion Weekly Downloads Hacked in Major Attack – Source: hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Deeba Ahmed. A critical zero-day vulnerability (CVE-2025-53690) is being actively exploited in Sitecore. This flaw, originating from old, insecure keys, allows hackers to achieve Remote Code Execution (RCE) via ViewState deserialization attacks. For your information, this exploit hinges on a feature called ViewState, which is part of ASP.NET and helps a […] The post “Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware – Source: hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: hackread.com – Author: Deeba Ahmed. MostereRAT malware targets Windows through phishing, bypasses security with advanced tactics, and grants hackers full remote control. Cybersecurity researchers at FortiGuard Labs have identified a new malware threat called MostereRAT that is being delivered via a phishing campaign targeting Windows devices. The research, which was shared with Hackread.com, warns […] The post “MostereRAT Targets Windows, Uses AnyDesk and TightVNC for Full Access – Source: hackread.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.lastwatchdog.com – Author: bacohido By Byron V. Acohido In cybersecurity, trust often hinges on what users think their software is doing — versus what’s actually happening under the hood. Related: Eddy Willem’s ‘Borrowed Brains’ findings Take antivirus, for example. Many users assume threat detection is based on proprietary research, unique signatures, and internal analysis. […] The post “SHARED INTEL Q&A: Is your antivirus catching fresh threats — or just echoing VirusTotal? – Source: www.lastwatchdog.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.securityweek.com – Author: Ionut Arghire Hackers used the secrets stolen in the recent Nx supply chain attack to make public over 6,700 private repositories, cybersecurity firm Wiz says. As part of the attack, dubbed s1ngularity, a threat actor used an NPM token for the Nx repository to publish eight malicious versions of the popular […] The post “Over 6,700 Private Repositories Made Public in Nx Supply Chain Attack – Source: www.securityweek.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.securityweek.com – Author: Eduard Kovacs Twenty-seven cybersecurity merger and acquisition (M&A) deals were announced in August 2025, a significant drop compared to previous months. An analysis conducted by SecurityWeek shows that 405 cybersecurity-related mergers and acquisitions were announced in 2024. Check out the detailed report. Here is a list of the most important cybersecurity […] The post “Cybersecurity M&A Roundup: 27 Deals Announced in August 2025 – Source: www.securityweek.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.schneier.com – Author: Bruce Schneier About Bruce Schneier I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School, a board member of EFF, […] The post “Signed Copies of Rewiring Democracy – Source: www.schneier.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.schneier.com – Author: Bruce Schneier Just a few months after Elon Musk’s retreat from his unofficial role leading the Department of Government Efficiency (DOGE), we have a clearer picture of his vision of government powered by artificial intelligence, and it has a lot more to do with consolidating power than benefitting the public. Even […] The post “AI in Government – Source: www.schneier.com” was first published on CISO2CISO.COM & CYBER SECURITY GROUP.