Zscaler Confirms Limited Data Exposure Linked to Third-Party App
Zscaler disclosed a security incident involving Salesloft Drift, a marketing automation service, which led to the exposure of business contact details and Salesforce data. Zscaler revoked Salesloft Drift’s access, rotated API tokens, and launched an investigation. Customers are advised to remain vigilant against phishing attempts and verify the source of unsolicited communications.
Silver Fox APT Exploits Signed Windows Driver to Deliver ValleyRAT
Silver Fox APT is exploiting a signed but vulnerable WatchDog driver to disable Windows security and deliver ValleyRAT malware. The driver, amsdk.sys version 1.0.600, allows attackers to terminate security processes and install the malware, even after a patch was released. This campaign highlights the risks of trusting signed drivers without additional security checks.
Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices
Ukrainian network FDN3, part of a larger abusive infrastructure, launched massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. This network, along with others, is believed to be operated by a common bulletproof hosting administrator, leveraging offshore locations like Seychelles for anonymity. The investigation highlights the ongoing issue of abusive activities enabled by offshore ISPs.
Austria’s Interior Ministry Sees 100 Email Accounts Breached
Austria’s Ministry of the Interior (BMI) reported a breach of 100 government email accounts due to a targeted cyberattack. The breach, which did not compromise personal data or law enforcement information, is under investigation by the Austrian Federal Criminal Police Office’s cybercrime center. The attack did not affect police operations and backup communication measures are in place.
Law Enforcement Operation Seizes Fake ID Platform VerifTools
A joint U.S.-Dutch law enforcement operation shut down VerifTools, a platform selling fake IDs used in various cybercrimes. Authorities seized servers and domains, and are analyzing data to identify the platform’s administrators and users. VerifTools offered counterfeit identification documents for as little as $9, facilitating crimes like phishing, help desk fraud, and bypassing financial verification checks.
Planning for mandatory multifactor authentication for Azure and other admin portals learn.microsoft.com/en-us/ent…
At Microsoft, we’re committed to providing our customers with the highest level of security. One of the most effective security measures available to them is multifactor authentication (MFA). Research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks.
That’s why, starting in 2024, we’ll enforce mandatory MFA for all Azure sign-in attempts. For more background about this requirement, see our blog post. This topic covers which applications and accounts are affected, how enforcement gets rolled out to tenants, and other common questions and answers.
Spanish government cancels €10m contract using Huawei equipment therecord.media/spain-can…
The Spanish government cancelled a contract that would have seen Huawei equipment deployed in the national academic and research network used to connect the country’s universities, research institutes and parts of the Ministry of Defense.
Last week, a contract worth €10 million ($11.7 million) had been awarded to the Spanish multinational Telefónica to use Huawei kit to upgrade the RedIRIS network, effectively more than 16,000km of infrastructure. On Friday, the government reversed course for “reasons of digital strategy and strategic autonomy,” as reported by El País.
Amazon disrupts Russian APT29 hackers targeting Microsoft 365 www.bleepingcomputer.com/news/secu…
Researchers have disrupted an operation attributed to the Russian state-sponsored threat group Midnight Blizzard, which sought access to Microsoft 365 accounts and data.
Also known as APT29, the hacker group compromised websites in a watering hole campaign to redirect selected targets “to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.”
The Midnight Blizzard threat actor has been linked to Russia’s Foreign Intelligence Service (SVR) and is well-known for its clever phishing methods that recently impacted European embassies, Hewlett Packard Enterprise, and TeamViewer.
Amazon’s threat intelligence team discovered the domain names used in the watering hole campaign after creating an analytic for APT29’s infrastructure.
An investigation revealed that the hackers had compromised multiple legitimate websites and obfuscated malicious code using base64 encoding.
By using randomization, APT29 redirected roughly 10% of the compromised website’s visitors to domains that mimic Cloudflare verification pages, like findcloudflare[.]com or cloudflare[.]redirectpartners[.]com.
As Amazon explains in a report on the recent action, the threat actors used a cookies-based system to prevent the same user from being redirected multiple times, reducing suspicion.
Victims that landed on the fake Cloudflare pages were guided to a malicious Microsoft device code authentication flow, in an attempt to trick them into authorizing attacker-controlled devices.
TransUnion reported a data breach affecting 4.4 million Americans after hackers infiltrated the company’s Salesforce account on July 28, 2025, with the intrusion discovered two days later. The ShinyHunters cybercriminal group claims responsibility and states they actually stole over 13 million records globally, with the breach exposing names, addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security numbers despite TransUnion describing the data as “limited.” The stolen information, which also includes customer support tickets and transaction reasons like credit report requests, provides sufficient detail for identity theft, fraudulent account opening, and targeted phishing attacks. TransUnion is offering 24 months of free credit monitoring and identity theft protection to affected users, while security experts recommend placing credit freezes with all three major credit bureaus, monitoring financial accounts closely, and exercising caution with incoming communications as attackers may impersonate banks or government agencies using the stolen contact information.
Google issues another warning for Gmail users to secure their accounts | Mashable
Google urges Gmail users to change their passwords and enable two-factor authentication due to increased phishing activity and data breaches. Users should be cautious of suspicious emails and check their Google security activity regularly.
FBI cyber cop: Salt Typhoon pwned ‘nearly every American’ • The Register
The Salt Typhoon cyber espionage campaign, backed by China, has compromised telecommunications networks and collected information from nearly every American since at least 2019. The campaign, which targeted at least 80 countries and 200 American organizations, involved indiscriminate data collection, including geo-location, internet traffic monitoring, and phone call interception. The scale and recklessness of this breach underscore the need for increased cybersecurity measures.
Amazon blocks APT29 campaign targeting Microsoft device code authentication
Amazon disrupted a watering hole campaign by APT29, a Russia-linked cyber espionage group, that targeted Microsoft device code authentication. The campaign used compromised websites to redirect visitors to malicious infrastructure, employing tactics like obfuscated JavaScript and server-side redirects.
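The two Amazon/APT29 items above describe the same technique: victims are coaxed into completing Microsoft's device code authentication flow for a device the attacker controls. Because that flow is rarely used by ordinary users, the practical defensive check is to review every sign-in that used it. The Python below is an added example, not code from Amazon's report or from Microsoft: it runs over a few constructed sign-in records written in the shape of Entra/Microsoft Graph sign-in log entries (field names such as `authenticationProtocol`, `userPrincipalName` and `status.errorCode` are assumed from that schema; all values are invented) and flags successful device code sign-ins, raising the severity when the sign-in came from an address the user has not otherwise used in the window.

```python
import json
from collections import defaultdict

# Constructed sign-in records (not real log data). Field names follow the
# Entra / Microsoft Graph signIn schema as an assumption; values are invented.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2025-08-27T09:01:12Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-27T09:40:03Z", "userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-27T10:15:44Z", "userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-27T11:02:19Z", "userPrincipalName": "bob@example.test", "ipAddress": "192.0.2.77", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-27T11:03:00Z", "userPrincipalName": "carol@example.test", "ipAddress": "192.0.2.77", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "status": {"errorCode": 50126}}
"""


def parse_signin_log(log_text: str) -> list:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_device_code_signins(log_text: str) -> list:
    """Return one finding per successful device code sign-in.

    Severity is "review" for every successful device code sign-in (the flow is
    uncommon enough that each one deserves a look) and "high" when the source
    address does not appear in any of the user's other sign-ins in the window,
    which is a heuristic, not proof of compromise.
    """
    records = parse_signin_log(log_text)

    # Addresses each user used with any protocol other than device code.
    other_ips = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            other_ips[r["userPrincipalName"]].add(r["ipAddress"])

    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        # Failed device code attempts (non-zero errorCode) are not tokens issued;
        # they are counted separately by callers if wanted, not reported here.
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue
        user = r["userPrincipalName"]
        new_ip = r["ipAddress"] not in other_ips[user]
        findings.append({
            "user": user,
            "ip": r["ipAddress"],
            "resource": r.get("resourceDisplayName"),
            "time": r["createdDateTime"],
            "severity": "high" if new_ip else "review",
            "reason": ("device code sign-in from an address not seen in the "
                       "user's other sign-ins" if new_ip
                       else "device code sign-in (uncommon protocol)"),
        })
    return findings


if __name__ == "__main__":
    for f in detect_device_code_signins(SAMPLE_SIGNIN_LOG):
        print(f"[{f['severity']:6}] {f['time']} {f['user']} {f['ip']} -> {f['resource']}: {f['reason']}")
```

In Microsoft Sentinel the same first filter is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the point of the script is what to do with the hits, i.e. compare them against the user's normal sign-in addresses before escalating. Tenants that have no legitimate use for the flow can go further and block it outright with a Conditional Access policy using the authentication flows condition.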
WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices
WhatsApp addressed a security vulnerability (CVE-2025-55177) in its iOS and macOS apps, potentially exploited in conjunction with an Apple flaw (CVE-2025-43300) in targeted attacks. The flaw, affecting versions prior to 2.25.21.73, could allow unauthorized access to linked device synchronization messages. WhatsApp notified targeted individuals and recommended a factory reset and software updates.
Pentagon Probes Microsoft’s Use of Chinese Coders
The Pentagon is reviewing Microsoft’s use of Chinese nationals to write code for military cloud infrastructure. The program, which involved inexperienced U.S. citizens overseeing foreign coders, has been suspended and a third-party audit is being conducted. Concerns were raised about potential exposure of sensitive data and access to military systems.
CISA AA25-239A: Global Advisory on Chinese State-Sponsored Threat Campaigns
The CISA Cybersecurity Advisory AA25-239A, co-authored by leading cybersecurity agencies from the United States, Canada, United Kingdom, Australia, New Zealand, Japan, and Europe, highlights a sophisticated, ongoing campaign by Chinese state-sponsored threat actors targeting government, transportation, telecommunications, military, and other critical infrastructure sectors worldwide. The advisory identifies multiple threat groups—including Salt Typhoon, RedMike, UNC5807, OPERATOR PANDA, and GhostEmperor—that exploit a range of CVEs, such as CVE-2024-21887 and CVE-2024-3400, to compromise network edge devices, establish persistent access, and exfiltrate sensitive data for espionage purposes.
What sets this advisory apart is its in-depth technical detail and practical guidance. CISA outlines specific malicious techniques—including the use of custom tunnels, SSH backdoors, Guest Shell exploits on Cisco platforms, and tactics for evading detection by masking source IP addresses in system logs. The document provides comprehensive mitigation strategies, such as hardening of exposed infrastructure, monitoring for abnormal container or Guest Shell activity, disabling unused services, regular patching, and robust logging. It offers downloadable indicators of compromise (IOCs) and maps adversary activity directly to the MITRE ATT&CK framework, aiding defenders in threat hunting and incident response. Notably, CISA stresses an intelligence gap regarding some initial access vectors and encourages organizations to share relevant information to improve collective defences. The advisory serves as both a technical reference and a collaborative call to action for network defenders worldwide.
#Cybersecurity #CISA #AA25239A #ThreatIntel #ChinaAPT #SaltTyphoon #RedMike #UNC5807 #OperatorPanda #GhostEmperor #CriticalInfrastructure #TelecomSecurity #GovernmentSecurity #TransportSecurity #MilitaryCyber #VulnerabilityManagement #CVE202421887 #CVE20243400 #NetworkSecurity #EdgeDevices #SSHBackdoor #GuestShell #CiscoSecurity #Espionage #CyberThreats #InfoSec #CyberDefense #ThreatHunting #MITREATTACK #IncidentResponse #CyberOps #CyberResilience #PatchManagement #MFA #ZeroTrust #GlobalSecurity

Interlock Ransomware: The 2025 Cyber Threat Redefining Ransomware Tactics
The Interlock ransomware group has emerged as a significant cybersecurity threat in 2025, employing sophisticated social engineering tactics that distinguish it from traditional ransomware operations. First observed in September 2024, the financially motivated group operates without the typical ransomware-as-a-service model, instead functioning as a closed organisation that targets businesses and critical infrastructure across North America and Europe. Their signature attack method involves the “ClickFix” technique, where victims visiting compromised websites are tricked into manually executing malicious commands under the guise of software updates, effectively bypassing traditional security defences. The group’s most notable attacks include the breach of kidney dialysis provider DaVita, affecting over 200,000 patients, and the July 2025 ransomware attack on Saint Paul, Minnesota, which compromised systems and put 3,500 city employees' personal data at risk.
What makes Interlock particularly concerning for organisations is their double extortion methodology, which combines data theft with encryption before demanding ransom payments through their “Worldwide Secrets Blog” leak site. The U.S. Cybersecurity and Infrastructure Security Agency and FBI issued joint warnings in June and July 2025 about the group’s evolving capabilities, noting their upgraded malware’s increased resistance to detection and ability to encrypt both Windows and Linux virtual machines. With at least 58 confirmed victims posted to their leak site and a demonstrated willingness to target government infrastructure, Interlock represents a growing threat to organisations that rely on traditional endpoint security measures, prompting cybersecurity experts to recommend enhanced DNS filtering, network segmentation, and multi-factor authentication as essential defensive measures.
#Cybersecurity #Ransomware #Interlock #ClickFix #CyberThreats #InfoSec #ThreatIntel #CyberAttack #DataBreach #DoubleExtortion #Malware #CISO #SecurityAwareness #CriticalInfrastructure #CyberDefense #Phishing #SocialEngineering #IncidentResponse #DataSecurity #RiskManagement #CyberResilience #NetworkSecurity #EndpointSecurity #CyberOps #SecurityStrategy #CyberRisk #Encryption #HealthcareSecurity #GovernmentSecurity #CyberEspionage #CyberAlerts #CISOTips #DNSFiltering #ZeroTrust #MFA

Germany’s highest court has reignited the decade-long battle between publishers and privacy advocates over ad-blocking technology. The ruling sends Axel Springer’s case against Eyeo back to the Hamburg courts, where judges must decide if blocking ads counts as unauthorized modification of protected software. The outcome could reshape the balance between online privacy, user rights and sustainable revenue models across Europe.

AI’s Energy Challenge: Efficiency Gains vs. Rising Demand
AI has achieved remarkable efficiency gains, with energy use per query dropping more than thirtyfold in the past year, yet overall demand is still set to surge dramatically. The challenge ahead is ensuring that innovation is matched by sustainable energy strategies to keep growth responsible and resilient.

Dutch intelligence agencies report country was targeted by Chinese cyber spies therecord.media/dutch-int…
The Netherlands announced on Thursday that it had been targeted by a Chinese cyber-espionage campaign tracked as Salt Typhoon and RedMike that has been compromising critical infrastructure globally.
“Dutch organizations most likely didn’t receive the same level of attention from the Salt Typhoon hackers as those in the US,” but the country’s intelligence agencies observed targeting in the Netherlands, the Ministry of Defence said.
Shadow IT Is Expanding Your Attack Surface. Here’s Proof www.bleepingcomputer.com/news/secu…
Shadow IT - the systems your security team doesn’t know about - is a persistent challenge. Policies may ban them, but unmanaged assets inevitably slip through. And if defenders don’t uncover them first, there’s always a risk attackers will.
With just a few days of effort, Intruder’s security team uncovered multiple real-world examples of Shadow IT exposures: unsecured backups, open Git repositories, unauthenticated admin panels, and more.
Every one of them contained highly sensitive data or credentials, and none required advanced exploitation.
Cephalus ransomware: What you need to know www.fortra.com/blog/ceph…
Cephalus is a relatively new ransomware operation that emerged in mid-2025, and has already been linked to a wave of high-profile data leaks.
Like many other ransomware attacks, Cephalus not only encrypts but also steals sensitive data - with victims named-and-shamed on a dedicated leak site hosted on the dark web.
AppSuite PDF Editor Backdoor: A Detailed Technical Analysis www.gdatasoftware.com/blog/2025…
Some threat actors are bold enough to submit their own malware as a false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign www.fortinet.com/blog/thre…
Over the past year, FortiGuard Labs has been tracking a stealthy malware strain exploiting a range of vulnerabilities to infiltrate systems. Initially disclosed by a Chinese cybersecurity firm under the name “Gayfemboy,” the malware resurfaced this past July with new activity, this time targeting vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco, and exhibiting signs of evolution in both form and behavior.
This article presents an in-depth analysis of the malware, revealing its technical details and exploring the implications of its evolving behavior.
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows research.checkpoint.com/2025/silv…
Check Point Research (CPR) uncovered an ongoing in-the-wild campaign attributed to the Silver Fox APT which involves the abuse of a previously unknown vulnerable driver, amsdk.sys (WatchDog Antimalware, version 1.0.600). This driver, built on the Zemana Anti-Malware SDK, was Microsoft-signed, not listed in the Microsoft Vulnerable Driver Blocklist, and not detected by community projects like LOLDrivers.
The attackers leveraged this unknown vulnerable driver to terminate protected processes (PP/PPL) associated with modern security solutions, allowing EDR/AV evasion on fully updated Windows 10 and 11 systems without triggering signature-based defenses. A dual-driver strategy was employed to ensure compatibility across Windows versions: a known vulnerable Zemana driver for legacy systems, and the undetected WatchDog driver for modern environments. Both were embedded in a single self-contained loader which also included anti-analysis layers and the ValleyRAT downloader.
Following CPR’s disclosure, the vendor released a patched driver (wamsdk.sys, version 1.1.100). Although we promptly reported that the patch did not fully mitigate the arbitrary process termination issue, the attackers quickly adapted and incorporated a modified version of the patched driver into the ongoing campaign. By flipping a single byte in the unauthenticated timestamp field, they preserved the driver’s valid Microsoft signature while generating a new file hash, effectively bypassing hash-based blocklists. This subtle yet efficient evasion technique mirrors patterns seen in earlier campaigns.
The final payload delivered in all observed samples was ValleyRAT, a modular Remote Access Trojan attributed to the Silver Fox APT with infrastructure located in China.
This campaign highlights a growing trend of weaponizing signed-but-vulnerable drivers to bypass endpoint protections and evade static detection.
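The byte flip described in the Check Point item works because a flat file hash covers the attribute certificate table, while the Authenticode signature does not: the signed PE image hash deliberately excludes the CheckSum field, the certificate-table data directory entry and the certificate table itself. A blocklist keyed on SHA-256 of the file therefore misses the modified driver, while one keyed on the Authenticode image hash (or on the signer plus file name and version) does not. The Python below is an added example and not code from Check Point, WatchDog or Microsoft: it assembles a constructed, non-loadable PE32+ file with a dummy certificate table (the `build_sample_pe` layout and the `0xAA` filler standing in for a PKCS#7 blob are both invented), computes a simplified Authenticode hash, and shows that a change inside the certificate table alters the file hash but not the image hash, whereas a change to section data alters both.

```python
import hashlib
import struct

# Layout constants for the constructed sample (assumed, not from any real driver).
HEADER_SIZE = 512      # SizeOfHeaders, padded to the file alignment
SECTION_RAW = 512      # SizeOfRawData of the single section
CERT_SIZE = 64         # dwLength of the dummy WIN_CERTIFICATE blob


def build_sample_pe() -> bytes:
    """Assemble a minimal PE32+ image: DOS header, PE signature, COFF header,
    optional header, one section, 512 bytes of section data and a dummy
    certificate table at the end. It hashes like a PE but is not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)            # e_lfanew: PE signature at 0x40

    coff = struct.pack("<HHIIIHH",
                       0x8664,   # Machine: x64
                       1,        # NumberOfSections
                       0,        # TimeDateStamp
                       0, 0,     # PointerToSymbolTable, NumberOfSymbols
                       240,      # SizeOfOptionalHeader (PE32+)
                       0x0022)   # Characteristics: executable image, large-address-aware

    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # Magic: PE32+
    struct.pack_into("<I", opt, 60, HEADER_SIZE)   # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)    # CheckSum (excluded from the image hash)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    cert_offset = HEADER_SIZE + SECTION_RAW
    # Data directory [4] = certificate table: file offset and size.
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_offset, CERT_SIZE)

    section = bytearray(40)
    section[0:5] = b".text"
    struct.pack_into("<I", section, 16, SECTION_RAW)   # SizeOfRawData
    struct.pack_into("<I", section, 20, HEADER_SIZE)   # PointerToRawData
    struct.pack_into("<I", section, 36, 0x60000020)    # code | execute | read

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)).ljust(HEADER_SIZE, b"\0")
    code = bytes(range(256)) * 2                        # 512 bytes of constructed "code"
    # Dummy WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7),
    # then filler where the real PKCS#7 blob (signature, timestamp) would sit.
    cert = struct.pack("<IHH", CERT_SIZE, 0x0200, 0x0002).ljust(CERT_SIZE, b"\xAA")
    return headers + code + cert


def authenticode_hash(pe: bytes) -> str:
    """Simplified Authenticode image hash: SHA-256 over the file minus the CheckSum
    field, the certificate-table directory entry and the certificate table.
    This equals the spec's result when sections are contiguous and in file order
    (true for the sample); for real binaries use signtool or the OS APIs."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                             # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = 112 if magic == 0x20B else 96             # data directories: PE32+ vs PE32
    checksum_off = opt + 64
    cert_dir_off = opt + dd_base + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)

    skip = [(checksum_off, checksum_off + 4), (cert_dir_off, cert_dir_off + 8)]
    if cert_size:
        skip.append((cert_off, cert_off + cert_size))
    skip.sort()
    h = hashlib.sha256()
    pos = 0
    for start, end in skip:                             # hash everything outside the gaps
        h.update(pe[pos:start])
        pos = end
    h.update(pe[pos:])
    return h.hexdigest()


def file_sha256(data: bytes) -> str:
    """Flat file hash, the key most simple blocklists use."""
    return hashlib.sha256(data).hexdigest()


def flip_byte(data: bytes, offset: int) -> bytes:
    """Return a copy of data with one bit toggled at offset (test helper)."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)


def compare_blocklist_keys(original: bytes, modified: bytes) -> dict:
    """Report which blocklist key would still match after the modification."""
    return {
        "file_hash_changed": file_sha256(original) != file_sha256(modified),
        "authenticode_hash_changed": authenticode_hash(original) != authenticode_hash(modified),
    }


if __name__ == "__main__":
    pe = build_sample_pe()
    in_cert_table = HEADER_SIZE + SECTION_RAW + 32      # inside the certificate blob
    in_code = HEADER_SIZE + 88                          # inside section data
    print("byte changed in certificate table:", compare_blocklist_keys(pe, flip_byte(pe, in_cert_table)))
    print("byte changed in section data:     ", compare_blocklist_keys(pe, flip_byte(pe, in_code)))
```

The first comparison is the situation in the article: the file hash changes and a SHA-256 blocklist stops matching, but the image hash that the signature actually covers is unchanged, so a rule keyed on that hash, or on the signing certificate together with the original file name and version, still fires. The second comparison shows that any change to code or headers breaks both keys, which is why the attackers could only touch the signature block.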
Google’s AI hurricane model impresses in first real-time test with Hurricane Erin - CBS Miami
Hurricane Erin’s rapid escalation to a Category 5 storm provided an early test for Google DeepMind’s new artificial intelligence forecasting model, which outperformed traditional American and European systems in predicting the storm’s track and intensity. By leveraging historical hurricane data to detect patterns beyond human analysis, the AI delivered highly accurate early forecasts, though experts caution it remains in development and is not yet ready for public use. If further trials confirm its reliability, the model could soon play a significant role in official forecasting efforts.