New technologies are awesome, they often allow us to achieve more, get further, be more creative. But unfortunately, this is true for the bad guys as well. Week after week, we see in this cybersecurity news summary that there’s a new and rather not very complex way AI chats are used to exfiltrate data and now more and more MCP servers are getting impersonated and used for exfiltration as well.
So I would say, one thing to prioritise in your GRC programs right now is vendor reviews and usage of all the different AI tools. Absolutely we all want to use them, but when a year ago our biggest collective concern was that OpenAI will use our data for training then I think the risk has moved significantly to interception and exfiltration of data through the brwoser / MCP servers.
1. Fake Postmark MCP npm Connector Exfiltrated Thousands of Emails
A malicious “postmark-mcp” npm package impersonated Postmark’s MCP connector and, since version 1.0.16, silently Bcc:’d every outgoing email to an attacker-controlled server. With ~1,500 weekly downloads, it likely exposed password resets, invoices and confidential correspondence across hundreds of organizations.
Key Details
- Backdoor added via one-line Bcc to phan@giftshop.club in version 1.0.16
- Estimated impact: 3,000–15,000 emails per org per day, ~500 orgs affected
- Package unpublished quickly but remains on any systems already using v1.0.16+
- MCP connectors run with full email and API privileges, bypassing DLP and gateways
Next Steps
- Establish strict review rules for any high priviledge MCP connection and/or npm package
- Uninstall postmark-mcp v1.0.16 and later
- Audit and inventory all MCP connectors in use
- Review compromised information since using 1.0.16 of this package.
Read more at CSO Online
2. Four Cisco Zero-Days Wave Hits ASA Firewalls and IOS
Cisco and CISA warn of an active campaign exploiting four zero-days—critical RCE and privilege-escalation flaws in ASA 5500-X firewalls, plus an SNMP stack overflow in IOS/IOS XE—enabling root access, ROM tampering for persistence, and DoS across millions of devices.
Key Details
- CVE-2025-20333 & CVE-2025-20363 (CVSS 9.9/9.0): unauthenticated RCE on ASA devices
- CVE-2025-20362 (CVSS 6.5): privilege escalation on ASA VPN web services
- CVE-2025-20352 (CVSS 7.7): SNMP stack overflow in IOS/IOS XE, authenticated RCE & DoS
- Impacted ASA models: 5512-X, 5515-X, 5525-X, 5545-X, 5555-X, 5585-X (ASA 9.12/9.14 w/ VPN Web enabled)
Next Steps
- Deploy Cisco updates for CVE-2025-20333, 20362, 20363, and 20352
- There’s really no reason not to have automatic updates on for critical infrastructure. When was the last time an update caused problems? Probably less frequently than a zero-day causing problems.
Read more at Dark Reading
3. UK Arrests Suspect in Ransomware Attack Disrupting European Airports
Britain’s National Crime Agency has arrested and bailed a man in his forties in connection with last weekend’s ransomware attack on Collins Aerospace’s MUSE check-in and baggage systems, which grounded flights and forced manual workarounds at Heathrow, Brussels, Berlin and Dublin. The attack, detected on September 19, exploited customer-networked systems outside RTX’s enterprise environment and remains under investigation, underscoring the operational risks posed by supplier software in critical infrastructure.
Key Details
- The suspect, detained in West Sussex, was released on conditional bail.
- MUSE systems support passenger check-in, baggage tagging and boarding.
- RTX confirmed the “product cybersecurity incident” in an SEC 8-K filing.
- ENISA has identified the ransomware family used, though details remain undisclosed.
Read more at The Record, National Crime Agency, SEC Filing
4. Malware Operators Partner with North Korean IT Workers
A newly identified alliance, dubbed DeceptiveDevelopment, merges cybercriminal malware toolsets with North Korean IT-worker fraud (WageMole) to breach corporate networks and steal sensitive data. Operators pose as recruiters on LinkedIn and Upwork, use ClickFix-style fake video assessments to trick targets into downloading stealer and RAT malware, then leverage stolen identities for deeper infiltration. This hybrid threat blends traditional identity theft with state-aligned malware rentals, raising the stakes for hiring and on-boarding security controls.
Key Details
- Social engineers impersonate recruiters to deliver BeaverTail, InvisibleFerret and WeaselStore.
- ClickFix sites mimic camera/microphone error pages, prompting terminal commands to install payloads.
- Stolen credentials are used by North Korean IT workers to secure roles at targeted companies.
Next Steps
- Validate recruiter identities before sharing technical materials.
- Train emplyees of such complex social engineering scenarios.
Read more at Cybersecurity News
5. Volvo & Others Employees’ SSNs Exposed in Ransomware Attack on HR Vendor Miljödata
Volvo Group North America has confirmed that nearly 20,000 employees’ names and Social Security numbers were compromised after the DataCarry ransomware group breached its third-party HR software provider, Miljödata.
Key Details
- Miljödata’s cloud infrastructure was breached on August 20; attackers demanded 1.5 BTC (~$165 K).
- DataCarry published stolen data on the Dark Web on September 12 after the ransom wasn’t paid.
- Besides Volvo NA’s 20K employees, breach impacted 164 municipalities, 25 companies, and over 1.5 M individuals.
- Other clients lost PII including birth dates, home addresses, employment records, and 870,100 email addresses.
Next Steps
- Audit SaaS vendors’ security controls and breach response SLAs.
- Enforce encryption-at-rest and granular access limits on third-party PII.
- Implement continuous monitoring of vendor information security programs reviews and certifications
Read more at Dark Reading
6. China-linked APT UNC5221 Deploys Brickstorm Backdoors on Unmonitored Edge Appliances
The China-linked group UNC5221 is targeting Linux and BSD network appliances—firewalls, VPNs, IDS/IPS and VMware vCenter/ESXi hosts—that lack EDR support to install a Go-based backdoor called Brickstorm. By mimicking legitimate software and using per-victim, obfuscated C2 domains and delayed-start payloads, Brickstorm has enabled average dwell times of 393 days, letting attackers exfiltrate emails and pivot into downstream customer environments.
Key Details
- Brickstorm backdoor runs as a SOCKS proxy, file server and command executor in Go.
- Targets include edge appliances (Linux/BSD) and virtualization management systems (vCenter/ESXi).
- Uses per-victim C2 domains (Cloudflare Workers, Heroku, sslip.io, nip.io) and code obfuscation with Garble.
- Attackers exploit known and zero-day flaws (e.g., Ivanti Connect Secure) for initial access.
Next Steps
- Maintain an up-to-date inventory of all edge appliances.
- Restrict internet-facing management interfaces and protocols.
- Forward appliance logs into centralized SIEM for anomaly detection.
Read more at Darkreading
7. Iranian APT UNC1549 Uses Valid SSL.com Certificates to Evade Malware Detection
Iranian state-aligned group UNC1549 (aka Subtle Snail) is signing backdoors and infostealer malware with legitimate SSL.com code-signing certificates, drastically reducing detection by antivirus and threat-detection tools. Researchers found the certificates were issued to shell companies with minimal validation, exposing gaps in CA vetting and putting any organization that trusts signed binaries at risk.
Key Details
- Multiple malware families (Nimbus Manticore, Smoke Sandstorm, Tortoiseshell) signed with SSL.com certs.
- Certificates issued since May 2025 to shell firms Insight Digital B.V., RGC Digital AB and Sevenfeet Software AB.
- Three of four observed certificates remain valid despite CAB Forum requiring revocation within five days of misuse evidence.
- Other Iranian groups, including Void Manticore’s DruidFly wiper, have also abused SSL.com service.
Next Steps
- Ingest Check Point and Prodaft IoCs for UNC1549 into EDR/AV rules.
- Audit code-signing certificates for metadata anomalies (date mismatches, signer vs. file name).
- Review and harden CA partners’ validation processes, request compliance evidence.
Read more at Dark Reading
8. Salesforce Agentforce Prompt Injection Flaw Could Leak Sensitive CRM Data
Researchers at Noma Security have discovered “ForcedLeak,” a critical CVSS 9.4 vulnerability in Salesforce’s Agentforce AI platform that allows attackers to use indirect prompt injection via Web-to-Lead forms. The flaw lets malicious prompts in form submissions coerce AI agents into exfiltrating PII and corporate secrets to attacker-controlled domains.
Key Details
- ForcedLeak chains cross-site scripting–style prompt injection with overly permissive AI context handling.
- Attackers embed malicious instructions in the “Description” field of Web-to-Lead forms.
- Bypassing CSP via an expired but whitelisted domain (my-salesforce-cms.com) enabled data exfiltration.
- Salesforce patched the issue by enforcing a Trusted URL allowlist for Agentforce and Einstein AI.
Read more at Dark Reading
9. ShadowV2 Turns Misconfigured AWS Docker Containers into DDoS-as-a-Service Platform
Darktrace researchers warn of ShadowV2, a DDoS-for-hire botnet that hijacks exposed Docker daemons on AWS EC2 to deploy custom containers and launch large-scale HTTP floods via a Go-based RAT. With a polished API, web dashboard and subscription tiers, ShadowV2 industrializes DDoS attacks, lowering barriers for even novice actors and underscoring the need for hardened container configurations and API monitoring.
Key Details
- Targets exposed Docker APIs on AWS EC2 using Python Docker SDK to communicate with daemons.
- Dynamically builds and commits malicious containers on victims rather than pulling pre-built images.
- Installs a Go-based Remote Access Trojan that heartbeats to a C2 API every second and polls commands every five seconds.
- Includes advanced HTTP/2 rapid-reset floods and Cloudflare “Under Attack Mode” bypass capabilities.
Next Steps
- Restrict Docker daemon exposure; bind it to localhost or socket only.
- Enforce least-privilege IAM roles for container hosts on AWS.
- Scan existing EC2 instances for open Docker ports and remediate misconfigurations.
Read more at CSO Online
10. Tech Sector Surpasses Gaming as Primary DDoS Target Amid 41% Surge in Attacks
The latest Gcore Radar report shows DDoS attacks climbed 41% year-on-year in H1 2025, peaking at 2.2 Tbps and lasting longer with multi-layer tactics. Technology firms now account for 30% of all attacks, overtaking gaming, while financial services and application-layer assaults also surge.
Key Details
- Total incidents rose from 969,000 in H2 2024 to 1.17 million in H1 2025.
- Application-layer attacks jumped to 38% of all vectors, up from 28%.
- Technology (30%) and financial services (21%) lead targets; gaming fell to 19%.
- Top attack sources: United States, Netherlands and emerging Hong Kong.
Read more at The Hacker News
11. Researchers Identify Phishing Campaigns Delivering CountLoader Malware and PureRAT Backdoor with SVG
Fortinet and Huntress reveal two fileless phishing campaigns: one spoofing Ukrainian police with SVG attachments to deploy CountLoader, which loads Amatera Stealer and PureMiner, and another using copyright-themed lures to stage PXA Stealer and ultimately PureRAT.
These multi-stage attacks exploit SVG, CHM, and in-memory .NET execution to steal credentials, hijack resources, and establish persistent access.
Key Details
- Emails spoof National Police of Ukraine with embedded SVG leading to password-protected ZIPs and CHM files
- CountLoader drops Amatera Stealer (browser & wallet data exfiltration) and PureMiner (cryptomining) via fileless .NET AOT and PythonMemoryModule
- Separate campaign uses copyright infringement phishing to deliver PXA Stealer, layered in-memory loaders, and PureRAT backdoor
Next Steps
- Block or quarantine incoming SVG and CHM attachments at the email gateway
Read more at Fortinet FortiGuard Labs, Huntress, The Hacker News
12. Iran-Linked APT Nimbus Manticore Expands Attacks to European Defense, Telecom, and Aviation Firms
Iran-backed threat group Nimbus Manticore is targeting defense, telecommunications, and aerospace firms in Denmark, Portugal, and Sweden with new variants of its MiniJunk backdoor and MiniBrowse stealer delivered via tailored job-related spear-phishing emails. These improved tools use advanced compiler-level obfuscation, signed malware binaries, and multi-stage DLL sideloading to maintain persistence and evade detection, posing heightened risks to critical infrastructure.
Key Details
- Targets include defense manufacturing, telecoms, and aviation sectors in Western Europe.
- MiniJunk backdoor and MiniBrowse credential stealer use junk code, control-flow obfuscation, and signed SSL.com certificates.
- Spear-phishing via fake HR job sites delivers malware through multi-stage sideloading of Windows Defender component.
- Malware communicates with 3–5 HTTPS C2 servers using obfuscated traffic to avoid detection.
Read more at DarkReading, Check Point Research
13. UK to Launch ‘Report Fraud’ Replacement for Failing Action Fraud Service
Britain's national fraud reporting portal Action Fraud will be replaced later this year by 'Report Fraud', which uses Palantir’s Foundry platform to automatically analyze reports and rebuild public trust amid a 31% rise in fraud incidents. The system integrates data from tech, telecom, and financial partners, enabling the National Fraud Intelligence Bureau to spot patterns and issue real-time intelligence.
Key Details
- Fraud incidents rose 31% in the year to March, with estimated losses in the billions.
- Palantir Foundry–based back end has been operational since November 2023.
Read more at The Record
Subscribe
Subscribe to receive weekly cybersecurity news summary to your inbox every Monday.