{"id":20178,"date":"2025-08-04T10:06:02","date_gmt":"2025-08-04T08:06:02","guid":{"rendered":"https:\/\/kordon.app\/?p=20178"},"modified":"2025-08-11T13:10:23","modified_gmt":"2025-08-11T11:10:23","slug":"17-cybersecurity-news-worth-your-attention-this-week-summarised-04-08-2025","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/17-cybersecurity-news-worth-your-attention-this-week-summarised-04-08-2025\/","title":{"rendered":"17 Cybersecurity News Worth Your Attention this Week Summarised &#8211; 04\/08\/2025"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">1. Palo Alto Networks to Acquire CyberArk for $25 Billion, Targeting Identity Security<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Palo Alto Networks announced plans to buy <strong>identity security specialist CyberArk for about $25 billion<\/strong>, marking its biggest acquisition to date and a strategic push into complex identity management.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The $25 billion all-cash deal is roughly <strong>25\u00d7 larger than Palo Alto\u2019s typical acquisitions.<\/strong><\/li>\n\n\n\n<li>CyberArk generated over $1 billion in revenue in 2024, up 33% year-over-year.<\/li>\n\n\n\n<li><strong>Machine identities now outnumber human identities 45:1<\/strong>, with 79% of orgs expecting a 150% spike.<\/li>\n\n\n\n<li>This is the second-largest cybersecurity transaction of 2025, following Google\u2019s $32 billion Wiz buy.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4031259\/palo-alto-networks-to-buy-cyberark-for-25b-as-identity-security-takes-center-stage.html\">CSO Online<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
New \u201cPlague\u201d PAM Backdoor Enables Silent SSH Credential Theft on Linux<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Security researchers have identified <strong>a new Linux backdoor named \u201cPlague\u201d that embeds into Pluggable Authentication Modules (PAM) to bypass authentication and harvest SSH credentials undetected<\/strong>.  <strong>Deployed since at least July 2024<\/strong> and invisible to antivirus engines, Plague persists through updates, erases session traces, and uses built-in credentials and anti-debugging techniques to maintain covert access.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First spotted on VirusTotal in July 2024, <strong>none of its samples trigger AV detections.<\/strong><\/li>\n\n\n\n<li>Four core features: <strong>static backdoor credentials, anti-debugging, string obfuscation, SSH session erasure.<\/strong><\/li>\n\n\n\n<li>Erases SSH_CONNECTION\/SSH_CLIENT vars and redirects HISTFILE to \/dev\/null to remove audit logs.<\/li>\n\n\n\n<li>Deeply integrates into the PAM stack, survives system updates, and leaves minimal forensic footprints.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit \/etc\/pam.d and \/lib\/security for unauthorized modules<\/li>\n\n\n\n<li>Enable file integrity monitoring on PAM libraries<\/li>\n\n\n\n<li>Restrict write permissions on authentication modules<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2025\/08\/new-plague-pam-backdoor-exposes.html\">The Hacker News<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.nextron-systems.com\/2025\/08\/01\/plague-a-newly-discovered-pam-based-backdoor-for-linux\/\">Nextron Systems<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Akira Ransomware Hits Fully-Patched SonicWall SSL VPNs via Likely Zero-Day<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers report <strong>a surge in Akira ransomware intrusions<\/strong> leveraging SonicWall SSL VPN appliances, <strong>including fully-patched devices<\/strong>, since mid-July 2025\u2014indicating a probable zero-day vulnerability. Compromised VPN sessions rapidly escalate to ransomware encryption, putting business continuity at risk. <strong>Security teams should treat all SonicWall SSL VPN endpoints as high-risk until a vendor patch is available.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Multiple intrusions showed VPN access to SonicWall SSL VPNs followed by ransomware within hours.<\/strong><\/li>\n\n\n\n<li>Some attacks targeted fully-patched devices, <strong>suggesting exploitation of an unknown zero-day flaw.<\/strong><\/li>\n\n\n\n<li>Akira group has extorted an estimated $42 million from 250+ victims since 2023 and was Q2 2025\u2019s second-most active ransomware actor.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Disable SonicWall SSL VPN services<\/strong> until a security update is released.<\/li>\n\n\n\n<li><strong>Enforce multi-factor authentication for all remote access accounts.<\/strong><\/li>\n\n\n\n<li>Audit VPN logs for connections from non-ISP IP ranges (e.g., VPS hosts).<\/li>\n\n\n\n<li><strong>Remove or disable inactive local firewall user accounts.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2025\/08\/akira-ransomware-exploits-sonicwall.html\">The Hacker News: Akira Ransomware Exploits SonicWall VPNs<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn\/\">Arctic Wolf 
Labs: July 2025 Uptick in Akira Ransomware Activity<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/research.checkpoint.com\/2025\/the-state-of-ransomware-q2-2025\/\">Check Point Research: The State of Ransomware Q2 2025<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Threat Actors Impersonate 50+ Microsoft OAuth Apps with Tycoon Kit to Phish MFA<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers at Proofpoint have uncovered an ongoing campaign where <strong>attackers register fake Microsoft OAuth applications\u2014masquerading as vendors like RingCentral, Adobe, SharePoint and ILSMart\u2014and use Tycoon and ODx phishing kits to harvest credentials and MFA codes from targeted Microsoft 365 users.<\/strong> <br><br><strong>More than 3,000 account compromise attempts across 900+ Microsoft 365 tenants have been observed in 2025 alone<\/strong>, driven by phishing emails from compromised senders that lure victims into granting OAuth permissions or completing a CAPTCHA before landing on an adversary-in-the-middle login page.  
<strong>Microsoft\u2019s planned August 2025 update to block legacy authentication and enforce admin consent on third-party apps is expected to curtail this technique.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The campaign began in early 2025 and leverages over 50 distinct fake OAuth apps.<\/li>\n\n\n\n<li><strong>Even if users deny permission, they\u2019re redirected through a CAPTCHA to a phishing page.<\/strong><\/li>\n\n\n\n<li>Proofpoint observed a recent Adobe-impersonation variant sent via Twilio SendGrid.<\/li>\n\n\n\n<li><strong>Microsoft\u2019s August 2025 changes will block legacy auth protocols and require admin-level consent for new apps.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit<\/strong> existing OAuth <strong>app consents<\/strong> in Azure AD.<\/li>\n\n\n\n<li><strong>Enforce admin consent for all third-party application<\/strong> permissions.<\/li>\n\n\n\n<li><strong>Block legacy authentication protocols<\/strong> via Conditional Access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2025\/08\/attackers-use-fake-oauth-apps-with.html\">The Hacker News<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/microsoft-oauth-app-impersonation-campaign-leads-mfa-phishing\">Proofpoint Threat Insight<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Storm-2603 Deploys DNS-Based AK47 C2 Backdoor to Deliver Warlock and LockBit Ransomware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A China-linked actor exploited two SharePoint Server flaws (CVE-2025-49704, CVE-2025-49706) <strong>to install a custom DNS-controlled AK47 C2 backdoor, enabling deployment of Warlock and LockBit Black ransomware. 
<\/strong>The operation combines open-source tools and a BYOVD anti-defense driver to disable security software, illustrating a hybrid APT-style methodology with likely financial motives.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AK47 C2 framework includes HTTP (AK47HTTP) and DNS (AK47DNS) clients using <strong>update.updatemicfosoft[.]com.<\/strong><\/li>\n\n\n\n<li>Ransomware delivered via DLL sideloading: 7z.exe\/7z.dll for Warlock, MSI installer for LockBit Black.<\/li>\n\n\n\n<li>Custom \u201cVMToolsEng.exe\u201d <strong>kills endpoint defenses using a BYOVD driver <\/strong>(ServiceMouse.sys).<\/li>\n\n\n\n<li>Activity dates back to March 2025, <strong>targeting Latin America and APAC concurrently.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Monitor DNS queries <\/strong>for update.updatemicfosoft[.]com.<\/li>\n\n\n\n<li><strong>Audit<\/strong> use of<strong> 7z.exe, MSI installers <\/strong>and their <strong>DLL load paths.<\/strong><\/li>\n\n\n\n<li><strong>Block<\/strong> <strong>ServiceMouse.sys<\/strong> driver loads.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2025\/08\/storm-2603-exploits-sharepoint-flaws-to.html\">The Hacker News<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Secret Blizzard Conducts ISP-Level AitM Attacks on Moscow Embassies with ApolloShadow Malware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Secret Blizzard has been intercepting ISP traffic for foreign embassies in Moscow since 2024, redirecting devices to captive portals to install ApolloShadow malware. 
<strong>ApolloShadow implants trusted root certificates, creates backdoor accounts, and relaxes firewall rules to maintain persistent espionage access.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware delivered via <strong>ISP-level adversary-in-the-middle using lawful intercept.<\/strong><\/li>\n\n\n\n<li><strong>ApolloShadow installs two root certificates <\/strong>via certutil and a Firefox-compatible wincert.js.<\/li>\n\n\n\n<li><strong>Creates \u201cUpdatusUser\u201d admin account<\/strong> and switches network profiles to Private.<\/li>\n\n\n\n<li>Campaign active since at least 2024 against diplomatic devices in Moscow.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit<\/strong> and revoke any untrusted <strong>root certificates<\/strong> immediately.<\/li>\n\n\n\n<li><strong>Enforce least-privilege access<\/strong> and routinely review admin group memberships.<\/li>\n\n\n\n<li><strong>Route traffic through trusted VPNs<\/strong> or encrypted tunnels.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/thehackernews.com\/2025\/07\/secret-blizzard-deploys-malware-in-isp.html\">The Hacker News \u2013 Secret Blizzard Deploys Malware in ISP-Level AitM Attacks<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Silk Typhoon Hackers File Over Ten Patents for Intrusive Forensics and Data Collection Tools<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">SentinelLabs analysis <strong>revealed that two companies tied to China\u2019s Ministry of State Security have lodged<\/strong> <strong>over ten patent applications for advanced forensics and data collection tools. 
<\/strong>The filings cover automated evidence collection across Windows, macOS, mobile, routers, and IoT, indicating a systematic build-out of Silk Typhoon\u2019s offensive arsenal and increasing risk to enterprise networks.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Patents filed by <strong>Shanghai Powerock Network Co. and Shanghai Firetech Info Science &amp; Tech Co<\/strong>.<\/li>\n\n\n\n<li>Tools include <strong>\u201cremote automated evidence collection,\u201d Apple forensics, router traffic capture, and IoT analysis<\/strong><\/li>\n\n\n\n<li>Applications cover<strong> FileVault bypass, hard-drive decryption, and remote mobile device evidence extraction<\/strong><\/li>\n\n\n\n<li>Investigation follows DOJ indictment of two MSS-affiliated hackers linked to Hafnium\/Silk Typhoon<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/chinese-silk-typhoon-hackers-filed-10-patents\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Cybersecurity News<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sentinelone.com\/labs\/chinas-covert-capabilities-silk-spun-from-hafnium\/\">SentinelOne Labs<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
Attackers Weaponize Free EDR Trials to Disable Existing Security Tools<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers have discovered \u201c<strong>EDR-on-EDR violence<\/strong>,\u201d where attackers <strong>enroll in free trials of endpoint detection and response software, <\/strong>install it on compromised hosts, <strong>and use it to silently disable existing security agents\u2014even those protected by tamper safeguards.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security researchers Ezra Woods and Mike Manrod documented how trial EDR installs can remove exclusions and block hashes of incumbent agents without alerts.<\/li>\n\n\n\n<li><strong>Cisco Secure Endpoint trials disabled CrowdStrike Falcon and Elastic Defend <\/strong>cleanly, causing targets to \u201cgo offline\u201d from the console.<\/li>\n\n\n\n<li><strong>Some products (e.g., ESET) allow full takeover <\/strong>of remote-management and disk-encryption controls when abused.<\/li>\n\n\n\n<li>CrowdStrike\u2019s 2024 Threat Hunting Report shows a 70% YOY increase in RMM tool abuse, accounting for 27% of hands-on-keyboard intrusions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce application control to block unauthorized EDR installations.<\/li>\n\n\n\n<li>Create custom Indicators of Attack for unsolicited EDR-trial deployments.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4032009\/edr-on-edr-violence-hackers-turn-security-tools-against-each-other.html\">CSO Online: EDR-on-EDR Violence<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/medium.com\/@mikemanrod\/edr-on-edr-violence-an-accidental-offshoot-of-our-rmm-abuse-research-byoedr-4688957f31a9\">Medium: Researchers\u2019 Detailed Analysis<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. H1 2025 Sees 800% Credential Theft Spike, 179% Ransomware Surge: Flashpoint Report<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Flashpoint\u2019s midyear threat intelligence finds <strong>credential theft up 800%, ransomware incidents up 179%, and vulnerability disclosures rising 246% <\/strong>exposing billions of records and straining security teams.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1.8 billion credentials stolen via info-stealers like Lumma, Redline, StealC and Acreed.<\/li>\n\n\n\n<li>9.45 billion records exposed in breaches, 78% due to unauthorized access.<\/li>\n\n\n\n<li>20,000+ vulnerabilities disclosed H1 2025; 2,447 remotely exploitable with public exploits.<\/li>\n\n\n\n<li>2,160 ransomware attacks in the US; manufacturing, technology and legal hardest hit.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce multifactor and adaptive authentication to curb credential misuse<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4032035\/ransomware-up-179-credential-theft-up-800-2025s-cyber-onslaught-intensifies.html\">CSO Online<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
17,000 SharePoint Servers Exposed Online; 840 Vulnerable to Critical Zero-Day<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Shadowserver Foundation has found over 17,000 on-premises SharePoint servers exposed to the internet, including 840 vulnerable to the critical CVE-2025-53770 zero-day that enables unauthenticated remote code execution.<\/strong> <br><br>Chinese threat actors have exploited this flaw since July 7\u2014deploying webshells, stealing machine keys and delivering Warlock ransomware\u2014posing immediate risk to government, healthcare, finance and education organizations.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The \u201cToolShell\u201d exploit chain carries a <strong>CVSS score of 9.8<\/strong> and bypasses authentication.<\/li>\n\n\n\n<li><strong>At least 20 compromised servers host webshells (e.g., \u201cspinstall0.aspx\u201d),<\/strong> indicating active intrusion.<\/li>\n\n\n\n<li>Victims include U.S. federal agencies (DOE\u2019s NNSA, DHS, HHS, Education) and multiple sectors.<\/li>\n\n\n\n<li>CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an emergency deadline.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply Microsoft\u2019s emergency SharePoint patches immediately<\/li>\n\n\n\n<li>Rotate ASP.NET machine keys after patching<\/li>\n\n\n\n<li>Enable AMSI and scan servers for webshell artifacts<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/sharepoint-servers-exposed-to-internet\/\">CybersecurityNews: SharePoint Servers Exposed to Internet<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cybersecuritynews.com\/toolshell-exploit-chain-sharepoint-servers\/\">CybersecurityNews: ToolShell Exploit Chain on SharePoint Servers<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Scattered Spider Exploits Help Desk to Hijack VMware vSphere and Deploy Ransomware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Google\u2019s Threat Intelligence Group warns that UNC3944 (Scattered Spider) is using<strong> phone-based social engineering to reset Active Directory passwords and gain hypervisor access on VMware vSphere<\/strong>, enabling undetectable data theft and direct ransomware deployment.  <strong>Their five-step method bypasses traditional EDR by operating at the ESXi hypervisor layer, manipulating VCSA bootloaders, and using Teleport for persistent SSH channels.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack chain moves from low-privilege AD foothold to root ESXi control in five phases.<\/li>\n\n\n\n<li>Two-step <strong>phone fraud tricks help desk <\/strong>into resetting standard then admin AD credentials.<\/li>\n\n\n\n<li>Teleport open-source tool<strong> establishes encrypted SSH channels, bypassing firewalls.<\/strong><\/li>\n\n\n\n<li>Offline disk detachment of VMs steals Active Directory database and disrupts backups.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce multi-factor verification<\/strong> for all help desk password resets.<\/li>\n\n\n\n<li><strong>Restrict and audit Teleport or similar SSH tooling<\/strong> on vSphere hosts.<\/li>\n\n\n\n<li>Regularly test immutable backup restores from isolated snapshots.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/hackread.com\/scattered-spider-ransomware-hijack-vmware-systems-google\/\">Hackread: Scattered Spider Launching Ransomware on Hijacked VMware Systems<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/defending-vsphere-from-unc3944\">Google Cloud Blog: Defending 
vSphere from UNC3944<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Critical \u201cMan-in-the-Prompt\u201d Vulnerability Lets Malicious Extensions Hijack AI Prompts<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Researchers have uncovered a flaw in how AI assistants like ChatGPT, Google Gemini, Copilot and others integrate with browsers, allowing any basic browser extension to inject or alter prompts via the DOM and exfiltrate sensitive data\u2014all without special permissions.<\/strong> This \u201cMan-in-the-Prompt\u201d attack affects billions of users and evades traditional security tools, exposing enterprises to IP theft, regulatory compliance failures, and undetected data leakage.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack works through DOM manipulation <\/strong>in prompt input fields by malicious extensions.<\/li>\n\n\n\n<li>Impacts 5 billion monthly ChatGPT visits, 400 million Gemini users; <strong>99% of enterprises vulnerable.<\/strong><\/li>\n\n\n\n<li><strong>Proof-of-concepts opened background tabs, injected prompts, exfiltrated responses, and erased histories.<\/strong><\/li>\n\n\n\n<li>Existing CASBs, SWGs and DLP tools lack visibility into real-time DOM-level interactions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable installation of unauthorized browser extensions<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/man-in-the-prompt-attack\/\">Cybersecurity News<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Critical RCE in Alone Charity WordPress Theme Actively Exploited<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A critical remote code execution flaw (CVE-2025-5394, CVSS 9.8) in the <strong>Alone charity-focused WordPress theme<\/strong> (\u22647.8.3) is being actively exploited to <strong>deploy webshells and gain full site control. <\/strong>Over 120,900 attack attempts have been blocked since July 12, underscoring the need for immediate updates and forensic review.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerability in alone_import_pack_install_plugin AJAX action<strong> allows unauthenticated plugin installs.<\/strong><\/li>\n\n\n\n<li>Attackers deliver obfuscated backdoors<strong> via malicious ZIPs<\/strong> (e.g., wp-classic-editor.zip).<\/li>\n\n\n\n<li>Top offending IPs: 193.84.71.244 (39,900+ requests), 87.120.92.24 (37,100+ requests).<\/li>\n\n\n\n<li><strong>Alone theme v7.8.5 (released July 14) patches the flaw<\/strong>; Wordfence firewall rules available since May 30.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Upgrade the Alone theme<\/strong> to version 7.8.5 or later immediately.<\/li>\n\n\n\n<li><strong>Scan <code>\/wp-content\/plugins<\/code> and <code>\/wp-content\/upgrade<\/code> <\/strong>for unfamiliar installs.<\/li>\n\n\n\n<li><strong>Review access logs for admin-ajax?action=alone_import_pack_install_plugin <\/strong>requests.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/wordpress-theme-rce-vulnerability-exploited\/\">CybersecurityNews.com<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Lazarus Group Plants 234 Malicious Packages in npm and PyPI to Spy on Developers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Between January and July 2025, North Korea\u2019s Lazarus Group deployed 234 weaponized packages across npm and PyPI, <strong>exposing over 36,000 developers to malware that steals credentials, profiles hosts, and establishes persistent backdoors.<\/strong> By hiding espionage implants in everyday dependencies and leveraging CI\/CD workflows, the campaign turns trusted open source components into long-term attack vectors against critical infrastructure.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Packages masqueraded as legitimate developer tools<\/strong> on npm and PyPI.<\/li>\n\n\n\n<li>Campaign duration: <strong>January\u2013July 2025<\/strong>, identified by Sonatype analysts.<\/li>\n\n\n\n<li><strong>Multi-stage payloads used dormant code<\/strong>, activating during development tasks.<\/li>\n\n\n\n<li><strong>Stealthy backdoors exfiltrated API tokens, credentials, and proprietary code.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit and block unverified or suspicious npm\/PyPI packages.<\/li>\n\n\n\n<li>Enforce cryptographic signature checks and maintain an SBOM for all dependencies.<\/li>\n\n\n\n<li>Isolate CI\/CD agents in ephemeral, sandboxed environments to contain threats.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/lazarus-hackers-weaponized-234-packages\/\">Cybersecurity News<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sonatype.com\/blog\/sonatype-uncovers-global-espionage-campaign-in-open-source-ecosystems\">Sonatype Blog<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">15. 
Attackers Leverage Proofpoint and Intermedia Link Wrappers to Evade Phishing Detection<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Cybercriminals have begun embedding malicious URLs inside Proofpoint Protect and Intermedia LinkSafe wrappers to bypass email gateways and deliver credential-harvesting pages. <strong>By exploiting how these services validate or ignore signature mismatches, attackers slip phishing links past sandbox and URL-reputation checks, targeting finance, legal, and higher-ed sectors<\/strong>.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Since August 1, over 180,000 wrapped-link phishing emails hit financial services, law firms, and universities.<\/strong><\/li>\n\n\n\n<li>Proofpoint uses a base64 \u201cu=\u201d parameter plus an HMAC \u201ck=\u201d token but still forwards on signature mismatch.<\/li>\n\n\n\n<li><strong>Intermedia\u2019s LinkSafe lacks any integrity token<\/strong>, allowing unvalidated redirects to attacker sites.<\/li>\n\n\n\n<li>Standard sandbox detonations and static URL-reputation checks are bypassed until the user\u2019s session resolves the link.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Configure gateways to strip or rewrap Proofpoint\/LinkSafe URLs before user delivery.<\/strong><\/li>\n\n\n\n<li>Hunt for base64 \u201cu=\u201d parameters that decode to external domains in email logs.<\/li>\n\n\n\n<li>Enforce on-endpoint URL detonations and block suspicious redirects at browser level.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/threat-actors-abuse-proofpoints-link-wrapping-features\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Cybersecurity News<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/www.cloudflare.com\/en-gb\/threat-intelligence\/research\/report\/attackers-abusing-proofpoint-intermedia-link-wrapping-to-deliver-phishing-payloads\/\">Cloudflare Threat Intelligence<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">16. Luxembourg Probes Cyberattack on Huawei-Based Routers That Caused Nationwide Telecom Outage<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Luxembourg\u2019s government is investigating a deliberate cyberattack on POST Luxembourg\u2019s Huawei-supplied routers<\/strong> that knocked out 4G\/5G networks for over three hours, overloading fallback systems and preventing many emergency calls. <strong>Officials say the incident exploited a vulnerability in a standardised software component and is now accelerating a national resilience review and exploring multi-operator failover regulations.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Outage on July 23 lasted 3+ hours; 2G fallback overloaded, blocking emergency services calls.<\/li>\n\n\n\n<li>Attackers targeted a \u201cstandardised software component\u201d in Huawei VRP OS\u2013based routers.<\/li>\n\n\n\n<li>National alert system also failed, as it relies on the same mobile infrastructure.<\/li>\n\n\n\n<li>CSIRT and public prosecutor conducting forensic and legal investigations.<\/li>\n\n\n\n<li>Authorities accelerating critical-infrastructure resilience review and fallback procedures.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/therecord.media\/luxembourg-telecom-outage-reported-cyberattack-huawei-tech\">The Record<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Minnesota Activates National Guard to Assist St. 
Paul&#8217;s Cyberattack Response<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Governor Tim Walz has deployed National Guard cyber units to support the City of St. Paul after a persistent attack disabled online payments and disrupted library and recreation services. The incident, which began on Friday and surpassed both internal and vendor response capacities, has left critical systems offline while emergency services remain unaffected.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack onset Friday persists through weekend, impacting digital services and critical systems.<\/li>\n\n\n\n<li>Online payments and some library\/recreation services are down; emergency response remains operational.<\/li>\n\n\n\n<li>City teams are coordinating with Minnesota IT Services and an external cybersecurity vendor.<\/li>\n\n\n\n<li>An executive order notes the incident exceeded the city\u2019s internal and commercial response capabilities.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/minnesota-activates-national-guard-after-st-paul-cyberattack\/\">BleepingComputer<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Summary of Latest cybersecurity news August 
2025.<\/p>","protected":false},"author":1,"featured_media":20184,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20178","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20178"}],"version-history":[{"count":9,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20178\/revisions"}],"predecessor-version":[{"id":20260,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20178\/revisions\/20260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20184"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}