{"id":20523,"date":"2025-09-08T11:28:18","date_gmt":"2025-09-08T09:28:18","guid":{"rendered":"https:\/\/kordon.app\/?p=20523"},"modified":"2025-09-08T11:31:16","modified_gmt":"2025-09-08T09:31:16","slug":"cybersecurity-news-worth-your-attention-this-week-summarised-2025-09-08","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/cybersecurity-news-worth-your-attention-this-week-summarised-2025-09-08\/","title":{"rendered":"Cybersecurity News Worth Your Attention This Week Summarised &#8211; 2025-09-08"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>The anti-hero of the week<\/strong> is a classic <strong>Word macro<\/strong> that was used to spear-phish 50 embassies, ministries and international organisations. We also have the <strong>French threatening Google with a 100 000\u20ac\/day fine<\/strong> if they don&#8217;t fix their cookie business.<\/p>\n\n\n\n<p>I haven&#8217;t done this in a while, but at the very end <strong>I also included a &#8220;long form&#8221; article<\/strong>. If you&#8217;re in information security, <strong>I think it&#8217;s a good article to share as part of your regular awareness training.<\/strong> Simple, relatable stories around phishing.<\/p>\n\n\n\n<p><em>P.S. If you like, you can get this news summary in your inbox every Monday. Scroll down to subscribe.<\/em><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Iran\u2019s MOIS-Linked \u2018Homeland Justice\u2019 APT Phishes 50+ Diplomatic Missions Worldwide<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">In August, <strong>Iran\u2019s Ministry of Intelligence\u2013aligned Homeland Justice APT<\/strong> used 104 compromised email accounts to <strong>spear-phish more than 50 embassies, ministries and international organizations across six continents<\/strong>. 
The attackers sent <strong>macro-embedded Word documents<\/strong> from legitimate addresses\u2014routed through a NordVPN exit node\u2014to deploy an infostealer with simple evasion techniques. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Emails originated from hijacked official accounts (e.g., Oman MFA in Paris like @fm.gov.com)  via a Jordan VPN exit node.<\/li>\n\n\n\n<li>Targets included <strong>~50 embassies, consulates, ministries, UN agencies, African Union, World Bank and NGOs.<\/strong><\/li>\n\n\n\n<li><strong>Malicious VBA macros <\/strong>used \u201cvbHide\u201d and multi-loop \u201claylay\u201d delays; final payload \u201csysProcUpdate\u201d harvested system metadata.<\/li>\n\n\n\n<li>Campaign ran only days in August; researchers report the attackers\u2019 C2 <strong>infrastructure now appears offline.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Block or sandbox macro-enabled documents from external senders<\/strong>.<\/li>\n\n\n\n<li><strong>Search logs for connections to known C2 domains<\/strong> (e.g., screenai.online) and unusual outbound VPN traffic.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/iran-mois-50-embassies-ministries-intl-orgs\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
CISA Orders Patch for Actively Exploited Sitecore Zero-Day<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The Cybersecurity and Infrastructure Security Agency has mandated all federal civilian agencies to remediate a critical deserialization flaw in Sitecore products by September 25, 2025.<\/strong> Attackers exploited a publicly documented ASP.NET machine key to perform ViewState deserialization, gain RCE, deploy reconnaissance malware, and escalate privileges in compromised environments.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The flaw (<strong>CVE-2025-53690, CVSS 9.0)<\/strong> hinges on default machine keys included in <strong>Sitecore guides published before 2017.<\/strong><\/li>\n\n\n\n<li>Mandiant disrupted an in-the-wild attack where exposed keys enabled a ViewState payload (.NET assembly \u201cWEEPSTEEL\u201d) for system reconnaissance.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply Sitecore security bulletin KB1003865 before Sept. 25.<\/strong><\/li>\n\n\n\n<li><strong>Rotate and encrypt all ASP.NET <code>machineKey<\/code><\/strong> values in <code>web.config<\/code> files.<\/li>\n\n\n\n<li><strong>Monitor logs<\/strong> for anomalous <code>__VIEWSTATE<\/code> POST requests.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/support.sitecore.com\/kb?id=kb_article_view&amp;sysparm_article=KB1003865\">Sitecore Support<\/a>, <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2025\/09\/04\/cisa-adds-three-known-exploited-vulnerabilities-catalog\">CISA<\/a>, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/viewstate-deserialization-zero-day-vulnerability\">Mandiant<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Salesloft Drift Supply-Chain Breach Exposes Customer Data at Cloudflare, Zscaler and Palo Alto Networks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A threat actor tracked as UNC6395 <strong>exploited stolen OAuth tokens from the Salesloft Drift chatbot integration to access and exfiltrate data from Salesforce instances at hundreds of organizations, including Cloudflare, Zscaler and Palo Alto Networks.<\/strong> <strong> Stolen data\u2014ranging from business contact details to support-ticket contents and potentially embedded secrets<\/strong>\u2014has prompted all three firms to disable the Drift integration, rotate credentials and notify affected customers. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack window: August 8\u201318, 2025;<\/strong> reconnaissance began August 9.<\/li>\n\n\n\n<li><strong>Cloudflare found 104 API tokens in support-ticket text fields; <\/strong>none showed misuse but were rotated.<\/li>\n\n\n\n<li><strong>Zscaler and Palo Alto Networks confirmed exposure<\/strong> of customer names, emails, phone numbers, case metadata and some commercial licensing details.<\/li>\n\n\n\n<li><strong>No core services or infrastructure at the breached vendors were compromised<\/strong>\u2014only their <strong>Salesforce CRM data<\/strong> was accessed via the third-party integration.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Disconnect Salesloft Drift integrations immediately.<\/strong><\/li>\n\n\n\n<li><strong>Rotate OAuth tokens, API keys<\/strong> and any shared credentials.<\/li>\n\n\n\n<li><strong>Review Salesforce login history<\/strong> and bulk-API audit logs for unusual activity.<\/li>\n\n\n\n<li><strong>Strengthen third-party SaaS governance <\/strong>and enforce token expiration policies.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/therecord.media\/salesloft-drift-breach-cloudflare-zscaler-palo-alto-networks\">The Record<\/a>, <a href=\"https:\/\/blog.cloudflare.com\/response-to-salesloft-drift-incident\/\">Cloudflare Blog<\/a>, <a href=\"https:\/\/www.zscaler.com\/blogs\/company-news\/salesloft-drift-supply-chain-incident-key-details-and-zscaler-s-response\">Zscaler Blog<\/a>, <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2025\/09\/salesforce-third-party-application-incident-response\/\">Palo Alto Networks Blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Jaguar Land Rover Production and Retail Halted by Cyber Incident<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Jaguar Land Rover proactively shut down global IT systems to contain a cyberattack, leading to multi-day stoppages in car production at Halewood and retail operations. <\/strong>No customer data appears compromised.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Halewood <strong>plant staff told not to work from Monday through Wednesday.<\/strong><\/li>\n\n\n\n<li><strong>Production<\/strong> at Solihull and dealer systems also <strong>affected<\/strong>.<\/li>\n\n\n\n<li><strong>No evidence of customer data exfiltration;<\/strong> incident type undisclosed.<\/li>\n\n\n\n<li>JLR revenue ~\u00a329 billion; <strong>automotive downtime<\/strong> can cost ~\u00a31.6 million per hour.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/jaguar-land-rover-disruption-cyber-incident\">The Record<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/jaguar-land-rover-says-cyberattack-severely-disrupted-production\/\">Bleeping Computer<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/jaguar-land-rover-it-systems\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Cloudflare Mitigates Record 11.5 Tbps UDP Flood DDoS Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Cloudflare\u2019s automated defenses stopped a hyper-volumetric UDP flood that peaked at 11.5 Tbps and 5.1 billion packets per second in a 35-second burst, preventing any customer-facing disruption. <strong>The record attack was sourced from a mix of compromised IoT devices and multiple cloud providers.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Largest of hundreds of hyper-volumetric attacks blocked by Cloudflare in recent weeks.<\/strong><\/li>\n\n\n\n<li>Attack mixed IoT-based botnets with traffic from several public cloud platforms.<\/li>\n\n\n\n<li><strong>Volumetric attacks account for about 75% of all DDoS attacks.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/cloudflare-ddos-attacks-new-heights\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
GhostRedirector Uses Malicious IIS Module for SEO Fraud on 65 Windows Servers<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A China-aligned group dubbed GhostRedirector has infected at least 65 Windows servers<\/strong> since August 2024 with two custom tools\u2014Rungan, a C++ backdoor, and Gamshen, a malicious IIS module\u2014<strong>to manipulate Google search rankings for gambling sites without affecting normal visitors.<\/strong> <strong>By serving altered responses only to Googlebot, attackers create artificial backlinks that can damage the compromised sites\u2019 SEO reputation.<\/strong> Security teams should immediately review IIS modules, tighten administrative access, and monitor for unusual crawler responses.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Victims<\/strong> span healthcare, retail, transportation, education, and tech in <strong>Brazil, Thailand, Vietnam, the US, Peru, Canada, and Europe.<\/strong><\/li>\n\n\n\n<li><strong>Initial entry likely via SQL injection,<\/strong> followed by PowerShell downloads from \u201c868id[.]com.\u201d<\/li>\n\n\n\n<li>Rungan backdoor supports remote commands; <strong>Gamshen injects SEO payloads only when detecting Googlebot.<\/strong><\/li>\n\n\n\n<li>Attackers used EfsPotato and BadPotato exploits to create <strong>persistent administrator accounts.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit all IIS modules; <strong>remove or re-sign unauthorized extensions.<\/strong><\/li>\n\n\n\n<li><strong>Enforce MFA and least-privilege<\/strong> for IIS and database accounts.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/ghostredirector-poisons-windows-servers-backdoors-side-potatoes\/\">ESET<\/a>, <a href=\"https:\/\/therecord.media\/seo-scheme-windows-malware-gambling-sites-ghostredirector\">The 
Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. US Offers $10M Reward for Info on FSB Hackers Exploiting Cisco Flaw<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The U.S. Department of State is offering up to $10 million for information on three FSB officers accused of exploiting CVE-2018-0171 in end-of-life Cisco Smart Install devices to breach U.S. critical infrastructure and more than 500 foreign energy firms.  <\/strong>These state-sponsored actors have installed backdoors and conducted industrial control systems reconnaissance across government and energy networks. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reward targets<strong> Marat Tyukov, Mikhail Gavrilov, and Pavel Akulov of FSB\u2019s Center 16 (aka Berserk Bear, Blue Kraken).<\/strong><\/li>\n\n\n\n<li><strong>Victims<\/strong> include the <strong>U.S. Nuclear Regulatory Commission and Wolf Creek Nuclear Operating Corp.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-offers-10-million-bounty-for-info-on-russian-fsb-hackers\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. CNIL Fines Google \u20ac325M and Shein \u20ac150M for Cookie Consent Violations. 
Warns of 100 000\u20ac\/Day Fine If Not Fixed<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">France\u2019s data protection regulator (CNIL) has slapped <strong>Google<\/strong> with a <strong>\u20ac325 million fine<\/strong> and fast-fashion retailer <strong>Shein<\/strong> with <strong>\u20ac150 million for deploying advertising cookies and in-Gmail ads without valid user consent, breaching the French Data Protection Act and the Postal and Electronic Communications Code.<\/strong> Both firms must comply with <strong>revised consent flows within six months or face up to \u20ac100,000 daily penalties.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Google pushed default targeted-ad cookies during account setup<\/strong> and injected ads into Gmail <strong>\u201cPromotions\u201d<\/strong> and <strong>\u201cSocial\u201d<\/strong> tabs without clear opt-outs.<\/li>\n\n\n\n<li>CNIL found over 74 million affected Google accounts and ruled that consent was neither informed nor freely given.<\/li>\n\n\n\n<li><strong>Shein\u2019s cookie banners lacked complete information and gave users inadequate refusal options;<\/strong> the retailer has since updated its platform but will appeal.<\/li>\n\n\n\n<li><strong>CNIL warns of \u20ac100,000\/day fines if systems aren\u2019t aligned<\/strong> with French cookie-consent rules by March 2026.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit all cookies and their cookie-consent banners<\/strong> for clarity and granular opt-in controls.<\/li>\n\n\n\n<li>Validate compliance.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/09\/google-fined-379-million-by-french.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
GhostAction Supply Chain Attack Steals Over 3,300 Secrets from Hundreds of GitHub Repositories<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>On September 2\u20135, attackers inserted malicious GitHub Actions workflows into 817 repositories to harvest 3,325 CI\/CD secrets<\/strong> \u2014 including npm, PyPI, DockerHub tokens and AWS credentials \u2014 and exfiltrate them to an external server. <strong>GitGuardian discovered the \u201cGhostAction\u201d campaign,<\/strong> alerted 573 maintainers, and prompted platforms to lock affected projects and monitor for unauthorized package releases and cloud access.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attackers personalized each commit<\/strong> by matching existing secret names in Python, JavaScript, Rust and Go repos.<\/li>\n\n\n\n<li><strong>Exfiltration server pointed to IP 45.139.104.115<\/strong> under the \u201cplesk.page\u201d domain until September 5.<\/li>\n\n\n\n<li>No malicious package releases confirmed yet, <strong>but 9 npm and 15 PyPI projects still have compromised tokens.<\/strong><\/li>\n\n\n\n<li><strong>Some stolen credentials were already used<\/strong> to probe AWS environments and database services.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n<ul class=\"wp-block-list\">\n<li>Scan workflows for unexpected \u201cGithub Actions Security\u201d commits.<\/li>\n<li>Rotate and revoke all exposed CI\/CD tokens immediately.<\/li>\n<li>Monitor npm, PyPI and cloud accounts for unauthorized publishes or logins.<\/li>\n<\/ul>\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/ghostaction-attack-steals-github-projects-secrets\/\">Hackread.com<\/a><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:post-content --><!-- wp:heading -->\n<h2 class=\"wp-block-heading\">10. Long-Form Recommendation: Examples of High-Stakes Phishing Campaigns<!-- \/wp:heading --><!-- wp:verse 
--><\/h2>\n<pre class=\"wp-block-verse\">It's a good article with very specific examples of phishing that anyone non-technical can relate to. It's a good one to share as part of regular security awareness training.<\/pre>\n<p><!-- \/wp:verse --><br \/><!-- wp:paragraph --><\/p>\n<p><strong>Read more at <\/strong><a title=\"\" href=\"https:\/\/www.csoonline.com\/article\/4051570\/you-should-be-aware-of-these-latest-social-engineering-trends.html\">CSO Online: You should be aware of these latest social engineering trends<\/a><\/p>\n<p><!-- \/wp:paragraph --><br \/><!-- wp:separator --><\/p>\n<hr class=\"wp-block-separator has-alpha-channel-opacity\" \/><!-- \/wp:separator -->\n\n\n<!-- wp:heading -->\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n<!-- \/wp:heading -->\n\n<!-- wp:paragraph -->\n<p>Subscribe to receive the weekly cybersecurity news summary in your inbox every Monday.<\/p>\n<!-- \/wp:paragraph -->\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            ","protected":false},"excerpt":{"rendered":"<p>The anti-hero of the week is a classic Word macro that was used to spear-phish 50 embassies, ministries and international organisations. We also have the French threatening Google with a 100 000\u20ac\/day fine if they don\u2019t fix their cookie business.<\/p>\n<p>I haven\u2019t done this in a while, but at the very end I also included a \u201clong form\u201d article. If you\u2019re in information security, I think it\u2019s a good article to share as part of your regular awareness training. 
Simple, relatable stories around phishing.<\/p>","protected":false},"author":1,"featured_media":20552,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20523","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20523","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20523"}],"version-history":[{"count":30,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20523\/revisions"}],"predecessor-version":[{"id":20554,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20523\/revisions\/20554"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20552"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20523"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20523"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20523"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}