{"id":20658,"date":"2025-10-06T05:24:00","date_gmt":"2025-10-06T03:24:00","guid":{"rendered":"https:\/\/kordon.app\/?p=20658"},"modified":"2025-10-05T22:26:35","modified_gmt":"2025-10-05T20:26:35","slug":"summaries-of-cybersecurity-news-worth-your-attention-this-week-2025-05-10","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/summaries-of-cybersecurity-news-worth-your-attention-this-week-2025-05-10\/","title":{"rendered":"Summaries of Cybersecurity News Worth Your Attention this Week &#8211; 2025-05-10"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>If you&#8217;ve ever needed examples of what could happen with cyber attacks in &#8220;traditional&#8221; non-techy companies, this week has two examples. Actually, they are good cautionary tales in any industry. <\/p>\n\n\n\n<p>The UK government needed to underwrite a \u00a31.5 B loan to help Jaguar restore its supply chain because it was not properly insured against cyber attacks, and the Japanese beer giant Asahi needed to close down 30 factories and postpone the launch of new products. <\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Salesforce Blackmailed With 1 Billion Customer Records<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Scattered Spider launched a dark-web leak site listing dozens of major organizations, including Salesforce itself, claiming to hold over 1 billion stolen records and demanding a ransom by October 10. 
<\/strong>\u201cAt this time, <strong>there is no indication that the Salesforce platform has been compromised, <\/strong>nor is this activity related to any known vulnerability in our technology,\u201d the spokesperson said.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Scattered Spider claims to hold &gt;1 billion records<\/strong> and threatens to share data publicly if Salesforce doesn\u2019t pay.<\/li>\n\n\n\n<li>The leak site lists dozens of firms across airlines, retail, insurance and tech, plus Salesforce.<\/li>\n\n\n\n<li>Salesforce says no platform vulnerability is implicated and has engaged law enforcement and external experts.<\/li>\n\n\n\n<li><strong>Google\u2019s threat intelligence group links thefts to voice-phishing <\/strong>(vishing) attacks, not a Salesforce breach.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/salesforce-scattered-spider-extortion-site\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Microsoft Flags AI-Generated Phishing Campaign Embedded in SVG Files<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Microsoft Threat Intelligence detected and blocked an August 18 credential-<strong>phishing campaign that used AI-crafted code hidden inside .svg files disguised as business dashboards to steal log-in credentials<\/strong>. 
By embedding payloads with common business terms and leveraging Large Language Models for obfuscation, attackers bypassed traditional filters\u2014only to be caught by Defender for Office 365\u2019s AI behavioral analysis.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The .svg attachment appeared to be a 6-page PDF but contained scriptable elements and embedded JavaScript.<\/strong><\/li>\n\n\n\n<li>Malicious payload encoded using business terms like \u201crevenue,\u201d \u201coperations,\u201d and \u201crisk\u201d to blend into analytics dashboard structure.<\/li>\n\n\n\n<li><strong>Attackers used a compromised small-business email account, sending self-addressed messages with real targets BCC\u2019d.<\/strong><\/li>\n\n\n\n<li>Microsoft\u2019s Security Copilot flagged the code as AI-generated due to over-engineered structure and verbose naming.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Block or quarantine incoming .svg attachments by default<\/strong><\/li>\n\n\n\n<li>Implement email rules to flag self-addressed messages with hidden BCC recipients<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/microsoft-ai-phishing-attack-hiding-svg-files\/\">HackRead.com<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Microsoft Outlook Blocks Inline SVG Images to Curb Phishing Risk<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Starting mid-October 2025, Outlook for Web and the new <strong>Outlook<\/strong> for Windows <strong>will no longer render inline SVG images,<\/strong> showing blank spaces instead, to mitigate cross-site scripting and phishing attacks that abuse SVG\u2019s scriptable nature. 
<strong>Classic SVG attachments remain viewable, and the change impacts fewer than 0.1% of all images, fitting into Microsoft\u2019s broader effort to tighten attachment security.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rollout began early September<\/strong> and completes for all customers by mid-October 2025.<\/li>\n\n\n\n<li><strong>Inline SVGs often used by PhaaS platforms<\/strong> (Tycoon2FA, Mamba2FA, Sneaky2FA) to host phishing forms or malware.<\/li>\n\n\n\n<li><strong>SVG attachments sent as classic files remain supported and viewable from the attachment well.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-outlook-stops-displaying-inline-svg-images-used-in-attacks\/\">BleepingComputer<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Third-Party Support Breach Exposes Discord User PII and Photo IDs<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A compromised customer-support vendor allowed attackers to steal names, emails, support chats, IP addresses, partial billing details and a small number of scanned government-issued IDs from users who contacted Discord.<br>Discord\u2019s core systems and full payment data remain secure.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Breach origin:<\/strong> unauthorized access to third-party ticketing system (reported via Zendesk).<\/li>\n\n\n\n<li><strong>Data accessed:<\/strong> full names, usernames, emails, support messages, IPs, payment type, last four CC digits.<\/li>\n\n\n\n<li><strong>Sensitive IDs:<\/strong> small subset of driver\u2019s licenses and passports submitted for age verification.<\/li>\n\n\n\n<li><strong>Unaffected data:<\/strong> full credit card numbers, CCV codes, account passwords, private platform chats.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Enforce MFA and session timeouts for all third-party integrations.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/discord-data-breach\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/discord-discloses-data-breach-after-hackers-steal-support-tickets\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Red Hat Confirms Breach of Consulting GitLab Environment, 28,000 Private Repos Exposed<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Red Hat confirmed a security incident after a threat actor accessed its self-managed GitLab instance used for consulting engagements,<\/strong> <strong><span style=\"text-decoration: underline;\">allegedly<\/span><\/strong> <strong>compromising 28,000 private repositories, <\/strong>including customer engagement reports. The company says core services and software supply chain remain intact, but the breach carries significant supply chain and credential risks for consulting clients. 
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Threat actor group<strong> \u201cCrimson Collective\u201d claims exfiltration of 28,000 private repos and CERs.<\/strong><\/li>\n\n\n\n<li>CERs may include network diagrams, configurations, authentication tokens, and customer audit data.<\/li>\n\n\n\n<li>Red Hat revoked access, isolated the instance, and implemented additional hardening measures.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/application-security\/red-hat-widespread-breaches-private-gitlab-repositories\">Dark Reading<\/a>, <a href=\"https:\/\/ccb.belgium.be\/news\/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems\">Centre for Cybersecurity Belgium<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. UK Government Guarantees \u00a31.5 B Loan to Stabilize JLR Supply Chain<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The UK is underwriting up to \u00a31.5 billion of a commercial loan to Jaguar Land Rover under its Export Development Guarantee program, to restore its supply chain after a catastrophic cyberattack forced the automaker to halt production. 
<strong>This allows the company to secure a significantly larger loan, typically at better terms, than it could obtain on its own after a significant event like the one JLR is currently dealing with.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>JLR employs 34,000 directly and underpins around 120,000 supply-chain roles<\/li>\n\n\n\n<li><strong>Company lacked finalized cyber insurance<\/strong> when the attack occurred<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reassess<\/strong> and secure comprehensive<strong> cyber insurance coverage<\/strong><\/li>\n\n\n\n<li>Monitor supplier financial health and reinforce critical partners<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/uk-govt-backs-jlr-with-15-billion-loan-guarantee-after-cyberattack\/\">Bleeping Computer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Japanese Beer Giant Asahi Cyberattack Idles 30 Factories, Delays 12 New Products<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A cyberattack has crippled Asahi\u2019s Japanese operations since Monday<\/strong>, forcing shutdowns of order processing, shipping and call centers and <strong>leaving most of its 30 domestic factories idle<\/strong>. 
The incident has also pushed back the mid-October launch of a dozen new beverages and consumer goods, raising risks of supply shortages and revenue loss for Japan\u2019s leading brewer.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shutdown affects order processing, logistics and call centers nationwide<\/li>\n\n\n\n<li><strong>Twelve product launches, including soft drinks and cough drops, are postponed<\/strong><\/li>\n\n\n\n<li><strong>No confirmed customer data leaks<\/strong>; police notified of potential ransomware<\/li>\n\n\n\n<li><strong>Shares fell 2.6%<\/strong> as outage entered a fourth day<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Review ransomware incident response playbook<\/li>\n\n\n\n<li>Validate network segmentation and backup integrity<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/therecord.media\/asahi-japan-cyberattack-limits-shipping-call-centers\">The Record<\/a>, <a href=\"https:\/\/www.ft.com\/content\/bb86349f-0ad8-432b-a62a-fdd63b3b76ab\">Financial Times<\/a>, <a href=\"https:\/\/newsdig.tbs.co.jp\/articles\/-\/2203898?display=1\">TBS News<\/a>, <a href=\"https:\/\/www.asahi-gf.co.jp\/company\/newsrelease\/2025\/1001_2\/\">Asahi Statement<\/a>, <a href=\"https:\/\/www.nikkei.com\/article\/DGXZQOUC017JJ0R01C25A0000000\/\">Nikkei<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. 
CometJacking Prompt Injection Enables One-Click Data Exfiltration via Comet AI Browser<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">LayerX researchers have revealed <strong>\u201cCometJacking,\u201d a prompt-injection attack<\/strong> <strong>that hijacks<\/strong> <strong>Perplexity\u2019s Comet AI browser<\/strong> <strong>via a single malicious URL click, <\/strong>instructing the agent to pull Gmail, Calendar, and other connected data and exfiltrate it using Base64 encoding. <strong>This exploit bypasses Comet\u2019s memory-separation safeguards<\/strong> without stealing credentials.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack leverages the URL\u2019s \u201ccollection\u201d parameter to force memory access<\/li>\n\n\n\n<li><strong>Base64 encoding masks exfiltrated data to evade Comet\u2019s export checks<\/strong><\/li>\n\n\n\n<li><strong>No credentials are stolen<\/strong>, the browser\u2019s existing service tokens are abused<\/li>\n\n\n\n<li><strong><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">LayerX disclosed the flaw on August 27; Perplexity deemed it \u201cno security impact\u201d<\/mark><\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Review use<\/strong> of the Comet Browser<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2025\/10\/cometjacking-one-click-can-turn.html\">The Hacker News<\/a>, <a href=\"https:\/\/layerxsecurity.com\/blog\/cometjacking-how-one-click-can-turn-perplexitys-comet-ai-browser-against-you\/\">LayerX Security<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n 
           \n\n\n<p><\/p>","protected":false},"excerpt":{"rendered":"<p>Summaries of cybersecurity news from first week of October 2025.<\/p>","protected":false},"author":1,"featured_media":20677,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20658","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20658"}],"version-history":[{"count":17,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20658\/revisions"}],"predecessor-version":[{"id":20676,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20658\/revisions\/20676"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20677"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}