🕵🏻‍♂️ [InfoSec MASHUP] 36/2025

Salesloft breach impacts Tenable, Cloudflare, Zscaler, Palo Alto Networks; Google denies massive Gmail hack; ICE reactivated a $2 million contract with Israeli spyware maker Paragon; FTC fines toy manufacturer for allowing Chinese third party to collect kids' data; Google (US) and Shein (CN) fined by French regulator for cookie consent violations; Texas sues PowerSchool over breach; Apple is accepting applications for its 2026 Security Research Device Program until October 31; Cloudflare blocked a record DDoS of 11.5 Tbps; Nepal moves to block Facebook, X, YouTube and others;

We now have 1,628 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 Attackers used stolen OAuth tokens from the Salesloft/Drift breach to access Palo Alto Networks' Salesforce CRM and steal customer and support ticket data. The stolen records included contacts, case notes, and secrets like passwords, AWS keys, and tokens that could enable further cloud breaches. Palo Alto says it contained the incident, revoked tokens, disabled the app, and is notifying affected customers while its products and services were not impacted.

🇺🇸 Attackers used the Salesloft Drift compromise to access Zscaler's Salesforce and steal customer data, including support case contents. Zscaler says no products were affected, has revoked integrations and rotated tokens, and urges customers to watch for phishing. Google and researchers link this to OAuth token theft and social‑engineering attacks that hit many companies.

🇺🇸 📧 Reports claimed Gmail had been massively hacked — Google says those claims are false and that Gmail's security is "strong and effective". The real issues were a limited June breach of a corporate Salesforce server that exposed public business contact info and a spike in phishing attempts.

🇺🇸 ⚖️ Texas sued PowerSchool after a December breach exposed the data of about 62 million students, including over 880,000 Texans. Attackers used stolen subcontractor credentials, demanded ransom, and later extorted school districts with stolen personal and medical information. Texas says PowerSchool misled customers and failed to protect sensitive data, and the accused hacker has pleaded guilty.

♟️ Chess.com disclosed a June 2025 data breach of a third-party file transfer app. About 4,500 users' personal data may have been accessed, but no financial information was exposed. Chess.com says its systems were not affected, has notified law enforcement, and is offering free credit monitoring.

🇯🇵 🇺🇸 Bridgestone Americas is investigating a cyberattack that disrupted some North American tire factories. The company says its quick response contained the attack and that customer data were not compromised. Production and supply chains may be affected, and it is unclear if ransomware was used.

🇧🇷 Hackers breached Sinqia, Evertec’s Brazilian unit, and tried to steal $130 million via the Pix instant-payments system. Sinqia halted Pix transactions, the central bank revoked its access, and some funds have been recovered. Attackers used stolen vendor credentials; no personal data is known to be exposed, but the full impact is still unknown.

🇬🇧 Jaguar Land Rover says a cyberattack forced it to shut down systems — production and retail were severely disrupted, including work at the Solihull plant. The company says no customer data appears stolen and is working to restart systems, but gave no timeline.

🇺🇸 The Pennsylvania Attorney General's Office says a ransomware attack caused a two-week outage of its website, email, and phone systems. The office refused to pay the attackers and is working with other agencies in an active investigation. Some services are partially restored, courts granted case extensions, and it is unknown if data was stolen or who carried out the attack.

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇺🇸 💰 🇷🇺 The U.S. State Department is offering up to $10 million for information on three Russian FSB officers accused of hacking U.S. critical infrastructure. They are tied to FSB Unit 71330 (Berserk Bear), to past attacks on U.S. agencies and energy firms, and to recent breaches that used a Cisco device vulnerability. If you have information, contact Rewards for Justice via its Tor tip channel for a possible reward and relocation.

Figure: Rewards for Justice poster/U.S. State Department

☁️ Amazon disrupted a Russian state-linked APT29 watering-hole campaign that redirected Microsoft users from compromised websites to attacker-controlled domains. Visitors were tricked into logging into fake Cloudflare pages and authorizing Microsoft devices, letting attackers harvest credentials and access accounts. The group used randomized redirects, encoded code and fast infrastructure moves, and AWS says its systems were not compromised.

🇷🇺 🇺🇸 A Russian national, Ianis Antropenko, was arrested in California for allegedly running Zeppelin ransomware and laundering ransom payments. Prosecutors say he hit many victims and moved money through crypto services. He violated release terms and admitted drug use, yet remains free on bail, which has surprised experts.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇷🇺 Moscow says it has hired three or four young hackers who earlier attacked the city’s Electronic School. Officials gave no names or details, so it’s unclear which breaches they caused. Hiring hackers is not unprecedented; governments and companies often recruit or pay them to find security flaws.

🍪 💰 France fined Google $379 million and Shein $175 million for placing advertising cookies without valid user consent. CNIL said users were pushed to accept personalized ads and ordered Google to fix its systems within six months or face heavy daily fines. The report also notes U.S. privacy actions, including a $425 million jury verdict against Google and FTC penalties for Disney and a toy maker over children’s data.

🇺🇸 🇨🇳 The U.S. Justice Department sued toy maker Apitor for letting a Chinese third party collect children's location data without telling parents or getting consent. The complaint says the app used the JPush SDK to gather precise geolocation from kids under 13, violating COPPA. A proposed settlement would force Apitor to comply with COPPA, delete the data, notify parents, and pay a $500,000 penalty, which is currently suspended because of the company's claimed financial troubles.

🇺🇸 📺 The FTC says Disney mislabeled kids’ YouTube videos, letting YouTube collect data and show targeted ads to children under 13. Disney will pay $10 million to settle the claims. The deal also requires Disney to notify parents and fix its labeling so kids’ videos are marked "Made for Kids."

🇺🇸 🇮🇱 ICE reactivated a $2 million contract with Israeli spyware maker Paragon after lifting a stop-work order. The deal had been paused under a Biden executive order over commercial spyware and human-rights concerns. Paragon says it is ethical, but its spyware has been tied to hacks of journalists and activists, raising questions about the partnership.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🇷🇺 🔙 🚪 Russian state‑linked APT28 deployed a new Outlook VBA backdoor called NotDoor against companies in NATO countries. It is delivered via OneDrive DLL side‑loading, disables macro protections, watches emails for trigger words, and can run commands and steal files. Attackers use cloud services and rotating C2 infrastructure to hide activity and evade detection.

💸 A fake npm package called nodejs-smtp mimicked Nodemailer to slip into developer projects — On Windows it unpacks Atomic and Exodus app.asar files and injects code that replaces recipient addresses to steal BTC, ETH, USDT, XRP and SOL. The package still worked as a mailer to avoid detection and was downloaded 347 times before removal.

🇨🇳 Silver Fox abused a Microsoft‑signed WatchDog driver (amsdk.sys) to disable security software and install the ValleyRAT remote‑access trojan. Their BYOVD attack uses a dual‑driver loader with anti‑analysis checks, and attackers flip one byte in the signed driver timestamp to bypass hash blocklists. They target Chinese users and organizations via phishing, fake apps, and cloud‑hosted payloads to steal data and commit financial fraud.

📲 Cybercriminals used fake TradingView ads on Meta to deliver the Brokewell Android malware — The campaign ran since July with about 75 localized ads targeting mobile crypto users. The fake app tricks Android users into granting accessibility and the lockscreen PIN, then steals wallets and 2FA codes, records activity, intercepts messages, and can remotely control the device.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🤖 Attackers hide malicious links in the tiny "From:" field of video ads to evade X's filters. They ask Grok about the post, Grok reads that field and posts a clickable harmful link that boosts reach and trust. A researcher reported the abuse to X and recommends scanning all fields and adding link filtering to Grok.

🧑‍🧑‍🧒‍🧒 💬 OpenAI announced parental controls for ChatGPT after reports that it failed to help teens in crisis and a related lawsuit. It will send sensitive mental-health chats to special models. Soon parents can link to teen accounts, set age-appropriate rules, disable features like memory, and get alerts if a teen seems distressed.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🔓 💥 A critical SAP S/4HANA command‑injection bug (CVE‑2025‑42957, CVSS 9.9) is being actively exploited — A low‑privileged user can inject ABAP to create superusers, steal data, or deploy ransomware and fully compromise systems. Patch immediately, monitor for suspicious RFC calls or new admin accounts, and restrict RFC access (use SAP UCON and review S_DMIS activity 02).

👨🏻‍💻 📲 Apple is accepting applications for its 2026 Security Research Device Program until October 31. Accepted white‑hat researchers receive a loaned iPhone preconfigured for security research with shell access and special tools. Discovered bugs qualify for Apple’s bug bounty, and SRDP researchers have received large payouts in the past.

🐛 🗓️ A critical Sitecore zero-day came from public ASP.NET machine keys included in deployment docs. Attackers used those keys to run ViewState deserialization attacks that enabled remote code execution, persistence, and data theft. Sitecore and researchers urge customers to rotate keys, hunt for compromises, and never use sample keys in production.
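A small defensive check for the root cause above, static ASP.NET machine keys copied from documentation into production. This is an added example, not code from the newsletter or from Sitecore; the web.config content and the "published key" value are constructed placeholders.

```python
"""Audit a web.config for static or documentation-sourced <machineKey> values.

Added example, not from the newsletter or Sitecore. A validationKey or
decryptionKey that appears in public deployment docs lets anyone who has read
those docs sign ViewState, so such keys must be rotated or set to AutoGenerate.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config; the hex values are arbitrary placeholders,
# not real published keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed placeholder standing in for keys known to appear in public docs.
PUBLISHED_SAMPLE_KEYS = {"0123456789ABCDEF0123456789ABCDEF"}


def audit_machine_key(config_xml: str, published_keys: set[str]) -> list[str]:
    """Return findings for each static machineKey attribute; [] means clean."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET defaults to runtime-generated keys when the attribute is absent.
            value = mk.get(attr, "AutoGenerate,IsolateApps").strip()
            if value.upper().startswith("AUTOGENERATE"):
                continue  # generated at runtime, never written in a document
            if value.upper() in {k.upper() for k in published_keys}:
                findings.append(f"{attr} matches a published sample key: rotate now")
            else:
                findings.append(f"{attr} is hard-coded ({len(value)} hex chars): "
                                "rotate it or use AutoGenerate,IsolateApps")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG, PUBLISHED_SAMPLE_KEYS):
        print("FINDING:", finding)
```

Run it against each environment's web.config during deployment review; an empty result for a production config is the expected state.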

🛑 Cloudflare blocked a record DDoS of 11.5 Tbps — The UDP flood mainly came from Google Cloud and reached 5.1 billion packets per second for about 35 seconds. Cloudflare says it mitigated 27.8 million DDoS attacks in the first half of 2025.

🍎 WhatsApp revealed a zero-day (CVE-2025-55177) was used in targeted attacks on Apple users — Attackers chained it with an Apple ImageIO flaw (CVE-2025-43300) in zero-click spyware, and both bugs were patched. About 200 people were notified, highlighting how attackers target widely used devices for high-value surveillance.

🛰️ ICS, OT & IoT

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
