All news with #active exploitation tag
Tue, September 2, 2025
Pennsylvania AG Office Confirms Ransomware Caused Outage
🔒 The Office of the Pennsylvania Attorney General confirmed a ransomware attack is behind a two-week service outage that has taken its public website offline and disrupted email and phone systems. Attorney General David W. Sunday Jr. said the office refused to pay the extortionists and that an active investigation with other agencies is ongoing. Partial recovery of email and phones has allowed staff to work via alternate channels while courts issue filing extensions. No group has claimed responsibility and the office has not yet confirmed any data exfiltration.
Tue, September 2, 2025
Drift–Salesforce OAuth Attack: Rethink SaaS Security
🔒 A sophisticated adversary exploited legitimate OAuth tokens issued to Salesloft's Drift chatbot integration with Salesforce, using the connection to silently exfiltrate customer data between August 8–18, 2025, according to Google Threat Intelligence Group. The campaign, attributed to UNC6395, leveraged trust in third-party integrations and service-to-service tokens to maintain covert access. Organizations should reassess OAuth governance, entitlement controls, and logging for SaaS integrations to reduce exposure.
Tue, September 2, 2025
Silver Fox Abuses Signed WatchDog Driver to Disable AV
🚨 Check Point attributes a BYOVD campaign to the Silver Fox actor that leverages a Microsoft-signed WatchDog kernel driver (amsdk.sys v1.0.600) to neutralize endpoint defenses. The operation uses a dual-driver approach—an older Zemana-based driver on Windows 7 and the WatchDog driver on Windows 10/11—to terminate processes and escalate privileges. An all-in-one loader bundles anti-analysis checks, embedded drivers, AV-killer logic, and a ValleyRAT downloader to establish persistent remote access.
Mon, September 1, 2025
Salesloft token theft exposes wide-ranging integrations
🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.
Mon, September 1, 2025
Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT
⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.
Mon, September 1, 2025
Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches
🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0-day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.
Mon, September 1, 2025
Salesloft Drift Supply-Chain Attacks Also Hit Google
🔒 Google and security vendors say the Salesloft Drift supply-chain campaign is broader than initially reported. Threat actors tracked as UNC6395 harvested OAuth tokens from the Salesloft Drift integration with Salesforce and also accessed a very small number of Google Workspace accounts. Organizations should treat any tokens connected to Drift as potentially compromised, revoke and rotate credentials, review third-party integrations, and investigate connected systems for signs of unauthorized access.
Mon, September 1, 2025
WhatsApp Patches Zero-Click Zero-Day Exploit in iOS
🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.
Mon, September 1, 2025
Suspected Hacker Arrested for Tampering with School Grades
🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.
Sat, August 30, 2025
WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug
🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.
Fri, August 29, 2025
Salt Typhoon APT Expands to Netherlands, Targets Routers
🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.
Fri, August 29, 2025
WhatsApp patches iOS and macOS zero-day vulnerability
🔒 WhatsApp has patched a zero-click vulnerability (CVE-2025-55177) impacting WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw involved incomplete authorization of linked-device synchronization messages that could trigger processing of content from an arbitrary URL on a target device. WhatsApp said the bug may have been chained with an Apple OS-level zero-day (CVE-2025-43300) and exploited in targeted, sophisticated attacks. Potentially impacted users have been urged to perform a factory reset and keep their operating systems and apps up to date.
Fri, August 29, 2025
WordPress Plugin and Theme Vulnerabilities Surge in 2025
⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.
Fri, August 29, 2025
APT37 Spear-Phishing Campaign Targets South Korean Officials
🛡️ Seqrite attributes a large-scale spear-phishing operation, dubbed Operation HanKook Phantom, to APT37, a North Korea–linked group targeting South Korean government and intelligence personnel. Attackers distributed malicious LNK shortcuts disguised as a legitimate National Intelligence Research Society newsletter and a statement from Kim Yo-jong, which triggered downloads and execution of payloads including RokRAT. The campaign employed in-memory execution, fileless PowerShell, XOR decryption, LOLBins and covert exfiltration techniques to blend with normal traffic and evade detection.
Fri, August 29, 2025
Amazon Disrupts APT29 Watering-Hole Device Code Scam
🛡️ Amazon says its security team detected and disrupted an opportunistic watering-hole campaign attributed to APT29 that redirected visitors from compromised sites to attacker-controlled domains mimicking Cloudflare verification pages. The threat used the Microsoft device code authentication flow to trick users into authorizing attacker-controlled devices. Amazon observed multiple evasion techniques and continued tracking as the actor migrated infrastructure.
Fri, August 29, 2025
Amazon Disrupts APT29 Watering Hole Campaign Targeting Users
🔒 Amazon's threat intelligence team identified and disrupted a watering hole campaign conducted by APT29, a group linked to Russia’s SVR. The actor compromised legitimate websites and injected obfuscated JavaScript to redirect a subset of visitors to attacker-controlled pages that mimicked Cloudflare verification. The campaign aimed to abuse Microsoft's device code authentication flow to trick users into authorizing attacker-controlled devices; Amazon isolated affected EC2 instances and coordinated with partners to disrupt infrastructure and share intelligence.
Fri, August 29, 2025
State-Sponsored Hackers Behind Majority of Exploits
🔐 Recorded Future’s Insikt Group reports that 53% of attributed vulnerability exploits in H1 2025 were carried out by state-sponsored actors, driven largely by geopolitical aims such as espionage and surveillance. Chinese-linked groups accounted for the largest share, with UNC5221 exploiting numerous flaws—often in Ivanti products. The study found 161 exploited CVEs, 69% of which required no authentication and 48% of which were remotely exploitable. It also highlights the rise of social-engineering techniques like ClickFix and the increasing use of EDR-evasion methods by ransomware actors.
Fri, August 29, 2025
Critical FreePBX Zero-Day Under Active Exploitation
🚨 The Sangoma FreePBX project has issued an advisory for an actively exploited zero-day (CVE-2025-57819) that allows unauthenticated access to the Administrator control panel, enabling arbitrary database manipulation and remote code execution. The flaw stems from insufficiently sanitized user input in the commercial endpoint module and impacts FreePBX 15, 16, and 17 prior to their listed patched releases. Administrators should apply the emergency updates immediately, restrict public ACP access, and scan for indicators of compromise.
Thu, August 28, 2025
Joint Advisory Reveals Salt Typhoon APT Techniques Worldwide
🔍 Salt Typhoon, a Chinese state-aligned APT also tracked as Operator Panda/RedMike, is the subject of a joint advisory from intelligence and cybersecurity agencies across 13 countries. The report links the group to Chinese entities tied to the PLA and MSS and documents repeated exploitation of n-day flaws in network edge devices from vendors such as Ivanti, Palo Alto Networks and Cisco. It details persistence via ACL modifications, tunneled proxies, credential capture via RADIUS/TACACS+, and exfiltration over peering and BGP, and urges telecoms to hunt for intrusions, patch quickly and harden management interfaces.
Thu, August 28, 2025
Google warns Salesloft breach hit some Workspace accounts
🔒 Google warns that the Salesloft Drift compromise is larger than first reported and included theft of OAuth tokens beyond the Salesforce integration. Threat actors used stolen tokens tied to the Drift Email integration to access a very small number of Google Workspace email accounts on August 9. Google says the tokens have been revoked, the Drift–Workspace integration is disabled, and affected customers were notified. Organizations using Drift should revoke and rotate all connected authentication tokens and review integrations for exposed secrets.