All news with #active exploitation tag

Lazarus Group Expands Cross-Platform RATs Against DeFi

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.

ICE Reinstates Contract with Paragon Spyware Vendor

🔁 ICE has reinstated a $2m contract with Israeli-founded vendor Paragon Solutions, now owned by US private equity, enabling delivery of hardware and perpetual license software to the agency. The agreement, originally signed on 27 September 2024 and suspended after a White House review on 8 October 2024, was cleared to resume work on 30 August. Paragon has been linked to the Graphite spyware used against European journalists and implicated in Italian government investigations, raising procurement and national security concerns.

Malicious npm Package Masquerades as Nodemailer Library

⚠️ A malicious npm package named nodejs-smtp impersonating the popular nodemailer library was discovered to both send mail and inject malware into Electron-based desktop cryptocurrency wallets. When imported, it unpacked and tampered with Atomic Wallet on Windows, replacing vendor files and repackaging the app to silently redirect transactions to attacker-controlled addresses. Socket's researchers prompted npm to remove the package and suspend the account.

Jaguar Land Rover Cyber Incident Disrupts Sales & Production

🔒 JLR has disclosed a cyber incident that has severely disrupted global sales and production. The company said it proactively shut down systems and is working to restart applications in a controlled manner. At this stage there is no evidence customer data has been stolen, but retail and manufacturing activities remain affected. Tata Motors disclosed related "global IT issues" to investors.

Pennsylvania AG Office Confirms Ransomware Caused Outage

🔒 The Office of the Pennsylvania Attorney General confirmed a ransomware attack is behind a two-week service outage that has taken its public website offline and disrupted email and phone systems. Attorney General David W. Sunday Jr. said the office refused to pay the extortionists and that an active investigation with other agencies is ongoing. Partial recovery of email and phones has allowed staff to work via alternate channels while courts issue filing extensions. No group has claimed responsibility and the office has not yet confirmed any data exfiltration.

Drift–Salesforce OAuth Attack: Rethink SaaS Security

🔒 A sophisticated adversary exploited legitimate OAuth tokens issued to Salesloft's Drift chatbot integration with Salesforce, using the connection to silently exfiltrate customer data between August 8–18, 2025, according to Google Threat Intelligence Group. The campaign, attributed to UNC6395, leveraged trust in third-party integrations and service-to-service tokens to maintain covert access. Organizations should reassess OAuth governance, entitlement controls, and logging for SaaS integrations to reduce exposure.

Silver Fox Abuses Signed WatchDog Driver to Disable AV

🚨 Check Point attributes a BYOVD campaign to the Silver Fox actor that leverages a Microsoft-signed WatchDog kernel driver (amsdk.sys v1.0.600) to neutralize endpoint defenses. The operation uses a dual-driver approach—an older Zemana-based driver on Windows 7 and the WatchDog driver on Windows 10/11—to terminate processes and escalate privileges. An all-in-one loader bundles anti-analysis checks, embedded drivers, AV-killer logic, and a ValleyRAT downloader to establish persistent remote access.

Salesloft token theft exposes wide-ranging integrations

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.

Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.

Salesloft Drift Supply-Chain Attacks Also Hit Google

🔒 Google and security vendors say the Salesloft Drift supply-chain campaign is broader than initially reported. Threat actors tracked as UNC6395 harvested OAuth tokens from the Salesloft Drift integration with Salesforce and also accessed a very small number of Google Workspace accounts. Organizations should treat any tokens connected to Drift as potentially compromised, revoke and rotate credentials, review third-party integrations, and investigate connected systems for signs of unauthorized access.

WhatsApp Patches Zero-Click Zero-Day Exploit in iOS

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.

Suspected Hacker Arrested for Tampering School Grades

🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.

WhatsApp Emergency Update Fixes Zero-Click iOS/macOS Bug

🔒 WhatsApp has issued emergency updates for iOS and macOS to fix CVE-2025-55177, a high-severity authorization flaw that may have been exploited alongside an Apple ImageIO zero-day (CVE-2025-43300). The bug could allow processing of content from an arbitrary URL on a target device and affects specific iOS, Business iOS, and Mac app versions. Users are urged to update immediately; confirmed targets were advised to perform a full factory reset.

Salt Typhoon APT Expands to Netherlands, Targets Routers

🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.

WhatsApp patches iOS and macOS zero-day vulnerability

🔒 WhatsApp has patched a zero-click vulnerability (CVE-2025-55177) impacting WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw involved incomplete authorization of linked-device synchronization messages that could trigger processing of content from an arbitrary URL on a target device. WhatsApp said the bug may have been chained with an Apple OS-level zero-day (CVE-2025-43300) and exploited in targeted, sophisticated attacks. Potentially impacted users have been urged to perform a factory reset and keep their operating systems and apps up to date.

WordPress Plugin and Theme Vulnerabilities Surge in 2025

⚠️ Recent investigations show a wave of active attacks against WordPress plugins and themes, including Gravity Forms, the Alone and Motors themes, and Post SMTP. Exploits have enabled remote code execution, administrator account takeover, and mass site compromise, while the Efimer trojan has been distributed from some infected sites. Vendors have issued patches, but many sites remain unpatched—site owners should update immediately and follow hardening best practices.

APT37 Spear-Phishing Campaign Targets South Korean Officials

🛡️ Seqrite attributes a large-scale spear-phishing operation, dubbed Operation HanKook Phantom, to APT37, a North Korea–linked group targeting South Korean government and intelligence personnel. Attackers distributed malicious LNK shortcuts disguised as a legitimate National Intelligence Research Society newsletter and a statement from Kim Yo-jong, which triggered downloads and execution of payloads including RokRAT. The campaign employed in-memory execution, fileless PowerShell, XOR decryption, LOLBins and covert exfiltration techniques to blend with normal traffic and evade detection.

Amazon Disrupts APT29 Watering-Hole Device Code Scam

🛡️ Amazon says its security team detected and disrupted an opportunistic watering-hole campaign attributed to APT29 that redirected visitors from compromised sites to attacker-controlled domains mimicking Cloudflare verification pages. The threat used the Microsoft device code authentication flow to trick users into authorizing attacker-controlled devices. Amazon observed multiple evasion techniques and continued tracking as the actor migrated infrastructure.

Amazon Disrupts APT29 Watering Hole Campaign Targeting Users

🔒 Amazon's threat intelligence team identified and disrupted a watering hole campaign conducted by APT29, a group linked to Russia’s SVR. The actor compromised legitimate websites and injected obfuscated JavaScript to redirect a subset of visitors to attacker-controlled pages that mimicked Cloudflare verification. The campaign aimed to abuse Microsoft's device code authentication flow to trick users into authorizing attacker-controlled devices; Amazon isolated affected EC2 instances and coordinated with partners to disrupt infrastructure and share intelligence.