CISO Talk by James Azar
CyberHub Podcast
Palo Alto Networks Data Breach, Zscaler Data Breach Exposes Customer Info, WhatsApp Zero-Day Exploited in Attacks Targeting Apple Users, Ukrainian Network FDN3 Launches Massive Cyberattack Campaign

SalesLoft Drift Fallout Expands: Zscaler and Palo Alto Breached as Supply Chain Attacks Escalate, and Spain Boots Huawei

Good Morning Security Gang!
It’s Tuesday, September 2nd, 2025, and welcome back after Labor Day weekend. I hope you all had some rest because today’s CyberHub Podcast is a packed one.

We’re talking about the Salesforce/SalesLoft Drift fallout now pulling in cybersecurity giants like Palo Alto Networks and Zscaler, an active WhatsApp zero-day on Apple devices, brute-force campaigns traced back to Ukrainian infrastructure, a new IBM Watson X blind SQL injection flaw, Google Ads being abused to spread infostealers, crypto wallet tampering in NPM packages, and Spain finally kicking Huawei out of its government networks. Espresso in hand, let’s get right into it.

🔐 Zscaler Confirms Breach via SalesLoft Drift Supply Chain Attack

Zscaler confirmed its Salesforce environment was breached as part of the SalesLoft Drift supply chain attack. Attackers stole OAuth tokens used by the Drift AI chat agent, which integrates into Salesforce. Stolen data includes customer names, job titles, business emails, phone numbers, licensing info, and some support case content. Zscaler stressed its core products and services were unaffected, but this highlights the risk of fourth- and fifth-party integrations most orgs overlook.

“Somewhere here, we lost track of supply chain governance—and the attackers found it.” James Azar

🛡 Palo Alto Networks Also Impacted

Palo Alto Networks disclosed that it too was compromised via the SalesLoft Drift integration. Data accessed included business contacts, sales contact info, and customer support case details—but again, no product or internal systems were impacted. Palo Alto revoked tokens and rotated credentials after detection. Investigators noted attackers used automated tools, deleted logs, and leveraged Tor for obfuscation. This breach now joins the list of Google, Cisco, Farmers Insurance, Workday, Adidas, Allianz, Dior, Louis Vuitton, Qantas, and more impacted by the same campaign.

📱 WhatsApp Zero-Day Actively Exploited on Apple Devices

WhatsApp patched CVE-2025-55177, a zero-day affecting iOS, iPadOS, and macOS clients. The flaw allowed attackers to abuse device sync messages and bypass authorization checks, enabling malicious URL processing. It’s being actively exploited, making updates urgent for all Apple device users.

🌍 Ukrainian IP Infrastructure Used for Brute Force Attacks

Researchers traced widespread brute-force and password-spraying attacks against SSL VPNs and RDP services to Ukraine-based AS FDN3 and shell companies tied to networks in Seychelles. These infrastructures have been active since 2021 and are frequently abused to host spam, malware C2, and attack platforms. Ukraine remains a launchpad for cyber operations, regardless of the ongoing Russia-Ukraine war.

🧠 IBM Watson X Blind SQL Injection Flaw

IBM disclosed CVE-2025-0165, a blind SQL injection in Watson X Orchestrate Cartridge within IBM Cloud Pak for Data. Versions 4.8.4–4.8.5 and 5.0.0–5.2 are affected, allowing authenticated attackers to manipulate backend databases. Admins should upgrade to patched versions immediately.

📢 Google Ads Used to Push “Tampered Chef” Infostealer

Threat actors are buying Google Ads to distribute fake PDF editing apps that deliver the TamperedChef info-stealing malware. Once installed, it exfiltrates credentials, maps networks, and sometimes registers victims as residential proxies. Over 50 fraudulent domains tied to four certificate issuers were identified. This shows again how Google Ads remains a trusted but risky attack vector.

💰 Malicious NPM Package Targets Crypto Wallets

A package called Node.js SMTP impersonated the legitimate NodeMailer library but injected malicious code to hijack transactions in wallets like Atomic and Exodus. Downloads were low (~350) before takedown, but the package functioned as a crypto clipper, redirecting BTC, ETH, XRP, and more to attacker-controlled wallets.

🇪🇸 Spain Cancels Huawei Government Network Contract

Spain canceled an €11.7M Huawei contract for government networks, awarding it instead to RedIRIS. This marks a significant shift, as Spain had previously resisted EU-wide restrictions on Huawei. The decision reflects pressure from allies to remove Chinese vendors from critical infrastructure, citing Beijing’s 2017 intelligence law and national security risks.

"Good news there - at least countries are waking up to the fact that China should be nowhere near our telecom critical infrastructure." James Azar


🧠 James Azar’s CISO Take

The Drift/Salesforce supply chain attack is this year’s Snowflake moment. Salesforce itself wasn’t breached, just like Snowflake wasn’t last year. The weakness was in token management and oversight of integrations. The lesson: treat integrations as privileged accounts and continuously validate their security posture. CISOs can’t just look at tier-1 vendors—they must evaluate downstream dependencies.

The other clear theme is trust and geopolitics. WhatsApp zero-days, Ukrainian brute-force infrastructure, and Spain finally moving away from Huawei all point to the same conclusion: adversaries exploit trusted platforms, whether SaaS, ads, or vendors. Our defenses don’t fail on technology—they fail on governance, oversight, and resilience. CISOs must elevate these discussions to the board so security decisions aren’t left to vendor contracts and “checkbox” audits.

✅ Action Items

  • 🔑 Revoke and rotate OAuth tokens tied to Salesforce integrations.

  • 📊 Treat SaaS integrations as privileged accounts; enforce MFA and least privilege.

  • 📱 Patch WhatsApp on iOS, iPadOS, and macOS immediately.

  • 🌍 Monitor for brute-force and password-spraying traffic tied to FDN3 and the Seychelles-registered ASNs.

  • 🧠 Upgrade IBM Watson X Orchestrate to patched versions.

  • 📢 Block malicious Google Ads domains; educate staff on fake software campaigns.

  • 💾 Audit NPM package dependencies; monitor for crypto-targeting packages.

  • 🇨🇳 Track telecom/vendor sourcing policies—remove risky suppliers from critical infra.
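The brute-force item in the news section and the "monitor for brute-force traffic" action item above both come down to the same detection: many authentication failures from one source in a short window, spread across many usernames (a spray) or hammering one account (classic brute force), then enriched with the source ASN. The script below is an added example written for this post, not something from the podcast or from the researchers' report. The log format, the sample lines, the IP-to-ASN table and the AS numbers in it are all constructed placeholders; the real FDN3 and Seychelles AS numbers are not on this page and would come from your routing or WHOIS feed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth-log lines (not real traffic) from an SSL VPN gateway and
# an RDP host. Assumed format: "<ISO timestamp> <service> auth_fail user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-09-02T08:00:01Z sslvpn auth_fail user=alice src=203.0.113.10
2025-09-02T08:00:03Z sslvpn auth_fail user=bob src=203.0.113.10
2025-09-02T08:00:05Z sslvpn auth_fail user=carol src=203.0.113.10
2025-09-02T08:00:07Z sslvpn auth_fail user=dave src=203.0.113.10
2025-09-02T08:00:09Z sslvpn auth_fail user=erin src=203.0.113.10
2025-09-02T08:00:11Z sslvpn auth_fail user=frank src=203.0.113.10
2025-09-02T08:01:00Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:02Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:04Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:06Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:08Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:10Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:01:12Z rdp auth_fail user=administrator src=198.51.100.7
2025-09-02T08:05:00Z sslvpn auth_fail user=grace src=192.0.2.44
2025-09-02T09:30:00Z sslvpn auth_fail user=grace src=192.0.2.44
"""

# Constructed ASN lookup. The AS numbers and org labels are placeholders, NOT the
# real numbers for FDN3 or the Seychelles networks named in the episode.
IP_TO_ASN = {
    "203.0.113.10": ("AS64500", "PLACEHOLDER-ASN-A"),
    "198.51.100.7": ("AS64501", "PLACEHOLDER-ASN-B"),
    "192.0.2.44": ("AS64502", "PLACEHOLDER-RESIDENTIAL-ISP"),
}
WATCHLIST_ASNS = {"AS64500", "AS64501"}  # the ASNs you have decided to watch

LINE_RE = re.compile(r"^(\S+) (\S+) auth_fail user=(\S+) src=(\S+)$")


def parse(log_text):
    """Turn the constructed log format into a list of failure events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not auth failures in the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "service": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def detect(events, window=timedelta(minutes=5), min_failures=5, spray_users=4):
    """Return {src_ip: finding} for sources whose densest failure window trips the thresholds.

    A window with many distinct usernames is classified as a password spray; one
    hammering few accounts is classified as brute force. Each finding is enriched
    with the source ASN and whether that ASN is on the watchlist.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        # sliding window over time-sorted events: keep the densest window per source
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) > len(best):
                best = win
        if len(best) < min_failures:
            continue
        users = {e["user"] for e in best}
        asn, _org = IP_TO_ASN.get(src, ("unknown", "unknown"))
        findings[src] = {
            "kind": "password_spray" if len(users) >= spray_users else "brute_force",
            "failures": len(best),
            "distinct_users": len(users),
            "asn": asn,
            "on_watchlist": asn in WATCHLIST_ASNS,
        }
    return findings


if __name__ == "__main__":
    for src, f in detect(parse(SAMPLE_LOG)).items():
        print(src, f)
```

The thresholds (five failures in five minutes, four or more distinct users to call it a spray) are starting points, not tuned values; the point of the ASN enrichment is that a watchlisted source should page someone at a lower failure count than an unknown one, and the two slow failures from the residential address correctly produce no finding.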
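The malicious "Node.js SMTP" package that impersonated NodeMailer, and the "audit NPM package dependencies" action item, both call for the same control: a check on what a manifest pulls in before it is installed. The audit below is an added example for this post, not code from the podcast or from npm. It flags three things a reviewer would want to see: dependencies that are not on an approved list, names within a small edit distance of an approved package (typosquats), and dependencies whose own manifest declares an install-time lifecycle script. The package.json, the approved list and the per-dependency manifest snapshot are all constructed; in practice the snapshot would come from `npm view <pkg> --json` or a registry mirror.

```python
import json

# Constructed package.json for illustration (not a real project's manifest).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "nodemailer": "^6.9.0",
        "express": "^4.19.0",
        "nodemailr": "1.0.3",       # constructed typosquat of nodemailer
        "node-js-smtp": "1.0.3",    # constructed lookalike with an install hook
        "lodash": "^4.17.21",
    },
})

# Constructed snapshot of each dependency's own manifest, standing in for what a
# registry query would return. The script values are invented for the example.
SAMPLE_DEP_MANIFESTS = {
    "nodemailer": {"scripts": {}},
    "express": {"scripts": {}},
    "nodemailr": {"scripts": {}},
    "node-js-smtp": {"scripts": {"postinstall": "node ./setup.js"}},
    "lodash": {"scripts": {}},
}

# Short approved list; a real audit would read this from an internal allowlist.
APPROVED = {"nodemailer", "express", "lodash", "axios", "react"}

# npm runs these automatically during `npm install`, so they deserve a look.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a, b):
    """Levenshtein distance with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(package_json_text, dep_manifests, approved=APPROVED, max_dist=2):
    """Return {dependency_name: [reasons]} for every dependency that needs review."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = {}
    for name in deps:
        reasons = []
        if name not in approved:
            reasons.append("not_on_approved_list")
            # a name one or two edits away from an approved package is a typosquat signal
            close = [k for k in approved if 0 < edit_distance(name, k) <= max_dist]
            if close:
                reasons.append("lookalike_of:" + ",".join(sorted(close)))
        scripts = dep_manifests.get(name, {}).get("scripts", {})
        hooks = [h for h in INSTALL_HOOKS if h in scripts]
        if hooks:
            reasons.append("install_hook:" + ",".join(hooks))
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_PACKAGE_JSON, SAMPLE_DEP_MANIFESTS).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

Name similarity alone would not have caught a package that impersonates another by description rather than by spelling, which is why the approved-list and install-hook checks matter: an unapproved package that wants to run code at install time is exactly the combination worth holding at the gate until someone reads it.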


We'll be back tomorrow at 9 AM Eastern with the latest updates. Have a great rest of your day, y'all, and most importantly, stay cyber safe.
