This Week in Cybersecurity #18
Fourth-party fallout, patch-now priorities, and resilience under fire — your weekend brief.
Good morning, security gang,
This week proves (again) that our biggest risks aren’t always zero-days—they’re the trusted pipes we forget to monitor. The SalesLoft/Drift → Salesforce OAuth storm rippled into Google, TransUnion, Zscaler, Palo Alto Networks, and Cloudflare, while ransomware reminded Nevada, Sweden, and manufacturers what weak resilience really costs.
On the nation-state front, APT29’s watering holes and Salt Typhoon’s ISP footholds showed how quietly access gets staged, while record DDoS bursts and actively exploited bugs in WhatsApp, Git, FreePBX, Android, Sitecore, and Docker tightened the patch window. We’ve organized everything by category so you can skim fast, brief the team, and act with purpose, then finish with a punch-list to close the gaps.
Supply Chain & SaaS Fallout
Salesforce/Drift OAuth campaign (Google, TransUnion, Zscaler, Palo Alto Networks, Cloudflare): Attackers abused the SalesLoft–Drift integration to steal the OAuth access and refresh tokens it held, then used those tokens to pull data from customers’ Salesforce tenants and adjacent systems. They searched what they took for AWS keys, Snowflake tokens, mailbox contents, and passwords pasted into support cases. Because a stolen token is a valid grant, the queries looked like the integration’s own API traffic; the remedy was revoking the tokens and rotating every secret found in the exported data, which multiple vendors did while confirming their core products weren’t touched. Tooling appeared automated, with Tor and log deletion used to hinder forensics. This is a fourth-/fifth-party risk event, not a Salesforce platform compromise.
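Two things an incident responder wants to do quickly after a campaign like this: spot a connected app that is querying far faster than a human would and hunting for credential strings in case text, and find the secrets sitting in support cases so they can be rotated. The script below is an added example, not code from the brief or from any of the vendors named above. The event records and case text are constructed, and the record shape (ts, app, user, soql, rows) is an assumption for the example rather than any vendor’s real log schema.

```python
"""Added example: hunt for automated OAuth-integration abuse in CRM API
events, and find secrets sitting in support-case text so they can be rotated.
Record shapes and field names are assumptions for this example, not any
vendor's real log schema."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed API-event records: one row per SOQL query issued through a
# connected app (integration). Field names are made up for the example.
EVENTS = [
    {"ts": "2025-08-20T02:55:00Z", "app": "Marketing Sync", "user": "svc-mkt",
     "soql": "SELECT Id FROM Lead WHERE Company LIKE '%Acme%'", "rows": 3},
    {"ts": "2025-08-20T03:01:05Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Subject, Description FROM Case WHERE CreatedDate > 2025-08-01T00:00:00Z", "rows": 2000},
    {"ts": "2025-08-20T03:01:09Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Description FROM Case WHERE Description LIKE '%AKIA%'", "rows": 14},
    {"ts": "2025-08-20T03:01:12Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Description FROM Case WHERE Description LIKE '%snowflake%'", "rows": 6},
    {"ts": "2025-08-20T03:01:16Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Description FROM Case WHERE Description LIKE '%password%'", "rows": 120},
    {"ts": "2025-08-20T03:01:20Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Name FROM Account", "rows": 5000},
    {"ts": "2025-08-20T03:01:24Z", "app": "Drift Integration", "user": "svc-drift",
     "soql": "SELECT Id, Email FROM Contact", "rows": 9000},
]

# Literal values that, when searched for inside free-text fields, indicate
# credential harvesting rather than a business query.
SECRET_HUNT_TERMS = {"akia", "snowflake", "password", "secret", "key", "token"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def secret_hunting_queries(events):
    """Return events whose SOQL uses a LIKE pattern that is just a credential marker."""
    hits = []
    for ev in events:
        literals = re.findall(r"LIKE\s+'([^']*)'", ev["soql"], flags=re.IGNORECASE)
        if any(lit.strip("%").lower() in SECRET_HUNT_TERMS for lit in literals):
            hits.append(ev)
    return hits


def burst_apps(events, window_seconds=60, threshold=5):
    """Connected apps that issued at least `threshold` queries inside any sliding window."""
    per_app = defaultdict(list)
    for ev in events:
        per_app[ev["app"]].append(parse_ts(ev["ts"]))
    flagged = {}
    for app, times in per_app.items():
        window, peak = deque(), 0
        for t in sorted(times):
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[app] = peak
    return flagged


# Patterns for secrets that end up pasted into support cases. AKIAIOSFODNN7EXAMPLE
# is AWS's documented placeholder key, used here only as constructed input.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
PASSWORD_ASSIGNMENT = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)")


def secrets_in_case(text):
    """Return (kind, value) pairs for credentials found in free text."""
    found = [("aws_access_key_id", m.group(0)) for m in AWS_ACCESS_KEY_ID.finditer(text)]
    found += [("password", m.group(1)) for m in PASSWORD_ASSIGNMENT.finditer(text)]
    return found


CASE_TEXT = ("Customer attached creds for the sync job: AKIAIOSFODNN7EXAMPLE, "
             "password: Summ3r!2025 - please rotate after fixing.")

if __name__ == "__main__":
    for ev in secret_hunting_queries(EVENTS):
        print("secret-hunting query:", ev["app"], ev["soql"])
    print("bursting apps:", burst_apps(EVENTS))
    print("secrets to rotate:", secrets_in_case(CASE_TEXT))
```

Run against the constructed events, the Drift app is flagged for six queries inside one minute and three of them are plain credential hunts; the case text yields one AWS key ID and one password to rotate. In production the thresholds belong in config and the regex list should grow to match whatever your support teams actually paste, but the shape of the hunt is the same.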
Ransomware & Operational Disruption
Nevada state outage (confirmed ransomware): Agency sites and VoIP went down statewide; life-safety systems were prioritized and CISA joined recovery. The incident exposed weak comms redundancy across agencies. Restoration remains phased due to interdependent systems. Expect months of DFIR and control hardening.
Pennsylvania Attorney General (3-week outage): Phones, email, and website were offline, signaling limited segmentation and immature recovery planning. Rebuild efforts suggest a need for golden images and validated backups. Communication gaps amplified public impact. Post-incident governance reviews are likely.
Jaguar Land Rover (global IT disconnects): Cyberattack forced separation of IT systems, halting manufacturing and retail in multiple regions. Tight IT/OT coupling raised the blast radius from ERP to plant lines. Recovery requires staged re-trust of production networks. Supplier coordination will be a critical path.
Sweden municipalities (shared vendor ransomware): A software provider serving roughly 80% of Swedish municipalities was hit, knocking services in more than 200 of them offline. Back-office and citizen-facing systems (payroll, HR, local portals) were disrupted. Concentration on one shared SaaS provider created systemic risk. Data-leak pressure adds extortion leverage.
Data I/O (semiconductor supply chain): Ransomware halted production, shipping, and manufacturing support at a small but strategic vendor. Downstream impact could hit EV charging, automotive modules, and consumer devices. With limited revenue and unclear cyber coverage, prolonged downtime is plausible. Customers may need alternate sourcing.
Governance, Fraud & Accountability
Baltimore vendor-fraud loss ($1.5M): Another ACH redirection succeeded after “paper” fixes from prior incidents. Missing dual control and out-of-band callbacks enabled the swap. Treasury and AP processes need attestation and segregation of duties. Insurance subrogation may be contentious due to repeat failures.
FEMA IT shakeup (24 leaders fired): DHS cited patch neglect, audit resistance, and waste despite ~$500M in IT/cyber budget. The move sets precedent for federal accountability on hygiene basics. Expect aggressive POA&M timelines and external validation. Other DHS components are on notice.
DoD ends “digital escorts” for code: Foreign, uncleared coders previously contributed to sensitive defense cloud with nominal escorts. Program ended due to backdoor and IP risk. FedRAMP High systems will face tighter supply-chain assurances. Expect broader code provenance requirements.
Nation-State & Espionage
APT29/Midnight Blizzard watering holes: Compromised sites pushed visitors into an OAuth device-code flow, tricking them into entering an attacker-generated code on the genuine Microsoft sign-in page and thereby granting the attacker’s session access to M365. Targets included EU/Ukraine entities and policy orgs. Because the victim authenticates on the real login page, there is no fake password form to spot and no MFA fatigue to induce; the attacker simply redeems the resulting tokens. Blocking the device-code flow in Conditional Access where it isn’t needed, plus consent governance, are the counters.
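Device-code abuse leaves a recognisable trail: a device-code sign-in for a user who has never used that flow, completed from a location that is not in their baseline. The detector below is an added example written for this brief, not code from Microsoft or from any reporting on the campaign. The sign-in lines are constructed, and the JSON field names (time, user, app, protocol, country, ip) are an assumption for the example; map them to whatever your identity provider’s sign-in log actually emits.

```python
"""Added example: flag device-code sign-ins that break a user's baseline.
The JSON shape mirrors the kind of fields an identity provider's sign-in log
exposes, but the exact field names here are an assumption for the example."""
import json
from datetime import datetime

# Constructed sign-in log, one JSON object per line.
SIGN_IN_LINES = [
    '{"time": "2025-08-25T08:00:00Z", "user": "alice@example.com", "app": "Office 365 Exchange Online", "protocol": "none", "country": "NL", "ip": "198.51.100.10"}',
    '{"time": "2025-08-25T09:00:00Z", "user": "bob@example.com", "app": "Microsoft Azure CLI", "protocol": "none", "country": "NL", "ip": "198.51.100.11"}',
    '{"time": "2025-08-26T08:05:00Z", "user": "alice@example.com", "app": "Microsoft Teams", "protocol": "none", "country": "NL", "ip": "198.51.100.10"}',
    '{"time": "2025-08-26T10:00:00Z", "user": "bob@example.com", "app": "Microsoft Azure CLI", "protocol": "deviceCode", "country": "NL", "ip": "198.51.100.11"}',
    '{"time": "2025-08-27T14:30:00Z", "user": "alice@example.com", "app": "Microsoft Authentication Broker", "protocol": "deviceCode", "country": "RU", "ip": "203.0.113.77"}',
    '{"time": "2025-08-28T10:00:00Z", "user": "bob@example.com", "app": "Microsoft Azure CLI", "protocol": "deviceCode", "country": "NL", "ip": "198.51.100.11"}',
]


def parse_sign_ins(lines):
    """Parse JSON lines and order them chronologically."""
    events = [json.loads(line) for line in lines]
    events.sort(key=lambda e: datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ"))
    return events


def suspicious_device_code_signins(events):
    """Walk sign-ins in time order and score each device-code sign-in against
    what the user had done before it.

    Returns a list of (user, app, country, reasons) for flagged events."""
    seen_countries = {}        # user -> countries from earlier, unflagged sign-ins
    used_device_code = set()   # users who have completed a device-code flow before
    flagged = []
    for ev in events:
        user = ev["user"]
        reasons = []
        if ev["protocol"] == "deviceCode":
            if user not in used_device_code:
                reasons.append("first_device_code_for_user")
            if ev["country"] not in seen_countries.get(user, set()):
                reasons.append("country_not_in_baseline")
            used_device_code.add(user)
        if reasons:
            flagged.append((user, ev["app"], ev["country"], reasons))
        else:
            # Only clean sign-ins extend the baseline, so a flagged attacker
            # location does not quietly become "normal" for the user.
            seen_countries.setdefault(user, set()).add(ev["country"])
    return flagged


def report(lines):
    return suspicious_device_code_signins(parse_sign_ins(lines))


if __name__ == "__main__":
    for user, app, country, reasons in report(SIGN_IN_LINES):
        print(f"{user} via {app} from {country}: {', '.join(reasons)}")
```

Bob’s first Azure CLI device-code sign-in is flagged once as a first-time use and then drops out of the alerts; Alice’s device-code sign-in from a country outside her baseline, for an app she has never used, is flagged on both counts and is the one to triage. The prevention side is a Conditional Access policy that blocks the device-code authentication flow for everyone who has no legitimate need for it, which is most of the workforce.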
Salt Typhoon in Dutch ISP/hosting routers: Operators used edge/router access for upstream visibility without breaching core networks. Router hygiene and management-plane exposure were weak points. The foothold enables traffic shaping and future intrusion staging. Small ISPs are now clearly in-scope.
German energy sabotage case: A local actor linked to pro-Russia ops caused €10M in damage and exfiltrated 20TB. Highlights insider/near-insider risks at utilities. Legal framing as espionage elevates sentencing. Sector guidance will likely stress monitoring and least privilege.
Vulnerabilities & Patch Watch
WhatsApp zero-day (CVE-2025-55177, iOS/macOS): Abused device-sync messages to trigger malicious URL handling. Already exploited; patch is available. Corporate BYOD fleets are at risk due to ubiquity. MDM-enforced version floors recommended.
Git path/submodule bug (CVE-2025-48384): Actively exploited on macOS/Linux; a crafted repository can make Git write files outside the paths a submodule checkout should touch. CI/CD agents and developer laptops that clone untrusted repositories with submodules are prime targets. Update Git and audit repos for suspicious submodule paths and URLs. Lock down developer privileges and signing policies.
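The audit step above is easy to automate as a pre-clone or CI gate: parse .gitmodules without normalizing anything and refuse to recurse if a submodule path or URL looks wrong. The script below is an added example for this brief, not part of Git or of any published advisory. Its checks (traversal, absolute paths, components that point into .git, control characters, unexpected URL schemes) are generic hygiene rules chosen for the example, not a signature for the CVE, and the .gitmodules content is constructed.

```python
"""Added example: audit a repository's .gitmodules before a recursive clone
or CI checkout. The checks are generic path- and URL-hygiene rules written
for this example; they are not a signature for any particular CVE."""
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KEY_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")
ALLOWED_URL_SCHEMES = {"https", "ssh", "git", ""}   # "" covers scp-style and relative URLs

# Constructed .gitmodules: one clean entry and two that should stop a checkout.
SAMPLE_GITMODULES = (
    '[submodule "vendor/libfoo"]\n'
    '    path = vendor/libfoo\n'
    '    url = https://github.com/example/libfoo.git\n'
    '[submodule "hooks"]\n'
    '    path = ../.git/hooks\n'
    '    url = https://mirror.example/hooks.git\n'
    '[submodule "tools"]\n'
    '    path = tools\r\n'                       # stray carriage return in the value
    '    url = file:///srv/mirror/tools.git\n'
)


def parse_gitmodules(text):
    """Return {submodule name: {key: raw value}} without normalizing values,
    so stray control characters survive for inspection."""
    modules, current = {}, None
    for line in text.split("\n"):          # not splitlines(): keep any '\r'
        sec = SECTION_RE.match(line)
        if sec:
            current = modules.setdefault(sec.group(1), {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def audit_submodule(entry):
    """Return a list of findings for one parsed submodule entry."""
    findings = []
    path = entry.get("path", "")
    url = entry.get("url", "")
    if not path:
        findings.append("missing path")
    if re.search(r"[\x00-\x1f\x7f]", path + url):
        findings.append("control character in path or url")
    parts = PurePosixPath(path).parts
    if path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path):
        findings.append("absolute path")
    if ".." in parts:
        findings.append("path traversal component")
    if ".git" in parts:
        findings.append("path points into a .git directory")
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ALLOWED_URL_SCHEMES:
        findings.append(f"unusual url scheme {scheme!r}")
    return findings


def audit_gitmodules(text):
    """Map every submodule name to its findings; an empty list means clean."""
    return {name: audit_submodule(entry) for name, entry in parse_gitmodules(text).items()}


if __name__ == "__main__":
    for name, findings in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(name, "->", findings or "ok")
```

Wire it in as a step that runs after a plain (non-recursive) clone and before `git submodule update --init --recursive`; any non-empty findings list fails the job. Keeping raw values matters: a parser that helpfully strips whitespace or control characters will hide exactly the oddities you want to see.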
FreePBX RCE (CVE-2025-57819, CVSS 10): In-the-wild exploitation against v15/16/17 enables DB manipulation and code exec. Call centers/MSPs often expose panels to the internet. Patch and restrict admin panel access immediately. Review CDR/VoIP logs for anomalous admin actions.
Android Sept bulletin (111 CVEs, 2 suspected 0-days): Kernel and runtime flaws likely tied to spyware chains. Patch Android 13–16 promptly via EMM. High-risk personas should receive priority. Monitor for post-patch exploitation reports.
IBM WatsonX blind SQLi (CVE-2025-0165): Authenticated attackers can manipulate backend DB in Cloud Pak for Data. Upgrade affected cartridge versions. Scope access and rotate DB secrets. Review logs for anomalous queries.
Sitecore deserialization RCE (CVE-2025-53690): Legacy deployments still using sample machine keys are being exploited. Patch/upgrade and rotate keys. Hunt for WeepSteel tradecraft (tunneling, recon). Harden CM/CD role trust.
Docker Desktop escape (CVE-2025-9074): High-severity, patched in 4.44.3; dev workstations are primary risk. Update across Mac/Windows fleets. Reassess container privilege and socket exposure. Consider sandboxing policies.
Cloud, Telecom & DDoS
Cloudflare 11.5 Tbps DDoS blocked: Short, hyper-volumetric UDP blasts sourced from cloud and IoT nodes. Matches a trend of brief but massive bursts to overwhelm scrubbing. Ensure auto-mitigation and pre-staged rules. Validate upstream/provider limits.
Spain cancels Huawei gov network contract: Contract shifted to RedIRIS, aligning with EU/ally de-risking. Motivations include China’s 2017 intel law and supply-chain assurance. Expect ripple effects to regional and municipal procurements. Transition risk must be managed.
Financial Crime, Enforcement & Policy
TransUnion breach (4.46M, monitoring): Consumer support systems hit via Drift token abuse; core credit DBs untouched. PII includes names, SSNs, DOBs. Notification and monitoring extend exposure timelines. Fraud rings will weaponize overlaps with prior breaches.
Brazil PIX heist foiled ($130M attempt): Attackers reached instant payment rails via a fintech partner. Controls stopped outbound flow in time. Instant-payments (PIX, FedNow, UPI) remain high-value targets. Transaction anomaly detection is essential.
VerifTools fake-ID market seized: U.S./Dutch action took down domains and servers. Takedown yields intel on buyers/sellers. Expect successor sites quickly. KYC fraud waves often follow.
Google fined €325M in France: Gmail in-inbox promos and cookie consent deemed coercive marketing. Six-month compliance clock with daily penalties possible. Signals stricter EU enforcement on “dark patterns.” Enterprises should re-review consent UX.
EU court upholds Data Privacy Framework: The ruling stabilizes U.S.–EU data transfers after the Schrems II uncertainty. It reduces immediate legal risk for cross-border SaaS. Transfers to vendors that aren’t DPF-certified still need SCCs, and vendor diligence is required either way. Advocacy groups may continue appeals.
FTC warns on foreign censorship: Says enforcing foreign speech restrictions on Americans could violate Section 5. Puts U.S. platforms on notice re: UK/EU demands. Expect policy push-pull; legal risk joins reputational risk. Build decision logs for moderation choices.
Ads, Packages & Long-Con
Google Ads → TamperedChef infostealer: Fake PDF tools promoted through paid ads lead to credential theft and proxy enrollment of the infected host. More than 50 domains and multiple certificate issuers were used for rotation. Block the malvertising domains and stop users from installing unapproved software themselves. Educate staff that a polished utility found through an ad is still untrusted.
Malicious NPM crypto clipper (NodeMailer lookalike): Low download count but effective wallet-address hijacking (BTC/ETH/XRP). Shows how typosquatting hunts developer trust. Pin, verify, and monitor sensitive package namespaces. Add build-time SCA gates.
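“Pin, verify, and monitor” can be enforced mechanically at build time. The script below is an added example for this brief, not code from npm or from any reporting on the clipper: it reads a package.json, flags dependency names within a couple of edits of a known package (classic typosquatting) and flags version specs that are ranges or tags rather than exact versions. The known-package list, the distance threshold and the package.json are all constructed for the example; in practice you would compare against your own allowlist plus the registry’s most-downloaded names. One caveat the text makes clear: a lookalike that copies a package’s purpose and description under an unrelated name will not trip an edit-distance check, so this gate complements, rather than replaces, SCA and install-time review.

```python
"""Added example: audit a package.json for lookalike dependency names and
unpinned version specs. The known-package list and thresholds are
assumptions for the example; compare against your own allowlist and the
registry's most-downloaded names in practice."""
import json
import re

KNOWN_PACKAGES = {"nodemailer", "express", "lodash", "axios", "chalk"}


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name, known=KNOWN_PACKAGES, max_distance=2):
    """Known packages whose name is within `max_distance` edits of `name`."""
    return sorted(k for k in known if k != name and levenshtein(name, k) <= max_distance)


EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?")


def is_pinned(spec):
    """True only for an exact semver; ranges (^, ~, >=), tags and URLs are not pinned."""
    return EXACT_VERSION.fullmatch(spec) is not None


def audit_package_json(text):
    """Return {dependency name: [issues]} for every dependency with a problem."""
    pkg = json.loads(text)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    report = {}
    for name, spec in deps.items():
        issues = []
        if name not in KNOWN_PACKAGES:
            hits = lookalikes(name)
            if hits:
                issues.append("lookalike of " + ", ".join(hits))
        if not is_pinned(spec):
            issues.append(f"unpinned version spec {spec!r}")
        if issues:
            report[name] = issues
    return report


# Constructed package.json: one typosquat, one one-letter drop, one floating tag.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "mailer-service",
    "dependencies": {
        "nodemailer": "6.9.14",
        "nodemai1er": "^1.0.0",
        "expres": "4.18.2",
        "lodash": "latest",
    },
    "devDependencies": {"chalk": "5.3.0"},
})

if __name__ == "__main__":
    for name, issues in audit_package_json(SAMPLE_PACKAGE_JSON).items():
        print(name, "->", "; ".join(issues))
```

Fail the build on any non-empty report and you have a cheap gate that catches the name-level squats and the floating versions; the lockfile’s integrity hashes then hold the rest of the graph in place between reviews.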
ScreenConnect long-con phishing: Weeks-long, NDA-backed pretexting to deploy remote-control tools. Bypasses “spot-the-typo” training entirely. Require approvals for remote-support installs. Instrument EDR to flag new RMM agents.
If there’s a throughline to this week, it’s simple: every integration is a privileged account, and resiliency isn’t a slide—it’s muscle you build before impact. Treat tokens like keys, patch like it’s a competitive advantage, segment to shrink the blast radius, and rehearse recovery until it’s boring. Share this brief with your IR, IT, and finance leaders, knock out the action items, and keep your board focused on governance that actually moves risk. I’ll see you back live Monday at 9 a.m. Eastern with the next round.
Until then—stay cyber safe.