THINGS FALL APART: ALLYING CYBERSECURITY AND DIPLOMACY AGAINST AUTHORITARIAN DISORDER

There are over 100 armed conflicts worldwide, all with a technological dimension, as global systems face mounting strain. In this session, Luxembourg’s Cybersecurity and Digitalisation Ambassador offers a clear-eyed look at current challenges in geopolitics and cyberdiplomacy, and how these fields can work together in response. Join the discussion and bring your questions on international relations and order in the digital world.

Luc Dockendorf (@lucdockendorf), Luxembourg’s Cyber and Digital Ambassador since March 2025, has worked in international relations since 2003, including roles with the Ministry of Foreign Affairs, the UN Security Council, the Human Rights Council, and leading EU cyber policy discussions.

📅 Conference Dates: 6–8 May 2026 | 09:00–18:00
📍 14, Porte de France, Esch-sur-Alzette, Luxembourg
🎟️ Tickets: https://2026.bsides.lu/tickets/
📅 Schedule Link: https://pretalx.com/bsidesluxembourg-2026/schedule/

#BSidesLuxembourg #Cybersecurity #Diplomacy #Geopolitics #CyberDiplomacy #InternationalRelations #BsidesLuxembourg2026

Day 1 at #DISB2026 in Bucharest. 🏰 Spent half the day trying not to get lost in the Palace of the Parliament and the other half networking. Met the team from DDN to talk data storage. Today was mostly high-level "innovation" talk, but I’m ready for the heavy lifting tomorrow — Cyber Diplomacy and AI security sessions. Stay tuned! 🚀 #CyberDiplomacy #MastodonTech #InfoSec #InnovationSummit

Happy Holidays! Grab for yourself and share a copy with your friends and family as a gift: “Cyber Polyticks.” Do remember to leave your reviews too.
https://www.amazon.com/gp/aw/d/B085DTB3SB

#cyber #Cryptocurrency #Antitrust #China #IoT #algorithms #privacy #cybersecurity #cyberdiplomacy


Researcher (m/f/d) in the research focus “International Cybersecurity” - IFSH

The Institute for Peace Research and Security Policy at the University of Hamburg has been investigating the conditions for peace and security – on a…

Russia, North Korea partner on cybercrime, researchers warn

Findings suggest a new level of coordination between Moscow and Pyongyang.

POLITICO

The UN signs a global cybercrime convention — a long-awaited step toward unified digital law enforcement. Cooperation is the new firewall. 🌐🤝 #CyberDiplomacy #GlobalSecurity

https://www.theregister.com/2025/10/27/un_cybercrime_convention_signed/

UN Cybercrime Treaty wins dozens of signatories, to go with its many critics

Allows surveillance and cross-border evidence sharing, which worries human rights groups

The Register

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, new malware and exploitation techniques, and some interesting developments in cyber diplomacy and legal battles. Let's take a look:

Workday CRM Breach Linked to ShinyHunters ⚠️
- HR giant Workday disclosed a data breach impacting its third-party CRM platform, confirming attackers accessed business contact information like names, emails, and phone numbers.
- This incident is part of a wider social engineering campaign, strongly linked to the ShinyHunters extortion group, which has targeted numerous high-profile companies (e.g., Adidas, Qantas, Google) by tricking employees into linking malicious OAuth apps to Salesforce instances.
- While Workday states no customer tenants or data within them were impacted, the exposed contact info could be used for further social engineering or vishing scams.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hr-giant-workday-discloses-data-breach-amid-salesforce-attacks/
🗞️ The Record | https://therecord.media/workday-social-engineering-data-breach
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/18/workday_crm_breach/

Bragg Gaming Group Suffers Internal Breach 🎲
- Casino game producer Bragg Gaming Group reported a cyber incident where hackers accessed its internal computer environment.
- Preliminary investigations indicate the breach was limited to internal systems, with no personal information affected and no impact on the company's operations or data access.
- Bragg has engaged cybersecurity experts to manage the incident, making them the latest gaming company to face a breach after recent incidents impacting Ainsworth Game Technology and International Game Technology.
🗞️ The Record | https://therecord.media/casino-gaming-company-cyber-incident-bragg

Canadian House of Commons Breached 🇨🇦
- Canada's House of Commons experienced a data breach, with an unknown malicious actor gaining access to employee names, job titles, office locations, email addresses, and government-managed hardware information.
- The Communications Security Establishment (CSE) confirmed the incident and is investigating, noting recent warnings about China, Iran, and Russia increasingly targeting Canadian systems.
- While attribution is pending, the CSE's assessment highlights China's interest in intellectual property, Iran's espionage, and Russia's targeting due to Canada's NATO role and support for Ukraine.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/17/cybersecurity_news_roundup/

PipeMagic Backdoor Leverages Zero-Day in Ransomware Attacks 💥
- Microsoft has detailed PipeMagic, a sophisticated modular backdoor used by threat actor Storm-2460, which is being disguised as a ChatGPT desktop application.
- Storm-2460 exploits a Windows Common Log File System Driver (CLFS) zero-day vulnerability (CVE-2025-29824) to escalate privileges before deploying ransomware, with RansomExx and Play ransomware variants observed.
- The malware's design, including its use of a modified GitHub ChatGPT project and dynamic payload injection, makes it difficult to detect, targeting IT, financial, and real estate sectors globally.
🗞️ The Record | https://therecord.media/ransomware-gang-masking-pipemagic-backdoor

ERMAC Android Banking Trojan Source Code Leaked 📱
- The source code for ERMAC v3.0, a prominent Android banking trojan, has been leaked online, exposing its internal architecture and operator infrastructure.
- Discovered in an open directory, the leak includes the malware's backend, frontend panel, exfiltration server, deployment configurations, and builder, revealing expanded targeting capabilities for over 700 banking, shopping, and crypto apps.
- Significant operational security failures by the ERMAC operators, such as hardcoded JWT tokens and default root credentials, have made it easier for researchers to map their infrastructure and for detection solutions to improve.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ermac-android-malware-source-code-leak-exposes-banking-trojan-infrastructure/

Infostealers Target Russian Crypto Developers via npm 🎣
- Researchers at Safety have uncovered malicious npm packages ("solana-pump-test", "solana-spl-sdk") targeting the Solana cryptocurrency ecosystem, specifically aimed at Russian crypto developers.
- These packages act as infostealers, searching for crypto tokens, password files, exchange credentials, and wallet files, then exfiltrating data to US-linked command and control (C2) servers.
- The use of the familiar "cryptohan" handle provides a veneer of legitimacy, and the targeting of Russian victims, potentially linked to state-backed ransomware groups, raises questions about state-sponsored activity.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/18/solana_infostealer_npm_malware/

Kinsing Cryptomining Group Expands to Russia ⛏️
- The Kinsing (H2Miner, Resourceful Wolf) cryptojacking group has launched a large-scale campaign targeting Russian computers for Monero cryptocurrency mining.
- The attacks, observed since April, exploit vulnerabilities in widely-used software, specifically CVE-2017-9841, a critical remote code execution flaw in the PHPUnit testing framework.
- This marks Kinsing's first large-scale activity in Russia, highlighting that criminal groups are not limited by geography and the ongoing need to patch even older vulnerabilities.
🗞️ The Record | https://therecord.media/cryptomining-group-kinsing-hits-russia

New Tool Sni5Gect Sniffs and Exploits 5G Traffic 📡
- Security researchers have released Sni5Gect, an open-source framework capable of real-time sniffing and targeted payload injection in pre-authentication 5G communication without requiring a rogue base station.
- The tool exploits unencrypted messages exchanged between the gNB (base station) and User Equipment (UE) during connection handshaking, enabling uplink/downlink sniffing with over 80% accuracy.
- Sni5Gect facilitates a novel downgrade attack (CVD-2024-0096) from 5G to 4G, allowing for further surveillance and attacks, and its creators have withheld "other serious exploits" for trusted institutions only.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/18/sni5gect/

China Slams US Over Chip Tracking as "Surveillance Empire"
- Chinese state media has criticised proposed US measures to embed asset tracking tags in GPU shipments to prevent black-market diversions to China, labelling the US an "aspiring surveillance empire."
- This comes amidst ongoing US export controls on advanced chips and semiconductor manufacturing equipment, with Beijing raising concerns about potential remote disabling or "kill switches" in US-made chips.
- The rhetoric highlights escalating tensions over technology control, with China's own extensive surveillance networks and past US accusations against Huawei for backdoors adding layers of irony to the debate.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/18/china_gpu_tracking/

Zelle Sued Over Rampant Payment Fraud 💸
- New York State is suing Early Warning Services (EWS), the company behind the bank-owned P2P payment app Zelle, alleging it knowingly enabled widespread fraud.
- The lawsuit claims Zelle lacked critical safety features, allowing scammers to easily mimic brands and trick users into sending payments, with victims often unable to retrieve stolen funds due to the app's rapid payment design.
- Despite over $1 billion in alleged fraud between 2017-2023 and previous complaints from elected officials, EWS reportedly failed to require banks to report scams or timely remove fraudsters' accounts.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/17/cybersecurity_news_roundup/

Nuance Settles MOVEit Breach Lawsuit for $8.5M ⚖️
- Microsoft-owned Nuance has agreed to an $8.5 million settlement in a class-action lawsuit stemming from the 2023 MOVEit Transfer mega-breach, affecting approximately 1.225 million people.
- While denying liability, Nuance, a medical transcription and speech recognition provider, was accused of negligence for failing to properly secure personal information siphoned by the Clop ransomware gang.
- This settlement, though modest compared to some MOVEit payouts, highlights the ongoing legal fallout for organisations caught in supply-chain breaches, particularly in the sensitive healthcare sector.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/08/18/nuance_lawsuit/

UK Sentences "Serial Hacker" to 20 Months in Prison 🔒
- A 26-year-old UK national, Al-Tahery Al-Mashriky, has been sentenced to 20 months in prison after pleading guilty to nine charges under the Computer Misuse Act.
- Al-Mashriky, linked to groups like 'Spider Team' and 'Yemen Cyber Army', infiltrated and defaced over 3,000 websites, including Yemeni government sites, an Israeli news outlet, and US/Canadian faith organisations, often posting political or religious messages.
- Forensic evidence also showed he possessed stolen login details for millions of Facebook users and credentials for services like Netflix and PayPal, demonstrating the broad impact of his activities.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/legal/uk-sentences-serial-hacker-of-3-000-sites-to-20-months-in-prison/

US State Department Gutting Cyber Diplomacy Staff 📉
- The US State Department's political appointees are accused of gutting the Bureau of Cyberspace and Digital Policy (CDP) by reorganising offices and significantly reducing staff, despite congressional directives to bolster cyber diplomacy.
- This restructuring has fragmented the CDP's functions, moving critical cyberattack response and strategy teams to other bureaus, and resulted in the firing of at least half a dozen subject matter experts.
- Critics argue this move undermines the US's ability to work with allies on cybersecurity, hold adversaries accountable, and promote secure internet infrastructure, potentially taking years to rebuild lost capabilities.
🤫 CyberScoop | https://cyberscoop.com/state-department-cyber-diplomacy-setback-congress-action-op-ed/

#CyberSecurity #ThreatIntelligence #Ransomware #Malware #ZeroDay #Vulnerability #SocialEngineering #DataBreach #CyberCrime #InfoSec #CyberAttack #IncidentResponse #ThreatActor #CyberDiplomacy #DataPrivacy

HR giant Workday discloses data breach after Salesforce attack

Human resources giant Workday has disclosed a data breach after attackers gained access to a third-party customer relationship management (CRM) platform in a recent social engineering attack.

BleepingComputer

LINE OF CODE, FRONT LINE

Faced with state cyberattacks, the EU is deploying its Plan Bleu: coordinated response, digital reserve, active diplomacy. A strategic Europe is being born in the fire of hybrid crises.

🔗 https://whatsapp.com/channel/0029VaE5Wl8Dp2Q7vJyg0G30

#EuroScope #Cybersecurity #PlanBleu #CyberDiplomacy #EUCCS #IPCR #CSIRTs #EU_CyCLONe #OTAN #HybridThreats #RésilienceEuropéenne #SolidaritéNumérique #SouverainetéDigitale

#SocialMedia is geopolitics, #cyberdiplomacy is critical: #Trump “also reiterated that he would, in particular, be willing to offer #tariff relief for #China if Beijing approved the sale of the US operations of #TikTok”.
https://www.platformer.news/trump-tariffs-tiktok/
When your shadow VP knows how to do foreign interference with their social media, they will likely advise you to get more such weapons.

TikTok’s fate could be decided by tariffs

Trump is holding out ByteDance's app as a bargaining chip. Will China take the bait?

Platformer

Transnational REPRESSION, autocorrect fail there. Sadly missed the film (is it online?) but great panel. Great to hear German government people who understand how critical #cybersecurity & #encryption are to fundamental human rights. #privacy #activism #autocracy #cyberdiplomacy

RE: https://bsky.app/profile/did:plc:yfdpl325c5f33ur3y2e3xt3y/post/3ljnhhsejgs24