Alright team, it's been a busy 24 hours! We've got a slew of new breach details, a critical actively exploited WordPress vulnerability, insights into new botnet tactics, AI's growing role in attacks and defence, and a look at SaaS security challenges. Let's dive in:

Recent Cyber Attacks or Breaches

Discord Breach Details Emerge ⚠️
- Discord confirmed a breach of a third-party Zendesk support system, affecting users who interacted with customer support.
- While hackers claimed 5.5 million users and 2.1 million government IDs were exposed, Discord states approximately 70,000 users had government ID photos compromised, primarily for age verification.
- The attackers reportedly gained access via a compromised outsourced support agent account, leveraging a support application (Zenbar) to access user data and perform API queries, leading to 1.6TB of data theft, including partial payment info. Discord refused a $3.5-$5 million ransom demand, leading to threats of public data leaks.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-claim-discord-breach-exposed-data-of-55-million-users/
🗞️ The Record | https://therecord.media/discord-government-docs-exposed-breach

SonicWall Admits All Cloud Backup Customers Affected 🔒
- SonicWall has walked back its initial claim that less than 5% of customers were affected by a September breach, now confirming all customers who used its cloud backup service had their firewall configuration files accessed.
- These files contain encrypted credentials and configuration data (firewall rules, routing configs), which, despite encryption, could significantly aid targeted attacks or offline cracking of weak passwords.
- The incident was a direct hit on SonicWall's internal infrastructure via a brute-force attack on a customer-facing system, not an exploitation of their firewall devices themselves. Customers are urged to delete existing cloud backups, change MySonicWall credentials, rotate shared secrets/passwords, and recreate backups locally.
🤫 CyberScoop | https://cyberscoop.com/sonicwall-customer-firewall-configurations-exposed/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/09/sonicwall_breach_hits_every_cloud/
📰 The Hacker News | https://thehackernews.com/2025/10/hackers-access-sonicwall-cloud-firewall.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-stolen-for-all-cloud-backup-customers/

Clop Exploits Oracle E-Business Suite Zero-Day 🚨
- The Clop ransomware group has been targeting Oracle E-Business Suite customers since July 2025, exploiting a zero-day vulnerability (CVE-2025-61882) and at least four other defects to achieve pre-authenticated remote code execution.
- This campaign has impacted dozens of organisations, with Clop stealing "massive amounts of data" for extortion, with demands reaching up to $50 million.
- Many Oracle EBS instances remain vulnerable, with Shadowserver identifying 576 potentially exposed instances, primarily in the US. Organisations should patch immediately and be aware of the use of multi-stage fileless malware.
🤫 CyberScoop | https://cyberscoop.com/oracle-customers-attacks-clop-google-mandiant/

"Payroll Pirate" Hackers Target Universities 💰
- A cybercrime group, Storm-2657, is actively targeting US universities with "payroll pirate" attacks since March 2025, aiming to divert employee salary payments.
- Attackers use sophisticated phishing emails (e.g., COVID-19 warnings, classroom misconduct allegations) with adversary-in-the-middle (AITM) links to steal MFA codes and compromise Workday accounts.
- Once in, they create inbox rules to delete Workday notifications, alter payment configurations, and even enrol their own devices for MFA to maintain persistence, highlighting a critical need for phishing-resistant MFA.
πŸ—žοΈ The Record | https://therecord.media/universities-phishing-payroll-pirates
πŸ€– Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-target-university-hr-employees-in-payroll-pirate-attacks/

Vulnerabilities

Critical WordPress Theme Exploit Under Active Attack 🛡️
- A critical authentication bypass vulnerability (CVE-2025-5947, CVSS 9.8) in the Service Finder WordPress theme's bundled plugin is being actively exploited.
- This flaw allows unauthenticated attackers to gain admin access by bypassing cookie validation in an account switching function (service_finder_switch_back()).
- Exploitation has been observed since August 1, 2025, with over 13,800 attempts detected. All versions prior to 6.1 are affected.
📰 The Hacker News | https://thehackernews.com/2025/10/critical-exploit-lets-hackers-bypass-authentication-in-wordpress-service-finder-theme.html

New Threat Research

RondoDox Botnet Leverages "Exploit Shotgun" Tactic 🔫
- A new large-scale botnet, RondoDox, is actively targeting 56 n-day vulnerabilities across over 30 distinct devices, including DVRs, NVRs, CCTV systems, and web servers.
- The botnet employs an "exploit shotgun" strategy, using numerous exploits simultaneously, including weaponising flaws demonstrated at Pwn2Own events (e.g., CVE-2023-1389 in TP-Link Archer AX21).
- Many targeted flaws are older or in EoL equipment, highlighting the ongoing risk of unpatched devices. Organisations should prioritise firmware updates and network segmentation.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n-day-flaws-in-worldwide-attacks/

Hackers Abusing Velociraptor DFIR Tool in Ransomware Attacks ⚙️
- Threat actors, potentially the China-based Storm-2603 (linked to Warlock ransomware and LockBit affiliation), are now using the legitimate Velociraptor DFIR tool in LockBit and Babuk ransomware campaigns.
- They leverage an outdated, vulnerable version of Velociraptor (0.73.4.0, CVE-2025-6264) for privilege escalation and arbitrary command execution, maintaining persistence even after host isolation.
- Observed TTPs include creating local admin accounts, accessing VMware vSphere, disabling Defender, running Impacket smbexec-style commands, and using fileless PowerShell encryptors for data exfiltration and encryption.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-now-use-velociraptor-dfir-tool-in-ransomware-attacks/

Russia Weaponises AI in Cyber Attacks Against Ukraine 🤖
- Ukraine's SSSCIP reports a significant increase in Russian hackers using AI in cyberattacks during H1 2025, moving beyond phishing message generation to AI-generated malware.
- Examples include UAC-0219's WRECKSTEEL malware (likely AI-developed) and various phishing campaigns distributing stealers like HOMESTEEL, GIFTEDCROOK, Amatera Stealer, and Strela Stealer.
- APT28 (UAC-0001) is exploiting XSS flaws in Roundcube and Zimbra webmail for zero-click attacks to steal credentials and forward emails. Sandworm (UAC-0002) continues hybrid warfare, targeting energy and defence sectors.
📰 The Hacker News | https://thehackernews.com/2025/10/from-phishing-to-malware-ai-becomes-russias-new-cyber-weapon-in-war-on-ukraine.html

Pro-Russian Hacktivists Pivot to Critical Infrastructure Disruption 🏭
- The pro-Russian hacktivist group TwoNet has evolved from DDoS attacks to targeting critical infrastructure, as demonstrated by their compromise of a research honeypot water treatment facility.
- In a 26-hour window, they gained initial access via default credentials, enumerated databases, created a new user, and exploited an old XSS (CVE-2021-26829) to display a "Hacked by Barlati" message.
- Crucially, they attempted disruptive actions, disabling real-time updates by removing PLCs from data sources and changing HMI setpoints, focusing on the web application layer without underlying host exploitation.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-infrastructure-hit-decoy-plant/

LLM Poisoning Easier Than Expected, Anthropic Warns 🧠
- New research by Anthropic and partners reveals that poisoning large language models (LLMs) to output gibberish with a trigger phrase is "trivially easy," requiring only 250 specially crafted documents.
- This small dataset (0.00016% of a 13B parameter model's training data) was sufficient to compromise models like Llama 3.1 and GPT 3.5-Turbo, regardless of their size.
- While focused on denial-of-service, this highlights a significant vulnerability in AI training data. Defenders need to implement robust data filtering and backdoor detection mechanisms throughout the training pipeline.
πŸ•΅πŸΌ The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/09/its_trivially_easy_to_poison/

Threat Landscape Commentary

Token Theft: The Achilles' Heel of SaaS Security 🔑
- Token theft (OAuth, API, session tokens) is a leading cause of SaaS breaches, often bypassing MFA and traditional security controls due to SaaS sprawl and hidden token trust relationships.
- Recent incidents (Slack, CircleCI, Cloudflare/Okta, Salesloft/Drift) demonstrate how a single stolen token can grant persistent access, enable lateral movement, and compromise sensitive data across integrated platforms.
- Organisations lack visibility into numerous third-party app integrations and their associated tokens, creating an ungoverned attack surface. Stronger "token hygiene" – discovery, control, and monitoring – is crucial.
📰 The Hacker News | https://thehackernews.com/2025/10/saas-breaches-start-with-tokens-what.html

Regulatory Issues or Changes

US Senate Seeks to Renew Expired Cyber Threat Information-Sharing Law 🏛️
- Senator Gary Peters has introduced the Protecting America from Cyber Threats (PACT) Act to extend and rename the expired Cybersecurity and Information Sharing Act of 2015 (CISA 2015).
- The new bill aims to provide long-term liability protections for organisations sharing cyber threat data with each other and the federal government, making it retroactive to cover the lapse since October 1.
- The lapse is causing increasing nervousness among organisations, with industry groups calling CISA 2015 vital for cyber defence, highlighting the need for stable, long-term policy.
🤫 CyberScoop | https://cyberscoop.com/gary-peters-cyber-threat-information-sharing-law-rand-paul/

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Vulnerability #ZeroDay #Botnet #AI #MachineLearning #SaaS #TokenTheft #CriticalInfrastructure #Hacktivism #IncidentResponse #InfoSec
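The "Payroll Pirate" item above notes that, once inside a Workday account, the attackers create inbox rules to delete Workday notifications so the victim never sees the payment-change alerts. That behaviour is visible in mailbox audit logs, and it is one of the cheaper things to hunt for. The following is an added example, not code from the digest or from any of the cited articles: a small Python detector that runs over constructed records shaped like Microsoft 365 unified audit log entries for the New-InboxRule / Set-InboxRule operations (the field names follow those cmdlets' parameters; the users, IPs and rule contents are invented for the example). It flags rules whose conditions match HR or payroll mail and whose action hides that mail (delete, move to a rarely-viewed folder, or mark as read), and then correlates findings by source IP, since one attacker typically sets up rules across several victims from the same infrastructure.

```python
"""Flag inbox rules that hide HR/payroll notifications in Exchange audit records.

Added example; the audit records below are constructed, not real log data.
"""

# Constructed sample records in the shape of Microsoft 365 unified audit log
# entries (Operation, UserId, ClientIP, Parameters[{Name, Value}]).
SAMPLE_AUDIT_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.edu", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "Workday;Payroll;Direct Deposit"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.edu", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.edu", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Identity", "Value": "Filter"},
                    {"Name": "FromAddressContainsWords", "Value": "workday.com"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "UserId": "alice@example.edu", "ClientIP": "203.0.113.7",
     "Parameters": []},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters whose values select which mail the rule acts on.
CONDITION_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
                    "From", "FromAddressContainsWords"}
# Terms that point at HR / payroll mail; extend to match your own HR systems.
HR_KEYWORDS = ("workday", "payroll", "direct deposit", "bank account")
# Folders a user rarely opens; moving mail there is functionally the same as deleting it.
LOW_VISIBILITY_FOLDERS = ("rss subscriptions", "deleted items", "junk", "archive",
                          "conversation history")


def _params(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def hr_condition_hits(params):
    """Return 'Param~keyword' tags for every rule condition that targets HR mail."""
    hits = []
    for name in CONDITION_PARAMS:
        value = params.get(name, "").lower()
        hits.extend(f"{name}~{kw}" for kw in HR_KEYWORDS if kw in value)
    return sorted(hits)


def hiding_actions(params):
    """Return the rule actions that would keep the matched mail out of the user's sight."""
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    folder = params.get("MoveToFolder", "")
    if any(f in folder.lower() for f in LOW_VISIBILITY_FOLDERS):
        reasons.append(f"MoveToFolder={folder}")
    if params.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead")
    return reasons


def find_suspicious_inbox_rules(records):
    """Rules with an HR-targeting condition AND a hiding action, in log order."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = _params(rec)
        conditions, actions = hr_condition_hits(params), hiding_actions(params)
        if conditions and actions:
            findings.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                             "operation": rec["Operation"],
                             "rule": params.get("Name") or params.get("Identity"),
                             "conditions": conditions, "actions": actions})
    return findings


def shared_source_ips(findings):
    """IPs that planted hiding rules in more than one mailbox: one actor, many victims."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["client_ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = find_suspicious_inbox_rules(SAMPLE_AUDIT_RECORDS)
    for f in found:
        print(f"{f['user']:<20} {f['operation']:<14} rule={f['rule']!r} "
              f"conditions={f['conditions']} actions={f['actions']}")
    print("shared source IPs:", shared_source_ips(found))
```

Bob's rule is ignored because it neither targets HR mail nor hides it, which keeps the alert volume manageable; in a real deployment the next step is to pair each hit with the sign-in that preceded it (the AiTM session in the digest's scenario) and with any Workday payment-election change for the same user.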

Hackers claim Discord breach exposed data of 5.5 million users

Discord says they will not be negotiating with threat actors who claim to have stolen the data of 5.5 million unique users from the company's Zendesk support system instance, including government IDs and partial payment information for some people.

BleepingComputer

🚨 Salesloft breach fallout worsens.
βœ”οΈ Tokens for Salesforce, Slack, Google Workspace, AWS & Azure stolen
βœ”οΈ Google GTIG: orgs should assume compromise
βœ”οΈ Exfiltration ongoing since Aug 8
βœ”οΈ Salesforce now blocks Salesloft Drift
πŸ’¬ Is β€œauthorization sprawl” the Achilles heel of SSO/cloud identity?
πŸ”” Follow @technadu for threat intel breakdowns.

#SalesloftBreach #OAuthCompromise #AIChatbotSecurity #Drift #EnterpriseSecurity #TokenTheft #SaaSRisk

Key Points:
➑️ Malicious PyPi package 'pycord-self' targets Discord developers, stealing authentication tokens and creating a backdoor for remote control.
➑️ Introduced in June 2024, downloaded 885 times.
➑️ Token theft and backdoor installation are the primary malicious functions.
➑️ Developers should verify package sources, review code, and use scanning tools to enhance security.

https://news.lavx.hu/article/malicious-pypi-package-poses-threat-to-discord-developers-a-deep-dive

#PyPI #DiscordAPI #CyberSecurity #TokenTheft #Backdoor #Malware #DevOps #Python

RT by @SwiftOnSecurity: Microsoft Entra ID Token Protection is a security feature within Microsoft Entra’s Conditional Access that aims to mitigate token theft by ensuring that a token can only be used from the device it was issued to. This is achieved through a process called token binding, which creates a cryptographically secure link between the token and the device.

If a threat actor were to steal a token, without the corresponding client secret from the device, the token would be rendered useless.

This protection is particularly important because token theft, while relatively rare, can lead to significant security breaches if the threat actor impersonates the victim until the token expires or is revoked.

Do you want to learn more about token protection and how to enforce it in Microsoft Entra ID? Read my latest blog post! 👇👇

https://www.cswrld.com/2024/04/microsoft-entra-id-token-protection-explained/

#entraid #authentication #tokenprotection #tokentheft #conditionalaccess #cybersecurity #tips

πŸ¦πŸ”—: https://nitter.oksocial.net/lukasberancz/status/1778023275303469466#m

[2024/04/10 11:32]

SwiftOnSecurity (@SwiftOnSecurity)

computer security person. former helpdesk.


Microsoft Entra ID Token Protection explained

Microsoft Entra ID Token Protection is a security feature within Microsoft Entra's Conditional Access that aims to mitigate token theft by ensuring that a token can only be used from...

Cybersecurity World

I'd like to point out this really interesting article on the topic: Token Theft Talk.

Key points and topics covered:

- Primary Refresh Tokens (PRT) on all operating system platforms have been hardened against theft from day one. The level of protection depends on operating system capabilities, with Windows offering the strongest protection.

- First line of defense against token theft is protecting your devices by deploying endpoint protections, device management, MFA (and moving towards phishing-resistant credentials), and antimalware

You can reduce token theft by carefully orchestrating Entra ID security products:

▶ Addressing token theft of sign-in session artifacts: Conditional Access: Token protection policy offers cryptographic protection against replay of stolen tokens.

▶ Addressing token theft of app session artifacts: block usage of stolen access tokens and workload cookies outside of your corporate network by using Conditional Access.

▶ Detecting token theft: enable risk detections with Microsoft Entra ID Protection to elevate user risk when token theft is suspected.

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/addressing-data-exfiltration-token-theft-talk/ba-p/3915337

#microsoft #microsoftsecurity #entraid #azuread #azure #idp #token #tokentheft #cloudsecurity #identity #prt #cookies #identityprotection #mfa #cae #conditionalaccess #refreshtoken #token

Addressing Data Exfiltration: Token Theft Talk

Explore mitigations for theft-n-replay for various authentication scenarios and artifacts.

TECHCOMMUNITY.MICROSOFT.COM

Microsoft has published a very good summary of #AzureAD security trends in 2023, which covers post-authentication attacks such as #TokenTheft: https://microsoft.com/en-us/security/blog/2023/01/26/2023-identity-security-trends-and-solutions-from-microsoft/

If you are interested in learning more about token replay attacks, check the following blogs:

🔗 Token tactics: How to prevent, detect, and respond to cloud token theft by Microsoft DART team: https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-to-prevent-detect-and-respond-to-cloud-token-theft/

This article describes Adversary-in-the-middle (AitM) phishing/Pass-the-cookie attack scenarios and recommendations.

🔗 Abuse and replay of Azure AD refresh token from Microsoft Edge in macOS Keychain:
https://www.cloud-architekt.net/abuse-and-replay-azuread-token-macos/

I wrote this blog post about token replay on #macOS devices last year. It covers an attack scenario for exfiltrating tokens from the Keychain, which is used to store cached Azure AD tokens for “logged in” Edge profiles on macOS devices.

🔗 Azure AD Attack & Defense: Replay of Primary Refresh (PRT) and other issued tokens from an Azure AD joined device:
https://github.com/Cloud-Architekt/AzureAD-Attack-Defense/blob/main/ReplayOfPrimaryRefreshToken.md

A comprehensive overview of attack and defense scenarios for the primary refresh token (PRT) and other tokens on Windows has been published by Sami Lamppu and me. The article includes many references and links to other community resources around this topic.

Improve identity strategy with Microsoft - Microsoft Security Blog

Learn about the latest identity-based cyberattacks and how your organization can create an integrated, layered defense with Microsoft.

Microsoft Security Blog

@datenschutzbochum

"Threat actors are stealing #authentication tokens already verified by multifactor authentication (MFA) to breach organizations' systems"

Seems to be a pretty nasty attack as organizations haven't considered #tokentheft as part of their #incident response plan... 🤨

#cybersecurity #cyberattack #mfa #microsoft