
Tenable, Qualys, Workday Data Breaches and Security Updates

Posted on September 14, 2025 by CWS

This week in cybersecurity serves as a stark reminder of the pervasive dangers throughout the digital supply chain, as several industry-leading firms disclosed significant data breaches.

The incidents, affecting vulnerability management giants Tenable and Qualys, as well as enterprise software provider Workday, all stemmed from a security flaw in a common third-party service.

This chain of disclosures highlights the cascading impact a single vulnerability can have on multiple, otherwise secure, organizations, raising serious questions about vendor risk management and trust within the ecosystem.

The breaches at Tenable and Qualys are particularly concerning, as they involved unauthorized access to systems containing sensitive customer data. Both companies have confirmed that the intrusion was linked to a third-party vendor, forcing them to launch comprehensive investigations and notify affected clients.

Similarly, Workday's announcement of a breach traced back to the same external service provider underscores the widespread nature of the threat. These events have put a spotlight on the security posture of vendors and the due diligence required to protect against supply chain attacks.

In addition to these high-profile incidents, our weekly recap delves into other significant security updates, newly discovered vulnerabilities, and patches released by major software developers.

We will analyze the technical details behind the breaches at Tenable, Qualys, and Workday, examine the broader implications for enterprise security, and provide insights into the latest threat intelligence to help you stay ahead of emerging risks.

Threats

Lazarus APT Employs "ClickFix" Social Engineering in Espionage Campaigns

The North Korean-linked Lazarus APT group is now using the "ClickFix" social engineering technique to deploy malware and steal sensitive intelligence. This method involves tricking victims with fake technical problems and guiding them through malicious "fixes". In a recent campaign, the group used this technique within fake job recruitment scenarios. Victims were lured to fraudulent interview websites and told they had camera configuration issues. The offered "fix" was a malicious batch script that downloaded the BeaverTail information-stealing malware, disguised as an NVIDIA driver update.

The attack is designed for both Windows and macOS, demonstrating the group's cross-platform capabilities. The malware establishes persistence through registry modifications and communicates with multiple command-and-control servers to ensure long-term access to compromised systems.

US-China Trade Talks Targeted by APT41 Malware Campaign

U.S. federal authorities are investigating a sophisticated malware campaign attributed to the China-linked APT41 hacking group, which targeted sensitive trade negotiations between Washington and Beijing in July 2025. The attackers sent fraudulent emails impersonating U.S. Representative John Moolenaar, chairman of a House committee on China. The emails were sent to U.S. trade groups, law firms, and government agencies with the goal of harvesting intelligence on America's trade strategies.

The emails used subject lines like "Your insights are important" and contained malicious attachments disguised as draft legislation. Opening the attachment would deploy malware, giving attackers access to the target's network. The attack's timing was strategic, occurring just before key trade talks. The FBI and U.S. Capitol Police are investigating the incident.

LunaLock Ransomware Gang Threatens to Train AI with Stolen Artwork

A new ransomware group known as LunaLock is targeting independent artists with a novel extortion tactic: threatening to use their stolen artwork to train AI models. The group recently breached "Artists & Clients," a digital marketplace for illustrators, stealing and encrypting creative works and personal data. The attackers demanded a ransom of up to $80,000, warning that if it wasn't paid, all stolen artwork would be submitted to AI training datasets sold to major tech companies.

This is considered the first known instance of a ransomware group using the threat of AI training as leverage. The attack has left freelance artists vulnerable, with stolen data including portfolios, payment archives, and private chats.

MostereRAT Malware Targets Windows Systems with Advanced Evasion Tactics

A new Remote Access Trojan (RAT) named MostereRAT is targeting Microsoft Windows systems through a phishing campaign. Written in Easy Programming Language (EPL), a language rarely seen in cyberattacks, the malware uses multiple layers of advanced evasion techniques to gain full control over compromised machines. The campaign primarily targets Japanese users with phishing emails disguised as business inquiries.

MostereRAT can disable security tools, block antivirus traffic, escalate privileges by mimicking the powerful TrustedInstaller account, and install remote access tools like AnyDesk and TightVNC. Its ability to interfere with security protections makes it a significant threat.

Salat Stealer Malware Offered as a Service for Data Exfiltration

A sophisticated Go-based information stealer called Salat Stealer is actively targeting Windows systems to exfiltrate browser credentials, cryptocurrency wallet data, and session information. Operating under a Malware-as-a-Service (MaaS) model, it is likely run by Russian-speaking actors and provides a turnkey solution for cybercriminals.

The malware uses advanced techniques to achieve persistence and evade detection, including UPX packing, process masquerading, registry run keys, and scheduled tasks. It encrypts stolen data before sending it to its command-and-control server, making it a stealthy and persistent threat capable of causing financial loss and identity theft.

Scattered LAPSUS$ Hunters Hacking Group Announces Permanent Shutdown

The notorious cybercrime collective known as "Scattered LAPSUS$ Hunters 4.0" has announced it is permanently ceasing public operations. The declaration was made on their Telegram channel on September 8, 2025, marking an abrupt end for a group known for high-profile attacks against major corporations using sophisticated social engineering and identity-centric tactics.

The group's strategy was often described as "log in, not hack in," focusing on compromising legitimate user accounts to bypass traditional security defenses. Their methods included voice phishing (vishing), SIM swapping, and MFA fatigue attacks. The reasons for their sudden departure remain unclear, with speculation pointing to internal pressures or law enforcement intervention.

Cyber Attacks

Massive Supply Chain Attack Hits 18 Popular NPM Packages

A major supply chain attack compromised 18 popular npm packages, including chalk, debug, and supports-color, which collectively have over two billion weekly downloads. The attack, which began around September 8, 2025, involved injecting malicious code designed to steal cryptocurrency from users. The malware intercepts and manipulates in-browser cryptocurrency transactions, rewriting wallet addresses to redirect funds to attacker-controlled accounts. The maintainer of the packages fell victim to a phishing attack after receiving a fraudulent email from a domain masquerading as npm support.

Jaguar Land Rover Halts Production Following Cyberattack

Jaguar Land Rover (JLR) was forced to shut down production at its UK manufacturing plants and has suspended its global operations following a significant cyberattack. The company is currently investigating the incident and is working to restore its systems. The full extent of the attack and the financial impact have not yet been disclosed. This incident highlights the increasing trend of cyberattacks targeting the automotive industry, causing major disruptions to supply chains and production lines.

New Cyberattack Weaponizes DeskSoft's App Builder

A new cyberattack campaign is exploiting a legitimate application from DeskSoft, a German software company, to deploy malware. Attackers are using DeskSoft's application builder to create malicious installers that appear to be genuine software. When executed, these installers deploy malware onto the victim's system. This technique allows attackers to bypass some security measures that might otherwise flag a standalone malicious file.

DarkSamurai APT Group Uses Malicious LNK Files in New Campaign

The DarkSamurai APT group has been identified in a new campaign that uses malicious LNK files to compromise targets. The group, known for its targeted attacks, hides malicious payloads within these shortcut files. Once a user clicks the LNK file, it executes a script that downloads and runs malware on the system. This method is part of a larger trend of threat actors using non-executable file types to initiate infections and evade detection.

Novel Phishing Attack Mimics Google AppSheet to Bypass Security

A new and sophisticated phishing campaign is using Google AppSheet to create convincing phishing pages that bypass traditional email security filters. Attackers are leveraging the legitimate Google service to host malicious forms and pages, making them appear trustworthy to victims. The phishing emails often impersonate well-known services and prompt users to enter their credentials on the fraudulent AppSheet page. This technique abuses the trust associated with Google's domains to increase the success rate of the phishing attacks.

Vulnerabilities

Salesloft-Drift Cyberattack Linked to GitHub Compromise

A major supply-chain attack that affected over 700 organizations, including Cloudflare, Zscaler, and Palo Alto Networks, has been traced back to a compromise of Salesloft's GitHub account beginning as early as March 2025. Threat actors leveraged this access to steal OAuth authentication tokens from Salesloft's Drift chat platform. The attackers, identified by Google as UNC6395, used the stolen tokens between August 8 and August 18 to exfiltrate data, primarily business contact information, from customers' integrated applications like Salesforce. In response, Salesloft engaged Mandiant for an investigation, took the Drift platform offline, and has since contained the incident.

Windows Defender Vulnerable to Service Hijacking

A severe vulnerability in Windows Defender's update process allows an attacker with administrator privileges to disable the security service by leveraging a symbolic link attack. The flaw lies in how the WinDefend service selects its execution folder during an update. An attacker can create a symbolic link with a higher version number in the ProgramData\Microsoft\Windows Defender\Platform directory, redirecting the service to an attacker-controlled folder. This allows them to manipulate Defender's core files, perform DLL side-loading attacks, or simply delete the executables to disable the service, leaving the system unprotected.
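As an added defender-side check (not code from the original article), the following PowerShell script audits the Platform directory from which the WinDefend service picks its version folder: it flags any version folder that is a reparse point (symbolic link or junction) and confirms that the binary the service actually launches lives in that directory and carries a valid Microsoft Authenticode signature. The folder-name pattern (4.18.x.y-N), MsMpEng.exe as the service executable, and an elevated session are assumptions.

```powershell
# Added defensive audit, not code from the original article.
# Assumptions: elevated session; Platform version folders are named like
# 4.18.x.y-N; MsMpEng.exe is the Defender service executable in each folder.

$PlatformDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'

function Get-DefenderPlatformAudit {
    param([string]$Path = $PlatformDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Platform directory not found: $Path"
    }

    # -Force includes hidden folders; only directories are candidates for selection.
    Get-ChildItem -LiteralPath $Path -Directory -Force | ForEach-Object {
        $ver = $null
        # Strip the trailing "-N" build suffix so [version] can parse the name.
        $parses = [version]::TryParse(($_.Name -replace '-\d+$', ''), [ref]$ver)
        $isLink = [bool]($_.Attributes -band [IO.FileAttributes]::ReparsePoint)

        [pscustomobject]@{
            Folder         = $_.Name
            Version        = if ($parses) { $ver } else { $null }
            IsReparsePoint = $isLink
            LinkTarget     = if ($isLink) { @($_.Target) -join ', ' } else { $null }
            HasEngineExe   = Test-Path -LiteralPath (Join-Path $_.FullName 'MsMpEng.exe')
        }
    } | Sort-Object Version -Descending
}

function Test-WinDefendServiceBinary {
    # The path the service control manager will actually launch.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
    if (-not $svc) { throw 'WinDefend service not found.' }

    if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($svc.PathName -split ' ')[0] }

    $sig = Get-AuthenticodeSignature -FilePath $exe
    [pscustomobject]@{
        ServicePath     = $exe
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        InPlatformDir   = $exe.StartsWith($PlatformDir, [StringComparison]::OrdinalIgnoreCase)
    }
}

$audit = Get-DefenderPlatformAudit
$audit | Format-Table -AutoSize

# Any reparse point among the version folders is exactly the condition the
# article describes; the highest-versioned entry is the one the service would pick.
$links = $audit | Where-Object IsReparsePoint
if ($links) {
    Write-Warning "Reparse point(s) found under Platform: $($links.Folder -join ', ')"
}

$svcCheck = Test-WinDefendServiceBinary
$svcCheck | Format-List
if (-not $svcCheck.InPlatformDir -or
    $svcCheck.SignatureStatus -ne 'Valid' -or
    $svcCheck.Signer -notlike '*Microsoft*') {
    Write-Warning 'WinDefend binary is outside Platform or not validly signed by Microsoft; investigate.'
}
```

Run it periodically or from an EDR scheduled task; a warning from either check is a strong indicator that the selection path has been tampered with.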

SAP Releases September 2025 Security Patch Day Updates

SAP has released its September 2025 Security Patch Day, addressing 17 new security notes and updating 3 earlier ones. The updates include two "Hot News" vulnerabilities with a CVSS score of 10.0, which affect SAP NetWeaver AS for Java. These critical flaws, tracked as CVE-2025-41235 and CVE-2025-41236, could allow an unauthenticated attacker with network access to gain full control of the system. Another high-severity vulnerability (CVSS 8.1) in SAP CRM WebClient UI was also patched.

Zoom Patches High-Severity Flaw in Meeting SDK

Zoom has issued a security update for its Meeting SDK for Windows, addressing a high-severity improper input validation vulnerability (CVE-2025-42993). This flaw, which has a CVSS score of 7.5, could allow an authenticated user to cause a denial of service via network access. The vulnerability affects Zoom Meeting SDK for Windows versions before 5.17.10. Users and administrators are advised to update to the patched version to mitigate the risk.

Ivanti Patches Critical RCE Flaws in Endpoint Manager (EPM)

Ivanti has addressed several critical remote code execution (RCE) vulnerabilities in its Endpoint Manager (EPM) software. The most severe of these, with a CVSS score of 9.8, could allow an unauthenticated attacker to execute arbitrary code on the core server. These vulnerabilities affect all supported versions of Ivanti EPM. The company has released patches and strongly recommends that all customers apply them immediately to prevent potential exploitation.

Fortinet Fixes Critical FortiDDoS OS Command Injection Flaw

Fortinet has patched a critical OS command injection vulnerability in FortiDDoS, its distributed denial-of-service mitigation appliance. Tracked as CVE-2025-44365, the flaw has a CVSS score of 9.8 and allows an authenticated attacker to execute arbitrary commands on the system via specially crafted HTTP requests. The vulnerability affects several versions of FortiDDoS. Fortinet has released updated firmware versions to address the issue and urges customers to upgrade their appliances as soon as possible.

Microsoft's September 2025 Patch Tuesday Fixes 62 Flaws

Microsoft's September 2025 Patch Tuesday release includes fixes for 62 vulnerabilities, with five classified as critical. Key patches address remote code execution flaws in Microsoft Exchange Server, Windows DHCP Server, and Visual Studio. One of the Exchange vulnerabilities (CVE-2025-23875) is noted as "Exploitation More Likely." Additionally, a zero-day elevation of privilege vulnerability in the Windows Kernel (CVE-2025-23974), which was publicly disclosed, has also been patched.

Data Breaches

Widespread Supply Chain Attack Hits Major Tech Companies via Salesloft Drift

A sophisticated and widespread supply chain attack targeting the Salesloft Drift marketing application has resulted in data breaches at numerous major technology companies. The campaign allowed threat actors to gain unauthorized access to data stored within the companies' Salesforce CRM environments by exploiting a vulnerability in the third-party integration. The incident highlights the significant risks associated with third-party applications integrated into core business platforms.

Tenable Confirms Customer Data Exposure

Tenable confirmed it was impacted by the breach, which exposed customer contact information and details from support cases. The compromised data, stored in Tenable's Salesforce instance, included names, business email addresses, phone numbers, and the subject lines of support inquiries. The company emphasized that its core products were not affected and has since revoked compromised credentials and disabled the vulnerable application to mitigate the threat.

Qualys's Salesforce Data Accessed in Attack

Cloud security provider Qualys announced it also fell victim to the supply chain attack, leading to unauthorized access to some of its Salesforce data. Qualys clarified that the incident did not affect its production environments or the Qualys Cloud Platform. The breach was limited to information accessible through the compromised Salesloft Drift integration.

Dynatrace Breach Exposes Customer Contact Information

Observability platform Dynatrace reported that the breach exposed customer business contact information stored within its Salesforce environment. The company reassured its customers that the incident was contained to its CRM platform and did not compromise any of its core products, services, or sensitive customer telemetry data. Dynatrace promptly disabled the Drift application upon learning of the third-party compromise.

Elastic Discloses Email Account Compromise

In a related incident stemming from the Salesloft Drift compromise, Elastic disclosed that an unauthorized actor gained read-only access to a single email account via the "Drift Email" integration. The company's investigation confirmed that its Salesforce environment was not impacted. Elastic scanned the exposed inbox for sensitive information and notified the small number of customers whose credentials may have been compromised.

Workday Targeted in Coordinated Campaign

Workday, a leading provider of enterprise cloud applications, confirmed it suffered a data breach as part of the same attack campaign. The incident, which Workday became aware of on August 23, 2025, involved unauthorized access to its third-party CRM platform through the Salesloft Drift application. The company responded by disconnecting the app and launching a full investigation.

SpamGPT: AI-Powered Phishing-as-a-Service

A new cybercrime toolkit named SpamGPT is being sold on the dark web, allowing attackers to launch large-scale, effective phishing campaigns. The "spam-as-a-service" platform uses an AI assistant, "KaliGPT," to automate the creation of convincing phishing emails, lowering the technical skill required to conduct such attacks. SpamGPT is marketed as an all-in-one solution that mimics legitimate email marketing services but is designed for illegal activities. It abuses trusted cloud services like Amazon AWS and SendGrid to ensure inbox delivery and bypass security filters. For $5,000, the toolkit also includes a training program for compromising SMTP servers, enabling even low-skilled actors to execute widespread attacks. This development underscores the need for organizations to implement strong email authentication protocols like DMARC, SPF, and DKIM, and to deploy AI-powered security solutions to detect AI-generated phishing content.

Forensic Analysis of Microsoft Azure Storage

Security researchers have detailed a forensic methodology for investigating security incidents within Microsoft Azure Storage services. The approach involves collecting and analyzing logs from various sources, including Azure Monitor Logs, Storage Analytics Logs, and Microsoft Defender for Cloud. Key artifacts in an investigation include access patterns, IP addresses, user agents, and API call authentications, which help in reconstructing the attacker's actions. Understanding shared access signature (SAS) token abuse and identifying anomalous data access or exfiltration are critical components of the analysis. The research provides a structured approach for security teams to effectively respond to and investigate threats in cloud storage environments, which are increasingly targeted by attackers.

Hackers Exploit Microsoft Teams for Malicious Link Delivery

Cybercriminals are increasingly exploiting Microsoft Teams to deliver malicious links, bypassing traditional email security gateways. A new attack campaign uses compromised accounts to send messages containing seemingly legitimate links, such as for shared documents or meeting invites. When a user clicks the link, they are redirected through a series of servers to a phishing page designed to steal credentials or a landing page that delivers malware. Because the links are shared within the trusted environment of Teams, users are more likely to click on them. The technique highlights a shift in attack vectors as threat actors adapt to target collaboration platforms that have become central to modern business operations.

The Rise of "Evil AI": AI-Enhanced Hacking Tools

A new class of AI-enhanced tools, dubbed "Evil AI," is emerging, designed specifically for malicious purposes like spreading disinformation, creating deepfakes, and launching sophisticated cyberattacks. Unlike general-purpose AI models that may have safeguards, these tools are built without ethical constraints to assist cybercriminals. They can be used to generate highly convincing phishing emails, create malware that can alter its code to evade detection (polymorphic malware), and automate vulnerability discovery. The development of such tools represents a significant threat, as it can accelerate the pace and scale of cybercrime.

Villager: An AI-Powered Penetration Testing Tool

A new open-source tool called Villager leverages AI to enhance penetration testing and red team operations. Villager acts as an AI-powered agent that can assist with various phases of an engagement, from reconnaissance and vulnerability scanning to privilege escalation and lateral movement. The tool can interpret natural language commands, allowing security professionals to direct the AI to perform complex tasks, such as "find all web servers vulnerable to SQL injection on this network." By integrating with existing penetration testing frameworks and tools, Villager aims to augment the capabilities of security testers, allowing them to operate more efficiently and effectively.

Analysis

Salesloft Breach Traced to GitHub Compromise, Affecting 700+ Companies

A massive supply-chain attack that targeted customers of Salesloft's Drift integration has been traced back to a compromised GitHub account. The incident, which unfolded in August 2025, impacted over 700 organizations, including high-profile tech companies like Cloudflare, Zscaler, and Palo Alto Networks.

Investigators from Google's Mandiant unit revealed that an unauthorized actor had access to Salesloft's GitHub account from March to June 2025. During this time, the threat actor, tracked as UNC6395, stole OAuth authentication tokens for the Drift platform. These tokens were then used between August 8 and August 18 to gain unauthorized access to customers' connected applications, most notably Salesforce instances. The attackers exfiltrated sensitive data, including customer relationship management (CRM) information, support cases, and embedded secrets like API keys. The breach extended beyond Salesforce to other integrations like Google Workspace and Slack. In response, Salesloft and Salesforce globally disabled all Drift integrations on August 20, and the Drift application was taken offline on September 5, 2025.

New ClickFix Attack Lures Victims with "Free WiFi" Offer

A new social engineering campaign is using the promise of "Free WiFi" to trick users into executing malicious PowerShell malware. This attack is a variant of the ClickFix technique, a method that has seen a 517% surge in the first half of 2025.

The ClickFix tactic deceives users by presenting a fake error message, CAPTCHA, or other lure that instructs them to copy and paste a script into a command-line interface to "fix" a non-existent problem. Because the victim runs the malicious code themselves, this technique effectively bypasses many browser and endpoint security protections. This attack vector is used to deliver a wide range of malware, including information stealers, ransomware, and remote access trojans (RATs). First observed in early 2024, the ClickFix technique has become a popular and effective tool for threat actors.

Nmap vs. Wireshark: Understanding Two Essential Network Tools

Nmap and Wireshark are fundamental tools in network analysis and security, but they serve distinct purposes. Nmap is an active scanner, while Wireshark is a passive analyzer.

Nmap (Network Mapper) is used for network discovery and security auditing. It actively sends packets to a network to discover hosts, identify open ports, detect running services, and fingerprint operating systems. It provides a high-level map of the network and its potential vulnerabilities.

Wireshark is a network protocol analyzer that captures and provides a detailed, low-level view of traffic on a network in real time. It does not send packets itself but listens to data traveling across the network. It is used for troubleshooting network problems, investigating security issues, and deep-diving into specific communication protocols by inspecting the contents of individual packets.

In practice, the tools are complementary. An administrator might use Nmap to identify an unusual open port and then use Wireshark to capture and analyze the traffic going to and from that port to understand what is happening.
