Cybersecurity is an ever-evolving field, with new threats and vulnerabilities emerging every week. For security and IT teams, the challenge lies in staying informed and prioritizing the most critical risks. This digest aims to provide a clear, concise briefing to help focus on what matters most.
This week, the spotlight is on the Salesloft–Drift breach, where attackers stole OAuth tokens and gained access to Salesforce data from major tech companies. This incident serves as a stark reminder of the vulnerabilities that integrations can introduce into enterprise defenses.
In addition, we’ll delve into several high-risk CVEs currently being actively exploited, recent activities by advanced threat actors, and insights on streamlining security workflows to be more efficient. Each section is designed to provide essential information to help you stay prepared and informed without getting overwhelmed by the noise.
⚡ Threat of the Week
Salesloft to Take Drift Offline Amid Security Incident — Following a supply chain attack targeting the marketing software-as-a-service Drift, Salesloft has announced plans to temporarily take Drift offline to review the application thoroughly and enhance its security. The breach resulted in the theft of authentication tokens, affecting companies such as Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and others. The attack has been attributed to threat clusters UNC6395 and GRUB1 by Google and Cloudflare, respectively.
🔔 Top News
- Sitecore Flaw Under Active Exploitation in the Wild — Unknown actors are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution through a publicly exposed key, deploying malware for internal reconnaissance and persistence across compromised environments.
- Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group APT28 has deployed a new Microsoft Outlook backdoor called NotDoor (GONEPOSTAL) in attacks targeting companies in NATO member countries, enabling data exfiltration, file uploads, and command execution on compromised systems.
- New GhostRedirector Actor Hacks 65 Windows Servers in Brazil, Thailand, and Vietnam — The newly discovered threat cluster GhostRedirector has compromised at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam, deploying a passive backdoor called Rungan and an IIS module named Gamshen for SEO fraud services.
- Google Fixes 2 Actively Exploited Android Flaws — Google has released security updates addressing 120 vulnerabilities in its Android operating system, including two flaws actively exploited in targeted attacks, one in the Linux Kernel and the other in Android Runtime.
- Threat Actors Claim to Weaponize HexStrike AI in Real-World Attacks — Threat actors are using the AI offensive security tool HexStrike AI to exploit recently disclosed security flaws, repurposing defensive tools into offensive engines for real-world attacks.
- Iranian Hackers Linked to Attacks Targeting European Embassies — An Iran-linked group conducted coordinated spear-phishing campaigns targeting embassies and consulates in Europe and other regions globally, disguising emails as legitimate diplomatic communications to spearhead broader regional espionage efforts.
🔥 Trending CVEs
Hackers move quickly, exploiting new flaws within hours. Missing a single update or leaving a CVE unpatched can lead to significant damage. Here are this week’s high-risk vulnerabilities making headlines:
This week’s list includes CVE-2025-53690 (Sitecore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Next.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Client for Windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Pro plugin), CVE-2025-53772 (Web Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613 (Google Web Designer).
📰 Around the Cyber World
- New AI Waifu RAT Disclosed — Researchers have uncovered a potent Windows-based remote access trojan called AI Waifu RAT that leverages a large language model to receive and execute commands. It is marketed to LLM role-playing communities as a way to give AI characters personalized role-playing capabilities, while also granting arbitrary code execution on the host.
- DoJ: “Not all heroes wear capes. Some have YouTube channels” — The U.S. Department of Justice credited YouTube channels Scammer Payback and Trilogy Media for their role in identifying and dismantling a multinational fraud ring that stole over $65 million from senior citizens through scam activities conducted by a Chinese organized crime ring.
- Analysis of BadSuccessor Patch — Microsoft’s August 2025 Patch Tuesday update addressed the BadSuccessor vulnerability (CVE-2025-53779) that exploited a loophole in dMSA, allowing attackers to manipulate and compromise critical accounts in Active Directory by creating a dMSA linked to any target account.
- Phishers Pivot to Ramp and Dump Scheme — Cybercriminal groups are now targeting brokerage accounts to manipulate foreign stock prices as part of a ramp and dump scheme, leveraging phishing kits that convert stolen card data into mobile wallets.
- Popular C2 Frameworks Exploited by Threat Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike have emerged as the most frequently used command-and-control frameworks in malicious attacks, with attackers customizing C2 agents to automate malicious activities and evade detection.
- Fake PDF Converters Deliver JSCoreRunner macOS Malware — Malicious apps posing as PDF converters are delivering macOS malware called JSCoreRunner, which establishes connections with remote servers, modifies Chrome browser settings, and exposes users to data and financial theft.
- Copeland Releases Fixes for Frostbyte10 Flaws — Copeland has issued a firmware update to address ten vulnerabilities in Copeland E2 and E3 controllers, collectively named Frostbyte10, which could have allowed unauthorized actors to remotely manipulate parameters, execute remote code, and gain access to sensitive operational data.
- Over 1,000 Ollama Servers Exposed — A study by Cisco found over 1,100 exposed Ollama servers, with approximately 20% hosting models vulnerable to unauthorized access, highlighting the need for security baselines in LLM deployments.
- Tycoon Phishing Kit Evolves — The Tycoon phishing kit has been updated to support URL-encoding techniques for hiding malicious links in fake voicemail messages, bypassing email security checks by targeting brokerage services and using compromised accounts to manipulate foreign stock prices.
- U.S. State Department Offers Up to $10M for Russian Hackers — The U.S. Department of State is offering a bounty of up to $10 million for information on three Russian FSB officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government.
- XWorm Malware Uses Sneaky Methods to Evade Detection — XWorm malware is using deceptive techniques to evade detection and increase its success rate, leveraging a PowerShell script to drop a cryptocurrency miner called NBMiner through an AutoIt loader.
- 2 E-Crime Groups Use Stealerium Stealer in New Campaigns — Two cybercriminal groups have conducted phishing campaigns using the Stealerium information stealer to target senior employees and compromise their credentials, impersonating legitimate brands and engaging in subscription fraud.
- Czechia Issues Warning Against Chinese Tech in Critical Infrastructure — NÚKIB, the Czech Republic’s cybersecurity agency, has issued a bulletin warning against technology systems transferring data to or remotely managed from China, citing risks of influencing critical infrastructure operations.
- Google Chrome 140 Gains Support for Cookie Prefixes — Google Chrome version 140 has introduced support for cookie prefixes, a security feature designed to protect server-set cookies from client-side modifications by adding a text prefix before cookie names to prevent unauthorized changes.
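The item above describes the effect of cookie prefixes but not the rules a browser enforces. The following is an added example, not code from the digest or from Google: a small server-side check for a `Set-Cookie` header against the two long-standing prefixes defined in RFC 6265bis, `__Secure-` (must carry `Secure`) and `__Host-` (must carry `Secure`, must not set `Domain`, and must set `Path=/`). Browsers that implement prefixes silently reject a cookie that violates these rules, so checking a header before it is emitted tells you why a session cookie never arrived. The digest does not name which prefixes Chrome 140 adds, so this example covers only the two above; the function names and sample headers are constructed for illustration.

```javascript
// Added example: validate Set-Cookie headers against cookie-prefix rules
// (RFC 6265bis __Secure- and __Host-). Not part of the original digest.

// Split a Set-Cookie header into its name, value and attribute map.
// Attribute names are case-insensitive; flag attributes (Secure, HttpOnly)
// are stored as `true`, valued attributes keep their string value.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(p => p.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    if (a === '') continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Return { name, prefixed, valid, problems } for one Set-Cookie header.
// A cookie without a prefix is always "valid" here: the prefix rules only
// apply to names that opt in by starting with __Host- or __Secure-.
function checkCookiePrefix(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  const hasSecure = attributes.secure === true;
  const isHost = name.startsWith('__Host-');
  const isSecure = name.startsWith('__Secure-');

  if (isHost) {
    // __Host- binds the cookie to exactly one secure origin.
    if (!hasSecure) problems.push('__Host- cookie must carry the Secure attribute');
    if ('domain' in attributes) problems.push('__Host- cookie must not set a Domain attribute');
    if (attributes.path !== '/') problems.push('__Host- cookie must set Path=/');
  } else if (isSecure) {
    // __Secure- only requires that the cookie never travels over plain HTTP.
    if (!hasSecure) problems.push('__Secure- cookie must carry the Secure attribute');
  }

  return { name, prefixed: isHost || isSecure, valid: problems.length === 0, problems };
}

// Constructed sample headers; run with `node` to see each verdict.
const SAMPLE_HEADERS = [
  '__Host-session=abc123; Secure; Path=/; HttpOnly; SameSite=Lax',
  '__Host-session=abc123; Secure; Domain=example.com; Path=/',
  '__Secure-id=42; Path=/',
  'legacy=1; Path=/',
];

for (const h of SAMPLE_HEADERS) {
  const r = checkCookiePrefix(h);
  console.log(`${r.valid ? 'OK  ' : 'FAIL'} ${r.name}`, r.problems.join('; '));
}
```

In a real deployment this check belongs in the response path (or a test that exercises it), since an application that sets a `__Host-` cookie with a `Domain` attribute will see every browser drop it and will typically misdiagnose the result as a session bug rather than a rejected cookie.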
- New Ransomware Strains Detailed — New ransomware groups LunaLock and Obscura have emerged, with LunaLock extorting a global art-commissioning portal and Obscura targeting victims with a Go-based ransomware variant that terminates security tools.
- E.U. Court Backs Data Transfer Deal Agreed by U.S. and E.U. — The General Court of the Court of Justice of the European Union has dismissed a lawsuit seeking to annul the E.U. and U.S. Data Privacy Framework, ruling that the treaty adequately safeguards the personal data of E.U. citizens.
- Microsoft to Move to Phase 2 of MFA Enforcement in October 2025 — Microsoft announced plans to enforce multi-factor authentication (MFA) for Azure Portal sign-ins across all tenants, with the next phase starting on October 1, 2025, mandating MFA for users performing Azure resource management operations through various tools.
- Surge in Scanning Activity Targeting Cisco ASA — GreyNoise detected two scanning surges against Cisco ASA devices in August 2025, with the activity originating from multiple IP addresses mainly located in Brazil, Argentina, and the U.S.
- LinkedIn Expands Verification to Combat Job-Themed Scams — LinkedIn has introduced new measures to strengthen trust and ensure users interact with verified individuals, including verified Premium Company Pages and workplace verification requirements for high-level titles.
- Hotelier Accounts Targeted in Malvertising and Phishing Campaign — A large-scale phishing campaign has targeted senior employees in the hotel industry, using deceptive tactics to trick victims into sharing corporate credentials through fake OneDrive document-sharing notifications.
- DamageLib Emerges After XSS Forum Takedown — A new cybercrime forum called DamageLib has seen significant growth following the takedown of the XSS forum in July 2025, attracting over 33,000 users and becoming a hub for cybercriminal activities.
- GhostAction Supply Chain Attack Steals 3,325 Secrets — The GhostAction supply chain attack injected a malicious GitHub workflow to exfiltrate 3,325 secrets from 327 GitHub users across 817 repositories, highlighting the risks posed by supply chain attacks.
- New Campaign Abuses Simplified AI to Steal Microsoft 365 Credentials — A phishing campaign has leveraged the Simplified AI platform to develop malicious chatbots impersonating legitimate brands, tricking users into revealing their Microsoft 365 credentials through deceptive interactions.
- AI-Powered Android Vulnerability Discovery and Validation Tool — Researchers have developed an AI vulnerability identification system called A2 that validates Android vulnerabilities through a combination of agentic vulnerability discovery and validation phases, using AI models to simulate human bug hunting tactics.
- Spotify DM Feature Carries Doxxing Risks — The new messaging feature on Spotify has raised concerns over user privacy, as it suggests friends based on shared links, potentially revealing users’ real names and surfacing personal information.
- Spear-Phishing Campaign Targets C-Suite for Credential Theft — A sophisticated