Svoboda Cybersecurity Brief August 07, 2025

Google Confirms Data Breach via Salesforce Phishing Campaign

Google disclosed a June breach of its Salesforce instance by the threat actor UNC6040, which stole contact details of small and medium-sized business (SMB) clients. The group used voice phishing (vishing) to gain access to Salesforce environments for extortion, with ShinyHunters allegedly involved in the subsequent ransom demands.
Source: DataBreaches.net

Akira Ransomware Abuses Intel Driver to Disable Microsoft Defender

Akira ransomware abuses ThrottleStop’s legitimately signed rwdrv.sys driver in a bring-your-own-vulnerable-driver (BYOVD) attack to load a second driver, hlpdrv.sys, which disables Defender through registry manipulation. The same attacks also target SonicWall VPNs, potentially via a zero-day, and deploy Bumblebee malware via trojanized IT tools such as ManageEngine OpManager.
Impact: Kernel-level Defender bypass, ransomware execution.
Mitigation: Block known IoCs, restrict driver loading, monitor for regedit.exe abuse.
Source: BleepingComputer
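
As an added example (not from the brief or from the BleepingComputer report), the detection logic below runs over constructed Sysmon-style events and correlates the two stages described above: loads of rwdrv.sys or hlpdrv.sys on a host together with regedit.exe writing under the Windows Defender policy key. The event field names and the exact registry path are assumptions for illustration; the driver names are the ones the brief gives.

```python
# Driver names come from the brief; the Defender policy registry path is an
# assumption for illustration, not something the brief states.
SUSPECT_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}
DEFENDER_POLICY_KEY = r"hklm\software\policies\microsoft\windows defender"

# Constructed Sysmon-style events (not real telemetry). Event ID 6 = driver
# loaded, Event ID 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 6, "host": "ws01", "image": r"C:\Windows\System32\drivers\rwdrv.sys"},
    {"id": 6, "host": "ws01", "image": r"C:\Users\Public\hlpdrv.sys"},
    {"id": 13, "host": "ws01", "process": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"id": 6, "host": "ws02", "image": r"C:\Windows\System32\drivers\ndis.sys"},
    {"id": 13, "host": "ws02", "process": r"C:\Windows\regedit.exe",
     "target": r"HKCU\Software\Example\Setting"},
]

def base_name(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a 'kind:detail' finding for a suspicious event, else None."""
    if event["id"] == 6 and base_name(event["image"]) in SUSPECT_DRIVERS:
        return "driver-load:" + base_name(event["image"])
    if (event["id"] == 13 and base_name(event["process"]) == "regedit.exe"
            and event["target"].lower().startswith(DEFENDER_POLICY_KEY)):
        return "defender-policy-write:" + base_name(event["target"])
    return None

def findings_by_host(events):
    """Group findings per host so the two stages can be correlated."""
    out = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            out.setdefault(ev["host"], []).append(tag)
    return out

def hosts_with_chain(events):
    """Hosts showing both a suspect driver load and a Defender policy write
    by regedit.exe, i.e. the full sequence rather than a single weak signal."""
    hits = []
    for host, tags in findings_by_host(events).items():
        kinds = {t.split(":", 1)[0] for t in tags}
        if {"driver-load", "defender-policy-write"} <= kinds:
            hits.append(host)
    return sorted(hits)
```

A single driver load or a single policy write is worth a lower-severity alert on its own; the combined chain on one host is the high-confidence signal.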

ReVault Flaws Let Attackers Bypass Windows Login on 100+ Dell Laptops

Five CVEs (e.g., CVE-2025-24919) in Dell’s ControlVault3 firmware allow persistent firmware implants and Windows login bypass via physical access. Vulnerable models include Latitude and Precision laptops.
Impact: Credential theft, biometric auth bypass, stealthy persistence.
Mitigation: Apply Dell patches, disable unused security peripherals, enable chassis intrusion detection.
Source: BleepingComputer

Ghost Calls: New C2 Tactic Abuses Zoom/Teams TURN Servers

Attackers can tunnel C2 traffic through the WebRTC TURN servers of trusted conferencing services (Zoom, Teams) using the TURNt tool. The traffic blends in with legitimate video calls, evading firewalls and TLS inspection.
Impact: Covert C2, bypassing network defenses.
Mitigation: Monitor TURN traffic, restrict TURN credential usage, enforce MFA.
Source: BleepingComputer

Trend Micro Apex One Zero-Days Exploited in Attacks (CVE-2025-54948/54987)

Critical pre-authentication flaws in the Apex One Management Console allow remote code execution. They are being exploited in the wild; patches are due in mid-August 2025, and the interim mitigation disables the Remote Install Agent functionality.
Impact: Full system compromise via unauthenticated attacks.
Mitigation: Apply fix tool, restrict console access, await patches.
Source: SecurityWeek

CyberArk Conjur Flaws Allow Unauthenticated RCE, Secrets Theft

Five vulnerabilities (e.g., CVE-2025-49828) in CyberArk Conjur enable IAM bypass and RCE, potentially exposing stored credentials and certificates. Patches were released in July.
Impact: Secrets compromise, lateral movement.
Mitigation: Update Conjur, enforce least-privilege access.
Source: SecurityWeek

ShinyHunters’ Salesforce Campaign Hits Adidas, Cisco, Luxury Brands

UNC6040/ShinyHunters targeted Salesforce instances via vishing, exfiltrating data for extortion. Victims include Adidas, Cisco, and LVMH subsidiaries (Dior, Louis Vuitton), with one firm paying a $400K ransom.
Source: BleepingComputer

XSS Forum Admin Arrested in Europol-Led Operation

A 38-year-old Kiev resident, linked to the hacker handle “Toha,” was arrested for administering the XSS cybercrime forum (50K+ members). The forum hosted REvil, LockBit, and Conti affiliates.
Source: KrebsOnSecurity

AI-Powered Fake VPN/Spam Blocker Apps Linked to VexTrio Scams

VexTrio-operated apps (e.g., Spam Shield block) on Google Play/App Store trick users into fraudulent subscriptions, generating millions in ad revenue. Apps mimic VPNs, RAM cleaners, and dating services.
Source: The Hacker News

DaVita Discloses Ransomware Attack Affecting 1M+ Patients

Interlock ransomware breached DaVita Labs, stealing 1.5TB of sensitive health/financial data (SSNs, medical records). Costs hit $13.5M, excluding business interruption.
Source: SecurityWeek
