Svoboda Cybersecurity Brief August 27, 2025
Salesloft Breach Leads to Salesforce Data Theft via Stolen OAuth Tokens
Attackers compromised Salesloft and stole the OAuth and refresh tokens its Drift chat integration uses to reach customers' Salesforce instances, then used those tokens to query Salesforce data without ever touching Salesforce itself. Between August 8 and 18, 2025 the activity concentrated on harvesting credentials stored in Salesforce records, in particular AWS access keys, passwords, and Snowflake access tokens, presumably for follow-on intrusions into those environments. Google Threat Intelligence tracks the actor as UNC6395; ShinyHunters has separately claimed responsibility.
Impact: Credential theft from Salesforce data and potential downstream breaches of the cloud accounts those credentials unlock.
Mitigation: Salesforce and Salesloft have revoked the Drift tokens. Treat any secret that was stored in a Salesforce object as exposed and rotate it (AWS keys, Snowflake tokens, passwords); review Salesforce Event Monitoring and login history for queries from the Drift connected app during the window, especially credential-keyword searches and bulk exports; reauthenticate Drift only after the review is clean.
Source: BleepingComputer
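As an added worked example (not code from the brief, Salesforce, or Salesloft), the Python sketch below shows the log review the mitigation asks for: it isolates API events from the Drift connected app and flags credential-hunting SOQL and bulk exports, noting anything that falls outside the reported window, which would suggest a token that was not actually revoked. The event records and their field names are constructed for illustration and must be mapped from the org's own Event Monitoring export; the indicator strings (AKIA is the prefix of AWS access key IDs, snowflakecomputing.com is the Snowflake account hostname suffix) and the row threshold are analyst assumptions to tune against normal Drift traffic.

```python
import re
from datetime import datetime, timezone

# Compromise window reported for the Salesloft Drift token abuse (from the brief).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive, so Aug 8-18 inclusive

# Analyst-chosen indicators (assumption, not from any advisory): substrings an
# attacker mining Salesforce text fields for cloud credentials would search for.
CREDENTIAL_HUNT = re.compile(
    r"AKIA|password|passwd|secret|snowflakecomputing\.com|api[_-]?key",
    re.IGNORECASE,
)
BULK_ROWS_THRESHOLD = 10_000  # assumption: tune to the org's normal Drift volume

# Constructed, simplified API events (field names are ours, not Salesforce's).
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T03:14:07Z", "app": "Drift", "user": "drift-integration@example.com",
     "query": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'",
     "rows": 412},
    {"ts": "2025-08-12T22:01:55Z", "app": "Drift", "user": "drift-integration@example.com",
     "query": "SELECT Id, Name, Description FROM Account", "rows": 180_000},
    {"ts": "2025-08-12T09:30:00Z", "app": "Drift", "user": "drift-integration@example.com",
     "query": "SELECT Id, Email FROM Lead WHERE CreatedDate = TODAY", "rows": 35},
    {"ts": "2025-08-25T10:00:00Z", "app": "Drift", "user": "drift-integration@example.com",
     "query": "SELECT Id FROM User WHERE Email LIKE '%password%'", "rows": 0},
    {"ts": "2025-08-12T09:31:00Z", "app": "Sales Console", "user": "alice@example.com",
     "query": "SELECT Id, Name FROM Opportunity WHERE StageName = 'Closed Won'", "rows": 20},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, app_name="Drift"):
    """Return (reason, event) pairs for activity from app_name worth a human look."""
    findings = []
    for ev in events:
        if ev["app"] != app_name:
            continue  # only the compromised integration's connected app matters here
        reasons = []
        if CREDENTIAL_HUNT.search(ev["query"]):
            reasons.append("credential-hunting SOQL")
        if ev["rows"] >= BULK_ROWS_THRESHOLD:
            reasons.append("bulk export")
        in_window = WINDOW_START <= parse_ts(ev["ts"]) < WINDOW_END
        if reasons and not in_window:
            # Suspicious Drift activity after the window means the token may still be live.
            reasons.append("outside reported window: confirm the token was revoked")
        if reasons:
            findings.append((", ".join(reasons), ev))
    return findings


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['user']}: {reason}\n    {ev['query']}")
```

Run against the real export by loading each API event into the same dict shape; the queries themselves are the most telling artefact, since a chat integration has no business searching Case descriptions for key prefixes.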
Citrix NetScaler Zero-Day Exploited in Active Attacks (CVE-2025-7775)
Citrix patched a critical memory-overflow flaw (CVE-2025-7775) in NetScaler ADC and NetScaler Gateway that allows remote code execution or denial of service, and confirmed it is being exploited in the wild. The bug is reachable on appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, and on HTTP, SSL or HTTP_QUIC load-balancing virtual servers bound to IPv6 services or service groups; the Citrix bulletin lists a few further combinations. Two more flaws were fixed in the same release: CVE-2025-7776, a memory overflow in Gateway configurations that causes unpredictable behaviour and DoS, and CVE-2025-8424, improper access control on the management interface.
Impact: Remote code execution and DoS on unpatched systems.
Mitigation: Upgrade to NetScaler ADC/Gateway 14.1-47.48, 13.1-59.22, 13.1-FIPS/NDcPP 13.1-37.241, or 12.1-FIPS/NDcPP 12.1-55.330 (or later); there is no workaround. Versions 12.1 and 13.0 are end of life and remain vulnerable, so appliances on those branches need migrating rather than patching.
Source: The Hacker News
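Because the vulnerable surface depends on configuration, a quick way to scope exposure across a fleet is to read each appliance's ns.conf. The Python checker below is an added example (not from the brief or from Citrix): it flags every Gateway and AAA virtual server and every HTTP/SSL/HTTP_QUIC load-balancing virtual server bound to an IPv6 service or service group, which are the conditions the brief describes. The ns.conf excerpt is constructed and the line formats it parses (add vpn vserver, add authentication vserver, add lb vserver, add service, bind serviceGroup, bind lb vserver) are the common command forms; it is a triage aid, not a substitute for the version check or for the full affected-configuration list in the Citrix bulletin.

```python
import ipaddress

# Constructed ns.conf excerpt (not from a real appliance).
SAMPLE_NS_CONF = """\
add vpn vserver gw_users SSL 10.10.0.5 443
add authentication vserver aaa_portal SSL 10.10.0.6 443
add service web_v6 2001:db8::10 HTTP 80
add service web_v4 10.10.1.10 HTTP 80
add serviceGroup api_sg SSL
bind serviceGroup api_sg 2001:db8::20 443
add lb vserver lb_web SSL 10.10.0.7 443
add lb vserver lb_intranet HTTP 10.10.0.8 80
add lb vserver lb_api SSL 10.10.0.9 443
add lb vserver lb_tcp TCP 10.10.0.10 9000
bind lb vserver lb_web web_v6
bind lb vserver lb_intranet web_v4
bind lb vserver lb_api api_sg
bind lb vserver lb_tcp web_v6
"""

# LB virtual server types the brief names as affected when bound to IPv6 backends.
HTTP_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def is_ipv6(addr):
    """True if addr parses as an IPv6 address (names and IPv4 return False)."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def find_exposed_vservers(conf):
    """Return (vserver_name, reason) pairs matching the affected configurations."""
    exposed = []
    lb_type = {}            # lb vserver name -> service type
    ipv6_backends = set()   # services / service groups with an IPv6 member
    bindings = []           # (lb vserver, bound service or service group)
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        if parts[:3] == ["add", "vpn", "vserver"]:
            exposed.append((parts[3], "Gateway (VPN) vserver"))
        elif parts[:3] == ["add", "authentication", "vserver"]:
            exposed.append((parts[3], "AAA vserver"))
        elif parts[:3] == ["add", "lb", "vserver"] and len(parts) >= 5:
            lb_type[parts[3]] = parts[4]
        elif parts[:2] == ["add", "service"] and is_ipv6(parts[3]):
            ipv6_backends.add(parts[2])
        elif parts[:2] == ["bind", "serviceGroup"] and is_ipv6(parts[3]):
            ipv6_backends.add(parts[2])
        elif parts[:3] == ["bind", "lb", "vserver"] and len(parts) >= 5:
            bindings.append((parts[3], parts[4]))  # policy bindings never match a backend
    for vs, backend in bindings:
        if lb_type.get(vs) in HTTP_TYPES and backend in ipv6_backends:
            exposed.append((vs, f"LB vserver ({lb_type[vs]}) bound to IPv6 backend {backend}"))
    return exposed


if __name__ == "__main__":
    for name, reason in find_exposed_vservers(SAMPLE_NS_CONF):
        print(f"{name}: {reason}")
```

In the sample, lb_intranet (IPv4 backend) and lb_tcp (TCP, not an HTTP-family type) are correctly left out even though lb_tcp is bound to an IPv6 service; any appliance that produces at least one hit and is below the fixed build should be treated as exposed and patched first.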
Nevada State IT Systems Down for Days After Cyberattack
A cyberattack disrupted Nevada’s government websites, phone lines, and online services starting August 24, forcing state offices to close. Emergency services remain operational, but officials warn of potential intermittent outages during recovery. No evidence of data theft has been found yet.
Source: The Register
Git Arbitrary Code Execution Flaw Exploited (CVE-2025-48384)
CISA added CVE-2025-48384 to its Known Exploited Vulnerabilities (KEV) catalog after observing exploitation. The bug is a config round-trip mismatch: Git strips a trailing carriage return when it reads a config value but does not quote one when it writes the value back, so a submodule path ending in CR is recorded as one path and read back as another. A crafted repository can combine that with a symlink at the altered path so that the submodule's contents, including an executable post-checkout hook, land in the hooks directory and run during a recursive clone. Windows is not affected; macOS and Linux are.
Impact: Compromise of developer workstations and CI/CD pipelines that clone untrusted repositories with submodules.
Mitigation: Update to a patched Git for your release line (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1 or 2.50.1); until then, do not use --recurse-submodules or git submodule update --init --recursive on repositories you do not trust.
Source: SecurityWeek
Farmers Insurance Exposes 1M Customers via Third-Party Vendor Breach
Farmers Insurance disclosed a May 2025 breach affecting 1M+ customers, with stolen data including names, SSN fragments, and driver’s license numbers. The incident originated at an unnamed vendor; ShinyHunters claims it’s part of their Salesforce campaign.
Source: The Record
Docker Desktop Container Escape Vulnerability (CVE-2025-9074)
A critical flaw in Docker Desktop for Windows and macOS let any running container reach the Docker Engine API without authentication and without the Docker socket being mounted into it. A malicious container could use that access to start a new privileged container with the host file system mounted, and so read or modify files on the host. Fixed in Docker Desktop 4.44.3.
Impact: Full host compromise from an otherwise unprivileged malicious container.
Mitigation: Update Docker Desktop to 4.44.3 or later. Because the API was reachable regardless of the container's own privileges, tightening container permissions is not a workaround; until patched, run only images you trust on affected machines.
Source: SecurityWeek
Iranian Hackers Target Israeli Kosher Internet Provider
Iranian group “Promised Revenge” disrupted Internet Rimon, a filtered ISP for religious communities, on August 23. The attack caused partial disconnections, with services restored after mitigation efforts.
Source: Israel National News
Auchan Retailer Breach Exposes Hundreds of Thousands of Loyalty Accounts
French retailer Auchan notified customers of a breach exposing loyalty program data (names, emails, phone numbers). No financial data was compromised. The incident follows a similar breach in November 2024.
Source: BleepingComputer
HOOK Android Trojan Adds Ransomware Overlays
HOOK malware now includes ransomware overlays and supports 107 remote commands, including fake NFC scans and PIN theft. Distributed via phishing sites and GitHub, it targets banking apps and crypto wallets.
Impact: Data theft and extortion via mobile devices.
Mitigation: Avoid sideloading APKs; use app vetting tools.
Source: The Hacker News
Google Mandates Developer Verification for Android Apps
Google will require identity verification for all Android developers, including those who distribute apps outside the Play Store for sideloading. Enforcement begins in September 2026 in Brazil, Indonesia, Singapore, and Thailand, with other regions to follow. The move aims to curb developer impersonation and malware distribution.
Source: The Hacker News