Major Incidents or Breaches

  • TransUnion Data Breach: TransUnion reported a data breach impacting 4.4 million individuals. The breach was linked to a third-party application used for US consumer support operations. No further details on the application were disclosed.
  • Nevada Ransomware Attack: The state of Nevada confirmed a ransomware attack that resulted in office closures, service disruptions, and data theft. Nevada is working with CISA and law enforcement to restore affected systems.
  • Google Workspace Accounts Compromised: Google confirmed that the OAuth token compromise, previously associated with Salesforce data theft, also enabled attackers to access a limited number of Google Workspace accounts via the Salesloft Drift integration.
  • VerifTools Marketplace Takedown: US and Dutch authorities dismantled the VerifTools marketplace, which sold fraudulent identity documents used to bypass KYC checks and facilitate online fraud. Operators relaunched the service on a new domain after the takedown.
  • Sogou Zhuyin Update Server Hijack: An abandoned update server for the Sogou Zhuyin IME was hijacked and weaponised in a Taiwan-focused espionage campaign, delivering multiple malware families.
  • Iranian Ships Hacked: Communications for dozens of Iranian ships were disrupted in a cyber operation that has not been attributed to any specific actor.

Newly Discovered Vulnerabilities

  • WhatsApp Zero-Click Vulnerability: WhatsApp patched a security vulnerability in its iOS and macOS clients, reportedly exploited in zero-day attacks in conjunction with a recently disclosed Apple flaw.
  • FreePBX Zero-Day: Sangoma issued an emergency patch for an actively exploited zero-day vulnerability in FreePBX systems with exposed administrator control panels.
  • Sitecore Experience Platform Flaws: Three new vulnerabilities in the Sitecore Experience Platform were disclosed, enabling cache poisoning, information disclosure, and remote code execution.
  • Passwordstate Authentication Bypass: Click Studios released a security update for Passwordstate to address an authentication bypass vulnerability affecting the emergency access page.

Notable Threat Actor Activity

  • APT29 Watering Hole Campaign: Amazon identified and disrupted a watering hole campaign by Russia-linked APT29 actors, which abused Microsoft device code authentication for intelligence gathering.
  • Storm-0501 Ransomware Tactics: Storm-0501 exploited hybrid cloud environments to gain full Azure control in enterprise attacks, focusing on data exfiltration and deletion without deploying file-encrypting malware.
  • North Korean IT Worker Facilitation: The US Treasury sanctioned a Russian national and a Chinese company for assisting North Korean IT workers in exploiting stolen identities, AI, and malware to generate illicit funds for North Korea.

Trends, Tools, or Tactics of Interest

  • AI-Driven Exploit Generation: Security researchers noted the increasing use of AI and large language models to rapidly generate proof-of-concept exploits, significantly reducing the time required to weaponise vulnerabilities.
  • Attacker Adaptation to macOS Protections: Analysis revealed how threat actors circumvent macOS built-in security mechanisms, including by social engineering and exploiting user trust to deceive users into bypassing those protections themselves.
  • Cloud-Native Ransomware Tactics: Ransomware groups are leveraging cloud-native features for attack operations, including data exfiltration and deletion, rather than traditional file encryption.
  • Generative AI Data Leak Risks: The proliferation of generative AI platforms (e.g., ChatGPT, Gemini, Copilot, Claude) in organisations is increasing concerns about data leakage and the need for improved network visibility and controls.
  • Secure Coding Gaps: Ongoing concerns were highlighted regarding the lack of secure coding education in cybersecurity curricula, despite its importance in reducing vulnerabilities.

Regulatory or Policy Developments

  • Microsoft Azure MFA Enforcement: Microsoft will mandate multi-factor authentication for all Azure resource management actions starting in October, aiming to enhance protection against unauthorised access.
  • US Sanctions Related to North Korean Cyber Activity: The US imposed sanctions on entities facilitating North Korean cyber operations, specifically targeting those supporting illicit IT worker activities and related financial schemes.
  • Android Developer Verification: Only applications from verified developers will be permitted to run on Android devices, as part of Google’s efforts to improve the security of the app ecosystem.