Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.
This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It’s a sharp reminder of how fragile integrations can become the weak link in enterprise defenses.
Alongside this, we’ll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise.
⚡ Threat of the Week
Salesloft to Take Drift Offline Amid Security Incident — Salesloft announced that it has taken Drift temporarily offline effective September 5, 2025, at 6 a.m. ET, as multiple companies have been caught up in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible.” To date, Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler have confirmed they were impacted by the hack. The activity has been attributed to a threat cluster tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively.
🔔 Top News
- Sitecore Flaw Under Active Exploitation in the Wild — Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. The ViewState deserialization vulnerability, CVE-2025-53690, has been used to deploy malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments. The attackers targeted the “/sitecore/blocked.aspx” endpoint, which contains an unauthenticated ViewState form, with HTTP POST requests containing a crafted ViewState payload. Mandiant said it disrupted the intrusion midway, which prevented it from gaining further insights into the attack lifecycle and determining the attackers’ motivations.
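A web server log records the method, path and request size but not the ViewState body, so the quickest retrospective check for the activity described above is to look for POST requests to an endpoint that legitimate visitors only ever GET. The script below is an added example (not code from Sitecore, Mandiant, or the original article): it parses IIS W3C log lines, flags POSTs to the “/sitecore/blocked.aspx” path named in the writeup, and counts them per client. The log lines are constructed for the example, the field order assumes the IIS default W3C fields listed in the `#Fields` directive, and the optional request-size threshold is an assumption rather than a documented indicator.

```python
"""Flag POST requests to the unauthenticated Sitecore ViewState endpoint in IIS W3C logs.

Added example, not Sitecore or Mandiant code. Assumes the IIS W3C field order given in
the #Fields line below; the log lines are constructed for this example.
"""
from collections import Counter

SUSPECT_PATH = "/sitecore/blocked.aspx"   # endpoint named in the writeup

# Constructed sample log (IIS W3C extended format). Not real traffic.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2025-09-03 10:00:01 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.10 Mozilla/5.0 200 5120 310
2025-09-03 10:00:02 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.7 python-requests/2.31 200 612 48211
2025-09-03 10:00:03 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.7 python-requests/2.31 500 1024 48299
2025-09-03 10:00:04 10.0.0.5 GET /sitecore/blocked.aspx - 443 - 203.0.113.11 Mozilla/5.0 200 2048 250
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign the columns
        yield dict(zip(fields, values))


def find_viewstate_posts(text, min_body_bytes=0):
    """Return sorted (client_ip, count) pairs for POSTs to SUSPECT_PATH.

    A normal visit to blocked.aspx is a GET, so any POST to it is worth a look.
    min_body_bytes (request size, the cs-bytes field) can raise the bar to large
    bodies; the value to use is an assumption for this example, not a published figure.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != SUSPECT_PATH:
            continue
        if int(rec["cs-bytes"]) >= min_body_bytes:
            hits[rec["c-ip"]] += 1
    return sorted(hits.items())


if __name__ == "__main__":
    for ip, n in find_viewstate_posts(SAMPLE_LOG):
        print(f"{ip}: {n} POST request(s) to {SUSPECT_PATH}")
```

Point the parser at a real `u_ex*.log` file by reading it into `text`; if the site logs a different field set, the `#Fields` line in the file drives the column names, so only the names used in `find_viewstate_posts` need to exist.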
- Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor (aka GONEPOSTAL) in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”
- New GhostRedirector Actor Hacks 65 Windows Servers in Brazil, Thailand, and Vietnam — A previously undocumented threat cluster dubbed GhostRedirector has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to have been active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” the company said.
- Google Fixes 2 Actively Exploited Android Flaws — Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. One of them, CVE-2025-38352, is a privilege escalation vulnerability in the upstream Linux Kernel component. The second shortcoming is a privilege escalation flaw in Android Runtime (CVE-2025-48543). Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, suggesting that it may have been abused as part of targeted spyware attacks.
- Threat Actors Claim to Weaponize HexStrike AI in Real-World Attacks — Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. “This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” Check Point said.
- Iranian Hackers Linked to Attacks Targeting European Embassies — An Iran-nexus group conducted a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. “Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”
🔥 Trending CVEs
Hackers move fast — often exploiting new flaws within hours. A missed update or a single unpatched CVE can open the door to serious damage. Here are this week’s high-risk vulnerabilities making headlines. Review, patch quickly, and stay ahead.
This week’s list includes — CVE-2025-53690 (Sitecore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Next.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Client for Windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Pro plugin), CVE-2025-53772 (Web Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613, and a client-side remote code execution (no CVE) (Google Web Designer).
📰 Around the Cyber World
- New AI Waifu RAT Disclosed — Cybersecurity researchers have discovered a potent Windows-based remote access trojan (RAT) called AI Waifu RAT that uses the power of a large language model to pass commands. “A local agent runs on the victim’s machine, listening for commands on a fixed port,” a researcher going by the name ryingo said. “These commands, originating from the LLM, are passed through a web UI and sent to the local agent as plaintext HTTP requests.” The malware specifically targets LLM role-playing communities, capitalizing on their interest in the technology to offer AI characters the ability to read local files for “personalized role-playing” and direct “Arbitrary Code Execution” capabilities.
- DoJ: “Not all heroes wear capes. Some have YouTube channels” — The U.S. Department of Justice (DoJ) said two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from senior citizens. The 28 alleged members of the Chinese organized crime ring allegedly used call centers based in India to call the elderly, posing as government officials, bank employees, and tech support agents. “Once connected, the scammers used scripted lies and psychological manipulation to gain the victims’ trust and often remote access to their computers,” the DoJ said. “The most common scheme involved convincing victims they had received a mistaken refund and pressuring – or threatening – them to return the supposed excess funds via wire transfer, cash, or gift cards.” Those sending cash were instructed to use overnight or express couriers, addressing packages to fake names tied to false IDs. These were sent to short-term rentals in the U.S. used by conspirators, including the indicted defendants, to collect the fraud proceeds. The network has operated out of Southern California since 2019.
- Analysis of BadSuccessor Patch — Microsoft, as part of its August 2025 Patch Tuesday update, addressed a security flaw called BadSuccessor (CVE-2025-53779) that abused a loophole in dMSA, causing the Key Distribution Center (KDC) to treat a dMSA linked to any account in Active Directory as the successor during authentication. As a result, an attacker could create a dMSA in an Organizational Unit (OU) and link it to any target — even domain controllers, Domain Admins, Protected Users, or accounts marked “sensitive and cannot be delegated” — and compromise them. An analysis of the patch has revealed that the fix is enforced as a validation step in the KDC. “The attribute can still be written, but the KDC won’t honor it unless the pairing looks like a legitimate migration,” Akamai security researcher Yuval Gordon said. “Although the vulnerability can be patched, BadSuccessor still lives on as a technique; that is, the KDC’s verification removes the pre-patch escalation path, but doesn’t mitigate the entire problem. Because the patch didn’t introduce any protection to the link attribute, an attacker can still inherit another account by linking a controlled dMSA and a target account.”
- Phishers Pivot to Ramp and Dump Scheme — Cybercriminal groups advertising sophisticated phishing kits that convert stolen card data into mobile wallets have shifted their focus to targeting customers of brokerage services and using compromised brokerage accounts to manipulate the prices of foreign stocks as part of what’s called a ramp and dump scheme.
- Popular C2 Frameworks Exploited by Threat Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky. “Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection,” the company said. The development came as the majority (53%) of attributed vulnerability exploits in the first half of 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to Recorded Future’s Insikt Group. In all, 23,667 CVEs were published in H1 2025, a 16% increase compared to H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of those exploited flaws had public PoC exploits.
- Fake PDF Converters Deliver JSCoreRunner macOS Malware — Apps posing as PDF converters are being used to deliver malware called JSCoreRunner. Once downloaded from sites like fileripple[.]com, the malware establishes connections with a remote server and hijacks a user’s Chrome browser by modifying its search engine settings to default to a fraudulent search provider, thereby tracking user searches and redirecting them to bogus sites, further exposing them to data and financial theft, per Mosyle. The attack unfolds over two stages: the initial package (whose signature has since been revoked by Apple) deploys an unsigned secondary payload from the same domain, which in turn executes the main malicious payload.
- Copeland Releases Fixes for Frostbyte10 Flaws — American tech company Copeland has released a firmware update to fix ten vulnerabilities in Copeland E2 and E3 controllers. The chips are used to manage energy efficiency inside HVAC and refrigeration systems. The ten vulnerabilities have been collectively named Frostbyte10. “The flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data,” Armis said. “When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges.” The most severe of the flaws is CVE-2025-6519, a default admin user “ONEDAY” whose daily generated password is predictable. In a hypothetical attack scenario, an attacker could chain CVE-2025-6519 and CVE-2025-52549 with CVE-2025-52548, which can enable SSH and Shellinabox access via a hidden API call, to facilitate remote execution of arbitrary commands on the underlying operating system.
- Over 1,000 Ollama Servers Exposed — A new study from Cisco found over 1,100 exposed Ollama servers, with approximately 20% actively hosting models susceptible to unauthorized access. Out of the 1,139 exposed servers, 214 were found to be actively hosting and responding to requests with live models—accounting for approximately 18.8% of the total scanned population, with Mistral and LLaMA representing the most frequently encountered deployments. The remaining 80% of detected servers, while reachable via unauthenticated interfaces, did not have any models instantiated. Although dormant, these servers remain susceptible to exploitation via unauthorized model uploads or configuration manipulation. The findings “highlight the urgent need for security baselines in LLM deployments and provide a practical foundation for future research into LLM threat surface monitoring,” the company said.
- Tycoon Phishing Kit Evolves — The Tycoon phishing kit has been updated to support URL-encoding techniques to hide malicious links embedded in fake voicemail messages to bypass email security checks. Attackers have also been observed using the Redundant Protocol Prefix technique for similar reasons. “This involves crafting a URL that is only partially hyperlinked or that contains invalid elements — such as two ‘https’ or no ‘//’ — to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls,” Barracuda said. “Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365.’ The link’s actual destination comes after the ‘@’.”
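Each of the tricks quoted above (percent-encoding, a doubled scheme, a scheme with no ‘//’, and a reputable-looking name in the userinfo part before ‘@’) leaves a syntactic trace that an email gateway or a link-rewriting proxy can test for before a user clicks. The function below is an added example, not Barracuda’s or any vendor’s code: it reports which tricks a link uses and recovers the host the browser would actually contact. The sample links are constructed for the example and the host names are placeholders.

```python
"""Flag the link-obfuscation tricks described for the Tycoon kit and recover the real host.

Added example, not Barracuda's or any vendor's code. Sample links are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# One or more leading scheme prefixes followed by yet another scheme,
# e.g. "https://https://host/" or "https:https://host/".
LEADING_SCHEMES = re.compile(r"^(?:https?:(?://)?)+(?=https?:)", re.IGNORECASE)
# A scheme that is not followed by "//", e.g. "https:host/path".
MISSING_SLASHES = re.compile(r"^(https?:)(?!//)", re.IGNORECASE)


def analyze_link(link):
    """Return {'findings': [...], 'host': destination host} for one link string."""
    findings = []
    candidate = link.strip()

    decoded = unquote(candidate)              # undo URL-encoding of the whole link
    if decoded != candidate:
        findings.append("percent-encoded characters in link")

    if LEADING_SCHEMES.search(decoded):       # "two 'https'"
        findings.append("redundant protocol prefix")
        decoded = LEADING_SCHEMES.sub("", decoded)   # keep only the last scheme

    if MISSING_SLASHES.search(decoded):       # "no '//'"
        findings.append("scheme without '//'")
        decoded = MISSING_SLASHES.sub(r"\1//", decoded)  # normalise so the host parses

    parts = urlsplit(decoded)
    if "@" in parts.netloc:                   # everything before '@' is userinfo
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append(f"userinfo '{userinfo}' hides real host '{parts.hostname}'")

    return {"findings": findings, "host": parts.hostname}


# Constructed samples: one clean link and one per trick (hosts are placeholders).
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/",
    "https://https://evil.example/voicemail",
    "https:evil.example/voicemail",
    "https://office365.com@evil.example/login",
    "https://office365%40evil.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyze_link(link)
        print(f"{link}\n  host={result['host']} findings={result['findings']}")
```

The recovered `host` is what a reputation or allow-list check should be run against, not the text that appears before the ‘@’ or the first scheme in the string.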
- U.S. State Department Offers Up to $10M for Russian Hackers — The U.S. Department of State is offering a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB’s Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Koala Team, and Static Tundra. They have been accused of targeting 500 energy companies in 135 countries. In March 2022, the three FSB officers were also charged for their involvement in a campaign that took place between 2012 and 2017, targeting U.S. government agencies.
- XWorm Malware Uses Sneaky Methods to Evade Detection — A new XWorm malware campaign is using deceptive and intricate methods to evade detection and increase the success rate of the malware. “The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks,” Trellix said. “While email and .LNK files remain common initial access vectors, XWorm now also leverages legitimate-looking .EXE filenames to disguise itself as harmless applications, exploiting user and system trust.” The attack chain uses LNK files to initiate a complex infection. Executing the .LNK triggers malicious PowerShell commands that deliver a .TXT file and download a deceptively-named binary called “discord.exe.” The executable then drops “main.exe” and “system32.exe,” with the latter being the XWorm malware payload. “Main.exe,” on the other hand, is responsible for disabling the Windows Firewall and checking for the presence of third-party security applications. XWorm, besides meticulously conducting reconnaissance to acquire a comprehensive profile of the machine, runs anti-analysis checks to ascertain the presence of a virtualized environment and, if so, ceases execution. It also incorporates backdoor functionality by contacting an external server to execute commands, shut down the system, download files, open URLs, and launch DDoS attacks. Recent campaigns have also distributed the malware through a new crypter-as-a-service offering known as Ghost Crypt. “Ghost Crypt delivers a zipped archive to the victim containing a PDF Reader application, a DLL, and a PDF file,” Kroll said. “When the user opens the PDF, the ma…
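The chain described above (LNK → PowerShell → “discord.exe” → “main.exe” and “system32.exe”) is easier to catch by correlating process lineage than by matching any one file name, since a real Discord client is also called discord.exe. The script below is an added example, not Trellix or Kroll code: it walks constructed process-creation events with Sysmon-like fields, and alerts on a dropped-name binary only when its path or ancestry matches the pattern from the writeup. The event list, the list of user-writable directories, and the PowerShell command line placeholder are all assumptions made for the example.

```python
"""Correlate process-creation events into the XWorm-style chain from the Trellix writeup.

Added example, not Trellix or Kroll code. The events are constructed (Sysmon-like fields:
pid, ppid, image, cmdline) and the user-writable path list is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path of the new process
    cmdline: str


# Constructed sample telemetry; not a real capture. The PowerShell command line is a placeholder.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "<constructed placeholder for the LNK command>"'),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\discord.exe", "discord.exe"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\main.exe", "main.exe"),
    ProcEvent(500, 300, r"C:\Users\alice\AppData\Local\Temp\system32.exe", "system32.exe"),
    # Constructed benign counterexample: a genuine Discord client started from its install folder.
    ProcEvent(600, 100, r"C:\Users\alice\AppData\Local\Discord\app-1.0\Discord.exe", "Discord.exe"),
]

# Assumed set of directories an unprivileged user can write to (extend for your estate).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# File names taken from the writeup.
DROPPED_NAMES = {"discord.exe", "main.exe", "system32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the given process up to the root, nearest first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against pid-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def flag_xworm_chain(events):
    """Return {pid: [reasons]} for dropped-name binaries whose context matches the chain."""
    alerts = {}
    for e in events:
        name = basename(e.image)
        if name not in DROPPED_NAMES:
            continue
        reasons = []
        if any(d in e.image.lower() for d in USER_WRITABLE):
            reasons.append("executed from user-writable directory")
        if "powershell.exe" in ancestry(events, e.pid):
            reasons.append("powershell.exe in process ancestry")
        if name == "system32.exe":
            reasons.append("binary name mimics the System32 directory")
        if reasons:                       # name alone is not enough to alert
            alerts[e.pid] = reasons
    return alerts


if __name__ == "__main__":
    for pid, reasons in flag_xworm_chain(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Feeding real Sysmon Event ID 1 records into `ProcEvent` is a matter of mapping `ProcessId`, `ParentProcessId`, `Image` and `CommandLine`; the benign Discord entry shows why the alert requires path or lineage context rather than the file name alone.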