Salesloft GitHub Account Accessed by Threat Actor for Four Months
(September 6, 7, & 8, 2025)
Salesloft has posted a September 6 update to the Salesloft+Drift Trust Portal describing the results of Mandiant's investigation into the cause and scope of the widespread August 2025 Salesforce data theft attacks abusing stolen OAuth tokens for the Drift AI chatbot. Mandiant found that a threat actor compromised and maintained access to the Salesloft GitHub account from March to June 2025, conducting reconnaissance in the Salesloft and Drift application environments, downloading multiple repositories' content, adding a guest user, and establishing workflows. The threat actor stole OAuth tokens from Drift's Amazon Web Services environment, then used them to bypass normal authentication, including MFA, and access organizations' data through Drift integrations, primarily targeting access keys, credentials, and tokens. Mandiant believes that the incident is contained and has validated that Salesloft took the Drift application offline, isolated its infrastructure and code, rotated impacted credentials for both Drift and Salesloft, hardened the Salesloft environment against known attack methods, and segmented Salesloft and Drift applications and infrastructure environments. As of this writing, the latest update to the Salesloft+Drift Trust Portal is a September 7 post stating that integration between Salesloft and Salesforce has been restored. The total number of companies affected by the Drift OAuth token compromise is unknown and continues to grow.
Editor's Note
[Honan]
It's no longer enough to hand suppliers and third-party vendors a checklist of security questions and hope for the best. Supply chain risk management today demands increased scrutiny. Organisations need to identify what access each vendor truly has, consider the impact if those vendors are compromised, then put controls in place to minimise that risk. Restrict access, ramp up monitoring, build resilience. Security today means being proactive, not just ticking boxes.
npm Library Supply Chain Attack
(September 8, 2025)
A phishing attack on a developer resulted in nearly 20 widely-downloaded JavaScript code packages being compromised with malware. The attack was quickly detected and mitigated and appears to have been launched with a goal of stealing cryptocurrency. In a September 8 blog post, Belgian security company Aikido wrote that their "intel feed alerted [them] to a series packages being pushed to npm, which appeared to contain malicious code." The 18 affected npm packages are collectively downloaded over two billion times each week. Aikido notified the maintainer, who has begun to clean up compromised packages.
Patch SAP S/4HANA for Actively Exploited Critical Flaw
(September 4 & 5, 2025)
Researchers at SecurityBridge urge users to immediately patch all private cloud and on-premises SAP S/4HANA releases, because a critical flaw disclosed in June 2025 and patched by SAP in August is currently under active exploitation. CVE-2025-42957, CVSS score 9.9, allows an attacker with low-level credentials to bypass essential authorization checks and inject arbitrary ABAP (Advanced Business Application Programming) code into the system by exploiting a vulnerability in the function module exposed via RFC. SecurityBridge emphasizes that the possible consequences of exploitation are severe: "Successful exploitation gives access to the operating system and complete access to all data in the SAP system. This includes, but is not limited to: Deleting and inserting data directly in the SAP Database; Creating SAP users with SAP_ALL; Downloading of password hashes; [and] Modifications to business processes," also noting, "this vulnerability effectively functions as a backdoor." SecurityBridge has verified abuse of this flaw in the wild, and offers mitigation steps in addition to their directive to patch immediately: users should "consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02," as well as monitoring logs for suspicious RFC calls, new admin users, and ABAP code changes, and hardening defenses through segmentation, backups, and SAP-specific monitoring.
Read more in:
- securitybridge.com: Critical SAP S/4HANA code injection vulnerability (CVE-2025-42957) exploited in the wild - patch immediately
- www.theregister.com: Critical, make-me-super-user SAP S/4HANA bug under active exploitation
- www.bleepingcomputer.com: Critical SAP S/4HANA vulnerability now exploited in attacks
Microsoft Azure Enters Phase 2 of MFA Implementation
(September 5, 2025)
Microsoft has published a blog post describing their ongoing effort, first announced in May 2024, to implement mandatory MFA for Azure users, now reaching its second phase. Microsoft has been rolling out MFA enforcement gradually, beginning with users who were signing in to administer resources, then telling Entra global admins to enable MFA for all tenants by October 2024, and as of March 2025, "multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants." Microsoft describes Phase 2, beginning October 1, 2025, as encompassing "Gradual enforcement for MFA requirement for users performing Azure resource management operations through any client (including but not limited to: Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools)." The gradual enforcement of Phase 2 will be applied via Azure Policy. Microsoft's post instructs administrators to enable MFA for users by October 1, 2025; apply a built-in Azure Policy definition in audit or enforcement mode; ensure their tenants are using current Azure CLI and Azure PowerShell versions; communicate with the tenant's Global Administrator if the enforcement date must be postponed; and monitor notification channels for ongoing communication.
Editor's Note
[Murray]
Better late than never. If Microsoft can do it for Windows, it can do it for Azure.
PACER Court Document System is Struggling with MFA Rollout
(August 6, 7, 14, & 28 and September 8, 2025)
The Public Access to Court Electronic Records (PACER) system is reportedly experiencing a bumpy start to its multi-factor authentication (MFA) rollout, including long wait times on call center help lines. In May 2025, PACER announced that MFA would be mandatory for accounts that are configured to allow them to file documents and for all case management accounts. At that time, enrollment in MFA was voluntary; the US Courts website noted that "users with Case Management/Electronic Case Files (CM/ECF) level access who do not voluntarily enroll will be randomly selected to do so beginning in August. By the end of 2025, everyone with CM/ECF-level access will be required to use MFA when logging in." Users who access PACER simply to view court documents are "strongly encouraged" to enroll in MFA but are not required to do so. Last month, the US federal Judiciary confirmed a breach of their Case Management System; Politico reported that "the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER." The court document systems faced scrutiny earlier this year: in June, The Honorable Michael Y. Scudder Jr., Chair of the Committee on Information Technology of the Judicial Conference of the United States told the US House of Representatives Judiciary Subcommittee on Courts, Intellectual Property, Artificial Intelligence, and the Internet that CM/ECF and PACER "are outdated, unsustainable due to cyber risks, and require replacement."
Editor's Note
[Murray]
While it is a one-time problem, user participation in setup of strong authentication is an issue. Preparation and education can help.
Argo CD CVSS 10.0 Flaw Exposes Repository Credentials
(September 4 & 5, 2025)
Argo CD, an open-source "GitOps continuous delivery tool for Kubernetes," has published a security bulletin disclosing a maximum-severity vulnerability in Argo CD versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. Although, as Argo CD notes, "API tokens should require explicit permission to access sensitive credential information, [and] standard project permissions should not grant access to repository secrets," CVE-2025-55190, CVSS score 10.0, allows an authenticated user to use any API token with project get permissions and no explicit access to secrets to retrieve repository usernames and passwords through the project details API endpoint. Argo CD is used for "large-scale, mission-critical deployments" by companies such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock. Users must update to versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2 to patch the flaw.
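To turn the bulletin's version ranges into an inventory check, here is an added Python example (not Argo CD project code) that parses Argo CD version strings, including release candidates, and flags any version inside the affected ranges quoted above; the instance names and versions in the sample inventory are constructed for illustration.

```python
import re

# Affected ranges (inclusive) as listed in the Argo CD bulletin for CVE-2025-55190
AFFECTED_RANGES = [
    ("2.13.0", "2.13.8"),
    ("2.14.0", "2.14.15"),
    ("3.0.0", "3.0.12"),
    ("3.1.0-rc1", "3.1.1"),
]


def parse_version(v: str) -> tuple:
    """Parse 'v?MAJOR.MINOR.PATCH[-rcN]' into a tuple that sorts a release
    candidate before the final release of the same number (3.1.0-rc1 < 3.1.0)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version string: {v!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc else (1, 0)   # (0, N) = rcN, (1, 0) = final release
    return (int(major), int(minor), int(patch)) + pre


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the listed affected ranges.
    Versions outside every range (for example release lines older than 2.13)
    return False only because the bulletin does not list them; check support
    status for those separately."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical instance names and versions
    inventory = {"prod-argocd": "v2.14.15", "staging-argocd": "v3.1.0-rc1", "lab-argocd": "v3.1.2"}
    for name, ver in inventory.items():
        state = "VULNERABLE, upgrade" if is_vulnerable(ver) else "not in an affected range"
        print(f"{name}: {ver} -> {state}")
```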
More Information About Issuance of Unauthorized 1.1.1.1 Certificates
(September 4, 2025)
Cloudflare has looked into the unauthorized issuance of 1.1.1.1 TLS certificates that came to light last week; 1.1.1.1 is one of the IP addresses that Cloudflare uses for its public DNS resolver service. The certificate authority (CA) responsible for the unauthorized certificates, Fina CA, told Ars Technica that they were "issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers." In addition, between February 2024 and August 2025, Fina CA issued a dozen certificates for 1.1.1.1, not just the three that were initially reported. All have since been revoked.
Read more in:
- blog.cloudflare.com: Addressing the unauthorized issuance of multiple TLS certificates for 1.1.1.1
- arstechnica.com: The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest.
July eMails Spoofed to Appear to Come from US Legislator Spread Spyware
(September 8, 2025)
The Wall Street Journal reported that hackers with ties to China's government are behind spyware-laden emails spoofed to appear to come from chairman of the US House Committee on the Chinese Communist Party Rep. John Moolenaar (R-Michigan). The emails were sent in July to US trade groups, law firms and government agencies, just ahead of US-China trade talks that took place in Sweden this summer. The messages urged readers to offer feedback on proposed sanctions against China. They also included an attachment that purported to be a document, but which is actually spyware that has been traced to a Chinese state-sponsored cyberthreat group. (The Wall Street Journal article is behind a paywall.)
Read more in:
- www.axios.com: Chinese cyber spies impersonated key U.S. lawmaker
- www.securityweek.com: Chinese Spies Impersonated US Lawmaker to Deliver Malware to Trade Groups: Report
- www.wsj.com: Chinese Hackers Pretended to Be a Top U.S. Lawmaker During Trade Talks (paywall)
Qantas Executive Management Team Financially Penalized Over July Breach
(September 5, 2025)
The Qantas Airlines executive management team has had their bonuses reduced by 15 percent following a cybersecurity breach that compromised information belonging to millions of individuals. A breach of a third-party Qantas call center database in July of this year compromised information of 5.7 million individuals; of those approximately 4 million are confirmed to have been exposed. Penalizing executives "reflects their shared accountability," according to Qantas Group Chairman John Mullen; it is uncommon for breach responsibility to be assigned to CEOs. The company posted a pre-tax profit of AU$2.39 billion (US$1.56 billion) in the last fiscal year.
Editor's Note
[Honan]
This is an interesting move, although not the first time a CEO has been penalised financially subsequent to a breach, and may serve as a warning shot to other CEOs that cybersecurity can no longer be treated as an IT problem but is a key business risk and needs to be managed accordingly.
[Murray]
At least some accountability. Executives take heed.
Read more in:
- therecord.media: Qantas penalizes executives for July cyberattack
- www.scworld.com: Qantas trims CEO’s bonus following July cybersecurity incident
- www.scmp.com: Australia’s Qantas Airways penalises CEO over data breach with bonus cut
- www.aerotime.aero: Qantas cuts CEO and executive bonuses after cyberattack exposed customer data
Wealthsimple Breach
(September 5 & 8, 2025)
On August 30, 2025, Canadian financial firm Wealthsimple "learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of [their] clients being accessed without authorization for a brief period." The company notified all affected customers by email last week; they note that if customers have not received email about the incident, their data were not compromised. In addition to notifying affected individuals, Wealthsimple is offering credit monitoring and has informed relevant government regulators.
Read more in:
- www.cbc.ca: Wealthsimple client data, including SINs, accessed in security breach
- www.securityweek.com: Fintech Firm Wealthsimple Says Supply Chain Attack Resulted in Data Breach
- www.bleepingcomputer.com: Financial services firm Wealthsimple discloses data breach
- www.infosecurity-magazine.com: Wealthsimple Confirms Data Breach After Supply Chain Attack
- help.wealthsimple.com: An Important Security Update For Our Clients
SANS Internet Storm Center StormCast Monday, September 8, 2025
YARA to Debugger Offsets; SVG JavaScript Phishing; FreePBX Patches
https://isc.sans.edu/podcastdetail/9602
From YARA Offsets to Virtual Addresses
Xavier explains how to convert the file offsets reported by YARA into virtual addresses suitable for use with debuggers.
https://isc.sans.edu/diary
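Since the StormCast item only summarises the technique, here is an added Python example (not Xavier's code from the diary) that maps a file offset of the kind YARA reports to a virtual address by walking a PE file's section table; the PE32+ header it parses is constructed inline for demonstration and contains no code.

```python
import struct

def parse_sections(pe: bytes):
    """Read ImageBase and the section table (name, RVA, raw size, raw pointer) from a PE header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # optional header starts here
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                                    # PE32: 32-bit ImageBase at +28
        image_base, = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:                                  # PE32+: 64-bit ImageBase at +24
        image_base, = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):                         # 40-byte IMAGE_SECTION_HEADER entries
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode(), va, raw_size, raw_ptr))
    return image_base, sections

def offset_to_va(pe: bytes, file_offset: int) -> int:
    """Map a file offset (what YARA reports) to the virtual address a debugger shows."""
    image_base, sections = parse_sections(pe)
    for _name, va, raw_size, raw_ptr in sections:
        if raw_ptr <= file_offset < raw_ptr + raw_size:
            return image_base + va + (file_offset - raw_ptr)
    raise ValueError(f"offset {file_offset:#x} is not backed by any section")

def build_sample_pe() -> bytes:
    """Constructed PE32+ header: .text at RVA 0x1000 <- file 0x400-0x5FF, .data at RVA 0x2000 <- 0x600-0x7FF."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 112, 0x22)
    opt = (struct.pack("<H", 0x20B).ljust(24, b"\0")
           + struct.pack("<Q", 0x140000000)).ljust(112, b"\0")
    def sec(name, va, raw_size, raw_ptr):
        return struct.pack("<8sIIII", name, raw_size, va, raw_size, raw_ptr).ljust(40, b"\0")
    hdr = dos + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, 0x200, 0x400) \
          + sec(b".data", 0x2000, 0x200, 0x600)
    return hdr.ljust(0x800, b"\0")

if __name__ == "__main__":
    print(hex(offset_to_va(build_sample_pe(), 0x450)))   # 0x140001050
```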
Phishing via JavaScript in SVG Files
Virustotal uncovered a Colombian phishing campaign that takes advantage of JavaScript in SVG files.
https://blog.virustotal.com
FreePBX Patches
FreePBX released details regarding two vulnerabilities patched last week. One of these vulnerabilities was already actively exploited.
https://github.com/FreePBX