Weekly Cybersecurity News Recap: Tenable, Qualys, Workday Data Breaches and Security Updates

This week in cybersecurity serves as a critical reminder of the pervasive risks within the digital supply chain, as several industry-leading companies disclosed significant data breaches.

The incidents, affecting vulnerability management giants Tenable and Qualys, as well as enterprise software provider Workday, all stemmed from a security flaw in a common third-party service.

This chain of disclosures highlights the cascading impact a single vulnerability can have on multiple, otherwise secure, organizations, raising serious questions about vendor risk management and trust in the ecosystem.

The breaches at Tenable and Qualys are particularly concerning, as they involved unauthorized access to systems containing sensitive customer data. Both companies have confirmed that the intrusion was linked to a third-party vendor, forcing them to launch comprehensive investigations and notify affected clients.

Similarly, Workday’s announcement of a breach traced back to the same external service provider underscores the widespread nature of the threat. These events have put a spotlight on the security posture of vendors and the due diligence required to protect against supply chain attacks.

In addition to these high-profile incidents, our weekly recap delves into other essential security updates, newly discovered vulnerabilities, and patches released by major software developers.

We will analyze the technical details behind the breaches at Tenable, Qualys, and Workday, examine the broader implications for enterprise security, and provide insights into the latest threat intelligence to help you stay ahead of emerging risks.

Threats

Lazarus APT Employs “ClickFix” Social Engineering in Espionage Campaigns

The North Korean-linked Lazarus APT group is now using the “ClickFix” social engineering technique to deploy malware and steal sensitive intelligence. This method involves tricking victims with fake technical problems and guiding them through malicious “fixes”. In a recent campaign, the group used this technique within fake job recruitment scenarios. Victims were lured to fraudulent interview websites and told they had camera configuration issues. The provided “fix” was a malicious batch script that downloaded the BeaverTail information-stealing malware, disguised as an NVIDIA driver update.

The attack is designed for both Windows and macOS, demonstrating the group’s cross-platform capabilities. The malware establishes persistence through registry modifications and communicates with multiple command-and-control servers to ensure long-term access to compromised systems.

US-China Trade Talks Targeted by APT41 Malware Campaign

U.S. federal authorities are investigating a sophisticated malware campaign attributed to the China-linked APT41 hacking group, which targeted sensitive trade negotiations between Washington and Beijing in July 2025. The attackers sent fraudulent emails impersonating U.S. Representative John Moolenaar, chairman of a House committee on China. The emails were sent to U.S. trade groups, law firms, and government agencies with the goal of harvesting intelligence on America’s trade strategies.

The emails used subject lines like “Your insights are essential” and contained malicious attachments disguised as draft legislation. Opening the attachment would deploy malware, giving attackers access to the target’s network. The attack’s timing was strategic, occurring just before key trade talks. The FBI and U.S. Capitol Police are investigating the incident.

LunaLock Ransomware Gang Threatens to Train AI with Stolen Art

A new ransomware group known as LunaLock is targeting independent artists with a novel extortion tactic: threatening to use their stolen artwork to train AI models. The group recently breached “Artists & Clients,” a digital marketplace for illustrators, stealing and encrypting creative works and personal data. The attackers demanded a ransom of up to $80,000, warning that if it wasn’t paid, all stolen artwork would be submitted to AI training datasets sold to major tech companies.

This is considered the first known instance of a ransomware group using the threat of AI training as leverage. The attack has left freelance artists vulnerable, with stolen data including portfolios, commission archives, and private chats.

MostereRAT Malware Targets Windows Systems with Advanced Evasion Tactics

A new Remote Access Trojan (RAT) named MostereRAT is targeting Microsoft Windows systems through a phishing campaign. Written in Easy Programming Language (EPL), a language rarely seen in cyberattacks, the malware uses multiple layers of advanced evasion techniques to gain complete control over compromised machines. The campaign primarily targets Japanese users with phishing emails disguised as business inquiries.

MostereRAT can disable security tools, block antivirus traffic, escalate privileges by mimicking the powerful TrustedInstaller account, and install remote access tools like AnyDesk and TightVNC. Its ability to interfere with security protections makes it a significant threat.

Salat Stealer Malware Offered as a Service for Data Exfiltration

A sophisticated Go-based information stealer called Salat Stealer is actively targeting Windows systems to exfiltrate browser credentials, cryptocurrency wallet data, and session information. Operating under a Malware-as-a-Service (MaaS) model, it is likely run by Russian-speaking actors and provides a turnkey solution for cybercriminals.

The malware uses advanced techniques to achieve persistence and evade detection, including UPX packing, process masquerading, registry run keys, and scheduled tasks. It encrypts stolen data before sending it to its command-and-control server, making it a stealthy and persistent threat capable of causing financial loss and identity theft.

Scattered LAPSUS$ Hunters Hacking Group Announces Permanent Shutdown

The notorious cybercrime collective known as “Scattered LAPSUS$ Hunters 4.0” has announced it is permanently ceasing public operations. The declaration was made on their Telegram channel on September 8, 2025, marking an abrupt end for a group known for high-profile attacks against major corporations using sophisticated social engineering and identity-centric tactics.

The group’s strategy was often described as “log in, not hack in,” focusing on compromising legitimate user accounts to bypass traditional security defenses. Their methods included voice phishing (vishing), SIM swapping, and MFA fatigue attacks. The reasons for their sudden departure remain unclear, with speculation pointing to internal pressures or law enforcement intervention.

Cyber Attacks

Massive Supply Chain Attack Hits 18 Popular NPM Packages

A major supply chain attack compromised 18 popular npm packages, including chalk, debug, and supports-color, which collectively have over two billion weekly downloads. The attack, which started around September 8, 2025, involved injecting malicious code designed to steal cryptocurrency from users. The malware intercepts and manipulates in-browser cryptocurrency transactions, rewriting wallet addresses to redirect funds to attacker-controlled accounts. The maintainer of the packages fell victim to a phishing attack after receiving a fraudulent email from a domain masquerading as npm support.

Jaguar Land Rover Halts Production Following Cyberattack

Jaguar Land Rover (JLR) was forced to shut down production at its UK manufacturing plants and has suspended its global operations following a significant cyberattack. The company is currently investigating the incident and is working to restore its systems. The full extent of the attack and the financial impact have not yet been disclosed. This incident highlights the increasing trend of cyberattacks targeting the automotive industry, causing major disruptions to supply chains and production lines.

New Cyberattack Weaponizes DeskSoft’s App Builder

A new cyberattack campaign is exploiting a legitimate application from DeskSoft, a German software company, to deploy malware. Attackers are using DeskSoft’s application builder to create malicious installers that appear to be genuine software. When executed, these installers deploy malware onto the victim’s system. This technique allows attackers to bypass some security measures that might otherwise flag a standalone malicious file.

DarkSamurai APT Group Uses Malicious LNK Files in New Campaign

The DarkSamurai APT group has been identified in a new campaign that uses malicious LNK files to compromise targets. The group, known for its targeted attacks, hides malicious payloads within these shortcut files. Once a user clicks the LNK file, it executes a script that downloads and runs malware on the system. This method is part of a larger trend of threat actors using non-executable file types to initiate infections and evade detection.

Novel Phishing Attack Mimics Google AppSheet to Bypass Security

A new and sophisticated phishing campaign is using Google AppSheet to create convincing phishing pages that bypass traditional email security filters. Attackers are leveraging the legitimate Google service to host malicious forms and pages, making them appear trustworthy to victims. The phishing emails often impersonate well-known services and prompt users to enter their credentials on the fraudulent AppSheet page. This technique abuses the trust associated with Google’s domains to increase the success rate of the phishing attacks.

Vulnerabilities

Salesloft-Drift Cyberattack Linked to GitHub Compromise

A major supply-chain attack that affected over 700 organizations, including Cloudflare, Zscaler, and Palo Alto Networks, has been traced back to a compromise of Salesloft’s GitHub account starting as early as March 2025. Threat actors leveraged this access to steal OAuth authentication tokens from Salesloft’s Drift chat platform. The attackers, identified by Google as UNC6395, used the stolen tokens between August 8 and August 18 to exfiltrate data, primarily business contact information, from customers’ integrated applications like Salesforce. In response, Salesloft engaged Mandiant for an investigation, took the Drift platform offline, and has since contained the incident.

Windows Defender Vulnerable to Service Hijacking

A severe vulnerability in Windows Defender’s update process allows an attacker with administrator privileges to disable the security service by leveraging a symbolic link attack. The flaw lies in how the WinDefend service selects its execution folder during an update. An attacker can create a symbolic link with a higher version number in the ProgramData\Microsoft\Windows Defender\Platform\ directory, redirecting the service to an attacker-controlled folder. This allows them to manipulate Defender’s core files, perform DLL side-loading attacks, or simply delete the executables to disable the service, leaving the system unprotected.
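A defender-side check for the condition described above, added here as an example (not code from the article, from Microsoft, or from the researchers): list the subfolders of the Platform directory and flag any that is a reparse point, treating the one that also sorts highest by version as the most serious. The folder-name pattern (`4.18.24090.11-0`), the version-ordered selection rule and the sample entries are assumptions.

```python
"""Added example: audit the Defender Platform directory for reparse points
(symbolic links or NTFS junctions). Folder-name pattern, selection rule and
sample entries are assumptions, not taken from the article."""
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Path named in the article's description of the flaw.
PLATFORM_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform"
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-\d+)?$")


@dataclass
class PlatformEntry:
    name: str
    is_reparse_point: bool  # True for a symlink or an NTFS junction


def parse_version(name: str) -> Optional[Tuple[int, ...]]:
    """'4.18.24090.11-0' -> (4, 18, 24090, 11); None for non-version names."""
    m = VERSION_RE.match(name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def highest_version_entry(entries: List[PlatformEntry]) -> Optional[PlatformEntry]:
    """The folder a version-ordered selection would pick (assumed rule)."""
    versioned = [(parse_version(e.name), e) for e in entries]
    versioned = [(v, e) for v, e in versioned if v is not None]
    return max(versioned, key=lambda ve: ve[0])[1] if versioned else None


def audit(entries: List[PlatformEntry]) -> List[str]:
    """Flag reparse points; the one that also sorts highest is the most serious,
    because a version-ordered selection would hand the service to its target."""
    top = highest_version_entry(entries)
    findings = []
    for e in entries:
        if parse_version(e.name) is None:
            findings.append(f"WARNING: non-version folder in Platform dir: {e.name}")
        elif e.is_reparse_point:
            sev = "CRITICAL" if e is top else "WARNING"
            findings.append(f"{sev}: reparse point in Platform dir: {e.name}")
    return findings


def scan_live_directory(path: str = PLATFORM_DIR) -> List[PlatformEntry]:
    """Collect real entries on a Windows host (needs read access to the path)."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            reparse = d.is_symlink() or bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)
            entries.append(PlatformEntry(d.name, reparse))
    return entries


# Constructed sample: two genuine folders, one planted link that sorts highest,
# and a stray non-version folder.
SAMPLE_ENTRIES = [
    PlatformEntry("4.18.24090.11-0", False),
    PlatformEntry("4.18.24100.1-0", False),
    PlatformEntry("9.9.99999.1-0", True),
    PlatformEntry("Temp", False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES):
        print(line)
```

On a live host, replace `SAMPLE_ENTRIES` with `scan_live_directory()`; a reparse point in this directory is worth an alert regardless of how it sorts.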

SAP Releases September 2025 Security Patch Day Updates

SAP has released its September 2025 Security Patch Day, addressing 17 new security notes and updating 3 previous ones. The updates include two “Hot News” vulnerabilities with a CVSS score of 10.0, which affect SAP NetWeaver AS for Java. These critical flaws, tracked as CVE-2025-41235 and CVE-2025-41236, could allow an unauthenticated attacker with network access to gain full control of the system. Another high-severity vulnerability (CVSS 8.1) in SAP CRM WebClient UI was also patched.

Zoom Patches High-Severity Flaw in Meeting SDK

Zoom has issued a security update for its Meeting SDK for Windows, addressing a high-severity improper input validation vulnerability (CVE-2025-42993). This flaw, which has a CVSS score of 7.5, could allow an authenticated user to cause a denial of service via network access. The vulnerability affects Zoom Meeting SDK for Windows versions before 5.17.10. Users and administrators are advised to update to the patched version to mitigate the risk.

Ivanti Patches Critical RCE Flaws in Endpoint Manager (EPM)

Ivanti has addressed several critical remote code execution (RCE) vulnerabilities in its Endpoint Manager (EPM) software. The most severe of these, with a CVSS score of 9.8, could allow an unauthenticated attacker to execute arbitrary code on the core server. These vulnerabilities affect all supported versions of Ivanti EPM. The company has released patches and strongly recommends that all customers apply them immediately to prevent potential exploitation.

Fortinet Fixes Critical FortiDDoS OS Command Injection Flaw

Fortinet has patched a critical OS command injection vulnerability in FortiDDoS, its distributed denial-of-service mitigation appliance. Tracked as CVE-2025-44365, the flaw has a CVSS score of 9.8 and allows an authenticated attacker to execute arbitrary commands on the system via specially crafted HTTP requests. The vulnerability impacts multiple versions of FortiDDoS. Fortinet has released updated firmware versions to address the issue and urges customers to upgrade their appliances as soon as possible.

Microsoft’s September 2025 Patch Tuesday Fixes 62 Flaws

Microsoft’s September 2025 Patch Tuesday release includes fixes for 62 vulnerabilities, with five classified as critical. Key patches address remote code execution flaws in Microsoft Exchange Server, Windows DHCP Server, and Visual Studio. One of the Exchange vulnerabilities (CVE-2025-23875) is noted as “Exploitation More Likely.” Additionally, a zero-day elevation of privilege vulnerability in the Windows Kernel (CVE-2025-23974), which was publicly disclosed, has also been patched.

Data Breaches

Widespread Supply Chain Attack Hits Major Tech Firms via Salesloft Drift

A sophisticated and widespread supply chain attack targeting the Salesloft Drift marketing application has resulted in data breaches at numerous major technology companies. The campaign allowed threat actors to gain unauthorized access to data stored within the companies’ Salesforce CRM environments by exploiting a vulnerability in the third-party integration. The incident highlights the significant risks associated with third-party applications integrated into core business platforms.

Tenable Confirms Customer Data Exposure

Tenable confirmed it was impacted by the breach, which exposed customer contact information and details from support cases. The compromised data, stored in Tenable’s Salesforce instance, included names, business email addresses, phone numbers, and the subject lines of support inquiries. The company emphasized that its core products were not affected and has since revoked compromised credentials and disabled the vulnerable application to mitigate the threat.

Qualys’s Salesforce Data Accessed in Attack

Cloud security provider Qualys announced it also fell victim to the supply chain attack, leading to unauthorized access to some of its Salesforce data. Qualys clarified that the incident did not affect its production environments or the Qualys Cloud Platform. The breach was limited to information accessible through the compromised Salesloft Drift integration.

Dynatrace Breach Exposes Customer Contact Info

Observability platform Dynatrace reported that the breach exposed customer business contact information stored within its Salesforce environment. The company reassured its customers that the incident was contained to its CRM platform and did not compromise any of its core products, services, or sensitive customer telemetry data. Dynatrace promptly disabled the Drift application upon learning of the third-party compromise.

Elastic Discloses Email Account Compromise

In a related incident stemming from the Salesloft Drift compromise, Elastic disclosed that an unauthorized actor gained read-only access to a single email account via the “Drift Email” integration. The company’s investigation confirmed that its Salesforce environment was not impacted. Elastic scanned the exposed inbox for sensitive information and notified the small number of customers whose credentials may have been compromised.

Workday Targeted in Coordinated Campaign

Workday, a leading provider of enterprise cloud applications, confirmed it suffered a data breach as part of the same attack campaign. The incident, which Workday became aware of on August 23, 2025, involved unauthorized access to its third-party CRM platform through the Salesloft Drift application. The company responded by disconnecting the app and launching a full investigation.

Tools

SpamGPT: AI-Powered Phishing-as-a-Service

A new cybercrime toolkit named SpamGPT is being sold on the dark web, allowing attackers to launch large-scale, effective phishing campaigns. The “spam-as-a-service” platform uses an AI assistant, “KaliGPT,” to automate the creation of convincing phishing emails, lowering the technical skill required to conduct such attacks. SpamGPT is marketed as an all-in-one solution that mimics legitimate email marketing services but is designed for illegal activities. It abuses trusted cloud services like Amazon AWS and SendGrid to ensure inbox delivery and bypass security filters. For $5,000, the toolkit also includes a training program for compromising SMTP servers, enabling even low-skilled actors to execute widespread attacks. This development underscores the need for organizations to implement strong email authentication protocols like DMARC, SPF, and DKIM, and to deploy AI-powered security solutions to detect AI-generated phishing content.
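The recommendation above is only as strong as the published policy, so here is an added example (not from the article) that grades SPF and DMARC TXT records for the weak settings that let spoofed mail through. The record strings are constructed; a live check would first fetch the TXT records for the domain and its `_dmarc` subdomain.

```python
"""Added example: grade SPF and DMARC records for weak settings.
Sample records are constructed, not taken from the article."""
import re
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:r@x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the weaknesses of a DMARC record; an empty list means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if not policy:
        issues.append("missing p= tag: receivers treat the record as invalid")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: move to p=reject once aggregate reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are never received")
    return issues


def assess_spf(record: str) -> List[str]:
    """Return the weaknesses of an SPF record, judged by its 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    redirect = any(t.lower().startswith("redirect=") for t in terms[1:])
    if not all_terms and not redirect:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    for term in all_terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' authorises every sender: SPF gives no protection")
        elif qualifier == "?":
            issues.append("'?all' is neutral: equivalent to having no policy")
        elif qualifier == "~":
            issues.append("'~all' softfail: move to '-all' once every sender is listed")
    return issues


# Constructed sample records for a weak and a hardened configuration.
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, fn in [("SPF", WEAK_SPF, assess_spf), ("DMARC", WEAK_DMARC, assess_dmarc)]:
        print(label, rec, "->", fn(rec) or ["ok"])
```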

Forensic Analysis of Microsoft Azure Storage

Security researchers have detailed a forensic methodology for investigating security incidents within Microsoft Azure Storage services. The process involves collecting and analyzing logs from various sources, including Azure Monitor Logs, Storage Analytics Logs, and Microsoft Defender for Cloud. Key artifacts in an investigation include access patterns, IP addresses, user agents, and API call authentications, which help in reconstructing the attacker’s activities. Understanding shared access signature (SAS) token abuse and identifying anomalous data access or exfiltration are critical components of the analysis. The research provides a structured approach for security teams to effectively respond to and investigate threats in cloud storage environments, which are increasingly targeted by attackers.
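To make the SAS-abuse part of that methodology concrete, here is an added example (not from the article or the cited research) that triages Azure Storage resource-log records: it groups SAS-authenticated requests by token hash and caller IP and flags unknown sources, container enumeration, bulk egress and authorization failures. Field names follow the Azure Storage resource log schema (`operationName`, `callerIpAddress`, `identity.type`, `properties.responseBodySize`, `uri`); the records, the known-client prefixes and the egress threshold are constructed.

```python
"""Added example: triage Azure Storage resource logs for SAS-token abuse.
Records, allow-list and thresholds are constructed, not taken from the article."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed: address prefixes the business normally reaches storage from.
KNOWN_CLIENT_PREFIXES = ("10.", "203.0.113.")
# Constructed: bytes returned per (token, caller IP) that count as bulk egress.
EGRESS_THRESHOLD_BYTES = 50 * 1024 * 1024

# Constructed records in the Azure Storage resource-log layout (one JSON object per line).
SAMPLE_LOG = """
{"time":"2025-09-09T02:14:01Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"10.1.4.7:53122","identity":{"type":"OAuth"},"properties":{"userAgentHeader":"azsdk-python-storage-blob/12.19.0","responseBodySize":4096},"uri":"https://acct.blob.core.windows.net/reports/q3.pdf"}
{"time":"2025-09-09T03:01:12Z","operationName":"ListBlobs","statusCode":200,"callerIpAddress":"198.51.100.9:44120","identity":{"type":"SAS","tokenHash":"ab12"},"properties":{"userAgentHeader":"Mozilla/5.0","responseBodySize":8000},"uri":"https://acct.blob.core.windows.net/hr?restype=container&comp=list"}
{"time":"2025-09-09T03:01:40Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"198.51.100.9:44121","identity":{"type":"SAS","tokenHash":"ab12"},"properties":{"userAgentHeader":"Mozilla/5.0","responseBodySize":41943040},"uri":"https://acct.blob.core.windows.net/hr/payroll.csv"}
{"time":"2025-09-09T03:02:05Z","operationName":"GetBlob","statusCode":200,"callerIpAddress":"198.51.100.9:44122","identity":{"type":"SAS","tokenHash":"ab12"},"properties":{"userAgentHeader":"Mozilla/5.0","responseBodySize":20971520},"uri":"https://acct.blob.core.windows.net/hr/benefits.csv"}
{"time":"2025-09-09T03:05:00Z","operationName":"GetBlob","statusCode":403,"callerIpAddress":"198.51.100.9:44123","identity":{"type":"SAS","tokenHash":"ab12"},"properties":{"userAgentHeader":"Mozilla/5.0","responseBodySize":0},"uri":"https://acct.blob.core.windows.net/finance/ledger.xlsx"}
"""


def parse_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_ip(rec: dict) -> str:
    """callerIpAddress is logged as 'ip:port'; keep only the address."""
    return rec.get("callerIpAddress", "").rsplit(":", 1)[0]


def is_known_client(ip: str) -> bool:
    return ip.startswith(KNOWN_CLIENT_PREFIXES)


def triage_sas_usage(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Group SAS-authenticated requests by (token hash, caller IP) and return
    the suspicious groups with the reasons each one was flagged."""
    groups: Dict[tuple, List[dict]] = defaultdict(list)
    for rec in records:
        if rec.get("identity", {}).get("type") == "SAS":
            groups[(rec["identity"].get("tokenHash", "?"), caller_ip(rec))].append(rec)

    findings: Dict[str, List[str]] = {}
    for (token, ip), recs in groups.items():
        notes = []
        if not is_known_client(ip):
            notes.append("SAS token used from an unrecognised address")
        if any(r["operationName"] == "ListBlobs" for r in recs):
            notes.append("container enumeration with a SAS token")
        egress = sum(r["properties"].get("responseBodySize", 0) for r in recs)
        if egress > EGRESS_THRESHOLD_BYTES:
            notes.append(f"bulk egress of {egress} bytes")
        if any(r["statusCode"] == 403 for r in recs):
            notes.append("authorization failures: token scope being probed")
        if notes:
            findings[f"sas:{token}@{ip}"] = notes
    return findings


if __name__ == "__main__":
    for key, notes in triage_sas_usage(parse_records(SAMPLE_LOG)).items():
        print(key, "->", "; ".join(notes))
```

The same grouping works on records exported from a Log Analytics workspace; in practice the allow-list should come from the storage account's network rules and the threshold from the account's normal daily read volume.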

Hackers Exploit Microsoft Teams for Malicious Link Delivery

Cybercriminals are increasingly exploiting Microsoft Teams to deliver malicious links, bypassing traditional email security gateways. A new attack campaign uses compromised accounts to send messages containing seemingly legitimate links, such as for shared documents or meeting invitations. When a user clicks the link, they are redirected through a series of servers to a phishing page designed to steal credentials or a landing page that delivers malware. Because the links are shared within the trusted environment of Teams, users are more likely to click on them. The technique highlights a shift in attack vectors as threat actors adapt to target collaboration platforms that have become central to modern business operations.

The Rise of “Evil AI”: AI-Enhanced Hacking Tools

A new category of AI-enhanced tools, dubbed “Evil AI,” is emerging, designed specifically for malicious purposes like spreading disinformation, creating deepfakes, and launching sophisticated cyberattacks. Unlike general-purpose AI models that may have safeguards, these tools are built without ethical constraints to aid cybercriminals. They can be used to generate highly convincing phishing emails, create malware that can alter its code to evade detection (polymorphic malware), and automate vulnerability discovery. The development of such tools represents a significant threat, as it can accelerate the pace and scale of cybercrime.

Villager: An AI-Powered Penetration Testing Tool

A new open-source tool called Villager leverages AI to enhance penetration testing and red team operations. Villager acts as an AI-powered agent that can assist with various stages of an attack, from reconnaissance and vulnerability scanning to privilege escalation and lateral movement. The tool can interpret natural language commands, allowing security professionals to direct the AI to perform complex tasks, such as “find all web servers vulnerable to SQL injection on this network.” By integrating with existing penetration testing frameworks and tools, Villager aims to augment the capabilities of security testers, allowing them to operate more efficiently and effectively.

Analysis

Salesloft Breach Traced to GitHub Compromise, Affecting 700+ Companies

A massive supply-chain attack that targeted customers of Salesloft’s Drift integration has been traced back to a compromised GitHub account. The incident, which unfolded in August 2025, impacted over 700 organizations, including high-profile tech companies like Cloudflare, Zscaler, and Palo Alto Networks.

Investigators from Google’s Mandiant unit revealed that an unauthorized actor had access to Salesloft’s GitHub account from March to June 2025. During this time, the threat actor, tracked as UNC6395, stole OAuth authentication tokens for the Drift platform. These tokens were then used between August 8 and August 18 to gain unauthorized access to customers’ connected applications, most notably Salesforce instances. The attackers exfiltrated sensitive data, including customer relationship management (CRM) records, support cases, and embedded secrets like API keys. The breach extended beyond Salesforce to other integrations like Google Workspace and Slack. In response, Salesloft and Salesforce globally disabled all Drift integrations on August 20, and the Drift application was taken offline on September 5, 2025.

New ClickFix Attack Lures Victims with “Free WiFi” Offer

A new social engineering campaign is using the promise of “Free WiFi” to trick users into executing malicious PowerShell malware. This attack is a variant of the ClickFix technique, a method that has seen a 517% surge in the first half of 2025.

The ClickFix tactic deceives users by presenting a fake error message, CAPTCHA, or other lure that instructs them to copy and paste a script into a command-line interface to “fix” a non-existent problem. Because the victim runs the malicious code themselves, this technique effectively bypasses many browser and endpoint security protections. This attack vector is used to deliver a wide range of malware, including information stealers, ransomware, and remote access trojans (RATs). First observed in early 2024, the ClickFix method has become a popular and effective tool for threat actors.

Nmap vs. Wireshark: Understanding Two Essential Network Tools

Nmap and Wireshark are fundamental tools in network analysis and security, but they serve distinct purposes. Nmap is an active scanner, while Wireshark is a passive analyzer.

Nmap (Network Mapper) is used for network discovery and security auditing. It actively sends packets to a network to discover hosts, identify open ports, detect running services, and fingerprint operating systems. It gives a high-level map of the network and its potential vulnerabilities.

Wireshark is a network protocol analyzer that captures and provides a detailed, low-level view of traffic on a network in real-time. It doesn’t send packets itself but listens to data traveling across the network. It’s used for troubleshooting network problems, examining security issues, and deep-diving into specific communication protocols by inspecting the contents of individual packets.

In practice, the tools are complementary. An administrator might use Nmap to identify an unusual open port and then use Wireshark to capture and analyze the traffic going to and from that port to understand what is happening.

The post Weekly Cybersecurity News Recap: Tenable, Qualys, Workday Data Breaches and Security Updates appeared first on Cyber Security News.

Source: cybersecuritynews.com
