Daily Brief


Total articles found: 11770

Checks for new stories every ~15 minutes

2025-08-29 13:23:07 theregister VULNERABILITIES Passwordstate Urges Immediate Update to Fix Critical Access Vulnerability
Passwordstate's latest vulnerability affects up to 29,000 organizations and 370,000 IT professionals, including sectors like government, finance, and defense. The flaw allows attackers to exploit an authentication bypass using a "carefully crafted URL," granting full administrator access via the Emergency Access portal. Click Studios has released Passwordstate Build 9972, addressing the vulnerability and a related clickjacking issue, urging immediate updates. The vulnerability is rated "high" due to its ease of exploitation, though email alerts are triggered upon unauthorized access attempts. This is the fourth authentication bypass flaw identified in Passwordstate 9, raising concerns over the software's security posture. To mitigate risks, administrators are advised to restrict Emergency Access portal access by IP address and apply the latest patch. Organizations using Passwordstate should assess their exposure and ensure rapid deployment of security updates to maintain system integrity.
2025-08-29 13:23:07 thehackernews NATION STATE ACTIVITY Amazon Thwarts APT29's Watering Hole Campaign Exploiting Microsoft Authentication
Amazon identified and disrupted a watering hole campaign linked to APT29, a Russian state-sponsored group, targeting Microsoft device code authentication to gather intelligence. The campaign involved compromising legitimate websites to redirect users to malicious domains mimicking Cloudflare, tricking them into authorizing attacker-controlled devices. APT29, also known as Cozy Bear, has been active in targeting Ukrainian entities and leveraging phishing techniques to access Microsoft 365 accounts. The threat actor employed evasion tactics like Base64 encoding and cookie settings to avoid detection and maintain persistence in their operations. Amazon's intervention forced APT29 to shift infrastructure, yet the group continued its efforts by registering new domains to sustain their attack strategy. This incident reflects APT29's adaptive capabilities and persistent focus on expanding their intelligence collection through sophisticated cyber operations. Organizations are urged to enhance monitoring and authentication security to mitigate risks from such advanced persistent threats.
2025-08-29 13:15:06 thehackernews NATION STATE ACTIVITY Abandoned Sogou Zhuyin Server Exploited in Espionage Campaign
A hijacked server from the Sogou Zhuyin IME software was used in a targeted espionage campaign affecting users in East Asia, with Taiwan being the most impacted. The campaign, named TAOTH, involved sophisticated malware delivery methods, including hijacked software updates and fake cloud storage pages, to collect sensitive data. Threat actors leveraged the abandoned domain sogouzhuyin[.]com to distribute malware families like GTELAM and C6DOOR, enabling remote access and data theft. The attack chain exploited the automatic update feature of Sogou Zhuyin, redirecting users to malicious domains to initiate the malware download process. Phishing tactics were also employed, using decoy documents and booby-trapped URLs to execute multi-stage attacks and gain unauthorized access to cloud services. The operation shares similarities with past activities by ITOCHU, indicating a persistent threat actor focused on reconnaissance and espionage. Organizations are advised to audit and remove unsupported software and scrutinize cloud application permissions to mitigate such threats effectively.
2025-08-29 11:51:04 theregister DATA BREACH UK Government Faces Scrutiny Over Afghan Data Breach Response
UK officials are summoned to explain incomplete security reforms following a 2021 Afghan data breach, with only 12 of 14 recommendations implemented from a secret review. The review, conducted in 2023, examined 11 major UK data breaches since 2008, including significant incidents involving the Ministry of Defence and police forces. Common issues identified include inadequate controls over downloads and email errors leading to sensitive data exposure, highlighting systemic weaknesses in data handling. The review's recommendations, with deadlines extending to August 2024, focus on enhancing technical controls and improving data protection visibility within government agencies. The Science, Innovation and Technology Committee seeks clarity on the unimplemented recommendations and the rationale for keeping the review secret. Officials stress the need for public trust in government data security to support economic and public sector transformation ambitions. Information Commissioner John Edwards and senior minister Pat McFadden emphasize the urgency of fully implementing the review's recommendations to prevent future breaches.
2025-08-29 10:31:30 thehackernews VULNERABILITIES Enhancing Data Loss Prevention for Generative AI Platforms
Generative AI platforms like ChatGPT and Copilot are increasingly integrated into business operations, posing new data leak challenges as sensitive information may be shared inadvertently. Traditional Data Loss Prevention (DLP) tools often fail to detect AI-driven data exchanges, necessitating advanced solutions like Fidelis Network® Detection and Response (NDR) for comprehensive monitoring. NDR technologies focus on network visibility, identifying threats as they traverse the network, even when data is encrypted, thus enhancing data protection strategies. Organizations can implement GenAI DLP solutions using URL-based indicators, real-time alerts, and metadata monitoring to manage AI usage effectively. Monitoring risky file uploads to AI platforms is crucial, especially when dealing with sensitive information, ensuring compliance and data security. A comprehensive AI data protection strategy involves periodic policy reviews and updates to adapt to emerging AI services and business applications. Fidelis NDR exemplifies modern network-based DLP solutions, enabling a balance between AI adoption and robust data protection, maintaining productivity and compliance.
2025-08-29 10:00:36 thehackernews VULNERABILITIES Click Studios Releases Patch for Passwordstate Authentication Bypass Flaw
Click Studios has issued a security update for Passwordstate, addressing an authentication bypass vulnerability in its Emergency Access page, enhancing the software's security posture. The vulnerability, not yet assigned a CVE, was patched in Passwordstate 9.9 (Build 9972), released on August 28, 2025, to prevent unauthorized access. The update also includes improved defenses against clickjacking attacks on its browser extension, protecting users from potential data theft on compromised sites. Security researcher Marek Tóth identified the clickjacking threat, which could allow attackers to steal sensitive information, including login credentials and personal data. Passwordstate is utilized by 29,000 customers worldwide, including major enterprises and government agencies, underscoring the importance of timely updates. This patch follows past security incidents, including a 2022 authentication bypass and a 2021 supply chain breach, highlighting ongoing vigilance in securing password management solutions. Organizations using Passwordstate are advised to apply the latest updates to mitigate potential security risks and protect sensitive information.
2025-08-29 09:47:42 thehackernews VULNERABILITIES Critical Zero-Day Vulnerability in FreePBX Demands Immediate Attention
Sangoma's FreePBX platform faces a zero-day vulnerability, CVE-2025-57819, allowing unauthorized database manipulation and remote code execution through exposed administrator control panels. The flaw, rated with a CVSS score of 10.0, affects versions 16 and 17, particularly those lacking robust IP filtering or access control lists. Exploitation has been active since August 21, 2025, with attackers potentially escalating privileges to root-level access on compromised systems. Sangoma urges users to upgrade to the latest FreePBX versions and restrict public access to the administrator control panel to mitigate risks. Organizations are advised to scan for indicators of compromise and disconnect affected systems immediately to limit potential damage. This vulnerability highlights the persistent threat to PBX platforms, often targeted by ransomware gangs and fraud groups for unauthorized billing activities. Proactive measures and timely patching are critical to safeguarding communication infrastructures against such severe vulnerabilities.
2025-08-29 09:07:57 thehackernews CYBERCRIME Authorities Dismantle VerifTools Fake-ID Marketplace, Operators Resurface Quickly
U.S. and Dutch authorities have dismantled VerifTools, a marketplace selling fake IDs, seizing domains and servers in Amsterdam. The FBI led the operation under a U.S. District Court warrant. Despite the takedown, VerifTools operators have relaunched on a new domain, veriftools[.]com, indicating resilience and adaptability in continuing their illicit activities. VerifTools provided counterfeit identification documents for all U.S. states and other countries, facilitating unauthorized access to online accounts and bypassing identity verification systems. The FBI's investigation, initiated in 2022, linked approximately $6.4 million in illicit proceeds to the marketplace, highlighting its significant financial impact. The Department of Justice emphasized the legal consequences for those involved in producing and selling tools for identity fraud, pledging continued efforts to disrupt such operations. The Dutch National Police seized over 21 virtual servers, securing the entire infrastructure for further analysis, underscoring the scale and sophistication of the operation. The platform exploited weaknesses in Know Your Customer (KYC) processes, enabling criminals to commit fraud, including bank helpdesk fraud and phishing, with ease.
2025-08-29 07:26:59 thehackernews DATA BREACH Google Warns of Salesloft OAuth Breach Affecting Multiple Integrations
Google has identified a broader impact of the Salesloft OAuth breach, affecting all integrations beyond Salesforce, with potential risks to authentication tokens. Attackers exploited stolen OAuth tokens to access a limited number of Google Workspace email accounts, specifically targeting the Drift Email integration. The breach does not compromise Google Workspace or Alphabet; only accounts configured with Salesloft integrations were potentially accessed. Google has revoked affected OAuth tokens, disabled integration functions, and notified impacted users as part of their response strategy. Organizations using Salesloft Drift are advised to review third-party integrations, revoke and rotate credentials, and examine systems for unauthorized access. The attack is linked to a data theft campaign by UNC6395, leveraging compromised OAuth tokens to target Salesforce instances. Salesforce has temporarily disabled all Salesloft integrations, including those with Slack and Pardot, as a precautionary measure.
2025-08-29 04:18:26 thehackernews MALWARE TamperedChef Malware Uses Fake PDF Editors to Steal Credentials
Cybercriminals are deploying TamperedChef malware through fake PDF editors, deceiving users into downloading a trojanized application that harvests credentials and web cookies. The campaign leverages malvertising techniques, directing victims to fraudulent sites offering a free PDF editor called AppSuite PDF Editor. Once installed, the software covertly communicates with external servers to establish persistence and execute malicious routines upon system reboot. The malware campaign began on June 26, 2025, utilizing at least five Google advertising campaigns to maximize exposure and downloads. From August 21, 2025, the malware activated its data-stealing capabilities, targeting sensitive information by terminating web browsers to access stored credentials. Analysis reveals the malware also functions as a backdoor, potentially turning compromised systems into residential proxies without user consent. Organizations are advised to monitor for unauthorized software installations and employ robust endpoint protection to mitigate such threats.
2025-08-29 00:09:14 theregister NATION STATE ACTIVITY FBI Warns of Extensive Chinese Espionage Campaign Impacting Millions
China's Salt Typhoon espionage campaign has compromised data from millions of Americans, affecting over 80 countries and targeting telecommunications networks since at least 2019. The FBI's cyber division emphasizes the widespread nature of the breach, affecting nearly every American and extending beyond traditional espionage targets. US authorities, alongside international partners, identified three Chinese companies linked to the espionage activities, allegedly supporting China's Ministry of State Security. The campaign's tactics include geo-locating mobile users, monitoring internet traffic, and intercepting communications, impacting over 100 high-profile US officials. This breach is considered one of the most significant espionage incidents in the US, with implications for national security and international cybersecurity norms. The FBI stresses the need for enhanced cybersecurity measures, including system updates and removal of outdated devices, to combat evolving threats from state-sponsored actors. Additional warnings have been issued about other Chinese cyber operations, such as Volt Typhoon and Silk Typhoon, targeting critical infrastructure and sensitive data globally.
2025-08-28 22:10:45 bleepingcomputer DATA BREACH Salesloft Drift Breach Expands, Impacts Google Workspace Accounts
Google reported that the Salesloft Drift breach affected a small number of Google Workspace accounts via compromised OAuth tokens, expanding beyond initial assessments. Attackers accessed Salesforce instances using stolen tokens, executing queries to extract sensitive data, including AWS keys and passwords, for potential further exploitation. The activity, attributed to the threat cluster tracked as UNC6395, saw attackers using OAuth tokens to access Google Workspace emails linked to Drift, though no broader Google Workspace compromise occurred. Google has revoked the compromised tokens and notified affected customers, while disabling the Drift Email integration with Google Workspace during ongoing investigations. Organizations using Drift are advised to treat all authentication tokens as compromised, revoking and rotating them and thoroughly investigating connected systems for unauthorized access. Salesloft has engaged cybersecurity firms Mandiant and Coalition to assist with the investigation, and Salesforce has disabled Drift integrations with its platform, Slack, and Pardot. This incident underscores the importance of securing third-party integrations and regularly reviewing authentication tokens to prevent unauthorized data access.
2025-08-28 20:07:03 theregister MISCELLANEOUS DHS Plans $100 Million Investment in Counter-Drone Technology
The Department of Homeland Security (DHS) intends to invest over $100 million in Counter-Unmanned Aircraft Systems (C-UAS) to mitigate threats from unauthorized drones. This procurement aims to enhance the detection, tracking, and neutralization of drone threats, safeguarding critical infrastructure and national security. C-UAS technologies under consideration include handheld anti-drone rifles, wearable systems, and truck-mounted units, with potential deployment across diverse environments. The solicitation for these systems is expected to be published on September 8, with contract awards anticipated early next year. The initiative arises amid concerns over drone use in civilian surveillance and incidents like a drone collision with a firefighting aircraft in California. DHS's drone-related activities have sparked legislative actions, with bills proposed to limit drone surveillance on civilians, reflecting broader privacy and security concerns. The strategic move aligns with global trends, as drones increasingly feature in military conflicts and domestic security challenges worldwide.
2025-08-28 19:37:38 theregister MISCELLANEOUS Vivaldi CEO Rejects Generative AI Integration in Web Browsers
Vivaldi CEO Jon von Tetzchner announced the company's decision to exclude generative AI from its web browser, citing concerns over user autonomy and data privacy. While tech giants like Google and Microsoft integrate AI into browsers, Vivaldi maintains its focus on user-controlled browsing experiences, resisting trends that may compromise personal data. Von Tetzchner argues that AI-driven browsing diminishes web exploration, potentially reducing the diversity and richness of online content by prioritizing chatbot interactions. The CEO highlights parallels between AI in browsers and social media algorithms, both of which may collect user data to influence content visibility and engagement. Vivaldi supports AI for specific functions, such as translation, without relying on user data, advocating for AI's role in research and pattern recognition. Despite industry pressure, Vivaldi remains committed to developing a user-centric browser, free from the influence of investor-driven AI trends. The stance reflects a broader debate on balancing innovation with privacy, emphasizing the need for transparency and user choice in digital environments.
2025-08-28 19:16:07 theregister CYBERCRIME FBI and Dutch Authorities Dismantle VerifTools Fake ID Marketplace
The FBI and Dutch police successfully seized VerifTools, a major online marketplace for counterfeit identity documents, impacting a network of international criminal activities. VerifTools facilitated the sale of fake IDs, including driver's licenses and passports, for as little as $9, enabling identity theft and fraud. The platform supported scams like fake IT worker employment and bank help-desk fraud, posing significant risks to businesses and individuals. The investigation, initiated in August 2022, uncovered VerifTools' involvement in using stolen identities to access cryptocurrency accounts. Law enforcement seized two domains, a blog, and multiple servers, including 21 virtual servers, at an Amsterdam data center. Approximately $6.4 million in illicit proceeds were linked to the marketplace, highlighting the scale of the operation. This operation marks a significant step in combating digital identity fraud, with further investigations to identify the marketplace's administrators and users.