Daily Brief

ShadowSilk has launched attacks on 36 government targets across Central Asia and APAC, primarily aiming for data exfiltration. The group shares tools and infrastructure with YoroTrooper, SturgeonPhisher, and Silent Lynx, indicating a complex threat landscape. Victims include government entities in Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan, and Turkmenistan, with some impact on energy and manufacturing sectors. ShadowSilk uses spear-phishing emails to deploy loaders that utilize Telegram bots for covert command-and-control communication. The group employs public exploits and a range of tools like Cobalt Strike and Metasploit for lateral movement and data theft. Evidence suggests a bilingual operation with Russian-speaking developers and Chinese-speaking operators, complicating attribution efforts. Ongoing activity signals the need for heightened monitoring to prevent further breaches and protect sensitive government data.

Healthcare Services Group (HSGI) reported a data breach affecting 624,000 individuals, with unauthorized access detected in October 2024 and data exfiltration occurring from late September to early October. The breach involved the exposure of sensitive personal information, although the specific types of data compromised vary among individuals. HSGI, a key provider of support services to U.S. healthcare facilities, has an annual revenue of $1.7 billion, underscoring the potential impact on its operations and reputation. Notifications to affected individuals were delayed, with communications issued nearly ten months after the breach was discovered, raising concerns about response times. HSGI is offering credit monitoring and identity theft protection services for up to 24 months, depending on the severity of the data exposure. The company advises vigilance against phishing and other scams, though there is currently no evidence of misuse of the stolen data. No ransomware group has claimed responsibility for the attack, and further updates are awaited from HSGI regarding the incident.

Attackers accessed Salesforce data by stealing OAuth tokens from the Salesloft Drift app, impacting CRM systems in a widespread campaign. The breach occurred between August 8 and 18, targeting Salesforce databases through unauthorized access to Drift-integrated platforms. Google and Salesloft's investigation revealed attackers sought sensitive credentials, including AWS keys and Snowflake-related tokens. In response, all active access and refresh tokens were revoked, requiring re-authentication for third-party app connections with Salesforce. Salesforce removed the Drift app from AppExchange pending security assurances, while providing indicators of compromise for administrators. Organizations using Drift with Salesforce are urged to consider their data compromised and take immediate remediation actions, such as revoking API keys. The incidents, tracked as UNC6395, differ from other Salesforce-related breaches attributed to the ShinyHunters group. Affected customers were directly notified, and advised to review Salesforce objects for potential exposure of Google Cloud Platform service account keys.

Rapid AI adoption is transforming workplaces, posing new security challenges for CISOs and security leaders who must balance innovation with protection. Visibility into AI usage is crucial; organizations must continuously monitor both standalone and embedded AI tools to mitigate risks associated with shadow AI. Contextual risk assessment is necessary, as not all AI applications present the same level of threat; understanding context helps prioritize security measures. Protecting data is paramount; organizations should implement boundaries and policies to prevent sensitive information from being exposed through AI tools. Implementing strict access controls and guardrails ensures that AI tools are used safely, adhering to a zero-trust model to prevent unauthorized access. Continuous oversight of AI applications is required to adapt to evolving risks, ensuring that security measures remain effective as technology and usage change. By adopting these rules, organizations can harness AI's potential while safeguarding against potential breaches and compliance issues.

Cisco's Duo warns of an "identity crisis" as confidence in identity providers wanes, with only 33% of cybersecurity leaders feeling secure against phishing and AI-assisted attacks. A July report from eSentire noted a 156% increase in attacks targeting user logins, now representing 59% of their investigations, highlighting the focus on credential-based vulnerabilities. Despite 87% of leaders prioritizing phishing-resistant solutions, less than a third are satisfied with their effectiveness, indicating a gap in current identity security measures. Traditional MFA methods face challenges from social engineering and insider threats, while newer solutions like passkeys and biometrics struggle with adoption due to integration and usability concerns. Major tech companies, including Microsoft, Google, and Apple, are pushing for passkeys as default authentication, aiming to enhance security by linking physical devices to digital accounts. Cisco Duo suggests that identity threat detection, unified telemetry, and phishing-resistant MFA solutions are crucial, yet difficult to deploy, for strengthening organizational defenses. The survey indicates a need for integrated, security-first IAM strategies to improve resilience, with rising executive awareness and budget support creating opportunities for transformation.

Hackers exploited Salesloft's Drift AI chat agent to steal OAuth tokens, compromising Salesforce customer data from August 8 to August 18, 2025. The breach, attributed to threat actor UNC6395, targeted Salesforce instances, extracting credentials like AWS keys and Snowflake tokens. Attackers demonstrated operational security by deleting query logs, prompting Google to advise organizations to review logs and revoke API keys. Salesloft revoked Drift-Salesforce connections and notified affected parties, while Salesforce confirmed only a small number of customers were impacted. The incident reveals a potential broader supply chain attack, as many targeted companies were in the security and technology sectors. This campaign's scale and precision suggest a calculated effort to exploit trust relationships within the technology supply chain for further attacks. Organizations are urged to re-authenticate Salesforce connections and enhance monitoring to prevent similar breaches in the future.

Recorded Future Insikt Group identified five activity clusters linked to Blind Eagle, targeting Colombian government entities from May 2024 to July 2025. The threat actor, tracked as TAG-144, employs remote access trojans (RATs), spear-phishing, and dynamic DNS services to compromise targets. Blind Eagle's operations affected sectors including judiciary, tax authorities, financial, petroleum, energy, education, healthcare, and more across Colombia and other South American countries. Attack methods involve spear-phishing lures impersonating government agencies, utilizing URL shorteners and compromised email accounts to distribute malware. Command-and-control infrastructure leverages Colombian ISPs, virtual private servers, and VPN services, enhancing attack success and evasion capabilities. The group uses legitimate internet services like Discord, Dropbox, and GitHub for payload staging, complicating detection and attribution efforts. The consistent targeting of Colombian entities raises questions about Blind Eagle's motivations, suggesting potential state-sponsored espionage alongside financial objectives.

The Border Gateway Protocol (BGP) remains a critical vulnerability in internet infrastructure, with security improvements being a long-standing challenge. Route Origin Validation (ROV) and Resource Public Key Infrastructure (RPKI) have seen significant adoption, with 56% of BGP routes now having a valid Route Origin Authorization (ROA). RPKI allows entities to make cryptographic assertions about routing authorizations, enhancing security without modifying the BGP protocol itself. Despite advancements, BGP remains susceptible to attacks through bogus path advertisements, which ROV alone cannot prevent. BGPsec, a proposed standard for cryptographic signatures in BGP, faces challenges due to high implementation costs and limited adoption. AS Provider Authorization (ASPA) is emerging as a promising approach, offering additional security benefits without adding cryptographic operations to BGP. The ongoing development and deployment of these technologies suggest a positive trend toward improving the robustness of internet routing security.

Google has issued alerts after detecting a state-sponsored cyberattack targeting diplomats in Southeast Asia, believed to be linked to Chinese threat actors. Attackers used compromised edge devices to manipulate captive portals, redirecting users to download malware disguised as an Adobe Plugin update. The malware, known as CANONSTAGER, installs a backdoor called SOGU.SEC, connecting to a command-and-control server for further exploitation. The malicious update was signed by Chengdu Nuoxin Times Technology Co. Ltd., using a valid GlobalSign certificate, indicating a sophisticated operation. Google attributes the attack to UNC6384, associated with groups like Mustang Panda and Silk Typhoon, suggesting alignment with Chinese strategic interests. In response, Google advised users to enable Enhanced Safe Browsing, update devices, and use 2-Step Verification to mitigate risks. The incident underscores the ongoing threat of state-sponsored cyber espionage, highlighting the need for robust cybersecurity measures among targeted entities.

Google plans to implement a Developer Verification system to reduce malware from sideloaded Android apps outside the Google Play Store. The initiative requires developers to verify their identity, aiming to prevent malicious actors from impersonating legitimate developers. Analysis indicates malware from sideloaded sources is over 50 times more prevalent than from Google Play. Starting in 2026, all apps on certified Android devices must originate from verified developers, with early access beginning in October 2023. The mandatory verification will first apply in Brazil, Indonesia, Singapore, and Thailand in September 2026, expanding globally in 2027. Certified devices, such as those from Samsung and Google, will block non-compliant apps, while non-certified devices remain unaffected. The move seeks to enhance user safety by limiting the spread of malware through unverified app installations.

Citrix has addressed three vulnerabilities in NetScaler ADC and Gateway, including a critical remote code execution flaw, CVE-2025-7775, actively exploited as a zero-day. The CVE-2025-7775 vulnerability involves a memory overflow that allows unauthenticated remote code execution on unpatched devices. Citrix advises immediate firmware upgrades, as no mitigations are available for the remote code execution vulnerability. Additional vulnerabilities include a denial-of-service risk, CVE-2025-7776, and improper access control, CVE-2025-8424, both requiring urgent updates. The flaws affect specific NetScaler configurations, and Citrix has provided guidance to identify vulnerable setups. The vulnerabilities were disclosed by researchers from Horizon3.ai, Schramm & Partnerfor, and others, though specific discoveries were not attributed. Previous Citrix vulnerabilities, like "Citrix Bleed 2," have shown the potential for significant exploitation, emphasizing the need for timely patching.

State-sponsored group Silk Typhoon targeted diplomats using advanced adversary-in-the-middle tactics to redirect web traffic to malware-serving sites. Google Threat Intelligence Group attributes the activity to Chinese threat actor TEMP.Hex, also known as Mustang Panda. Attackers compromised edge devices to hijack captive portals, tricking users into downloading malware disguised as an Adobe plugin update. The malware, a variant of PlugX, enables attackers to collect system data, transfer files, and execute remote commands. Chengdu Nuoxin Times Technology Co., Ltd signed the malware, though its involvement remains uncertain; 25 samples have been linked to Chinese clusters. Google has blocked malicious domains and file hashes, issued alerts, and shared detection rules to mitigate the threat. The campaign demonstrates the evolving sophistication of Chinese espionage actors, who adapt quickly to new infrastructure and tactics.

ESET researchers identified PromptLock, a pioneering AI-driven ransomware leveraging OpenAI's gpt-oss-20b model, though it remains a proof-of-concept and not yet active in real-world attacks. PromptLock operates locally via the Ollama API, generating Lua scripts to evade detection and target Windows, Linux, and macOS systems, indicating cross-platform capabilities. The malware uses Lua scripts to enumerate files, exfiltrate data, and perform encryption with SPECK 128-bit, though file destruction features are not yet functional. PromptLock's development illustrates the growing ease with which AI can enhance cybercriminal activities, posing new challenges for cybersecurity defenses. Despite its current inactive status, the discovery serves as a critical alert for cybersecurity teams to prepare for AI-enhanced threats in the near future. ESET has identified both Windows and Linux variants on VirusTotal, emphasizing the need for vigilance and proactive threat detection measures. Organizations should consider strengthening defenses against potential AI-driven threats, ensuring robust detection and response strategies are in place.

Microsoft has introduced new hardware security measures for Azure, featuring integrated hardware security modules (HSM) and Caliptra 2.0 Root of Trust (RoT) modules. The integrated HSMs are designed to accelerate encryption processes and reduce latency issues associated with traditional, centralized HSM systems. Caliptra 2.0 RoT modules, developed with AMD, Google, and Nvidia, ensure the integrity of Azure's compute stack against tampering. The new security architecture includes quantum-safe cryptographic accelerators and open-source key management specifications for enhanced data protection. These advancements are part of Azure's 2025 fleet rollout, aiming to bolster data security across Microsoft's cloud services. The approach mitigates risks from internal threats and potential physical attacks, ensuring data remains secure in various states. Microsoft's adoption of open-source components allows for transparency and collaboration with the security community to identify and address potential vulnerabilities.

A whistleblower complaint claims the Social Security Administration's NUMIDENT database was duplicated in an unauthorized cloud environment, potentially exposing sensitive data of all Americans. The complaint, filed by SSA's Chief Data Officer Charles Borges, accuses DOGE, a cost-cutting unit initiated by former President Trump, of bypassing security protocols. The NUMIDENT database contains critical personal information submitted for U.S. Social Security cards, posing significant identity theft risks if compromised. Allegations include systemic security violations by DOGE, with unauthorized access to SSA's enterprise data warehouse and circumvention of judicial mandates. The Government Accountability Project represents Borges, with the Office of Special Counsel reviewing the complaint, though resolution depends on SSA's internal investigation. The SSA asserts that all personal data is stored securely, but concerns remain about the cloud environment's isolation and security measures. The potential fallout includes widespread identity theft, loss of benefits, and costly re-issuance of Social Security Numbers if data is breached.