Daily Brief
Find articles below; see 'Details' in each row for the generated summary.
Total articles found: 11777
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-08-26 19:51:48 | theregister | CYBERCRIME | ZipLine Phishing Campaign Targets Critical US Industries via Contact Forms | Cybercriminals launched the ZipLine phishing campaign, targeting critical US manufacturers and supply-chain companies to steal sensitive data and deploy ransomware.<br>Attackers bypassed traditional email filters by initiating contact through public "Contact Us" forms, engaging victims in prolonged communication before delivering malicious payloads.<br>The campaign primarily affected industrial manufacturing (46%), with additional impacts on hardware, semiconductors, and consumer goods sectors.<br>Attackers used old, reputable domains to gain trust, hosting fake websites with identical content and layouts, including a misleading image of White House butlers.<br>The malicious ZIP archive contained legitimate-looking files and a harmful LNK file, executing a PowerShell script to deploy MixShell, enabling deep network access.<br>MixShell facilitated stealthy command-and-control communication, allowing attackers to perform data theft, ransomware extortion, and other malicious activities.<br>The campaign's evolution included AI-themed lures, indicating attackers' adaptability and the need for organizations to reassess their phishing defense strategies.<br>The campaign serves as a reminder that seemingly harmless communication channels like Contact Us forms can be exploited for cyberattacks. | Details |
| 2025-08-26 19:17:16 | bleepingcomputer | DATA BREACH | ShinyHunters Exploit Salesloft OAuth Tokens for Salesforce Data Breaches | Salesloft experienced a breach where OAuth and refresh tokens were stolen from its Drift chat agent integration with Salesforce, impacting customer data security.<br>ShinyHunters, an extortion group, claimed responsibility, using the tokens to access Salesforce instances and exfiltrate sensitive data between August 8 and August 18, 2025.<br>The attack targeted credentials such as AWS access keys, passwords, and Snowflake tokens, leveraging SOQL queries to extract sensitive information from Salesforce.<br>Salesloft, in coordination with Salesforce, revoked all active tokens for the Drift application, requiring customers to re-authenticate to secure their integrations.<br>Google's Threat Intelligence team (Mandiant) identified the threat actor as UNC6395, noting their use of Tor and various hosting providers to obscure their activities.<br>Affected organizations are advised to rotate credentials and review Salesforce logs for evidence of data exposure, utilizing Google's provided IP addresses and user-agent strings.<br>The incident is part of a broader campaign by ShinyHunters, linked to social engineering attacks targeting Salesforce and other major companies for data theft and extortion. | Details |
| 2025-08-26 17:41:45 | bleepingcomputer | CYBERCRIME | Cyberattack Forces Closure of Nevada State Offices, Disrupts IT Systems | Nevada state offices closed following a cyberattack that disrupted websites, phone systems, and online platforms, beginning early Sunday morning.<br>The Governor's Technology Office reported a network issue at 1:52 AM PT, impacting IT systems and prompting a comprehensive recovery effort.<br>Despite service disruptions, 911 and emergency services remained operational, ensuring public safety was not compromised.<br>The state has not confirmed if ransomware is involved, but prolonged disruptions suggest potential ransomware activity.<br>No evidence currently indicates theft of personally identifiable information, although investigations and recovery efforts are ongoing.<br>Nevada is collaborating with local, tribal, and federal agencies to investigate and mitigate the incident's impact.<br>Residents are advised to remain vigilant against unsolicited communications requesting sensitive information. | Details |
| 2025-08-26 17:33:11 | thehackernews | VULNERABILITIES | Citrix Releases Patches for Actively Exploited NetScaler Vulnerabilities | Citrix has issued patches for three vulnerabilities in NetScaler ADC and Gateway, including CVE-2025-7775, which is actively exploited in the wild.<br>The vulnerabilities require specific conditions to be met for exploitation, with Citrix providing no workarounds, urging immediate patching.<br>Discoveries were credited to security researchers from Horizon3.ai, Schramm & Partner, and independent expert François Hämmerli.<br>CVE-2025-7775 follows recent vulnerabilities like CVE-2025-5777 and CVE-2025-6543, marking a trend of rapid exploitation in Citrix products.<br>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added related flaws to its Known Exploited Vulnerabilities catalog, indicating significant risk.<br>Organizations using NetScaler products should prioritize updates to mitigate potential threats and ensure system security.<br>This incident highlights the critical need for timely vulnerability management and collaboration with cybersecurity researchers. | Details |
| 2025-08-26 17:24:50 | thehackernews | VULNERABILITIES | New Sni5Gect Attack Exploits 5G Protocol Flaws for Downgrade | Researchers at Singapore University of Technology and Design have developed Sni5Gect, an attack that downgrades 5G connections to 4G without using a rogue base station.<br>The attack leverages unencrypted messages exchanged between base stations and user equipment, allowing message sniffing and injection during the initial connection phase.<br>Sni5Gect exploits vulnerabilities in the 5G protocol, particularly before the authentication process, enabling attackers to crash modems or downgrade connections.<br>The attack was tested on five smartphone models, achieving high success rates in message injection and sniffing from distances up to 20 meters.<br>The Global System for Mobile Communications Association (GSMA) has recognized the attack and assigned it identifier CVD-2024-0096, highlighting its significance.<br>This research underscores the need for enhanced security measures in 5G networks, particularly at the protocol level, to prevent such downgrade attacks.<br>The findings build on previous research identifying flaws in 5G modem firmware, emphasizing ongoing vulnerabilities in mobile network security. | Details |
| 2025-08-26 15:47:10 | theregister | VULNERABILITIES | Citrix Releases Patches for Exploited NetScaler Zero-Day Vulnerabilities | Citrix has issued patches for three NetScaler vulnerabilities, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, which were exploited as zero-days before the vendor's updates.<br>The most critical flaw, CVE-2025-7775, allows pre-auth remote code execution and has been actively exploited to deploy webshells and backdoors on affected systems.<br>Organizations using NetScaler ADC and Gateway appliances are urged to apply patches immediately, as these systems are critical components in enterprise networks.<br>Citrix's advisory lacks detailed mitigation strategies, stressing the urgency of patching, especially for those on end-of-life versions like NetScaler 12.0 or 13.0.<br>The vulnerabilities affect on-prem and hybrid deployments of Secure Private Access, impacting organizations' zero-trust strategies.<br>Security experts warn of potential persistent access risks, necessitating thorough incident response measures for affected organizations.<br>The rapid exploitation of these flaws underscores the need for proactive vulnerability management and timely patch application to prevent breaches. | Details |
| 2025-08-26 15:03:54 | bleepingcomputer | VULNERABILITIES | CISA Alerts on Exploited Git and Citrix Vulnerabilities | CISA has issued a warning about an actively exploited code execution vulnerability in the Git version control system, now added to its Known Exploited Vulnerabilities catalog.<br>The Git flaw, tracked as CVE-2025-48384, arises from mishandling carriage return characters, allowing attackers to execute arbitrary code via crafted repositories.<br>Git has released patches for the vulnerability in multiple versions, urging users to update or adopt alternative protective measures if updates are not feasible.<br>CISA also added two Citrix Session Recording vulnerabilities, CVE-2024-8068 and CVE-2024-8069, to the KEV catalog, both of which have medium-severity scores.<br>The Citrix vulnerabilities allow privilege escalation and limited remote code execution, affecting multiple product versions; patches are available and required by September 15th.<br>Federal agencies have been given a deadline to apply these security patches by September 15th to mitigate potential exploitation risks.<br>Organizations are advised to review and implement the necessary updates or consider discontinuing the use of affected products to ensure security compliance. | Details |
| 2025-08-26 14:04:40 | bleepingcomputer | DATA BREACH | Transforming GDPR Compliance into a Strategic Security Advantage | Despite significant investment, many businesses struggle with basic password security, risking GDPR fines and reputational damage due to employee negligence.<br>In 2024, European regulators imposed over €1.2 billion in fines for data protection failures, highlighting the financial stakes of non-compliance.<br>Traditional GDPR training methods often fail to engage employees, resulting in a "tick-the-box" mentality and persistent security vulnerabilities.<br>Effective password security training should be integrated into daily workflows, promoting a culture of security and accountability across the organization.<br>Passwork offers an enterprise-grade password manager, aiding businesses in safeguarding sensitive information and meeting GDPR requirements.<br>Tailored training approaches, such as role-based content and interactive workshops, can significantly enhance employee engagement and security awareness.<br>Continuous monitoring and real-time feedback through tools like Passwork can help reinforce secure password practices and ensure compliance with GDPR Article 32.<br>A strategic focus on password management can transform compliance efforts into a competitive advantage, strengthening customer trust and operational resilience. | Details |
| 2025-08-26 13:55:58 | theregister | CYBERCRIME | Crypto Thief Receives Additional Sentence for Witness Assault | Remy Ra St Felix, leader of a violent international crime ring, received an additional six years and ten months for assaulting a witness.<br>St Felix's original 47-year sentence stemmed from a series of robberies, including a violent home invasion targeting cryptocurrency assets.<br>The attack on the witness occurred at a North Carolina detention center, where St Felix assaulted the individual, calling him "a rat."<br>The Justice Department emphasized the critical role of witness testimony in ensuring fair trials and vowed to prosecute retaliation efforts.<br>St Felix will serve 36 months of the new sentence concurrently, with the remaining 46 months consecutive to his original term.<br>The gang leader's actions included threatening victims with extreme violence to access over $150,000 in cryptocurrency.<br>Eleven gang members received a collective 191-year sentence, highlighting the extensive criminal network dismantled by law enforcement.<br>St Felix is required to pay over $524,000 in restitution, reflecting the financial impact of his criminal activities. | Details |
| 2025-08-26 13:55:57 | bleepingcomputer | DATA BREACH | Nissan Confirms Data Breach by Qilin Ransomware Targeting Design Studio | Nissan Japan reported a data breach at its subsidiary, Creative Box Inc., after unauthorized access by the Qilin ransomware group, resulting in the theft of four terabytes of sensitive data.<br>Stolen data includes 3D vehicle design models, internal reports, financial documents, and VR design workflows, potentially impacting Nissan's competitive edge.<br>The breach was detected on August 16, 2025, prompting immediate emergency measures by Creative Box Inc., such as blocking server access and notifying law enforcement.<br>Qilin ransomware listed Creative Box Inc. on its dark web portal, threatening to release the stolen data publicly, which could benefit competitors.<br>Nissan confirmed the data breach affects only its operations, as Creative Box Inc. exclusively serves Nissan, with no external clients or partners impacted.<br>Investigations are ongoing, with Nissan and Creative Box Inc. committed to taking further protective actions as necessary to mitigate risks.<br>Qilin ransomware has previously targeted high-profile organizations, exploiting vulnerabilities in widely used software to execute unauthorized code. | Details |
| 2025-08-26 13:32:45 | thehackernews | CYBERCRIME | MixShell Malware Exploits Contact Forms in U.S. Supply Chain Attack | Check Point Research identified a campaign targeting U.S. supply chain manufacturers with MixShell, an in-memory malware, using company contact forms for initial engagement.<br>Attackers engage in professional exchanges, often involving fake NDAs, before delivering a weaponized ZIP file containing the MixShell malware.<br>Targets include industrial manufacturing, hardware, semiconductors, biotechnology, and pharmaceuticals, with additional attacks observed in Singapore, Japan, and Switzerland.<br>The campaign employs DNS-based command-and-control channels, leveraging legitimate services like Heroku to mask malicious activities within normal network traffic.<br>MixShell's PowerShell variant features advanced anti-debugging, sandbox evasion, and persistence techniques, posing significant risks of intellectual property theft and financial fraud.<br>The use of legitimate business workflows and AI-themed lures highlights the evolving sophistication of social engineering tactics in cybercrime.<br>Organizations are urged to adopt AI-driven defenses and foster a culture of vigilance against increasingly innovative phishing strategies. | Details |
| 2025-08-26 11:32:17 | theregister | DATA BREACH | Farmers Insurance Data Breach Exposes 1.1 Million Customers' Information | Farmers Insurance experienced a data breach affecting over 1.1 million customers due to a third-party vendor compromise, exposing personal information such as names, addresses, and partial Social Security numbers.<br>The breach affected customers of Farmers Insurance Exchange, Farmers Group, and affiliates, with 40,000 linked to Farmers New World Life Insurance Co.<br>The incident was detected on May 30, a day after the breach occurred, but customer notifications were delayed until August 22, raising concerns about response timing.<br>Speculation points to Salesforce as the compromised vendor, with intruders exploiting OAuth tokens and misconfigured integrations, impacting various industries globally.<br>The ShinyHunters extortion group is suspected of orchestrating the attack, known for large-scale data theft operations, including previous attacks on Snowflake.<br>Farmers Insurance briefly posted an advisory online, later removed, possibly to adjust language or align with regulatory communications, though this has led to increased speculation.<br>Customers are advised to remain vigilant against potential phishing and fraud attempts, as the breach could lead to further exploitation of their personal data. | Details |
| 2025-08-26 10:51:21 | thehackernews | CYBERCRIME | ShadowCaptcha Campaign Exploits WordPress Sites for Cyber Attacks | Over 100 WordPress sites have been compromised in a campaign named ShadowCaptcha, redirecting users to fake CAPTCHA pages to deploy ransomware, info stealers, and crypto miners.<br>The campaign uses ClickFix social engineering tactics to trick users into downloading malicious files, leading to credential theft, data exfiltration, and ransomware outbreaks.<br>Attackers leverage living-off-the-land binaries and multi-stage payloads, employing anti-debugger techniques and DLL side-loading for stealthy persistence in targeted systems.<br>Affected sectors include technology, hospitality, legal/finance, healthcare, and real estate, with sites primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel.<br>Mitigation strategies include user training on ClickFix campaigns, network segmentation, and securing WordPress sites with updates and multi-factor authentication.<br>The campaign's adaptability is demonstrated by using Pastebin URLs for dynamic mining configurations and deploying vulnerable drivers for enhanced crypto mining efficiency.<br>The broader context involves the Help TDS system, which has been active since 2017, facilitating various malicious schemes through compromised WordPress plugins and PHP code templates. | Details |
| 2025-08-26 09:06:46 | thehackernews | MALWARE | HOOK Android Trojan Evolves with Ransomware and Spyware Features | The HOOK Android trojan, a variant of the ERMAC banking malware, now includes ransomware-style overlays to extort victims, expanding its threat capabilities significantly.<br>This new variant can display full-screen warnings with ransom demands, dynamically controlled by its command-and-control server, adding a layer of coercion to its operations.<br>HOOK's evolution includes 107 remote commands, with 38 new ones, enabling actions such as screen streaming, SMS sending, and capturing sensitive user data.<br>The malware is distributed through phishing sites and fake GitHub repositories, indicating a widespread campaign targeting Android users globally.<br>The convergence of banking trojan, spyware, and ransomware tactics in HOOK presents increased risks to financial institutions, enterprises, and individual users.<br>Concurrently, the Anatsa trojan has expanded its target list to over 831 financial services, employing advanced evasion techniques to avoid detection.<br>Anatsa's updated version utilizes malicious apps on Google Play, with over 19 million installations, highlighting the persistent threat of mobile malware. | Details |
| 2025-08-26 07:41:43 | theregister | MALWARE | Over 19 Million Malware-Infested Apps Downloaded from Google Play Store | Zscaler's ThreatLabz identified 77 malicious apps on Google Play Store, downloaded over 19 million times, bypassing Google's security measures.<br>The apps include an updated version of the Anatsa banking trojan, featuring a keylogger, SMS interception, and anti-detection capabilities.<br>Anatsa targets 831 global financial institutions, including crypto exchanges and traditional banks, posing significant financial threats.<br>The malware employs advanced evasion techniques, such as dynamic code loading and APK ZIP obfuscation, complicating detection and analysis.<br>Google claims it addressed the security flaws before Zscaler's report, but questions about the effectiveness of its security processes remain.<br>Joker malware, another persistent threat, accounts for a quarter of infections, focusing on credential harvesting via SMS.<br>The incident raises concerns about app store security, stressing the need for enhanced detection and response strategies to protect users. | Details |