
Hello all,
The unofficial end of summer is here – Labor Day – observed by the United States and Canada, and nothing is different in the world of cyber security. Evil people are still perpetrating their vile crimes, earning themselves a toasty place in Hades, and defenders are still diligently at their mostly thankless jobs, doing their best to keep the hordes of dirtbags out and protecting what has been entrusted to them. This past week was rather busy, with quite a few zero-days and other vulnerabilities revealed. And while the activity of attackers and defenders is largely unchanged, this week heralded a shift in the technology used, as the first known AI-powered ransomware was uncovered. More on that in a moment.
Headline NEWS:
- Citrix has released patches for NetScaler ADC and NetScaler Gateway to plug several defects, at least one of which is being actively exploited as a zero-day. As of mid-week last week, roughly 21,000 unpatched systems were still reachable from the internet. CISA ordered all US federal agencies to patch by August 28. If you have either product in your environment, patch immediately, and because the flaw was exploited before the fix existed, check for signs of compromise rather than assuming the patch alone is enough.
- Docker released an update to fix a container escape defect in Docker Desktop. This critical bug allows a threat actor who has gained code execution inside a container to break out, reach the underlying Docker Engine, and start additional containers under their control, which can then be used to read files on the host system. If you run Docker Desktop on Windows or macOS, patch soon.
- Google Chrome has released a critical update, again. Make sure that you update your browser if you have not done so recently.
- Hikvision has released patches for the HikCentral product suite. The most serious flaw is in HikCentral Professional and allows an unauthenticated remote attacker to gain administrator-level privileges. If for some reason you have ignored the US Government’s warning not to use these cameras, then at least make sure that you patch their software and follow the article’s guidance to “implement comprehensive network segmentation”, which limits the blast radius if a device is compromised.
- WhatsApp has released updates to fix a vulnerability that dovetails with last week’s Apple iOS zero-day patch. Threat actors had chained the two flaws, weaponizing the image-processing bug and using WhatsApp as the delivery channel to target specific individuals. Note that WhatsApp’s notice, sent to known affected individuals, recommends that anyone who was targeted “perform a device factory reset”.
In Ransomware, Malware, and Vulnerabilities News:
- The first AI-powered ransomware has been discovered. “PromptLock” uses a locally run AI model to foil heuristic detection and evade API tracking. This is a significant escalation of the adversary war: using local AI to dynamically generate code that evades defenses, with no need to reach out to command and control once deployed, is genius-level evil. Well played – dirtbag. Hopefully, our defensive systems catch on quickly.
In Other News Events of Note and Interest:
- A new Coast Guard rule puts cybersecurity front and center for maritime operators. The article describes upcoming requirements that US-based or US-flagged ports, shipping lines, cruise lines, and other operators will need to comply with. Some are already in effect, and others come into play within the next couple of years. It is well past time that this vital infrastructure was required to adhere to reasonable and necessary cybersecurity standards.
Musings:
It is Labor Day weekend. As an American (or Canadian) worker, I’m supposed to be taking it easy. Instead, I’m doing this… Ah, the life of a cyber defender. However, I’m going to stop writing now so that I can enjoy the lovely evening.

Keep the shields up!
Viscount Jan Broucinek
Red Dot Security News
Headline NEWS
- Citrix Patches Three NetScaler Flaws, Confirms Active Exploitation of CVE-2025-7775
- New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild
- Over 21,000 Citrix systems vulnerable to active attacks
- Docker Fixes CVE-2025-9074, Critical Container Escape Vulnerability With CVSS Score 9.3
- Google Chrome – Critical Use After Free Vulnerability Let Attackers Execute Arbitrary Code
- Multiple Hikvision Vulnerabilities Let Attackers Execute Malicious Commands
- Hackers chained Apple and WhatsApp flaws in spyware campaign
- WhatsApp 0-Day Vulnerability Exploited to Hack Mac and iOS Users
Ransomware, Malware, and Vulnerabilities News
- CISA Adds Three Exploited Vulnerabilities to KEV Catalog Affecting Citrix and Git
- Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme
- FBI Announces Joint Cybersecurity Advisory Related to Salt Typhoon
- FBI cyber cop: Salt Typhoon pwned ‘nearly every American’
- FTC Chair Warns Tech Giants to Protect Encryption
- FCC bans more than 1K robocall service providers from U.S. networks
- US sanctions fraud network used by North Korean ‘remote IT workers’ to seek jobs and steal money
- Russia-based Yandex employee oversees open-source software approved for DOD use
- Google is getting ready to ‘hack back’ as US considers shifting from cyber defense to offense — new ‘Scam Farms’ bill opens up new retaliatory hacking actions
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication
- PoC Exploit & Vulnerability Analysis Released for Apple 0-Day RCE Vulnerability
- PoC Exploit Released for Chrome 0-Day Vulnerability Exploited in the Wild
- Perplexity’s AI-powered Comet browser leaves users vulnerable to phishing scams and malicious code injection
- PoC Code in 15 Minutes? AI Turbocharges Exploitation
- Cisco Nexus 3000 and 9000 Series Vulnerability Let Attackers Trigger DoS Attack
- Arch Linux Project Responding to Week-Long DDoS Attack
- Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution
- Fixing BGP’s security problems is not proving to be easy
- How Exposed TeslaMate Instances Leak Sensitive Tesla Data
- Shadow IT Is Expanding Your Attack Surface. Here’s Proof
- 4 ways hackers can break 2FA—and why you should still use it anyway
- Anthropic’s auto-clicking AI Chrome extension raises browser-hijacking concerns
- Google to Verify All Android Developers in 4 Countries to Block Malicious Apps
- Threat Actors Weaponizing Windows Scheduled Tasks to Establish Persistence Without Requiring Extra Tools
- Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling
- Mosyle identifies new Mac malware that evades detection through fake PDF conversion tool
- Hackers Abuse Microsoft Teams to Gain Remote Access With PowerShell-based Malware
- Threat Actors Weaponize PDF Editor With New Trojan to Turn Device Into Proxy
- Hackers Using PUP Advertisements to Silently Drop Windows Malware
- Malicious Bing Ads deploy Weaponized PuTTY to Exploit Kerberos and Attack Active Directory services
- Hackers Leverage Google Classroom in Phishing Attack Targeting Over 13,500 Organizations
- Surge in coordinated scans targets Microsoft RDP auth servers
- WinRAR 0-Day Vulnerabilities Exploited in Wild by Hackers
- New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression
- Discord scraping service targets 35M users
- Gmail users face sophisticated attacks, with rise in voice phishing
- New Sni5Gect Attack Crashes Phones and Downgrades 5G to 4G without Rogue Base Station
- Hackers can now crash phones and downgrade 5G to 4G networks with a toolkit exploiting unencrypted pre-authentication messages
- MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers
- Report declares ‘identity crisis’ amid rising login attacks
- Hackers are looking to steal Microsoft logins using some devious new tricks
- New BruteForceAI Tool Automatically Detects Login Pages and Executes Smart Brute-Force Attacks
- Hackers Weaponize Trust with AI-Crafted Emails to Deploy ScreenConnect
- Phishing Campaign Uses UpCrypter in Fake Voicemail Emails to Deliver RAT Payloads
- Phishing Emails Are Now Aimed at Users and AI Defenses
- WHAT THE TECH? How bad guys use USPS Informed Delivery to steal your mail
- AWS Trusted Advisor Tricked Into Showing Unprotected S3 Buckets as Secure
- ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners
- New Attack Tricks AI Summaries Into Pushing Malware
- Unpacking Passkeys Pwned: Possibly the most specious research in decades
- New Stealthy Malware Exploiting Cisco, TP-Link and Other Routers to Gain Remote Control
- Chinese APT Hackers Using Proxy and VPN Service to Anonymize Infrastructure
- Global Salt Typhoon hacking campaigns linked to Chinese tech firms
- FBI says China’s Salt Typhoon hacked at least 200 US companies
- China’s Salt Typhoon Hacked Critical Infrastructure Globally for Years
- A hacker used AI to automate an ‘unprecedented’ cybercrime spree, Anthropic says
- The first AI-powered ransomware has been discovered — “PromptLock” uses local AI to foil heuristic detection and evade API tracking
- New cybersecurity law to support Texas small businesses during breaches
- Tencent Cloud sites breached to expose valuable data – here’s what we know
- Farmers Insurance data breach impacts 1.1M people after Salesforce attack
- Michigan Rural Health System Notifies 140,000 About Hacking Incident
- Healthcare Services Group Data Breach Impacts 624,000
- 90K exposed after sleep therapy provider data breach
- TransUnion says hackers stole 4.4 million customers’ personal information
- Nissan confirms design studio data breach claimed by Qilin ransomware
- Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
- Google warns Salesloft breach impacted some Workspace accounts
- Google issues another warning for Gmail users to secure their accounts
- Ransomware Actor Deletes Data and Backups Post-Exfiltration on Azure
- Cyberattack disrupts MTA systems; core services remain active
- Cephalus ransomware abuses SentinelOne executable for DLL sideloading
- Hackers Cripple Over 60 Iranian Oil Tankers in Massive Cyberattack
- Ransomware gang takedowns causing explosion of new, smaller groups
- Underground Ransomware Gang With New Tactics Against Organizations Worldwide
- Data I/O Becomes Latest Ransomware Attack Victim
- Luzerne County ‘data security event’ may have caused breach
- IT system supplier cyberattack impacts 200 municipalities in Sweden
- Paul cyberattack: Computer systems slowly return to life
- Nevada state agencies pause in-person services over ‘network security incident’
- Nevada forced to close state government offices following wide-ranging ‘network security incident’
- Nevada cyberattack confirmed as ransomware, state services disrupted amid investigation
- Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks
- TablePress WordPress Plugin Vulnerability Affects 700,000+ Sites
Other News Events of Note and Interest
- Cool Tool: Flyoobe, a lightweight patching utility to remove Windows 11 install restrictions
- LibreOffice kills 32-bit Windows builds, offers better MS Office compatibility with 25.8
- A new Coast Guard rule puts cybersecurity front and center for maritime operators
- Open the pod bay doors, Claude
- Anthropic settles AI book-training lawsuit with authors
- Google Could Get Broken Up This Week for Antitrust Violations. Here’s What It Would Mean.
- Cyber unicorn Cato Networks in advanced talks to acquire Aim Security for $350-400 million
- Inside human-like bot farms driving political echo chambers worldwide
- The Rise of Biometric Authentication: How Secure Is Your Face ID or Fingerprint?
- Your Word documents will be saved to the cloud automatically on Windows going forward
- How Windows 11 can now repair itself after a boot failure
- Microsoft Teams Flaw Prevents Users From Accessing Embedded Office Files
- New Microsoft 365 Admin Feature Let Admins Control Link Creation Policies
- Microsoft brings big update to how Windows 11 connects to your phone on new build
- Microsoft confirms Windows 11 KB5063878 AutoCAD admin request issue, OBS NDI audio video lag
- Microsoft announces VM Conversion tool
- Threads in Microsoft Teams channels
- Microsoft urges to limit CLI tools as phishing rages
- Microsoft shares new details about open-sourcing Windows 11’s UI
- Microsoft adds updates to the Windows OOBE for enterprises
- Microsoft Copilot Agent Policy Flaw Lets Any User Access AI Agents
- Windows Terminal gets massive update with a new windowing architecture and a lot more
- Windows 10’s extended support option is taking its sweet time to roll out
- Microsoft fixes bug behind Windows certificate enrollment errors
- A recent Windows 11 update broke a popular streaming method on OBS but a temporary fix is now here
- Microsoft finally releases out-of-band patch for Windows Server issue open since 2022
- Windows 11 tests Cross Device Resume for Android apps
- Windows 11 KB5064081 update clears up CPU usage metrics in Task Manager
- Microsoft Finally Fixed Windows 10 Free One-Year Extended Security Updates Enrollment Issues
- Hate Windows 11? Windows 10’s extended updates Enroll button is slowly rolling out, says Microsoft
- Windows 11 now has better Bluetooth quality for game chat and voice calls
- Microsoft says recent Windows update didn’t kill your SSD
- Phison Dismisses Reports of Windows 11 Updates Bricking SSDs, Runs Rigorous Tests Involving 4500 Hours on Drives But Unable To Reproduce Errors
