September 6, 2025

Header image for the Red Dot Weekly Cyber Security News https://reddotsecurity.news

Hello all,

This past week was busy, even into the weekend, with reports of hundreds of companies compromised via Salesloft Drift, Microsoft being forced to reroute traffic stemming from several Red Sea cables being cut, Google dodging a bullet in court and also patching a couple of zero-days in Android, and Cloudflare having blocked the largest DDoS on record. And if that wasn’t enough, this coming Tuesday is Patch Tuesday where Microsoft and a cadre of other vendors unleash their increasingly unstable fixes for defects in their products. As my friend Will says, “fun times.”

Headline NEWS:

  • CISA Warns of Android 0-Day. On September first Google released updates to fix 120 vulnerabilities, with two of those being actively exploited zero-days. If you own a Google Pixel, then you should have already been presented with the update. Unfortunately, for most of the Android ecosystem, updates are controlled by the device manufacturers or cellular carriers. A fortunate few will eventually see this security update offered, such as Samsung, Motorola, OnePlus, and a smattering of others. Sadly, the majority of Android based phones never see more than a few stability updates after release, such as a gorgeous Umidigi phone that I had to retire due to a lack of security updates. If you’re like me and have an Android phone that is not receiving security updates, now is the time to retire it and consider a brand that will receive regular security updates throughout its useful life.
  • Google Antitrust Ruling comes down mostly in Google’s favor, with the US Government not forcing them to sell off Chrome. However, the ruling provides some bitter-pill requirements that may prove quite hard to swallow. Google must share their hard-won indexing data and user interaction information with other companies. This is akin to forcing Coca Cola to publish their secret formula. In my opinion, this amounts to intellectual property theft. Google is evaluating the 230-page decision and may decide to appeal.
  • Google Chrome version 140 came out this week with fixes for six known defects. If you use Chrome, update soon.
  • Django is a Python-based framework that helps developers rapidly create web applications by acting as the middleman between the web and the database. A critical vulnerability was recently discovered that requires patching. If you use this, patch quickly.
  • Microsoft gives US students a free year of Microsoft 365 Personal. On the surface, this is a phenomenal deal, providing desktop versions of Microsoft’s productivity suite of products. The unknown item is what happens after one year? By then the student will be well immersed into the Microsoft ecosystem, making switching away to other options difficult. There are only two industries that call consumers, “users”. They share a brilliant marketing strategy, offer the product for free until they are hooked, then tell them they must pay. If this was truly benevolence for students from Microsoft, it would be free for their entire term as students.
  • Salesloft Drift is a chatbot that integrates with Salesforce and other back-end systems such as Google Workspace, Slack, and various cloud storage services. Drift’s OAuth tokens were compromised by a threat actor designated UNC6395 (“GRUB1”). Since these OAuth connections were inherently trusted, Grub got access to anything the OAuth user at the connected organization could access. In many cases it was Salesforce database information. Hundreds of companies had data stolen during the August 8 – 18 crime spree by Grub. The ones that we currently know about are BeyondTrust, Cato Networks, Cloudflare, CyberArk, Google, Palo Alto Networks, PagerDuty, Proofpoint, Salesforce, SpyCloud, Tanium, Tenable, and Zscaler. Depending on what was exfiltrated from the estimated 700 affected organizations, this supply-chain breach could be one of the most significant to date, surpassing MOVEit, Snowflake, and SolarWinds.
  • SAP S/4HANA Critical Vulnerability. Last month SAP patched a 9.9 CVSS defect that enabled remote code injection, bypassing authentication checks. In other words, a successful threat actor could fully compromise a system, with minimal effort. Active exploitation of the flaw is now underway. Patch immediately.

In Ransomware, Malware, and Vulnerabilities News:

  • Hackers Reportedly Demand Google Fire Two Employees, Threaten Data Leak. I’m not sure if I would consider it a back-handed compliment or outright terrorism to have a dirt-bag hacker group demand that my employer fire me and cease any investigation of them. However, I believe that this actual naming of employees is a scary trend that will continue to increase as threat actors become more brazen and more closely affiliated with evil organized criminal organizations that have no qualms actually carrying out physical harm to achieve their goals. The rules of the game are changing, and I suspect that a time may soon come where anonymity for the defenders will be required for them to be able to safely perform their jobs.

In Other News Events of Note and Interest:

  • CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide. It is surprising that it is 2025 and we still don’t have a decent SBOM, or ingredients list, for our various software and hardware systems. Our food and clothing have had ingredient and materials lists for quite some time. If you’ve been in this industry for a while you’ll recall having your Christmas vacation ruined by Log4Shell, a critical remote code execution (RCE) vulnerability that was found in a Java library that was widely used in applications, devices, and cloud systems. You had to search to identify if your enterprise had a vulnerable version anywhere, since it was rare to see a list of included libraries in anything. It was no fun. If we’d had a comprehensive list of all included libraries and dependencies, our jobs would have been significantly simpler. Well, a coalition of international security agencies wants to make that happen. “An SBOM is a formal record detailing the components and supply chain relationships used in building software. SBOMs act as a software ‘ingredients list’ providing organizations with essential visibility into software dependencies, enabling them to identify components, assess risks, and take proactive measures to mitigate vulnerabilities.” I for one applaud this effort and hope it becomes reality quickly.
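As an added illustration of what that ingredients list buys a defender (example code written for this page, not from the newsletter or the CISA guide): a small Python check that reads a constructed CycloneDX SBOM, finds log4j-core, and reports the dependency chain that pulled it in, which is exactly the search that took so long during Log4Shell. The 2.15.0 threshold is an assumption for illustration, not a full Log4Shell version analysis.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM fragment (sample data for this example, not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "bom-ref": "app", "name": "billing-service", "version": "3.2.0"},
        {"type": "library", "bom-ref": "log4j", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "bom-ref": "spring", "group": "org.springframework",
         "name": "spring-core", "version": "5.3.20"},
    ],
    # Supply-chain relationships: the app pulls in spring-core, which pulls in log4j-core.
    "dependencies": [
        {"ref": "app", "dependsOn": ["spring"]},
        {"ref": "spring", "dependsOn": ["log4j"]},
    ],
})

def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; a pre-release sorts below its release."""
    nums = tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))
    return (nums, 0 if "-" in v else 1)

def find_component(sbom, group, name, fixed_version):
    """Return (version, chain) for every copy of group:name older than fixed_version.
    chain walks from a root component down to the library, so you know why it is present."""
    comps = {c.get("bom-ref"): c for c in sbom.get("components", [])}
    parents = {}  # child bom-ref -> first parent bom-ref that depends on it
    for d in sbom.get("dependencies", []):
        for child in d.get("dependsOn", []):
            parents.setdefault(child, d["ref"])
    hits = []
    for ref, c in comps.items():
        if c.get("group") == group and c.get("name") == name:
            if parse_version(c["version"]) < parse_version(fixed_version):
                path, cur = [c["name"]], ref
                while cur in parents:
                    cur = parents[cur]
                    path.insert(0, comps[cur]["name"])
                hits.append((c["version"], " -> ".join(path)))
    return hits

def log4shell_check(sbom_json, fixed_version="2.15.0"):
    # Assumed threshold for illustration: log4j-core below 2.15.0 is treated as affected.
    return find_component(json.loads(sbom_json), "org.apache.logging.log4j", "log4j-core", fixed_version)

if __name__ == "__main__":
    for version, chain in log4shell_check(SAMPLE_SBOM):
        print(f"affected log4j-core {version} via {chain}")
```

Run against a real SBOM, the same lookup answers "do we ship this library anywhere, and through what?" in seconds instead of a ruined holiday.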

Musings:

Artificial Intelligence is doing an admirable job automating many entry-level positions, resulting in great efficiencies for companies, which allows them to reduce staff that would have been doing those functions. However, there’s a growing concern that we are not training up the next generation of mid-level and higher-level people. If you don’t have a reliable system to bring on inexperienced people and train them through experiential learning, who will fill the positions of the higher-level people when they leave your company or invariably retire? AI may eventually catch up and achieve some level of actual creative thought by the time the great grayout happens, when the gray-haired and bearded people retire. But what if it doesn’t?

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
