Red Hat in the news, £5.5B in Bitcoin recovered from scammer, more Breaches
Hello! ArvinF is your editor of the F5 SIRT This Week in Security, covering 28 September to 4 October 2025. This week, Red Hat is in the news for their Consulting GitLab instance breach and an "Important" rated vulnerability in their OpenShift AI Service product. A win - UK's Metropolitan police have arrested a scammer and recovered £5.5B (!) in Bitcoin. Then came the breach disclosures from Alianz, Westjet, Motility and a "US tech company”. Finally, the ransomware and extortion gangs - Scattered LAPSUS$ Hunters 1B Salesforce record under ransom and Radiant Group's extortion attempt getting slammed by another extortion group. Let’s get to it! Red Hat's Consulting GitLab instance has been breached by an extortion group named Crimson Collective. The group initially bragged about the breach on Telegram, showing file listings and other sensitive data in Customer Engagement Reports (CERs) that are related to Redhat customers environments. Redhat published a security incident advisory: We recently detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration in select engagements. Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities. Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance. Crimson Collective threat group notes that they found authentication tokens inside these repos and have “already used these to compromise downstream Red Hat customers.” In an advisory from the Belgian government, it notes the incident is “High Risk” for Belgian organizations and has “potential supply chain impact if service providers or IT partners worked with Red Hat Consulting” From the same advisory, it provided recommendations: Revoke & Rotate all tokens, keys, and credentials shared with Red Hat or used in integrations. Engage Third-Parties – ask your IT providers or partners whether they have used Red Hat Consulting and assess your potential exposure. Contact Red Hat for guidance on your specific exposure. Increase monitoring of authentication events, API calls, and system access for anomalies. https://www.theregister.com/2025/10/03/red_hat_gitlab_breach/ https://www.redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance https://www.theregister.com/2025/10/02/cybercrims_claim_raid_on_28000/ https://ccb.belgium.be/news/hackers-crimson-collective-use-leaked-authentication-tokens-access-customer-systems From standard user to Full Cluster Admin in Red Hat Openshift AI Service via CVE-2025-10725 Red Hat OpenShift AI Service has a 9.9 out of 10 CVSS Score CVE, tracked as CVE-2025-10725, thinly avoiding a 10 out of 10, due to a requirement of a Low-Privileged attacker. https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H In the advisory: A flaw was found in Red Hat OpenShift AI Service. A low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook, can escalate their privileges to a full cluster administrator. This allows for the complete compromise of the cluster’s confidentiality, integrity, and availability. The attacker can steal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it. To resolve the vulnerability, upgrade to RHOAI 2.16.3 or if Kueue features are not required, the Kueue component management state can be set to “Removed” in the RHOAI DataScienceCluster resource. For RHOAI 2.19+, a workaround is Prevent the RHOAI operator from managing the kueue-batch-user-rolebinding then Disable the ClusterRoleBinding by updating its subject to a different, non-existent, group. Once updates providing fixes have been applied, it's recommended to remove the clusterrolebinding. This “Important” rated CVE came out approx the same time as the Red Hat Consulting GitLab breach. https://www.theregister.com/2025/10/01/critical_red_hat_openshift_ai_bug/ https://access.redhat.com/security/cve/cve-2025-10725#cve-affected-packages £5.5B in Bitcoin recovered from scammer A scammer caught by the London Metropolitan Police after a seven-year investigation and recovered a record-busting Bitcoin seizure worth £5.5B. .. carried out what the police describe as a "large-scale fraud in China" between 2014 and 2017, and then attempted to launder the significant proceeds after arriving in the UK. The three-year fraud affected more than 128,000 people and netted 61,000 Bitcoin, which at current prices is worth more than £5.5 billion ($7.4 billion). At the point the crypto tokens were seized, they would have been worth around $404 million. The scammer fled using false documents and entered the UK and attempted to launder the stolen money by buying property, said the Met. An associate helped in attempting to cash in on the laundering by buying properties in the UK and Dubai. This associate was caught last year and was jailed/sentenced. The scammer may get additional time if they fail to pay up and return more than £3.1 million. The Crown Prosecution Service said the associate benefited by £3.5 million (c $4.7 million) from the fraud, led by the scammer, and the £3.1 million figure was the total sum of her available assets at the time. Reforms to crime legislation under the previous Conservative government aimed to make it easier for the UK authorities to seize, freeze and recover crypto assets, external. The changes would also allow some victims to apply for the release of their assets held in accounts. https://www.theregister.com/2025/09/30/met_police_bitcoin_fraud/ https://www.bbc.com/news/articles/cy0415kk3rzo https://news.met.police.uk/news/woman-convicted-following-worlds-largest-seizure-501569 https://www.gov.uk/government/news/new-powers-to-seize-cryptoassets-used-by-criminals-go-live 3.7M breach notification letters - The mailman and mail servers will be busy sending breach notification letters. From the Maine AG breach disclosure pages on affected persons: Insurance biz Allianz Life - 1,497,036 WestJet - 1.2 million Motility - 766670 From the news ... "US tech company" - 250,000 The Impact: Allianz Life - The attackers accessed the data of the insurer's customers, staff, and financial professionals WestJet - affected its online services and mobile app, exposed customer data - could include names, contact details, information and documents provided in connection with their reservation and travel, and data regarding victims' Motility Software Solutions - "unauthorized actor deployed malware that encrypted a portion of our systems. Although the malware primarily restricted our access to internal data, the forensic evidence suggests that, before encryption, the actor may have removed limited files containing customers' personal data ... could include full names, home and email addresses, telephone numbers, dates of birth, SSNs, and driver's license numbers." That’s a lot of names, SSNs, CCs, email addresses, addresses, IDs. All three businesses offered identity protection and credit monitoring services – Allianz Life and WestJet two years of coverage, Motility 12 months. https://www.theregister.com/2025/10/01/north_american_data_breaches/ Scattered LAPSUS$ Hunters 1B Salesforce Records under ransom Scattered LAPSUS$ Hunters gave Salesforce until October 10, a deadline to negotiate payment or leak their customer’s data. Scattered LAPSUS$ Hunters are 3 threat / ransomware groups - Scattered Spider, ShinyHunters, and Lapsus$ - that had a moment of solidarity "to break into businesses' networks, steal their data, and force an extortion payment." Per Salesforce advisory: "We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities," "Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support," "At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology." In August of 2025, there was the Salesloft drift breach that affected Salesforce customers. https://www.theregister.com/2025/10/03/scattered_lapsus_hunters_latest_leak/ https://www.theregister.com/2025/09/14/in_brief_infosec/ https://www.theregister.com/2025/09/08/drift_breach_entry_salesloft_github/ https://www.theregister.com/2025/08/12/scattered_spidershinyhunterslapsus_cybercrime_collab/ https://status.salesforce.com/generalmessages/20000224?locale=en-US Radiant Group extortion gang crosses the line and gets schooled by other ransomware groups Radiant Group stole data from Kido International, a school for young children with branches in the UK, US, and India. They then posted unblurred pictures of 10 children, along with their addresses, parents’ names, and other personal data, and threatened to expose more if a ransom wasn't paid. Parents of some children claimed to have received threatening calls after Radiant published the data. London's Metropolitan Police investigators are following up on the case. But now, Radiant says it removed the child data it had posted after receiving pressure from other ransomware groups. It seems they crossed a line in the criminal world and backed down when called out for it. Rebecca Taylor, a threat intelligence knowledge manager at security biz Sophos, tells The Register that the crew was called out by the well-established ransomware-as-a-service Nova gang on the Russian Anonymous Market Place (RAMP), an online souk for cybercriminals. One of Nova's affiliate members, going under the handle BlackBeard, told Radiant, "reputation important, don't attack child right." "We have disabled any attacks relating to them, is not allowed anymore," Radiant answered, and added, "Any data relating to under 18s who attended have been deleted." BlackBeard congratulated them and wished the extortionists good luck for the future and Nova offered to help in future raids. Radiant claimed to have information on over 8,000 children enrolled at Kido, as well as their family, teachers, and staff. Taylor told us that the Radiant Group seems to be new script kiddies on the block and have overstepped themselves, and are now trying to make nice with the rest of the criminal community. https://www.theregister.com/2025/10/02/ransomware_radiant_delete_kids_info/ https://www.theregister.com/2025/09/25/ransomware_gang_publishes_toddlers_images/ https://www.theguardian.com/technology/2025/oct/02/kido-nursery-hackers-say-they-have-deleted-stolen-data Outro The amount of breach news from this week was something - the leaked personal and financial information will surely be the foundation of future breaches and extortions. These breaches were perpetrated by ransomware and extortion gangs that utilized social engineering and known and unknown vulnerabilities in their campaigns. As defenders, we should advise our organizations to keep our systems updated, implement levels and layers of security defenses and keep ourselves and our peers educated on good security practices. The silver lining is the recovery of the £5.5B worth of Bitcoin from scammers caught in the UK. The many victims of scammers have an opportunity to recover their lost assets. Credit to the original source and posts! I hope the news I picked is informative and educational. Till next time - Stay Safe and Secure! As always, if this is your first TWIS, you can always read past editions. We also encourage you to check out all of the content from the F5 SIRT.Mobile Security: Current Challenges & A Vision For The Future
In today’s hyper-connected world, smartphones are far more than communication devices. They are personal assistants, financial hubs, health trackers, and corporate gateways. With over billions of smartphone users globally, these devices have become indispensable tools for work, entertainment, and daily life. However, their commonness has not gone unnoticed by cybercriminals, making mobile security one of the most pressing challenges of our time. From malicious apps to phishing attacks and zero-day vulnerabilities, threats targeting mobile devices are evolving rapidly. This article will explore the current mobile security landscape, the future of this field, and best practices for safeguarding mobile devices against growing cyber risks. The Current Mobile Threat Landscape Mobile devices have become lucrative targets for attackers, owing to their use in both personal and professional capacities. Nowadays, threats targeting mobile devices are more sophisticated, leveraging advanced technologies such as AI and automation. 1. Mobile Malware and Spyware: Malicious software crafted for smartphones has surged in recent years. Attacks like FluBot and Joker malware have compromised thousands of mobile devices globally. They steal sensitive information such as banking credentials and personal data. Spyware, such as Pegasus, has shown how attackers can exploit zero-day vulnerabilities to take control of a device remotely and exfiltrate information, including encrypted communications. 2. Smishing & Phishing Attacks: Phishing attacks have migrated from email to mobile messaging. Smishing (SMS phishing) and phishing through messaging apps like WhatsApp, Telegram, or Facebook Messenger are highly effective because users tend to trust these platforms. Attackers use tactics like fake package delivery notifications or password reset requests to trick victims into revealing sensitive information. 3. Mobile Payments Under Siege: The widespread adoption of mobile payment platforms (Google Pay, Apple Pay, PayPal) and QR-code-based payments has introduced unprecedented convenience. However, these systems are now lucrative targets for attackers. For example, malicious QR codes redirect users to phishing sites or download malware to compromise financial accounts. 4. IoT and 5G Vulnerabilities: As smartphones increasingly function as controllers for IoT ecosystems (smart homes, wearables, connected cars), attackers see an opportunity to exploit vulnerabilities across interconnected devices. With the rise of 5G networks, data is being transmitted faster than ever. This speed also introduces risks related to network attacks, unauthorized access, and greater attack surfaces. 5. Emerging AI-Powered Threats: Artificial intelligence has revolutionized how attackers create and execute cyberattacks. AI can be used to automate phishing campaigns, generate realistic text for scams, or even create deepfake audio and video to impersonate individuals in real time. These hyperrealistic attacks are harder to detect and even more effective at deceiving victims. Future of Mobile Security The challenges we face today are only the beginning. As mobile technology advances and becomes further integrated with every facet of human life, mobile security will define the frontlines of cybersecurity. 1. AI-Enhanced Defenses Just as attackers leverage AI for malicious purposes, defenders are increasingly using AI for anomaly detection and behavioral analytics. Machine learning tools can analyze user behavior in real time. They can detect unusual patterns such as unauthorized app activity or data exfiltration attempts. As AI improves, it will play a central role in combating AI-generated threats and various forms of malware. 2. Quantum-Safe Cryptography While quantum computing is still in its early stages, its eventual application will have profound implications for data encryption. Organizations are already exploring post-quantum cryptography. This ensures that mobile communications and sensitive information remain secure against the enormous processing power of quantum computers. 3. Zero-Trust Architecture for Mobile Devices Zero Trust principles, which by default trust no device, application, or user regardless of their network location, are being used more on mobile devices. Continuous verification, device posture checks, and contextual information (e.g., user behavior, location) will further tighten security for mobile endpoints accessing sensitive systems. 4. Hardware-Backed Security By 2025, most modern devices will come pre-equipped with secure enclaves (such as Apple’s Secure Enclave or Android’s Titan M chips). These hardware modules are isolated from the operating system. This keeps sensitive data like cryptographic keys, payment information, and biometric data secure from OS-level exploits. 5. Stricter Regulation and Compliance Privacy regulations like GDPR, CCPA, and other global frameworks will continue to evolve, ensuring that users' data is handled responsibly. Mobile app developers will embed compliance-by-design practices. They will focus on transparency, limited data collection, and permission management to align with user rights. 6. Interconnected Ecosystems and Broader Risks As IoT ecosystems mature, the smartphone will act as the central controller for a growing range of devices. Cybersecurity solutions for mobile devices will need to address the cascading risks posed by compromised IoT devices, interconnected networks, and 5G-enabled technologies. Best Practices to Protect Mobile Devices Both individuals and organizations must adopt proactive mobile security strategies. Here are some of the best practices for reducing exposure to threats: For Individuals: Enable Biometric, and Multi-Factor Authentication (MFA): Use biometrics like fingerprints or facial recognition alongside MFA for critical accounts such as banking, email, and corporate logins. Keep Devices and Apps Updated: Regularly update operating systems and apps to patch critical vulnerabilities. Many attacks target older, unpatched versions of software. Review App Permissions Carefully: Avoid granting unnecessary permissions to apps, especially for access to sensitive data like location, contacts, or storage. Use Trusted App Stores: Stick to verified marketplaces like Google Play and Apple’s App Store to avoid downloading malicious apps. Adopt Secure Communication Tools: Use encrypted messaging apps like Signal or WhatsApp for confidential communication. Beware of Smishing and Phishing Attacks: Avoid clicking on suspicious links in SMS or messaging apps. If something seems too urgent or too good to be true, validate its authenticity via official channels. Use Mobile VPNs: A Virtual Private Network (VPN) ensures secure browsing, especially on public Wi-Fi networks. Install Anti-Malware Apps: Consider a trustworthy mobile security app to monitor your device for malware and other threats. For Organizations: Adopt Mobile Threat Defence (MTD): Deploy MTD solutions that integrate with Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) platforms. These tools provide real-time monitoring of mobile endpoints and threat mitigation. Implement Zero Trust Network Access (ZTNA): Use a zero-trust approach for mobile device access to corporate networks, continually verifying devices for access permissions. Enforce App Containerization: Use tools that separate corporate data from personal applications on mobile devices to prevent cross-contamination of information. Train Employees on Mobile Security: Regular awareness campaigns and training on recognizing smishing scams, fake apps, and account takeover attempts are critical. Monitor for SIM-Swap Attacks: Leverage tools capable of detecting and flagging suspicious account activity associated with SIM-swapping fraud. Restrict BYOD Access: For Bring Your Own Device (BYOD) policies, enforce strict security policies, such as requiring up-to-date OS and apps, to minimize risks. Conclusion There is no doubt that the future of cybersecurity is mobile-centric. As smartphones continue to act as gateways to digital assets, IoT ecosystems, and corporate networks, they will remain a primary battleground for attackers and defenders alike. The good news is that both individuals and organizations are empowered to improve their resilience. By adopting stronger authentication measures, AI-powered defenses, zero trust principles, and remaining vigilant with updates and monitoring, mobile security can evolve to meet even the most sophisticated challenges ahead. In the race to safeguard the digital future, proactive preparation, collaboration, and innovation in mobile security ensures that technology continues to empower, not endanger its users.Apple’s MIE, Fake Chrome Ext, and C2PA Content Credentials in Google Pixel
Notable security news for the week of Sept 7-13th, 2025, brought to you by the F5 Security Incident Response Team. This week, your editor is Dharminder. In this edition, I have security news covering Apple's new built-in memory safety system called Memory Integrity Enforcement, the emergence of fake Chrome extensions used to hijack Meta business accounts, Google's introduction of Trusted Photography with C2PA Content Credentials in Google Pixel a significant step towards digital media transparency and CISA's alert regarding the actively exploited Dassault DELMIA Apriso RCE vulnerabilityF5 Threat Report - September 10th, 2025
To learn more about the F5 Threat Report click here Critical Flaws in NVIDIA NeMo AI Curator Allow System Takeover NVIDIA has released a critical update for its NeMo Curator software, version 25.07, to address a high-severity code injection vulnerability tracked as CVE-2025-23307. This flaw, affecting all previous versions across Windows, Linux, and macOS, originates from insufficient validation of user-supplied inputs prior to dynamic code evaluation (CWE-94). With a base severity score of 7.8, the vulnerability enables an attacker to achieve remote code execution, privilege escalation, unauthorized information disclosure, or data tampering by crafting a malicious file that the Curator environment processes. While requiring low privileges and local file manipulation, no user interaction is necessary for exploitation. Users are urged to upgrade to Curator version 25.07, which includes input sanitization and stricter evaluation controls, to mitigate this risk. Severity:Critical Sources https://cyberpress.org/flaws-in-nvidia-nemo-ai-curator-allow-system-takeover/ Threat Details and IOCs CVEs: CVE-2025-23307 Victim Industries: Automotive, Manufacturing, Healthcare, Retail, Financial Services, Technology, Government, Telecommunications Victim Technologies: NVIDIA NeMo Curator, Linux, Microsoft Windows, Apple macOS Mitigation Advice Use asset inventory systems, software management tools, or manual checks to identify all instances of NVIDIA NeMo Curator running on company assets, including servers and developer workstations. For all identified instances of NVIDIA NeMo Curator, immediately upgrade the software to version 25.07 or newer from the official NVIDIA NeMo GitHub repository. Compliance Best Practices Implement or enhance a software asset management (SAM) program to maintain a continuously updated inventory of all deployed software, including specialized AI/ML frameworks. Review and enforce the principle of least privilege for user and service accounts, particularly those associated with data processing and AI/ML environments, to minimize the impact of potential code execution vulnerabilities. Establish a formal vulnerability management program that includes subscribing to vendor security advisories (like NVIDIA's PSIRT) and performing regular, authenticated vulnerability scans across all assets. Provide secure coding training to development teams that focuses on input validation (CWE-94) and the secure handling of external data, especially within applications that process complex file formats. s1ngularity Supply Chain Attack Leaks Secrets on GitHub: Everything You Need to Know On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry, initiating a supply chain attack. These versions, including specific releases of `@nrwl/nx`, `nx`, `@nx/devkit`, `@nx/enterprise-cloud`, `@nx/eslint`, `@nx/js`, `@nx/key`, `@nx/node`, and `@nx/workspace`, contained a post-installation malware script named `telemetry.js`. This payload, active on Linux and macOS systems, systematically harvested sensitive developer assets such as cryptocurrency wallets, GitHub and npm tokens, SSH keys, and `.env` files. A notable aspect of the attack involved weaponizing installed AI command-line tools (including Claude, Gemini, and Q) by prompting them with dangerous flags for reconnaissance. The malware also attempted system lockout by appending `sudo shutdown -h 0` to `~/.bashrc` and `~/.zshrc`. Exfiltrated data was triple-base64 encoded and uploaded to publicly accessible attacker-controlled GitHub repositories named `s1ngularity-repository`, `s1ngularity-repository-0`, or `s1ngularity-repository-1` within victims’ GitHub accounts, leading to the exposure of over a thousand valid GitHub tokens, dozens of cloud and npm credentials, and approximately twenty thousand files. The compromise affected developer machines, often via the NX VSCode extension, and CI/CD pipelines like GitHub Actions. Immediate remediation requires removing malicious Nx versions, upgrading to clean releases, manually removing malicious shell entries, and deleting `/tmp/inventory.txt` and its backup. Security teams should audit GitHub accounts for the specific repository names, review audit logs for anomalous API usage, and monitor developer endpoints and CI/CD pipelines for suspicious activity. Crucially, all potentially leaked credentials, including GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets, must be revoked and regenerated, and cryptocurrency funds transferred if exposed. Severity:Critical Sources https://www.wiz.io/blog/s1ngularity-supply-chain-attack Threat Details and IOCs Attacker Hashes: 3905475cfd0e0ea670e20c6a9eaeb768169dc33d Victim Industries: Financial Services Victim Technologies: Nx, Google Gemini, Apple macOS, Microsoft Visual Studio Code, Amazon Q, Anthropic Claude, Node.js, Linux, GitHub, npm Mitigation Advice Scan all developer endpoints and CI/CD environments to identify the malicious versions of the Nx packages listed in the article. Remove them by deleting the 'node_modules' directory and then run 'npm cache clean --force' before installing a safe version. On all Linux and macOS developer endpoints, inspect `~/.bashrc` and `~/.zshrc` files for the entry 'sudo shutdown -h 0' and remove it. Also, delete the files `/tmp/inventory.txt` and `/tmp/inventory.txt.bak` if they exist. Audit all company-managed GitHub organizations and developer user accounts for any repositories named 's1ngularity-repository', 's1ngularity-repository-0', or 's1ngularity-repository-1'. Review GitHub audit logs for repository creation events by unexpected actors or automation. Immediately revoke all GitHub and npm tokens for all developers and service accounts. Force users to regenerate new tokens with the minimum required permissions. Initiate a company-wide rotation of all SSH keys and any other API keys or secrets stored in developer environment files that could have been compromised. In your SIEM or network monitoring tools, search for and create alerts on outbound API calls from developer endpoints or CI/CD runners to 'api.github.com' targeting '/user/repos' or '/repos/*/contents/results.b64'. Compliance Best Practices Implement a software composition analysis (SCA) tool to automatically scan npm dependencies for known vulnerabilities and malicious packages before they are used in development or build pipelines. Configure CI/CD pipelines to run in ephemeral, isolated environments with strict egress filtering that only allows network connections to approved package registries and services, preventing unauthorized data exfiltration. Establish and enforce a policy for credential management that mandates the use of short-lived, narrowly-scoped access tokens for CI/CD pipelines and developer environments, instead of long-lived personal access tokens. Develop and implement a corporate policy governing the use of AI command-line tools on developer endpoints, specifically restricting or monitoring the use of permissive flags like '--dangerously-skip-permissions' or '--trust-all-tools'. Implement a recurring security awareness training program for all developers focusing on supply chain attack risks, recognizing suspicious package behavior, and best practices for credential security. Citrix Patches Three NetScaler Zero Days as One Sees Active Exploitation Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and Gateway, identified as CVE-2025-7775 (CVSS 9.2), CVE-2025-7776 (CVSS 8.8), both memory overflows, and CVE-2025-8424 (CVSS 8.7), an improper access control flaw on the management interface. CVE-2025-7775, a pre-authentication remote code execution vulnerability, was actively exploited in the wild to deploy webshells on unmitigated appliances, with campaigns commencing prior to patch availability. As of August 26, 2025, 84% of scanned appliances were vulnerable to CVE-2025-7775, and the Shadowserver Foundation identified at least 28,000 unpatched instances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies apply patches by August 28. Affected systems include NetScaler ADC and Gateway versions 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241, and 12.1-FIPS/NDcPP before 12.1-55.330, alongside Secure Private Access deployments. Citrix urged users to upgrade to specific patched versions, as no other workarounds exist, and noted that versions 12.1 and 13.0 are now End-of-Life. Security experts caution that patching alone is insufficient, emphasizing the critical need to investigate for signs of prior compromise, as sophisticated actors often exploit such memory corruption vulnerabilities, and future attacks may combine initial access flaws like CVE-2025-7775 with secondary vulnerabilities such as CVE-2025-8424 to compromise management interfaces. Severity:Critical Sources https://www.infosecurity-magazine.com/news/citrix-patch-netscaler-zero-days/ Threat Details and IOCs Malware: Webshell, Backdoor Malware CVEs: CVE-2025-6543, CVE-2025-7775, CVE-2025-8424, CVE-2025-7776 Victim Industries: Government, Healthcare, Financial Services, Information Technology Victim Technologies: NetScaler Gateway, NetScaler ADC Victim Countries: United States Mitigation Advice Immediately patch all vulnerable Citrix NetScaler ADC and Gateway appliances to the recommended versions (14.1-47.48+, 13.1-59.22+, etc.) to remediate CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Initiate a threat hunt on all Citrix NetScaler appliances to look for indicators of compromise, such as webshells, unauthorized accounts, or unusual outbound network traffic, to identify and remediate existing backdoors. Identify and prioritize the immediate upgrade or decommissioning of all NetScaler appliances running end-of-life (EOL) versions 12.1 and 13.0, as they cannot be patched against these vulnerabilities. Compliance Best Practices Review and reconfigure network firewall rules to ensure that the NetScaler Management Interface is not exposed to the public internet and is only accessible from a secure, isolated management network segment. Implement a comprehensive asset lifecycle management program to track all hardware and software, ensuring that systems are upgraded or replaced before they reach end-of-life (EOL) to avoid exposure to unpatchable vulnerabilities. Docker Desktop Vulnerability Allowed Host Takeover on Windows, macOS A critical vulnerability, CVE-2025-9074, was identified and patched in Docker Desktop for Windows and macOS, allowing malicious containers to escape their isolated environments and achieve administrator-level control over the host system. Rated 9.3 out of 10 for severity, this flaw stemmed from an unauthenticated exposure of the Docker Engine's internal HTTP API, enabling a malicious container to create new privileged containers and access or modify host files, even when Enhanced Container Isolation (ECI) was active. The vulnerability, which could lead to full system takeover on Windows by overwriting critical files, was resolved in Docker Desktop version 4.44.3, released on August 20, 2025. Users are strongly advised to update to this version immediately, avoid overly permissive container configurations like the `--privileged` command, restrict container access, and maintain continuous system monitoring to mitigate risks. Severity:Critical Sources https://hackread.com/docker-desktop-vulnerability-host-takeover-windows-macos/ Threat Details and IOCs CVEs: CVE-2025-9074 Victim Industries: Information Technology Victim Technologies: Apple macOS, Microsoft Windows, Docker Desktop Mitigation Advice Update all Docker Desktop installations on Windows and macOS endpoints to version 4.44.3 or newer. Use asset inventory or vulnerability scanning tools to identify all corporate devices running versions of Docker Desktop vulnerable to CVE-2025-9074. Compliance Best Practices Establish and enforce a security policy that prohibits running Docker containers with the '--privileged' flag, implementing an exception process for documented and approved use cases. Implement a container runtime security solution to monitor for and alert on suspicious activities, such as unexpected process execution or network connections originating from containers. Enforce a policy of least privilege for all container configurations, ensuring they are granted only the specific capabilities, file system access, and network permissions required for their function. Widespread Data Theft Campaign Strikes Salesforce via Salesloft Drift A widespread data theft campaign, active between August 8 and 18, 2025, saw threat actor UNC6395 compromise numerous Salesforce customer instances by leveraging stolen OAuth tokens associated with the Salesloft Drift application. The attackers utilized valid OAuth credentials to execute structured SOQL queries, exfiltrating significant volumes of corporate data from Salesforce objects such as User, Account, Case, and Opportunity, with a specific focus on discovering secrets like AWS access keys, passwords, and Snowflake access tokens. UNC6395 demonstrated operational security by deleting query jobs and employing anonymizing infrastructure, including Tor exit nodes, and automation tools like python-requests/2.32.4 and aiohttp/3.12.15. In response, Salesloft and Salesforce revoked all active tokens for the Drift app on August 20 and temporarily removed it from the Salesforce AppExchange. This incident follows earlier Salesforce-related attacks in June and July 2025 by UNC6040, which used vishing to authorize rogue connected apps, and subsequent extortion by UNC6240 (ShinyHunters). Organizations using Drift with Salesforce are advised to audit for exposed credentials, revoke and rotate API keys, review logs for suspicious SOQL queries tied to the Drift app, and enforce strict access controls for connected applications, including IP restrictions and limited scopes. Severity:Critical Sources https://cyberinsider.com/widespread-data-theft-campaign-strikes-salesforce-via-salesloft-drift/ Threat Details and IOCs Threat Actors: ShinyHunters, UNC6240, UNC6040, UNC6395 Attacker Emails: shinycorp@tuta.com Victim Industries: Retail, Financial Services, Travel & Hospitality Victim Technologies: Salesloft Drift, Salesforce, Snowflake, Amazon Web Services (AWS) Victim Countries: United Kingdom, Germany, United States, France, Denmark, Netherlands Mitigation Advice Review all Salesforce logs between August 8 and August 18, 2025, for unusual SOQL queries originating from the Drift connected application, paying special attention to data exports from User, Account, Case, and Opportunity objects. Immediately audit all Salesforce objects and custom fields to identify any stored AWS access keys or other cloud service provider credentials. Immediately audit all Salesforce objects and custom fields to identify any stored Snowflake tokens or other database credentials. Immediately revoke and rotate any secrets, API keys, or passwords discovered during the audit of Salesforce data. Follow vendor guidance to securely re-authenticate the Drift to Salesforce integration to restore service with new, secure tokens. Compliance Best Practices For all third-party Salesforce connected applications, configure IP Login Ranges to only permit access from the application vendor's known IP addresses. Conduct a comprehensive security review of all Salesforce connected applications to ensure each one operates with the minimum required OAuth scopes and object permissions necessary for its function. Modify Salesforce user profiles to remove the 'API Enabled' permission by default, and grant it only to a limited number of dedicated integration user accounts or specific administrators via permission sets. Implement a Data Loss Prevention (DLP) policy and toolset to continuously scan Salesforce objects and fields to detect and alert on any hardcoded secrets, passwords, or API keys. Implement a recurring security awareness training program that educates employees on identifying and reporting social engineering attempts, specifically including vishing and consent phishing for cloud applications. Click here to sign up for the F5 Threat ReportPost-Quantum Cryptography, OpenSSH, & s1ngularity supply chain attack
This week in security: PQC by default, and a supply-chain gut check. At F5, we are publishing a forward‑looking series of blog posts which help security and IT leaders anticipate tomorrow’s risks and capitalize on emerging tech. Think of it as a field guide to future threats—and how to stay resilient as they arrive. We are about half way through the series, here are some of the highlights from my point of view.
