F5 Threat Report - September 17th, 2025
Akira Ransomware Exploiting Critical SonicWall SSLVPN Bug Again The Akira ransomware group is actively exploiting CVE-2024-40766, a critical-severity access control vulnerability in SonicWall SSL VPN devices, to gain unauthorized access to target networks. This flaw, which allows unauthorized resource access and can cause firewall crashes, was patched by SonicWall in August of the previous year, with a strong recommendation for users to reset passwords for locally managed SSLVPN accounts after applying the update to prevent threat actors from leveraging exposed credentials. Despite the patch, Akira began actively exploiting the vulnerability in September 2024, with recent alerts from the Australian Cyber Security Centre and observations from Rapid7 indicating a resurgence in attacks, likely due to incomplete remediation. SonicWall has confirmed that the current activity is linked to CVE-2024-40766, not a new zero-day, and has investigated up to 40 related security incidents. The vulnerability impacts SonicWall firewall versions including Gen 5 (5.9.2.14-12o and older), Gen 6 (6.5.4.14-109n and older), and Gen 7 (7.0.1-5035 and older), necessitating updates to firmware version 7.3.0 or later, rotation of SonicWall account passwords, enforcement of multi-factor authentication, mitigation of SSLVPN Default Groups risk, and restriction of Virtual Office Portal access to trusted networks. Severity:High Source https://www.bleepingcomputer.com/news/security/akira-ransomware-exploiting-critical-sonicwall-sslvpn-bug-again/ Threat Details and IOCs CVEs: CVE-2024-40766 Technologies: SonicWall SonicOS Threat Actors: Akira, Everest, Fog, GoldSahara, GOLDSAHARA, PunkSpider, ScatteredLapsusHunters, Storm-1567, UNC4487 Attacker Countries: Russia Victim Industries: Manufacturing, Education, Financial Services, Healthcare, Transportation, Business Services, Retail, Technology, Critical Infrastructure, Construction Victim Countries: Australia Mitigation Advice Immediately patch all vulnerable SonicWall devices (Gen 5, 6, and 7) to the latest recommended firmware version to remediate CVE-2024-40766. Force an immediate password rotation for all locally managed user accounts on SonicWall SSLVPN devices. Configure firewall access control lists to restrict access to the SonicWall SSLVPN and Virtual Office Portal interfaces to only trusted IP address ranges. Compliance Best Practices Develop and execute a plan to enforce mandatory multi-factor authentication (MFA) for all users accessing the SonicWall SSLVPN. Perform a configuration audit of SonicWall devices to identify and remediate overly permissive settings, specifically focusing on mitigating risks associated with the 'SSLVPN Default Groups'. Review and enhance the existing vulnerability management program to ensure timely patching of all internet-facing infrastructure and include a verification step to confirm all required mitigations, such as password resets or configuration changes, are completed. From Compromised Keys to Phishing Campaigns: Inside a Cloud Email Service Takeover A cloud email service takeover campaign in May 2025 leveraged compromised AWS access keys to bypass Amazon Simple Email Service (SES) restrictions and launch large-scale phishing operations. Attackers, after obtaining an access key with SES permissions, performed reconnaissance using GetCallerIdentity, GetSendQuota, and GetAccount API calls. They then rapidly issued multi-regional PutAccountDetails requests to transition the SES account from sandbox to production mode, providing a generic justification that was approved by AWS support. Although attempts to programmatically increase email quotas via CreateCase API and escalate IAM privileges failed, the default 50,000-emails-per-day production quota was sufficient. Subsequently, the attackers verified multiple domains, including attacker-owned and legitimate domains with weak DMARC, and created email identities (e.g., admin@, billing@). This infrastructure was used for a phishing campaign targeting various organizations with fake 2024 tax forms, linking to a credential theft site hidden behind a commercial redirect service. Such SES abuse poses significant reputational, compromise, and operational risks, indicating broader credential compromise. To mitigate this, organizations should restrict SES where unused, regularly audit and rotate access keys, enforce least privilege for SES permissions, and diligently log and alert on SES API calls, especially PutAccountDetails, and monitor for sudden spikes in service usage or unusual sender additions. Severity:High Source https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign Threat Details and IOCs Technologies: Amazon Web Services, Amazon Simple Email Service Attacker Domains: managed7.com, street7news.org, street7market.net, docfilessa.com, irss.securesusa.com Victim Industries: Accounting, Energy, Financial Services, Healthcare, Manufacturing Victim Countries: United States Mitigation Advice Block the following domains at the web proxy, DNS filter, and email gateway: managed7.com, street7news.org, street7market.net, docfilessa.com, and irss.securesusa.com. Conduct an immediate audit of all IAM user access keys, focusing on identifying and disabling keys that have been inactive for over 90 days and have suddenly shown activity, or keys used from geographically anomalous locations. Create a CloudTrail alert to trigger on multiple `ses:PutAccountDetails` API calls originating from the same IAM principal across different AWS regions within a short time window, such as 5 minutes. Configure a CloudTrail alert to trigger on any non-console invocation of the `support:CreateCase` API, especially when related to service quota increases. Immediately review your AWS SES configuration in all regions to verify that no unauthorized domains or email addresses have been added as sending identities and that the account has not been unexpectedly moved from the sandbox to "production" mode. Compliance Best Practices Implement and enforce a mandatory 90-day rotation policy for all IAM user access keys and establish a process to automatically disable keys that have not been used for more than 90 days. Initiate a project to review and refactor all IAM policies to adhere to the principle of least privilege, specifically restricting permissions for sensitive SES actions like `ses:PutAccountDetails` and `ses:CreateEmailIdentity` to a minimal number of dedicated administrative roles. Use AWS Organizations and Service Control Policies (SCPs) to explicitly deny access to the Amazon SES service in all AWS accounts that do not have a legitimate business requirement to send bulk email. Develop and execute a phased plan to implement DMARC for all company-owned domains, starting with a `p=none` policy for monitoring and progressively moving to `p=quarantine` and `p=reject` to prevent unauthorized email spoofing. Enable AWS CloudTrail logging for all regions in all accounts, forwarding logs to a central security information and event management (SIEM) system. Specifically, enable SES data events within CloudTrail for granular visibility into email sending activity. Configure AWS CloudWatch anomaly detection on key service metrics, such as SES `SendEmail` volume and S3 `PutObject` counts, to automatically detect and alert on significant deviations from established baselines. GONEPOSTAL Malware Exploits Outlook for Stealthy Command-and-Control A sophisticated espionage campaign employs GONEPOSTAL, a novel malware attributed to the Russian state-sponsored group KTA007, also known as Fancy Bear or APT28, which transforms Microsoft Outlook into a stealthy command and control channel. Discovered by Kroll, GONEPOSTAL operates via a two-stage attack: a malicious DLL disguised as `SSPICLI.dll` initiates a PowerShell sequence that copies a `testtemp.ini` file to `VbaProject.OTM` in the Outlook profile directory, while also performing victim identification via DNS lookups and HTTP requests to services like webhook.site. Persistence is achieved through critical registry modifications to `Software\Microsoft\Office\16.0\Outlook`, specifically setting `LoadMacroProviderOnBoot` to enable automatic macro loading, `Level` to allow unrestricted macro execution, and `PONT_STRING` to suppress security warnings, all facilitating the core functionality housed within the obfuscated, password-protected `VbaProject.OTM` VBA macros. Upon Outlook startup, the malware initializes and monitors incoming emails for specific command signatures, supporting `cmd` for command execution with output, `cmdNo` for silent execution, `upload` for writing files, and `download` for reading and exfiltrating files, processing base64-encoded payloads and exfiltrating data by base64 encoding and chunking files into approximately 3.15-megabyte segments for email attachments, before cleaning up forensic evidence by removing processed emails. Severity:Critical Source https://gbhackers.com/gonepostal-malware/ Threat Details and IOCs Technologies: Microsoft Office, Microsoft Outlook, Microsoft Windows Threat Actors: APT28, APT32, FancyBear, KTA007, KTA488, PawnStorm Attacker Countries: Russia Attacker Domains: webhook.site, oast.fun Victim Industries: Government, Aerospace & Defense, Non-Governmental Organization Victim Countries: United States, Norway, Switzerland, Ukraine, France Mitigation Advice Use your endpoint detection and response (EDR) tool to scan all endpoints for the file 'VbaProject.OTM' within the '%APPDATA%\Microsoft\Outlook\' directory. Audit the Windows Registry on all endpoints for unauthorized changes to the 'LoadMacroProviderOn', 'Level', and 'PONT_STRING' values under the 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security' key. Add 'webhook.site' and 'oast.fun' to your DNS blocklist and web proxy filter to disrupt the malware's victim identification callback. Use your EDR or system management tools to identify any instances of 'SSPICLI.dll' that are not digitally signed by Microsoft or are located outside of the expected System32 directory. Search available PowerShell logs for command-line activity involving the copying of files to the Outlook profile directory, specifically looking for the creation of 'VbaProject.OTM'. Compliance Best Practices Implement a Group Policy (GPO) to set the Microsoft Office macro security level to 'High' or 'Vey High', which disables all macros except those that are digitally signed by a trusted publisher. Enable PowerShell Script Block Logging and Module Logging across all endpoints and forward these logs to a centralized SIEM for monitoring and alerting on suspicious script execution. Configure your Endpoint Detection and Response (EDR) solution to generate alerts when Microsoft Office applications, such as Outlook.exe, spawn child processes like PowerShell.exe or Cmd.exe. Deploy an application control technology, such as Windows Defender Application Control (WDAC) or AppLocker, to enforce a policy that only allows authorized and signed DLLs and scripts to execute. Enable registry auditing on endpoints for critical Microsoft Office security keys and forward these events to a SIEM to create alerts for unauthorized modifications. Amazon Disrupts Russian APT29 Hackers Targeting Microsoft 365 Researchers disrupted an operation by the Russian state-sponsored threat group Midnight Blizzard, also known as APT29, which sought to access Microsoft 365 accounts and data. This group employed a watering hole campaign, compromising legitimate websites to redirect a small percentage of visitors to malicious infrastructure mimicking Cloudflare verification pages, such as findcloudflare[.]com or cloudflare[.]redirectpartners[.]com. The objective was to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow, thereby gaining access to credentials and intelligence. Amazon's threat intelligence team identified the campaign, isolated the threat actor's EC2 instances, and collaborated with Cloudflare and Microsoft to disrupt the identified domains, continuing to track and disrupt the group's attempts to shift infrastructure. This campaign reflects an evolution in APT29's technical approach, moving away from AWS impersonation or social engineering for MFA bypass. Users are advised to verify device authorization requests, enable multi-factor authentication, and avoid executing commands copied from webpages, while administrators should consider disabling unnecessary device authorization flows, enforcing conditional access policies, and closely monitoring for suspicious authentication events. Severity:Critical Source https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-apt29-hackers-targeting-microsoft-365/ Threat Details and IOCs Technologies: Cloudflare, Microsoft Entra ID, Microsoft Windows Threat Actors: APT29, MidnightBlizzard, UNC2452 Attacker Countries: Russia Attacker Domains: findcloudflare.com, cloudflare[.]redirectpartners.com Victim Industries: Government, Information Technology Victim Countries: United States, Germany Mitigation Advice Add the domains 'findcloudflare[.]com' and 'cloudflare[.]redirectpartners[.]com' to your web filter, DNS sinkhole, and firewall blocklists. In Microsoft Entra ID, create a Conditional Access policy to block the 'Device code flow' authentication flow for all users, unless there is a specific business requirement for it. Review Microsoft Entra ID sign-in logs for all authentication events that used the 'Device code' flow. Investigate any successful authentications from unfamiliar locations or devices. Send a security advisory to all employees warning them to be suspicious of any unexpected prompts to authorize a new device sign-in for their Microsoft 365 account, especially if it originates from a web browser. Compliance Best Practices Initiate a project to review and strengthen all Microsoft Entra ID Conditional Access policies to enforce location-based, device-based, and risk-based access controls for all cloud applications. Implement and enforce phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 security keys or certificate-based authentication, for all users, prioritizing privileged accounts. Implement a continuous security awareness training program that includes phishing simulations specifically designed to mimic modern threats like consent phishing and device authorization abuse. Integrate Microsoft Entra ID sign-in and audit logs into your SIEM to develop specific detection rules and alerts for anomalous authentication patterns, such as an unusual volume of device code authentications or sign-ins from non-compliant devices. Fileless Malware Deploys Advanced RAT via Legitimate Tools A sophisticated fileless malware campaign has been identified, leveraging legitimate system tools to deploy AsyncRAT, a powerful remote access Trojan. The attack initiates through a compromised ScreenConnect client, establishing an interactive session via `relay.shipperzone[.]online`. A VBScript, `Update.vbs`, then executes a PowerShell command to download two payloads, `logs.ldk` and `logs.ldr`, to `C:\Users\Public\`. These payloads are loaded directly into memory using reflection, bypassing disk-based detection. The infection chain proceeds with a first-stage .NET assembly, `Obfuscator.dll`, which includes classes to initialize the runtime, establish persistence via a "Skype Updater" scheduled task, and disable Windows security logging. The final payload, `AsyncClient.exe`, functions as the command-and-control engine, communicating with domains like `3osch20[.]duckdns[.]org` using TCP-based protocols. This AsyncRAT variant performs system reconnaissance, executes commands, and exfiltrates sensitive data, including operating system details, privilege levels, antivirus status, active window titles, browser extensions like MetaMask and Phantom, and conducts keylogging with context capture. Severity:Critical Source https://thehackernews.com/2025/09/asyncrat-exploits-connectwise.html Threat Details and IOCs CVEs: CVE-2024-1709, CVE-2024-1708 Attacker Domains: 3osch20.duckdns[.]org, relay.shipperzone[.]online Technologies: ConnectWise ScreenConnect, Microsoft Windows Victim Industries: Financial Services, Cryptocurrency Victim Countries: United States Mitigation Advice Block the domains `relay.shipperzone[.]online` and `3osch20[.]duckdns[.]org` at the network perimeter firewall and in the corporate DNS filtering solution. Use your Endpoint Detection and Response (EDR) or system management tools to scan all endpoints for the existence of `logs.ldk` and `logs.ldr` in the `C:\Users\Public\` directory. Scan all Windows systems for a scheduled task named 'Skype Updater' and investigate any machines where this task is found. Immediately audit all on-premise and cloud ScreenConnect instances to ensure they are patched to the latest version, review user accounts for unauthorized additions, and enforce multi-factor authentication for all remote access. In your SIEM or EDR, hunt for instances of `WScript.exe` executing `PowerShell.exe` to download files, which matches the technique described in the article. Compliance Best Practices Enable PowerShell Script Block Logging and Module Logging via Group Policy and forward these logs to your SIEM to create detections for obfuscated scripts and suspicious in-memory execution. Deploy an application control policy, such as Windows Defender Application Control (WDAC) or AppLocker, to restrict the execution of unauthorized scripts and binaries from non-standard locations like `C:\Users\Public\`. Establish a formal policy and technical standard for all remote access software, requiring tools to be centrally managed, configured with multi-factor authentication, and have their session logs forwarded to the SIEM for monitoring. Work with your EDR vendor or internal team to create and enable behavioral detection rules that alert on processes attempting to disable security logging or perform in-memory .NET assembly loading from a scripting engine. For user groups that do not have a business need for scripting, use Group Policy to disable Windows Script Host (`WScript.exe`) and set the PowerShell execution policy to 'Restricted'.F5 Threat Report - September 10th, 2025
To learn more about the F5 Threat Report click here Critical Flaws in NVIDIA NeMo AI Curator Allow System Takeover NVIDIA has released a critical update for its NeMo Curator software, version 25.07, to address a high-severity code injection vulnerability tracked as CVE-2025-23307. This flaw, affecting all previous versions across Windows, Linux, and macOS, originates from insufficient validation of user-supplied inputs prior to dynamic code evaluation (CWE-94). With a base severity score of 7.8, the vulnerability enables an attacker to achieve remote code execution, privilege escalation, unauthorized information disclosure, or data tampering by crafting a malicious file that the Curator environment processes. While requiring low privileges and local file manipulation, no user interaction is necessary for exploitation. Users are urged to upgrade to Curator version 25.07, which includes input sanitization and stricter evaluation controls, to mitigate this risk. Severity:Critical Sources https://cyberpress.org/flaws-in-nvidia-nemo-ai-curator-allow-system-takeover/ Threat Details and IOCs CVEs: CVE-2025-23307 Victim Industries: Automotive, Manufacturing, Healthcare, Retail, Financial Services, Technology, Government, Telecommunications Victim Technologies: NVIDIA NeMo Curator, Linux, Microsoft Windows, Apple macOS Mitigation Advice Use asset inventory systems, software management tools, or manual checks to identify all instances of NVIDIA NeMo Curator running on company assets, including servers and developer workstations. For all identified instances of NVIDIA NeMo Curator, immediately upgrade the software to version 25.07 or newer from the official NVIDIA NeMo GitHub repository. Compliance Best Practices Implement or enhance a software asset management (SAM) program to maintain a continuously updated inventory of all deployed software, including specialized AI/ML frameworks. Review and enforce the principle of least privilege for user and service accounts, particularly those associated with data processing and AI/ML environments, to minimize the impact of potential code execution vulnerabilities. Establish a formal vulnerability management program that includes subscribing to vendor security advisories (like NVIDIA's PSIRT) and performing regular, authenticated vulnerability scans across all assets. Provide secure coding training to development teams that focuses on input validation (CWE-94) and the secure handling of external data, especially within applications that process complex file formats. s1ngularity Supply Chain Attack Leaks Secrets on GitHub: Everything You Need to Know On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry, initiating a supply chain attack. These versions, including specific releases of `@nrwl/nx`, `nx`, `@nx/devkit`, `@nx/enterprise-cloud`, `@nx/eslint`, `@nx/js`, `@nx/key`, `@nx/node`, and `@nx/workspace`, contained a post-installation malware script named `telemetry.js`. This payload, active on Linux and macOS systems, systematically harvested sensitive developer assets such as cryptocurrency wallets, GitHub and npm tokens, SSH keys, and `.env` files. A notable aspect of the attack involved weaponizing installed AI command-line tools (including Claude, Gemini, and Q) by prompting them with dangerous flags for reconnaissance. The malware also attempted system lockout by appending `sudo shutdown -h 0` to `~/.bashrc` and `~/.zshrc`. Exfiltrated data was triple-base64 encoded and uploaded to publicly accessible attacker-controlled GitHub repositories named `s1ngularity-repository`, `s1ngularity-repository-0`, or `s1ngularity-repository-1` within victims’ GitHub accounts, leading to the exposure of over a thousand valid GitHub tokens, dozens of cloud and npm credentials, and approximately twenty thousand files. The compromise affected developer machines, often via the NX VSCode extension, and CI/CD pipelines like GitHub Actions. Immediate remediation requires removing malicious Nx versions, upgrading to clean releases, manually removing malicious shell entries, and deleting `/tmp/inventory.txt` and its backup. Security teams should audit GitHub accounts for the specific repository names, review audit logs for anomalous API usage, and monitor developer endpoints and CI/CD pipelines for suspicious activity. Crucially, all potentially leaked credentials, including GitHub tokens, npm tokens, SSH keys, API keys, and environment variable secrets, must be revoked and regenerated, and cryptocurrency funds transferred if exposed. Severity:Critical Sources https://www.wiz.io/blog/s1ngularity-supply-chain-attack Threat Details and IOCs Attacker Hashes: 3905475cfd0e0ea670e20c6a9eaeb768169dc33d Victim Industries: Financial Services Victim Technologies: Nx, Google Gemini, Apple macOS, Microsoft Visual Studio Code, Amazon Q, Anthropic Claude, Node.js, Linux, GitHub, npm Mitigation Advice Scan all developer endpoints and CI/CD environments to identify the malicious versions of the Nx packages listed in the article. Remove them by deleting the 'node_modules' directory and then run 'npm cache clean --force' before installing a safe version. On all Linux and macOS developer endpoints, inspect `~/.bashrc` and `~/.zshrc` files for the entry 'sudo shutdown -h 0' and remove it. Also, delete the files `/tmp/inventory.txt` and `/tmp/inventory.txt.bak` if they exist. Audit all company-managed GitHub organizations and developer user accounts for any repositories named 's1ngularity-repository', 's1ngularity-repository-0', or 's1ngularity-repository-1'. Review GitHub audit logs for repository creation events by unexpected actors or automation. Immediately revoke all GitHub and npm tokens for all developers and service accounts. Force users to regenerate new tokens with the minimum required permissions. Initiate a company-wide rotation of all SSH keys and any other API keys or secrets stored in developer environment files that could have been compromised. In your SIEM or network monitoring tools, search for and create alerts on outbound API calls from developer endpoints or CI/CD runners to 'api.github.com' targeting '/user/repos' or '/repos/*/contents/results.b64'. Compliance Best Practices Implement a software composition analysis (SCA) tool to automatically scan npm dependencies for known vulnerabilities and malicious packages before they are used in development or build pipelines. Configure CI/CD pipelines to run in ephemeral, isolated environments with strict egress filtering that only allows network connections to approved package registries and services, preventing unauthorized data exfiltration. Establish and enforce a policy for credential management that mandates the use of short-lived, narrowly-scoped access tokens for CI/CD pipelines and developer environments, instead of long-lived personal access tokens. Develop and implement a corporate policy governing the use of AI command-line tools on developer endpoints, specifically restricting or monitoring the use of permissive flags like '--dangerously-skip-permissions' or '--trust-all-tools'. Implement a recurring security awareness training program for all developers focusing on supply chain attack risks, recognizing suspicious package behavior, and best practices for credential security. Citrix Patches Three NetScaler Zero Days as One Sees Active Exploitation Citrix has released patches for three critical zero-day vulnerabilities in NetScaler ADC and Gateway, identified as CVE-2025-7775 (CVSS 9.2), CVE-2025-7776 (CVSS 8.8), both memory overflows, and CVE-2025-8424 (CVSS 8.7), an improper access control flaw on the management interface. CVE-2025-7775, a pre-authentication remote code execution vulnerability, was actively exploited in the wild to deploy webshells on unmitigated appliances, with campaigns commencing prior to patch availability. As of August 26, 2025, 84% of scanned appliances were vulnerable to CVE-2025-7775, and the Shadowserver Foundation identified at least 28,000 unpatched instances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies apply patches by August 28. Affected systems include NetScaler ADC and Gateway versions 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241, and 12.1-FIPS/NDcPP before 12.1-55.330, alongside Secure Private Access deployments. Citrix urged users to upgrade to specific patched versions, as no other workarounds exist, and noted that versions 12.1 and 13.0 are now End-of-Life. Security experts caution that patching alone is insufficient, emphasizing the critical need to investigate for signs of prior compromise, as sophisticated actors often exploit such memory corruption vulnerabilities, and future attacks may combine initial access flaws like CVE-2025-7775 with secondary vulnerabilities such as CVE-2025-8424 to compromise management interfaces. Severity:Critical Sources https://www.infosecurity-magazine.com/news/citrix-patch-netscaler-zero-days/ Threat Details and IOCs Malware: Webshell, Backdoor Malware CVEs: CVE-2025-6543, CVE-2025-7775, CVE-2025-8424, CVE-2025-7776 Victim Industries: Government, Healthcare, Financial Services, Information Technology Victim Technologies: NetScaler Gateway, NetScaler ADC Victim Countries: United States Mitigation Advice Immediately patch all vulnerable Citrix NetScaler ADC and Gateway appliances to the recommended versions (14.1-47.48+, 13.1-59.22+, etc.) to remediate CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Initiate a threat hunt on all Citrix NetScaler appliances to look for indicators of compromise, such as webshells, unauthorized accounts, or unusual outbound network traffic, to identify and remediate existing backdoors. Identify and prioritize the immediate upgrade or decommissioning of all NetScaler appliances running end-of-life (EOL) versions 12.1 and 13.0, as they cannot be patched against these vulnerabilities. Compliance Best Practices Review and reconfigure network firewall rules to ensure that the NetScaler Management Interface is not exposed to the public internet and is only accessible from a secure, isolated management network segment. Implement a comprehensive asset lifecycle management program to track all hardware and software, ensuring that systems are upgraded or replaced before they reach end-of-life (EOL) to avoid exposure to unpatchable vulnerabilities. Docker Desktop Vulnerability Allowed Host Takeover on Windows, macOS A critical vulnerability, CVE-2025-9074, was identified and patched in Docker Desktop for Windows and macOS, allowing malicious containers to escape their isolated environments and achieve administrator-level control over the host system. Rated 9.3 out of 10 for severity, this flaw stemmed from an unauthenticated exposure of the Docker Engine's internal HTTP API, enabling a malicious container to create new privileged containers and access or modify host files, even when Enhanced Container Isolation (ECI) was active. The vulnerability, which could lead to full system takeover on Windows by overwriting critical files, was resolved in Docker Desktop version 4.44.3, released on August 20, 2025. Users are strongly advised to update to this version immediately, avoid overly permissive container configurations like the `--privileged` command, restrict container access, and maintain continuous system monitoring to mitigate risks. Severity:Critical Sources https://hackread.com/docker-desktop-vulnerability-host-takeover-windows-macos/ Threat Details and IOCs CVEs: CVE-2025-9074 Victim Industries: Information Technology Victim Technologies: Apple macOS, Microsoft Windows, Docker Desktop Mitigation Advice Update all Docker Desktop installations on Windows and macOS endpoints to version 4.44.3 or newer. Use asset inventory or vulnerability scanning tools to identify all corporate devices running versions of Docker Desktop vulnerable to CVE-2025-9074. Compliance Best Practices Establish and enforce a security policy that prohibits running Docker containers with the '--privileged' flag, implementing an exception process for documented and approved use cases. Implement a container runtime security solution to monitor for and alert on suspicious activities, such as unexpected process execution or network connections originating from containers. Enforce a policy of least privilege for all container configurations, ensuring they are granted only the specific capabilities, file system access, and network permissions required for their function. Widespread Data Theft Campaign Strikes Salesforce via Salesloft Drift A widespread data theft campaign, active between August 8 and 18, 2025, saw threat actor UNC6395 compromise numerous Salesforce customer instances by leveraging stolen OAuth tokens associated with the Salesloft Drift application. The attackers utilized valid OAuth credentials to execute structured SOQL queries, exfiltrating significant volumes of corporate data from Salesforce objects such as User, Account, Case, and Opportunity, with a specific focus on discovering secrets like AWS access keys, passwords, and Snowflake access tokens. UNC6395 demonstrated operational security by deleting query jobs and employing anonymizing infrastructure, including Tor exit nodes, and automation tools like python-requests/2.32.4 and aiohttp/3.12.15. In response, Salesloft and Salesforce revoked all active tokens for the Drift app on August 20 and temporarily removed it from the Salesforce AppExchange. This incident follows earlier Salesforce-related attacks in June and July 2025 by UNC6040, which used vishing to authorize rogue connected apps, and subsequent extortion by UNC6240 (ShinyHunters). Organizations using Drift with Salesforce are advised to audit for exposed credentials, revoke and rotate API keys, review logs for suspicious SOQL queries tied to the Drift app, and enforce strict access controls for connected applications, including IP restrictions and limited scopes. Severity:Critical Sources https://cyberinsider.com/widespread-data-theft-campaign-strikes-salesforce-via-salesloft-drift/ Threat Details and IOCs Threat Actors: ShinyHunters, UNC6240, UNC6040, UNC6395 Attacker Emails: shinycorp@tuta.com Victim Industries: Retail, Financial Services, Travel & Hospitality Victim Technologies: Salesloft Drift, Salesforce, Snowflake, Amazon Web Services (AWS) Victim Countries: United Kingdom, Germany, United States, France, Denmark, Netherlands Mitigation Advice Review all Salesforce logs between August 8 and August 18, 2025, for unusual SOQL queries originating from the Drift connected application, paying special attention to data exports from User, Account, Case, and Opportunity objects. Immediately audit all Salesforce objects and custom fields to identify any stored AWS access keys or other cloud service provider credentials. Immediately audit all Salesforce objects and custom fields to identify any stored Snowflake tokens or other database credentials. Immediately revoke and rotate any secrets, API keys, or passwords discovered during the audit of Salesforce data. Follow vendor guidance to securely re-authenticate the Drift to Salesforce integration to restore service with new, secure tokens. Compliance Best Practices For all third-party Salesforce connected applications, configure IP Login Ranges to only permit access from the application vendor's known IP addresses. Conduct a comprehensive security review of all Salesforce connected applications to ensure each one operates with the minimum required OAuth scopes and object permissions necessary for its function. Modify Salesforce user profiles to remove the 'API Enabled' permission by default, and grant it only to a limited number of dedicated integration user accounts or specific administrators via permission sets. Implement a Data Loss Prevention (DLP) policy and toolset to continuously scan Salesforce objects and fields to detect and alert on any hardcoded secrets, passwords, or API keys. Implement a recurring security awareness training program that educates employees on identifying and reporting social engineering attempts, specifically including vishing and consent phishing for cloud applications. Click here to sign up for the F5 Threat Report
