Cyber Digests

no noise - just real cyber news

A Lazarus Group subgroup has expanded its toolkit with new cross-platform malware strains, targeting the decentralized finance sector with social engineering and suspected Chrome zero-day exploitation. The group's evolving technical sophistication is demonstrated through its layered tooling approach and persistence in financially motivated operations.

Latest mentioned: 09-08
Earliest mentioned: 09-02

A rare data dump has provided insight into Kimsuky's operations, revealing novel tactics and expanded targeting, with a primary goal of credential harvesting and system persistence. The group employs advanced techniques, including interactive malware development and AiTM phishing, to establish deep system persistence.

Latest mentioned: 09-08
Earliest mentioned: 09-05

CISA has issued an urgent warning regarding an actively exploited zero-day vulnerability in WhatsApp's linked device feature, which allows attackers to manipulate synchronization messages and potentially steal data or install malware. This critical vulnerability poses a significant risk to users globally and must be patched by federal and critical infrastructure organizations by September 23, 2025.

Latest mentioned: 09-08
Earliest mentioned: 09-03

A widespread authentication token theft campaign targeted Salesforce instances via the Salesloft Drift platform, affecting organizations like Palo Alto Networks and Zscaler, with the threat actor exfiltrating data focusing on credentials and sensitive information. The incident highlights the need for enhanced security audits and stronger access controls to mitigate supply chain attacks.

Latest mentioned: 09-07
Earliest mentioned: 09-01

A newly disclosed vulnerability in Apache Jackrabbit Core and JCR Commons allows JNDI injection that can lead to remote code execution: the flaw stems from `JndiRepositoryFactory` handling untrusted JNDI URIs, which enables deserialization of malicious data. Exploitation can result in arbitrary code execution, data exfiltration, or service disruption, impacting enterprise content management and web systems.

Latest mentioned: 09-08
Earliest mentioned: 09-08

Ransomware group LunaLock has introduced a novel extortion tactic, threatening to release stolen digital art into AI training datasets if victims refuse to pay, exploiting creators' concerns about unauthorized AI scraping and intellectual property. The attack on Artists&Clients involved encrypting files and demanding $50,000 in cryptocurrency, highlighting the immediate operational disruption and unique psychological pressure on victims.

Latest mentioned: 09-08
Earliest mentioned: 09-02

A critical vulnerability in Argo CD allows low-privileged API tokens to retrieve all associated repository credentials, bypassing isolation mechanisms: even tokens with only basic 'get' permissions can access sensitive usernames and passwords. Exploitation can lead to cloning private codebases, injecting malicious manifests, and supply chain attacks, affecting all Argo CD versions up to 2.13.0.

Latest mentioned: 09-08
Earliest mentioned: 09-05

The Czech National Cyber and Information Security Agency issued a formal warning regarding products and services transferring user and system data to China, citing legal frameworks that compel data sharing with the state, which enables remote administration and potential misuse by state interests. Threat intelligence indicates a significant increase in intrusion activity and cloud targeting by Chinese operations, highlighting supply chain risks.

Latest mentioned: 09-08
Earliest mentioned: 09-04

A supply-chain attack on Salesloft Drift led to a data breach at Zscaler, exposing customer information, as attackers exploited stolen OAuth tokens to access Salesforce environments, highlighting the persistence and adaptability of threat actors. The breach underscores the need for vigilance against phishing and social engineering attacks, as well as the importance of securing API tokens and customer authentication protocols.

Latest mentioned: 09-07
Earliest mentioned: 09-01

A recent phishing campaign leveraged compromised AWS keys to weaponize Amazon Simple Email Service (SES), demonstrating novel techniques to bypass default restrictions and achieve industrial-scale email delivery, with attackers abusing the `PutAccountDetails` API to push SES accounts into production mode. The campaign utilized programmatic API calls and attempted privilege escalation, indicating sophisticated, automated tradecraft.

Latest mentioned: 09-08
Earliest mentioned: 09-04