Cyberattack on the Justice Senator! It became known today that Berlin's Justice Senator Felor Badenberg was the victim of a cyberattack: hackers gained access to a PC in the senator's office, captured sensitive personal data (calendar and mailbox), and posed as representatives of the Central Council of Jews to win trust. Initial indications point to the Iranian hacker group "Charming Kitten". #CyberSecurity #CyberAttack #Hackerangriff #Cybercrime #berlin
From procrastination to a lack of tools: how do companies open the door to cybercriminals? As a global study by Sophos shows, ransomware attacks on companies in the past year most often happened because of security vulnerabilities the organisation was unaware of (40% of responses), known but ignored weak points in the IT infrastructure (38%), and unreliable protection tools that were unable to stop the attack (37%). https://linuxiarze.pl/od-prokrastynacji-po-brak-narzedzi-jak-firmy-otwieraja-drzwi-cyberprzestepcom/ #cyberattack #cybersecurity
Middletown, Ohio Cyber Incident Halts In-Person Services #LocalGovernment #Cyberattack #Ohio https://zba.bz/9Q7XI
Berlin's Justice Senator Felor Badenberg has been the target of a sophisticated cyberattack, resulting in the apparent compromise of data, including her digital... https://news.osna.fm/?p=12170 | #news #berlin #cyberattack #data #justice
HR solutions company Workday reveals unknown threat actors have successfully breached its third-party CRM platform.
#HR #Workday #hack #Salesforce #cyberattack
https://cnews.link/workday-hr-platform-cyberattack-shiny-hunters-crm-salesforce-2/
NATO Allegedly Breached – 15 Million Sensitive Military and Strategic Records Leaked Online https://dailydarkweb.net/nato-allegedly-breached-15-million-sensitive-military-and-strategic-records-leaked-online/ #allegedbreach #CyberSecurity #DataBreaches #cyberattack #geopolitics #dataleak #military #NATO
Bragg Confirms Cyberattack, Internal IT Systems Breached
https://gbhackers.com/bragg-confirms-cyberattack/
Netherlands Speed Cameras Offline Due to Russia-China Cyberattack
#cyberattack #outage #speedcameras
https://blazetrends.com/netherlands-speed-cameras-offline-due-to-russia-china-cyberattack/?fsp_sid=95215
Last year's cyberattack at UnitedHealth Group's tech unit, Change Healthcare, impacted 192.7 million people, the US health department's website showed on Thursday.
#US #cyberattack #hack #cybersecurity
https://cnews.link/192-million-impacted-united-health-change-healthcare-hack-1/
Thiruvananthapuram’s Sree Padmanabhaswamy Temple faces a cyberattack; officials report data leaks and system intrusion. Cyber police register case https://english.mathrubhumi.com/news/kerala/thiruvananthapurams-sree-padmanabhaswamy-temple-network-hacked-case-registered-p1al8pyr?utm_source=dlvr.it&utm_medium=mastodon #SreePadmanabhaswamyTemple #CyberAttack #Thiruvananthapuram
15 August was a busy day in the cyber world, with significant updates on major breaches, evolving nation-state tactics, new vulnerabilities, and shifts in the regulatory landscape:
SAP Zero-Day Exploitation Widens
- A zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver, initially exploited by Chinese state-linked actors (Salt Typhoon, Volt Typhoon comparisons), is now being leveraged by ransomware gangs.
- The flaw, affecting the middleware layer, grants full remote access, allowing data modification, deletion, exfiltration, and even code execution, similar to the SolarWinds Orion attacks.
- Over 580 victims, primarily in the US, UK, and Saudi Arabia, including critical infrastructure, have been identified, with exploitation traced back to January 2025, indicating a significant dwell time. CyberScoop | https://cyberscoop.com/sap-cyberattack-widens-drawing-salt-typhoon-and-volt-typhoon-comparisons/
Scattered Spider Targets US Retailers with DragonForce Ransomware
- The notorious Scattered Spider (UNC3944) gang, after a hiatus, has expanded its attacks from UK retailers (M&S, Co-op, Harrods) to major US retail organisations.
- The group is now deploying DragonForce ransomware, a new development as they previously relied on ALPHV/BlackCat and RansomHub.
- Organisations are experiencing disruption not just from direct ransomware deployment but also from self-inflicted outages as they take defensive measures like freezing authentication servers. The Register | https://go.theregister.com/feed/www.theregister.com/2025/05/15/cyber_scum_attacking_uk_retailers/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/05/15/dragonforce_ransomware_uk_retail_attacks/
Coinbase Extortion and Insider Threat
- Coinbase is facing a $20 million extortion demand after cybercriminals bribed overseas support staff to steal customer data and internal documentation.
- While no private keys or funds were directly accessed, the stolen data (including names, addresses, masked SSNs, bank account numbers, and government IDs for up to 1% of customers) has been used in social engineering attacks to defraud users.
- Coinbase refused to pay the ransom, instead offering a $20 million bounty for information leading to the attackers' arrest and conviction, and plans to reimburse scammed customers, with total costs estimated between $180M-$400M. The Register | https://go.theregister.com/feed/www.theregister.com/2025/05/15/coinbase_extorted_for_20m_support/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/
Nova Scotia Power Data Breach
- Nova Scotia Power, a major Canadian utility, confirmed a data breach where sensitive customer information was stolen, including full names, phone numbers, email/mailing addresses, program participation, DOB, account history, driver's license numbers, SINs, and some bank account numbers.
- The breach was discovered on April 28, 2025, but forensic analysis revealed initial unauthorised access occurred on March 19, 2025, leading to a nearly two-month delay in customer notification.
- While no misuse of data has been detected, the company is offering two years of free credit monitoring to affected individuals and advises vigilance against phishing. Bleeping Computer | https://www.bleepingcomputer.com/news/security/nova-scotia-power-confirms-hackers-stole-customer-data-in-cyberattack/
North Korea's Cyber Syndicate
- A new DTEX Systems report characterises North Korea's cyber operations as a "mafia syndicate," driven by survivalist, profit-driven motivations, blurring lines between state-sponsored espionage and cybercrime.
- The regime employs a rigid hierarchy, including "Research Center 227" (an AI-driven cyber warfare unit), and uses false identities for operatives who infiltrate global companies, with hundreds successfully gaining remote work at Fortune 500 firms.
- This unique model involves money flowing upwards to the government, with internal competition and familial/school networks ensuring operational continuity and talent development, including AI-powered tools for phishing and exploitation. CyberScoop | https://cyberscoop.com/north-korea-cybercrime-dtex-research-center-227/
Fancy Bear's Webmail Espionage Campaign
- Russia's APT28 (Fancy Bear/Sednit) has been conducting an ongoing cyberespionage campaign, "Operation RoundPress," since 2023, targeting high-ranking Ukrainian officials and defence contractors globally.
- The campaign leverages spear-phishing emails with malicious JavaScript payloads that exploit zero-day (CVE-2024-11182 in MDaemon) and n-day XSS vulnerabilities in webmail clients like Roundcube, Horde, MDaemon, and Zimbra.
- Victims simply opening the email can trigger credential theft, 2FA bypass, and exfiltration of email content, contacts, and login history, with targets including governments and military entities in Ukraine, Greece, Cameroon, Serbia, Ecuador, Bulgaria, and Romania. CyberScoop | https://cyberscoop.com/russia-fancy-bear-gru-ukrainian-military-contractors/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign/
AI-Generated Deepfake Phishing Attacks
- The FBI warns that cybercriminals are using AI-generated audio deepfakes and smishing (SMS phishing) to impersonate senior US officials, targeting current and former government personnel and their contacts.
- These attacks aim to establish rapport before tricking victims into clicking malicious links to gain access to personal accounts, which are then used for further social engineering to steal sensitive information or transfer funds.
- This highlights the increasing sophistication of social engineering, where AI enables highly convincing and scalable attacks, making vigilance and multi-factor authentication critical. Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in-voice-deepfake-attacks-since-april/
CyberScoop | https://cyberscoop.com/fbi-warns-of-ai-deepfake-phishing-impersonating-government-officials/
Malicious NPM Package Uses Unicode Steganography
- A malicious NPM package, 'os-info-checker-es6', has been found using invisible Unicode characters for steganography to hide malicious code and Google Calendar links for C2 communication.
- The package, downloaded over 1,000 times, appears benign but contains obfuscated install scripts and a sophisticated C2 mechanism that fetches a final payload via redirects from a Google Calendar short link.
- This technique allows the attacker to evade detection by security tools, and the package is also a dependency for four other NPM packages, posing as accessibility and developer tools. Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-npm-package-uses-unicode-steganography-to-evade-detection/
Pwn2Own Berlin Day 1 Highlights Zero-Days
- On the first day of Pwn2Own Berlin 2025, researchers earned $260,000 by demonstrating zero-day exploits against Windows 11, Red Hat Linux, and Oracle VirtualBox.
- Exploits included local privilege escalations on Red Hat Linux (integer overflow, use-after-free) and Windows 11 (use-after-free, integer overflow, out-of-bounds write, type confusion) to gain SYSTEM privileges.
- Successful virtual machine escapes were also demonstrated against Oracle VirtualBox (integer overflow) and Docker Desktop (use-after-free), allowing code execution on the underlying OS. Bleeping Computer | https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/
Google Chrome High-Severity Flaw Fixed
- Google has released emergency security updates for a high-severity vulnerability (CVE-2025-4664) in Chrome's Loader component, which has a public exploit and could lead to full account takeover.
- The flaw involves insufficient policy enforcement, allowing remote attackers to leak cross-origin data via maliciously crafted HTML pages, specifically by exploiting the Link header's ability to set a referrer-policy to 'unsafe-url' and capture sensitive query parameters (e.g., in OAuth flows).
- Users are urged to update to Chrome versions 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS) immediately. Bleeping Computer | https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
Cybercriminals Reinvesting in Legitimate Businesses
- Sophos X-Ops research reveals cybercriminals are increasingly laundering illicit gains by investing in seemingly ordinary businesses like pizza shops, construction, and even cybersecurity companies.
- Discussions on dark web forums show brazen collaboration, with criminals sharing guides on diversifying crypto into fiat, establishing shell companies, and even proposing selling spyware to pentesters or offering "protective services" after finding vulnerabilities.
- This trend raises concerns about insider threats and the potential for criminal motivations to infiltrate legitimate security sectors, highlighting the need to track money flow beyond initial compromise. CyberScoop | https://cyberscoop.com/what-cybercriminals-do-with-their-money-sophos/
Tor Releases Oniux for Linux App Anonymisation
- The Tor Project has introduced Oniux, a new command-line utility for Linux that routes any application's network traffic securely through the Tor network for enhanced anonymisation.
- Unlike older methods like torsocks, Oniux uses Linux namespaces to create a fully isolated network environment at the kernel level, preventing data leaks even from malicious or misconfigured applications.
- While still experimental, Oniux offers true isolation by forcing all app traffic through Tor via a virtual interface and custom DNS, making it a promising tool for privacy-conscious users and researchers. Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/
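Detection angle for the invisible-Unicode NPM item above, as an added example that is not part of the original post and not taken from any published analysis of that package: a scanner that flags format-class and variation-selector code points in source text and reports how long each hidden run is, since an encoded payload shows up as a long run that a diff viewer renders as nothing. The code point ranges and the run threshold of 8 are this example's own assumptions.

```javascript
// Added example: find invisible / format-class Unicode code points in source
// text. Which ranges count as "invisible" is this example's own choice.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f],   // zero-width space, ZWNJ, ZWJ, LRM, RLM
  [0x202a, 0x202e],   // bidi embedding and override controls
  [0x2060, 0x2064],   // word joiner and invisible operators
  [0x2066, 0x2069],   // bidi isolates
  [0xfe00, 0xfe0f],   // variation selectors
  [0xfeff, 0xfeff],   // BOM / zero-width no-break space
  [0xe0000, 0xe007f], // tag characters
  [0xe0100, 0xe01ef], // variation selectors supplement
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// One record per suspicious code point: position, code point, and the length
// of the contiguous run it belongs to so far (long runs look like encoded data).
function findInvisibleUnicode(source) {
  const hits = [];
  let line = 1, col = 1, run = 0;
  for (const ch of source) { // iterates by code point, not UTF-16 unit
    const cp = ch.codePointAt(0);
    if (isInvisible(cp)) {
      run += 1;
      const hex = cp.toString(16).toUpperCase().padStart(4, '0');
      hits.push({ line, col, codePoint: 'U+' + hex, run });
    } else {
      run = 0;
    }
    if (ch === '\n') { line += 1; col = 1; } else { col += 1; }
  }
  return hits;
}

// Summary suitable for a CI gate: total hits, longest run, and a verdict.
// The threshold of 8 is an assumption; tune it against your own code base.
function scanSummary(source, runThreshold = 8) {
  const hits = findInvisibleUnicode(source);
  const longestRun = hits.reduce((m, h) => Math.max(m, h.run), 0);
  return { count: hits.length, longestRun, suspicious: longestRun >= runThreshold };
}

// Constructed sample: a harmless-looking line followed by twelve variation
// selectors that render as empty space in most editors and diff viewers.
const SAMPLE = 'const v = require("os");' +
  String.fromCodePoint(...Array(12).fill(0xe0100)) + '\nmodule.exports = v;\n';

console.log(scanSummary(SAMPLE));
```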
The Fort Bend County Libraries website will be fully operational starting Sept. 2, roughly six months after a cyberattack, according to county officials.
Norway spy chief blames Russian hackers for hijacking dam
Russian hackers briefly hijacked a dam in Norway in early April and spilled millions of gallons of water…
#NewsBeep #News #Headlines #cyberattack #cybersecurity #Energy #InBrief #Russia #World
https://www.newsbeep.com/61321/
Canada's House of Commons just faced a cyber breach that exploited a Microsoft flaw, leaving sensitive employee data exposed. A real wake-up call for our digital defenses: what does this mean for our security?
#cyberattack
#canadahouseofcommons
#databreach
#cybersecurity
#microsoftvulnerability