CISO

Blogs

Service Provider for Volvo NA, ‘Miljödata’ hit by Ransomware; Critical Data exposed

Third-party supplier Miljödata, for Volvo North America,hit by ransomware disclosed a data breach that exposed the personal data of its employees . The ransomware attack happened in month of August 2025. and impacted at least 25 companies. The ransomware group DataCarry claimed responsibility for the attack on Miljödata and also published allegedly stolen data on its Tor leak site.

Ransomware attacks are increasingly targeting both enterprise of all sizes across all sectors. The attack affected Scandinavian airline SAS, Boliden and included 200 Swedish municipalities. The affected systems were mostly for HR purposes that handled medical certificates, rehabilitation matters, reporting and managing work-related injuries.

The service provider of Volvo, launched an investigation into the incident with the help of cybersecurity experts, enhanced the security of its hosted environment, and is working to prevent similar security breaches in the future.

According to the data breach notification service Have I Been Pwned (HIBP), the leaked data belongs to 870,000 accounts. Exposed data includes email addresses, names, physical addresses, phone numbers, government IDs, dates of birth, and gender.

DataCarry Ransomware Group

The DataCarry ransomware group claimed responsibility for the attack on Miljödata’s Adato system, and has Miljödata’s files available for download on its dark web-based site.

Need of the hour for Enterprise security who are soft target of ransomware attack.

  • Continuously monitor to detect breached credentials, leaked databases, and threat actor’s activites in near real-time before damage gas taken full control.
  • Assessment on cyber attack module as soon as an attack was initiated and do proper full incident review to determine how attackers infiltrated enterprise network and how data exfiltrated and if there is any existing threat.
  • Authenticate backups of data that have been stored currently and if they have been encrypted or stored offline. It is responsibility of enterprise to keep immutable backup solutions to defend against any ransomware attack that may encompass from encryption and deletion attempts by threat actors.
  • Implement threat intelligence for real time alert against any external threat that gets feeder into system . Enterprise security must Include indicators of compromise (IOCs), into company’s XDR platforms for real-time alerting .
  • Include phishing simulations and enforce multi-factor authentication (MFA) across all access points.

While Volvo did not specify the exact scale of its breach, it is one of many large organizations to be caught up in the data raid. As per reports Volvo Group provided the affected individuals with 18 months of free identity protection and credit monitoring services.

Source: Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata

Blogs Cybersecurity News

Telecom Network in New York Area Dismantled after Network Threat Detected

The US Secret Service, the agency in charge of security for the United Nations General Assembly, discovered a threatening network of over 300 servers and 10,000 SIM cards across the New York tri-state area.

The network could have “disabled cell phone towers and potentially shut down the cellular network in New York City,” Matt McCool, the special agent in charge of the Secret Service’s New York field office.

Key Points:

The network could also facilitate denial of service attacks and could send up to 30 million text messages per minute. All of the devices were found within 35 miles of the United Nations headquarters in Midtown Manhattan.

Analysis indicates cellular communications between nation-state threat actors and individuals that are known to federal law enforcement the report said.

The investigation into the devices is ongoing, the Secret Service said, but early forensic analysis indicates it was used for communications between “foreign actors” and people already known to federal law enforcement. No arrests have been announced, and investigators are still searching through the equivalent of 100,000 cell phones worth of data.

“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” Matt McCool, special agent in charge of the Secret Service field office in New York, said in a video statement.

The telecommunications gear was recovered from so-called SIM farms housed in abandoned apartment buildings in at least five undisclosed sites. The devices discovered could be used to conduct a range of telecommunications attacks including disabling cell phone towers, enabling cybersecurity attacks and allowing encrypted communication between criminal groups and threat actors.

According to the Secret Service, the devices could facilitate a wide range of attacks on telecommunications systems, including disabling cell phone towers, enabling denial of service attacks.

This also allowed encrypted, anonymous communication between potential threat actors and criminal enterprises.

The forensic analysis indicates potential links between the network and overseas threat actors, as well as connections to individuals already known to federal law enforcement agencies.

According to Bloomberg, it is still unclear whether the network was connected to earlier incidents this year in which unknown individuals impersonated White House Chief of Staff Susie Wiles and Secretary of State Marco Rubio.

A full forensic review of the seized devices is ongoing as authorities continue to assess the scope and origins of the network.

Investigations started after threats to US officials

According to agents who spoke to the New York Times, the investigation began after anonymous telephonic threats were made against three US government officials earlier this year. One of the officials who was threatened worked with the Secret Service, while the other two were White House staffers.

State of crime

The agency first detected the New York-area SIM farm after it was linked to swatting incidents on Christmas Day in 2023. Those incidents involved Congresswoman Marjorie Taylor Greene and US Senator Rick Scott.

The cases were tied to two Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with an American swatter, Alan Filion, also known as “Torswats.” All three have since been convicted on swatting-related charges.

Ben Coon, head of intelligence at cybersecurity firm Unit 221b, believes there was little foreign state involvement, and the operation is based on financial crimes.

Images released by the Secret Service showed racks of neatly arranged telecom equipment, each component numbered and labeled. Cables were carefully laid out and secured, which could mean the operation was handled by well-resourced professionals.

The operation is linked to swatting incidents, organized crime groups, and nation-state actors, with equipment seized across New York and New Jersey.

Sources: https://www.telegraphindia.com/world/us-secret-service-dismantles-telecom-threat-network-in-new-york-ahead-of-un-general-assembly/cid/2124609


Blogs

𝐊𝐓 𝐓𝐞𝐥𝐞𝐜𝐨𝐦 𝐁𝐫𝐞𝐚𝐜𝐡 𝐑𝐞𝐯𝐞𝐚𝐥𝐬 𝐡𝐨𝐰 Illegal 𝐁𝐚𝐬𝐞 𝐒𝐭𝐚𝐭𝐢𝐨𝐧𝐬 Generated for 𝐇𝐚𝐜𝐤 𝐩𝐚𝐲𝐦𝐞𝐧𝐭𝐬 

Imagine you come to know small payments via your mobile phone is being carried out without your knowledge & come to know that payments are directed to small base stations created by hackers linking your service providers.

 Cyber criminals hacked ultra-small base stations accessed the KT communication network and intercepted traffic during an on-site inspection on the 8th sep.

The Telcom giant got hacked in a clever managed systematic way when the hacker has created a similar base station by stealing femtocells that are not used or under-managed. KT has disconnected the base station in question.

To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time. It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.

This happened when KT, the south Korean telecom provider discovered two additional illegal ultrasmall base stations, or femtocells, that were used to facilitate a large-scale micropayment scam, bringing the confirmed total to four.

The telecom giant said Thursday that the devices had leaked IMSI, IMEI and phone numbers, and that number of confirmed impacted subscribers had risen from 278 to 362 and that funds embezzled through fraudulent charges to gift cards and transit passes had reached 240 million won, or 173-thousand U.S. dollars. 

Attacks on devices

KT said no additional funds have been stolen since it blocked abnormal transactions on September 5, and that all newly confirmed cases predate that date.

In this attack type personal details such as names and birth dates were not leaked via its network and that SIM authentication keys remain secure, meaning perpetrators of the data breach do not have the ability to clone impacted users’ devices.

Mitigation steps by KT

KT said it is reimbursing victims, offering free SIM card replacements and instructing customers via its website and app, as well as text message, to keep an eye out for fraudulent charges and sign up for the carrier’s SIM protection service.

To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time.

It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.

Security Advisory

Radware Uncovers Server Side Attack Targeting ChatGPT Known as Shadowleak

Researchers at Radware uncovered a server-side data theft attack targeting ChatGPT, termed as ShadowLeak. The experts discovered the zero-click vulnerability in ChatGPT’s Deep Research agent when connected to Gmail and browsing. 

In this attack type ‘Service-side’ pose greater risk as enterprise defenses cannot detect exfiltration because it runs from the provider’s infrastructure.

ShadowLeak a Server side attack

For any normal user there would be no visible signs of data loss as the AI agent acts as a trusted proxy, sending sensitive data to attacker-controlled endpoints. These server-side requests face fewer URL restrictions, letting attackers export data to virtually any destination.

Shadowleak is an uncovered security flaw affecting ChatGPT’s Deep Research Agent. Which can connect to services like Gmail to help users analyze their emails.

Attackers could hide invisible instructions in a regular looking email. When the user asked ChatGPT to review their mailbox contents selecting deep research.

Vulnerability Details 

ChatGPT’s Deep Research Agent was vulnerable because it could be tricked into following hidden instructions that were inside a seemingly ordinary email. When users ask the agent to analyze their inbox, any attacker can craft the message with invisible commands and cause AI to leak private data without warning.

These hidden instructions used tricks to fool the AI and get around its built-in safety checks. Some of those tricks included: 

  • Pretending to Have Permission: The prompt told the agent that it had “full authorization” to access outside websites, even though it didn’t. 
  • Hiding the Real Purpose: It disguised the hacker’s website as something safe sounding, like a “compliance validation system.” 
  • Telling the Agent to Keep Trying: If the AI couldn’t reach the attacker’s website the first time, the prompt told it to try again helping it sneak past any temporary protections. 
  • Creating Urgency: The prompt warned the agent that if it didn’t follow the instructions, it might not complete the report properly pushing it to obey. 
  • Hiding the Stolen Info: The agent was told to encode the personal data using Base64, which made the data harder to spot and helped hide the theft. 

After reading the fake email, the agent would go look through the user’s real emails (like HR messages) and find personal info such as full names and addresses.

Without alerting the user, the AI would send that information to the attacker’s server, happening silently in the background, with no warning or visible signs. 

This attack is not limited only to Gmail, also applies to any data sources Deep Research accesses, including Google Drive, Dropbox, Outlook, Teams and more. Any connected service that feeds text into the agent can pose a risk to hidden prompts, making sensitive business data vulnerable to exfiltration. 

Source: radware.com 

Attack Flow 

Step Description 
Malicious Email Crafting Attackers create a legitimate email embedded with hidden, invisible prompt instructions to extract sensitive data. Use social engineering and obfuscation. 
Email Delivery and Receipt The victim receives the email in Gmail without needing to open it; hidden commands are present in the email’s HTML body. 
User Invokes Deep Research The victim asks ChatGPT’s Deep Research Agent to analyze their inbox or specific emails, triggering the agent’s activity. 
Parsing Hidden Instructions The agent reads and interprets the hidden malicious prompt embedded within the attacker’s email. 
Extraction of Sensitive Data Following the instructions, the agent locates and extracts personal information like names and addresses from real emails. 
Data Exfiltration to Attacker The agent uses internal tools to send the extracted, often Base64-encoded data to an attacker-controlled external server. 
Victim Remains Unaware The entire process happens silently on OpenAI’s servers with no visible alerts or client-side traces for the user or admins. 

Why It’s Effective 

This “zero-click” attack happened entirely on OpenAI’s servers, where traditional security tools couldn’t detect or stop it, and victims never saw any warning. OpenAI was informed by radware security team in June 2025 and OpenAI fully patched the issue by September. 

The attack runs silently in a trusted cloud environment, invisible to users and traditional security tools.

It tricks the AI into repeatedly sending encoded sensitive data, bypassing safety checks and ensuring successful data theft. This stealthy, zero-click nature means no user interaction is required, making detection extremely difficult and allowing the attacker to exfiltrate data unnoticed over extended periods. 

Recommendations

Here are some recommendations below 

  • Email Sanitization: Normalize and strip hidden or suspicious HTML/CSS elements from emails before they are processed by AI agents. This reduces the risk of hidden prompt injections. 
  • Strict Agent Permissions: Limit AI agent access only to the data and tools necessary for its tasks, minimizing exposure to sensitive information. 
  • Behavior Monitoring: Continuously monitor AI agent actions and behavior in real time to detect anomalies or actions deviating from user intent. 
  • Regular Patch Management: Keep AI tools, connectors and integrated systems up to date with the latest security fixes and improvements. 
  • Awareness and Training: Educate users and administrators about the types of attacks AI agents are vulnerable to, fostering vigilance and quick incident response. 

Conclusion 


The ShadowLeak vulnerability underscores the critical risks posed when powerful AI tools operate without sufficient safeguards. By hiding secret commands inside emails, attackers were able to steal personal information without the user knowing.

This case highlights the need for strong safety measures, including limiting AI access to sensitive information, sanitizing inputs to prevent hidden commands, and continuously monitoring agent behavior to detect anomalies.

As more AI tools are used, it’s important to keep strong security controls and oversight to use these technologies safely and protect sensitive data from new threats. 

References

Security Advisory

Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues  

Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.

Severity High 
CVSS Score 7.7 
CVEs CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high & medium security flaws.

The high severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly even without needing to log in.

Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
HTTP/2 Denial of Service in bundled Jetty  CVE-2025-5115 Jenkins (bundled Jetty)  High Weekly 2.524+, LTS 2.516.3+ 
Missing permission check – agent names CVE-2025-59474 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Missing permission check – user profile menu CVE-2025-59475 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Log Message Injection Vulnerability CVE-2025-59476 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 

Technical Summary 

Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.

There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All the issues are fixed in Jenkins latest version. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-5115 Jenkins instances with embedded Jetty server with HTTP/2 enabled It causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service.  Denial of service 
CVE-2025-59474 Jenkins automation server Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executor’s widget Information Disclosure 
CVE-2025-59475 Jenkins automation server Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. Information Disclosure 
CVE-2025-59476 Jenkins automation server An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. Misleading administrators 

Remediation

  • Users should immediately install the latest, patched version of Jenkins on all servers: 
  • Weekly Release: Update to Jenkins v2.528 or later. 
  • Long-Term Support (LTS): Update to Jenkins v2.516.3 or later 

Here are some recommendations below. 

  • If immediate upgrade is not possible, users should disable HTTP/2 to mitigate the Denial-of-Service vulnerability. 
  • Always keep Jenkins core and plugins up to date with the latest security patches. 
  • Regularly audit and monitor access logs and system activity 
     

Conclusion: 
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.

Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines. 

References

Blogs Security Advisory

Shai-Hulud NPM Supply Chain Attack Expands to 470+ Packages 

Summary: A large-scale malicious campaign, nicknamed the Shai-Hulud attack, has impacted the npm ecosystem with over 500 trojanized packages, including those packages maintained by CrowdStrike. The attack originated from a sophisticated phishing campaign that exploited the fundamental trust relationships within the npm ecosystem. 

The JavaScript ecosystem is under a massive threat following a major supply chain attack. Hence, millions of crypto users and developers are now at risk. With more than a billion of these packages downloaded already, thousands of blockchain wallets and applications could be suffer varying exploits.

  • Malicious NPM updates spread malware that steals and replaces crypto addresses.
  • Developers encouraged developer to cease on-chain operation and inspect HD wallets thoroughly.

The attackers injected malicious scripts that

  • Run secret-scanning tools on developer systems, 
  • Steal GitHub, npm and cloud credentials, 
  • Insert persistent GitHub Actions workflows for long-term access, and 
  • Exfiltrate sensitive data to attacker-controlled endpoints. 

This attack is ongoing and all users of npm packages should take immediate steps to secure tokens, audit their environments and verify package integrity. 

Issue Details 

Initial discovery on September 14, 2025, when suspicious versions of @ctrl/tinycolor and ~40 other packages were flagged. By September 16, the attack had spread to include CrowdStrike-namespaced packages and dozens from @ctrl, @nativescript-community, rxnt, @operato, and others. 

Malware behavior 

  • Downloads and runs TruffleHog, a legitimate secret scanner. 
  • Harvests secrets from local machines and CI/CD agents (npm tokens, GitHub PATs, AWS/GCP cloud keys). 
  • Writes malicious workflows into .github/workflows (shai-hulud-workflow.yml). 
  • Continuously exfiltrates findings to a fixed webhook endpoint or pushes them into new GitHub repos under the victim’s account. 

Attack Flow 

Here are some popular packages with affected versions 

Package Version 
@ctrl/ngx-codemirror 7.0.1, 7.0.2 
@ctrl/tinycolor 4.1.1, 4.1.2 
@crowdstrike/foundry-js 0.19.1, 0.19.2 
@crowdstrike/logscale-dashboard 1.205.1, 1.205.2 
@nativescript-community/sqlite 3.5.2 – 3.5.5 
@nativescript-community/text 1.6.9 – 1.6.13 
@nstudio/nativescript-checkbox 2.0.6 – 2.0.9 
@nstudio/angular 20.0.4 – 20.0.6 
eslint-config-crowdstrike 11.0.2, 11.0.3 
remark-preset-lint-crowdstrike 4.0.1, 4.0.2 

Attack Indicators 

Malicious Workflow Filenames 

  • .github/workflows/shai-hulud-workflow.yml 
  • .github/workflows/shai-hulud.yaml 

Exfiltration Endpoint 

  • hxxps://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 

Hashes of Malicious Payloads 

SHA-256 Hash Notes 
46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 Large batch, Sept 15–16 
b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777 CrowdStrike-related packages burst (Sept 16) 
de0e25a3e6c1e1e5998b306b7141b3dc4c0088da9d7bb47c1c00c91e6e4f85d6 First observed compromise (Sept 14) 
81d2a004a1bca6ef87a1caf7d0e0b355ad1764238e40ff6d1b1cb77ad4f595c3 Sept 14 small burst 
83a650ce44b2a9854802a7fb4c202877815274c129af49e6c2d1d5d5d55c501e ~25 packages, Sept 14 
4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db Burst of ~17 packages, Sept 14–15 
dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c Multiple reuse across Sept 15–16 

Recommendations

Organizations and developers using npm should take immediate actions: 

  1. Uninstall or downgrade 
    Pin dependencies to known-safe versions until patched releases are confirmed. 
  1. Rotate credentials 
    Immediately revoke and reissue: 
  • npm access tokens 
  • GitHub personal access tokens / org tokens 
  • Cloud credentials (AWS, GCP, Azure) 
  1. Audit systems 
  • Inspect developer machines and CI/CD build agents for signs of the malicious bundle.js. 
  • Check .github/workflows for unauthorized files named “shai-hulud-*”. 
  • Review repositories for suspicious commits or new repos labeled “Shai-Hulud Migration”. 
  1. Monitor and log 
  • Search event logs for unusual npm publish activity. 
  • Investigate GitHub Actions runs designed to exfiltrate secrets. 
  1. Harden pipelines 
  • Pin package versions and use integrity checks (e.g.- lockfiles, checksums). 
  • Limit exposure of sensitive tokens in build environments. 
  • Rotate all build-related secrets regularly. 

 
Conclusion 
This incident is significant compromises in the npm ecosystem, impacting hundreds of widely used packages across various namespaces.

The attackers’ tactics such as credential theft, manipulation of GitHub workflows, and widespread package propagation, highlighting the growing sophistication of modern supply chain attacks.

Developers and organizations are strongly advised to take immediate action by removing affected package versions, rotating any exposed secrets, auditing their build environments and strengthening CI/CD security. Continuous monitoring and rapid response are essential to reducing risk and maintaining trust in open-source software. 

The attack’s browser API-level operation revealed critical blind spots in enterprise security monitoring, particularly for organizations handling cryptocurrency transactions.

References

Security Advisory

Spring Security & Framework Authorization Bypass Vulnerabilities Patched 

Security advisory: Two new security vulnerabilities have been discovered in the Spring Framework and Spring Security components identified as CVE-2025-41248 and CVE-2025-41249.

Severity Medium 
CVSS Score 4.4 
CVEs CVE-2025-41248, CVE-2025-41249 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These issues affect applications that use method-level security annotations like @PreAuthorize to control access to certain methods or features. Under specific conditions when generics are used in parent classes or interfaces, these annotations may not be properly detected, which could allow unauthorized users to access restricted functionality. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Security Authorization Bypass Vulnerability  CVE-2025-41248 Spring Security  Medium 6.5.4 (Open Source) 6.4.10 (Open Source)  
Spring Framework Annotation Detection Vulnerability CVE-2025-41249 Spring Framework Medium 6.2.11 (Open Source) 6.1.23 (Commercial Support) 5.3.45 (Commercial Support)  

Technical Summary 

The vulnerability arises when Spring applications use inheritance (where a class inherits methods from another class) and generics (a way to define methods or classes that can handle different types of data) together. If a secured method, like one marked with the @PreAuthorize annotation (used to enforce security checks), is declared in a generic superclass or interface without clear type definitions, Spring might fail to recognize the security annotation at runtime. This means unauthorized users could potentially access these methods. This issue affects Spring Security versions 6.4.0 to 6.5.3 and Spring Framework versions 5.3.0 to 6.2.10. The Spring team has since released updates to better handle security annotations in such cases, ensuring proper authorization checks. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41248 Spring Security 6.4.0 – 6.4.9 6.5.0 – 6.5.3 Spring Security may fail to detect method-level security annotations applied to generic superclasses or interfaces, resulting in unauthorized access. Unauthorized access  
CVE-2025-41249 Spring Framework 6.2.0 – 6.2.10 6.1.0 – 6.1.22 5.3.0 – 5.3.44 Older, unsupported versions are also affected.  Spring Framework does not consistently recognize security annotations on methods declared in generic superclasses or interfaces, which can lead to authorization bypass. Authorization bypass. 

Remediation

Users should immediately update to the latest patched versions of Spring Security and Spring Framework: 

Spring Security 
Affected Version Fix Version 
6.5.x 6.5.4 
6.4.x 6.4.10 
Spring Framework 
Affected Version Fix Version 
6.2.x 6.2.11 
6.1.x 6.1.23 
6.0.x N/A (OOS) 
5.3.x 5.3.45 

Conclusion: 
These vulnerabilities cause Spring Security and Spring Framework to sometimes miss detecting method-level security annotations in generic type hierarchies. This can allow unauthorized users to bypass authorization checks, exposing protected functionality. While the severity is medium, it is important to update to the fixed versions promptly and review security annotation usage on generics to maintain proper access control. 

References

 

Security Advisory

VoidProxy PhaaS Uses MFA Bypass, Hijacking Google & Microsoft Logins

Security Advisory

Security researchers from Okta have uncovered a stealthy and sophisticated Phishing-as-a-Service (PhaaS) framework known as VoidProxy.

This has been used to hijack Microsoft, Google and even integrated SSO accounts protected by providers like Okta. Unlike traditional phishing kits, VoidProxy employs Adversary-in-the-Middle (AiTM) tactics to capture real-time credentials, MFA tokens and bypassing several standard authentication protections.

VoidProxy’s infrastructure leverages disposable domains, Cloudflare protections, dynamic DNS which all of mimicking as legitimate enterprise setups becoming extremely difficult to detect, analyze. The attackers are running phishing campaigns with little technical effort, enabling wide-scale compromises that lead to email compromise, fraud and data breaches.

Its attack chain is built to evade modern email security, identity defenses, and analysis tools by leveraging the following:

  • CAPTCHA Filtering: Victims are first shown a CAPTCHA challenge before any phishing content loads. This helps block bots and automated security scanners.
  • Cloudflare Workers: Used to deliver customized phishing pages and smartly direct traffic to the attacker’s backend servers.
  • URL Redirection Chains: The phishing links in emails go through several redirects (often using shortened URLs) before landing on fake login pages. This helps bypass spam filters and security tools.
  • Dynamic DNS: These services let attackers quickly create domain names that point to specific IP addresses, making their infrastructure flexible and harder to track.    

Once a user enters their credentials and MFA tokens, the session is hijacked via a reverse proxy server, allowing the attacker to immediately access the legitimate account.

Here are some shortened url links

Attack Flow

StepDescription
1. DeliveryPhishing emails are sent from compromised accounts on email delivery services (like Postmarkapp or Constant Contact) increasing trust and shortening URL services for bypassing spam filters.
2. Redirecting & FilterClicking the phishing link redirects victims through several short URLs and presents a Cloudflare captcha to ensure human interaction.
3. PhishingVictims land on a fake Microsoft or Google login page using realistic subdomain patterns like “login.<phishing_domain>.<.com/.io>”. Additionally, integrated SSO accounts are redirected to additional fake SSO pages mimicking the login flows.
4. AiTM Session HijackThe backend proxy captures credentials, MFA tokens and session cookies, allowing attackers full account access.
5. ExfiltrationSession cookies and credentials are routed to the attacker’s admin panel in real-time. Integration with bots or webhooks enables instant alerts to the attackers.

Why It’s Effective

AiTM Infrastructure: Unlike static phishing kits, VoidProxy runs a live proxy in the middle of the authentication flow, stealing session tokens or mfa token immediately after login.

CAPTCHA & Cloudflare Layers: These challenges ensure only real human victims reach the phishing payload, filtering out scanners and sandboxes.

Integrated SSO Targeting: Accounts using Okta or other SSO providers are redirected to accurate second-stage phishing pages, increasing the likelihood of a full compromise.

Recommendations:

Here are some recommendations below

  • Harden the authentication by bind sessions to IP addresses (IP Session Binding) to block cookie replay attacks.
  • Block access from rarely used IP ranges or unmanaged devices.
  • Provide user awareness training to help recognize phishing links, suspicious email senders and fake login prompts.
  • Keep monitoring for any indications of suspicious activities.

Conclusion
VoidProxy’s layered architecture, real-time session hijacking and deep evasion mechanisms make it a potential threat even for environments with multi-factor authentication in place. We require a shift from traditional phishing detection toward real-time risk-based access controls, strong authenticators and persistent user education.

References:

Blogs

FBI Issues Alarm as Hackers Group target Salesforce Data Paltform; Releases IOC

FBI issued fresh alert major Hackers group mainly associated with cybercriminal groups tracked as UNC6040 and UNC6395 for orchestrating a string of data theft and extortion attacks on Salesforce stealing data. FBI released indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395.

“The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate Indicators of Compromise (IOCs) associated with recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, responsible for a rising number of data theft and extortion intrusions,” as per FBI’s advisory.

Federal Bureau of Investigation has issued a urgent alert detailing the activities of two sophisticated cybercriminal groups, UNC6040 and UNC6395, which have been aggressively targeting Salesforce platforms.

These actors, linked to data theft and extortion schemes, exploit vulnerabilities in OAuth tokens and employ social engineering tactics like vishing to breach high-value targets.

Data Exfiltration or Data extraction/Theft

Data exfiltration occurs in two ways, through outsider attacks and via insider threats. Both are major risks, and organizations must ensure their data is protected by detecting and preventing data exfiltration at all times.

An attack from outside the organization occurs when an individual infiltrates a network to steal corporate data and potentially user credentials. This typically is a result of a cyber criminal injecting malware onto a device, such as a computer or smartphone, that is connected to a corporate network. 

Some strands of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data in an attempt to exfiltrate information. Many malware will lay dormant on a network to avoid detection by organizations’ security systems until data is exfiltrated subversively or information is gradually collected over a period of time.

Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that sees corporate data fall into the hands of bad actors.

Threat monitoring through Intrusion Detection System

Intrusion Detection system often network and searches for known threats and suspicious or malicious traffic. When it detects a possible threat, the IDS sends an alert to the organization’s IT and security teams. IDS applications can be either software, which runs on hardware or network security solutions, or cloud-based, which protects data and resources in cloud environments.

Vishing Attack Lashed by Cyber Criminal

Vishing attacks, where perpetrators impersonate trusted IT support personnel to trick employees into granting access or revealing credentials. Once inside, they manipulate connected third-party applications, such as Salesloft’s Drift AI chatbot, to siphon sensitive data.

This method has proven alarmingly effective, as evidenced by the compromise of Google’s corporate Salesforce instance earlier this year, which exposed contact data for small and medium-sized businesses

UNC6040 & UNC6395 attack methodology

UNC6040, often associated with the notorious ShinyHunters collective, has refined a supply-chain attack vector that leverages OAuth token abuse. By compromising tokens from integrated apps, attackers gain persistent access without triggering immediate alarms.

As per FBI UNC6040, threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls.

On the other hand UNC6395, has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. They target third party application.

In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025.

Salesloft has taken has separated the Drift infrastructure and kept in isolation, also taken the artificial intelligence (AI) chatbot application offline. 

Salesloft and Salesforce collaborated to revoke all active access and refresh tokens for the Drift application on August 20, 2025. This action successfully terminated the threat actors’ access to the compromised Salesforce platforms through this specific vector.250912.pdf

Cyber Experts reflect UNC6040’s operations extend beyond Salesforce, potentially linking to broader campaigns involving SaaS-to-SaaS connections.

Cybersecurity firms Proofpoint, SpyCloud, Tanium, and Tenable have confirmed that information in their Salesforce instances was compromised as part of the recent Salesforce–Salesloft Drift attack

Read more on cyber attacks: https://intruceptlabs.com/2025/09/tenable-more-cyber-vendors-impacted-by-third-party-salesforce-breach/

Posts on X from cybersecurity accounts, including shares from The Cyber Security Hub, underscore the real-time buzz around these threats, with users warning of the rapid spread of similar tactics across cloud ecosystems as of September 13, 2025.

IOC released from FBI include extensive list of IOCs, including IP addresses, malicious URLs, and user-agent strings associated with both UNC6040 and UNC6395.

This will assist network defenders detect and block related activity. The agency strongly recommends that organizations take several steps to mitigate the risk of compromise. Initially believed to only impact organizations that used the Drift integration, the campaign was later found to have affected other Salesforce customers as well.

(Sources: https://cybersecuritynews.com/fbi-iocs-salesforce-instances/)

Security Advisory

Angular SSR Vulnerability Allows Cross-Request Data Exposure (CVE-2025-59052) 

Security Advisory: A high security flaw was discovered in Angular’s server-side rendering (SSR) functionality that could lead to cross-request data leakage due to a global race condition. This is identified as CVE-2025-59052, affects multiple versions of Angular’s @angular/platform-server, @angular/ssr and @nguniversal/common packages.

With data breaches at highest, Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.

Severity High 
CVSS Score 7.1 
CVEs CVE-2025-59052 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Angular is a popular open-source web application framework developed by Google, used to build dynamic, single-page applications (SPAs) and server-rendered apps using HTML, TypeScript and JavaScript.

When multiple SSR requests are processed concurrently, sensitive state information may be inadvertently shared, potentially exposing user tokens or private data across unrelated sessions. The Angular has released patches across all active branches and urges developers to update immediately. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Race condition vulnerability  CVE-2025-59052 Angular platform-server, ssr  High  v18.2.14, v19.2.15/16, v20.3.0, v21.0.0-next.3 

Technical Summary 

Angular uses a dependency injection (DI) container called the platform injector during SSR to hold request-specific data. This container was implemented as a global module-scoped variable, introducing a race condition when multiple requests were processed simultaneously.

This flaw could cause data meant for one user to be sent in the response to another, potentially leaking authentication tokens, headers, or private content.

Affected APIs include bootstrapApplicationgetPlatform, destroyPlatform. These changes introduce SSR-only breaking changes, with automatic migration schematics available through the Angular CLI update process. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-59052 Angular SSR v16 to v21 Race condition in global DI container during SSR could leak user data across requests Cross-Request Data Leakage 

Recommendations

Upgrade Angular packages to the latest patched versions: 

Package Affected Versions Fixed Versions 
@angular/platform-server >=16.0.0-next.0 <18.2.14 
>=19.0.0-next.0 <19.2.15 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.14 
19.2.15 
20.3.0 
21.0.0-next.3 
@angular/ssr >=17.0.0-next.0 <18.2.21 
>=19.0.0-next.0 <19.2.16 
>=20.0.0-next.0 <20.3.0 
>=21.0.0-next.0 <21.0.0-next.3 		18.2.21 
19.2.16 
20.3.0 
21.0.0-next.3 

If Immediate Upgrade is Not Possible, you can follow the recommendations below 

  • Disable SSR via server routes or build configurations 
  • Remove asynchronous behavior from custom bootstrap functions 
  • Eliminate use of getPlatform() in server-side code 
  • Ensure ngJitMode is set to false in production builds 

Conclusion: 
The Angular SSR vulnerability CVE-2025-59052 is the high severity issue with global state management during concurrent request processing, resulting in potential cross-request data exposure.

Though not yet exploited in the wild, the risk is significant for SSR-enabled Angular apps. Developers are urged to apply updates promptly or follow the provided mitigation steps to secure their applications. 

As per reports this vulnerability requires no special privileges or user interaction, making it both easy to exploit and dangerous in high-traffic applications.

References

Hashtags 

#Infosec #CyberSecurity #Angular #SecurityAdvisory #WebSecurity #Vulnerabilitymanagement #DevSecOps #PatchManagement #CISO #CXO #Intrucept 

Scroll to top