5 Sep 2025
Week in review
Greetings,
We’re excited to release a brand-new episode of the Share Today, Save Tomorrow podcast, Episode 44: Security2Cure – Where Cyber Meets Health Planning.
In this powerful episode, host Bek Cheb speaks with Zane Jarvis, founder of the charity Security2Cure, an initiative born from personal tragedy and driven by a mission to raise awareness around cancer, health planning, and digital preparedness. Zane shares his deeply personal story and explains how core cyber security principles have inspired a unique framework for personal wellbeing and future planning.
With Security2Cure’s upcoming Brisbane conference on the 10th October, this episode offers the perfect opportunity to explore the charity’s mission and learn more about their work.
This is an episode you won’t want to miss, and it’s available on Spotify, Apple Podcasts, and YouTube now.
This week, a widespread supply chain attack linked to Salesloft Drift has impacted hundreds of organisations, including Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, and SpyCloud. While Salesloft initially claimed exposure was limited to Salesforce-integrated customers, Google’s Threat Intelligence Group and Mandiant have warned that any platform integrated with Drift may be compromised.
The attack, attributed to threat group UNC6395, led to the exposure of sensitive customer data such as business emails, phone numbers, support case details, and, in some cases, credentials. While no core products or infrastructure were directly breached, many companies are rotating tokens, tightening security, and investigating potential impacts.
Salesloft announced that Drift will be taken offline to strengthen security and conduct a full review. The incident highlights the growing risks of third-party integrations, with more than 700 organisations potentially affected.
Google warns Salesloft breach impacted some Workspace accounts
Date: 2025-08-28
Author: Bleeping Computer
Google now reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access a small number of Google Workspace email accounts in addition to stealing data from Salesforce instances.
"Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations," warns Google.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised."
NIST Enhances Security Controls for Improved Patching
Date: 2025-09-02
Author: Dark Reading
Addressing the ongoing patch management problem requires more finessing, especially to protect the software supply chain. The US National Institute of Standards and Technology (NIST) revised its Security and Privacy Control catalog to help vendors and organizations improve software update and patch release protocols.
Originally published in 2020, the Security and Privacy Control catalog details security and privacy safeguards to help organizations mitigate cyber-risks. Federal information systems are required to implement the controls, but the catalog is intended for the private and public sectors. It covers access, authentication, incident response, and supply chain risk management.
WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices
Date: 2025-08-30
Author: The Hacker News
WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: 8.0 [CISA-ADP]/5.4 [Facebook]), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and reporting the bug.
The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."
Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication
Date: 2025-08-29
Author: The Hacker News
Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts.
The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code authentication flow," Amazon's Chief Information Security Officer CJ Moses said.
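To show why the device code flow is so easy to abuse, here is an added example (written for this newsletter, not code from Amazon, Microsoft or the article) that simulates the RFC 8628 device authorization grant in memory and walks through the three messages of the attack. The authorization server, client name, verification URI and the allow_device_flow switch are all placeholders; the switch stands in for a tenant-level policy that disallows the grant, which is the control to reach for (in Microsoft Entra, Conditional Access can block the device code flow). The point the code makes is that the victim only ever types a short user code on a legitimate login page, and nothing in the protocol proves that code came from a device the victim owns.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingGrant:
    client_id: str
    user_code: str
    created: float
    approved_by: Optional[str] = None


class MockAuthServer:
    """In-memory simulation of the RFC 8628 device authorization grant.

    This stands in for any identity provider; it is not Microsoft's
    implementation and the endpoint names are placeholders.
    """

    def __init__(self, allow_device_flow: bool = True, ttl_seconds: int = 900):
        self.allow_device_flow = allow_device_flow
        self.ttl_seconds = ttl_seconds
        self._grants: Dict[str, PendingGrant] = {}   # device_code -> grant
        self._user_codes: Dict[str, str] = {}        # user_code -> device_code

    def device_authorization(self, client_id: str) -> dict:
        """Called by the attacker's 'device'. No user interaction yet."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = f"{secrets.randbelow(10**9):09d}"
        self._grants[device_code] = PendingGrant(client_id, user_code, time.time())
        self._user_codes[user_code] = device_code
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://login.example/device",  # placeholder
            "expires_in": self.ttl_seconds,
            "interval": 5,
        }

    def approve(self, user_code: str, signed_in_user: str) -> str:
        """The victim, already signed in, types the short code on the
        verification page. Nothing here proves the code came from a device
        the victim owns: that is the weakness the campaign abuses."""
        device_code = self._user_codes.get(user_code)
        if device_code is None:
            return "invalid_code"
        grant = self._grants[device_code]
        if time.time() - grant.created > self.ttl_seconds:
            return "expired_token"
        grant.approved_by = signed_in_user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Polled by whoever holds the device_code, i.e. the attacker."""
        grant = self._grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if time.time() - grant.created > self.ttl_seconds:
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": "tok-" + secrets.token_hex(8), "sub": grant.approved_by}


def run_watering_hole_scenario(server: MockAuthServer,
                               victim: str = "victim@example.org") -> dict:
    """Walk through the messages of the attack against `server`."""
    # 1. Attacker's device starts the flow and receives device_code + user_code.
    start = server.device_authorization("attacker-controlled-app")
    if "error" in start:
        return {"stage": "blocked", "error": start["error"]}

    # 2. Attacker polls before the victim has acted: still pending.
    first_poll = server.token(start["device_code"])
    if first_poll.get("error") != "authorization_pending":
        return {"stage": "unexpected", "detail": first_poll}

    # 3. The compromised site sends the victim to the real verification page
    #    carrying the attacker's user_code; the victim approves it in their
    #    own signed-in session.
    server.approve(start["user_code"], victim)

    # 4. Attacker polls again and now holds a token issued in the victim's name.
    tok = server.token(start["device_code"])
    return {"stage": "token_issued", "sub": tok.get("sub")}


if __name__ == "__main__":
    print(run_watering_hole_scenario(MockAuthServer(allow_device_flow=True)))
    print(run_watering_hole_scenario(MockAuthServer(allow_device_flow=False)))
```

Run with the flow allowed, the attacker ends up with a token whose subject is the victim; with the flow disallowed for that client, the attack stops at the first request. When reviewing sign-in logs for this pattern, the tell is a device code grant approved from one location and the resulting token used from another.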
Melbourne dev finds gift card PINs can be brute-forced
Date: 2025-09-03
Author: itnews
Gift cards sold in Australian supermarkets can have their PINs easily guessed, thanks to a vulnerability on the issuer's website, opening them up to redemption by thieves who only need to know the card number to access the stored funds.
The vulnerability was discovered by Melbourne developer Simon Dean, who bought two gift cards worth $500 each, intending to use them to purchase a laptop at JB Hi-Fi.
After buying the cards, Dean ran into trouble redeeming them as the cards had had the last four digits scratched off them.
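The article does not describe the issuer's code, so the following is an added example (not the issuer's implementation, and the card numbers, PINs and balances are constructed sample data) showing the shape of the flaw a brute-forceable PIN implies and what the fix looks like. A 4-digit PIN is assumed. The vulnerable lookup accepts unlimited guesses, so every one of the 10,000 PINs can be tried; the hardened version counts failures per card, locks the card out, and compares the PIN in constant time.

```python
import hmac
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data: card number -> PIN and balance. The 4-digit PIN
# length is an assumption; the article does not state the issuer's format.
CARDS: Dict[str, dict] = {
    "6280 1234 5678 9012": {"pin": "7310", "balance_aud": 500},
    "6280 9876 5432 1098": {"pin": "0042", "balance_aud": 500},
}


class VulnerableRedeem:
    """Balance lookup with no attempt limit (assumed shape of the flaw; the
    article only reports that the PIN could be brute-forced)."""

    def __init__(self, cards: Dict[str, dict]):
        self.cards = cards

    def redeem(self, card_number: str, pin: str) -> Optional[int]:
        rec = self.cards.get(card_number)
        if rec is not None and pin == rec["pin"]:
            return rec["balance_aud"]
        return None


class HardenedRedeem:
    """Same lookup with per-card failure counting, lockout and a
    constant-time PIN comparison."""

    def __init__(self, cards: Dict[str, dict], max_attempts: int = 5,
                 lockout_seconds: int = 900):
        self.cards = cards
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._state: Dict[str, dict] = {}  # card -> {"failures", "locked_until"}

    def redeem(self, card_number: str, pin: str,
               now: Optional[float] = None) -> Tuple[str, Optional[int]]:
        now = time.time() if now is None else now
        st = self._state.setdefault(card_number, {"failures": 0, "locked_until": 0.0})
        if now < st["locked_until"]:
            return "locked", None
        rec = self.cards.get(card_number)
        # Always run the comparison, against a dummy for unknown cards, so
        # response timing does not reveal whether the card number exists.
        expected = rec["pin"] if rec is not None else "0000"
        match = hmac.compare_digest(pin.encode(), expected.encode())
        if rec is not None and match:
            st["failures"] = 0
            return "ok", rec["balance_aud"]
        st["failures"] += 1
        if st["failures"] >= self.max_attempts:
            st["failures"] = 0
            st["locked_until"] = now + self.lockout_seconds
            return "locked", None
        return "denied", None


def brute_force(attempt: Callable[[str, str], Optional[int]], card_number: str,
                pin_digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every PIN in order; return (pin, attempts used) or (None, attempts)."""
    tries = 0
    for n in range(10 ** pin_digits):
        pin = f"{n:0{pin_digits}d}"
        tries += 1
        if attempt(card_number, pin) is not None:
            return pin, tries
    return None, tries


def demo() -> dict:
    card = "6280 1234 5678 9012"
    weak = VulnerableRedeem(CARDS)
    hardened = HardenedRedeem(CARDS)
    t0 = time.time()  # frozen clock: the whole run falls inside one lockout window
    weak_result = brute_force(weak.redeem, card)
    hard_result = brute_force(lambda c, p: hardened.redeem(c, p, now=t0)[1], card)
    return {"vulnerable": weak_result, "hardened": hard_result}


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable lookup the search recovers the PIN on the 7,311th guess; against the hardened one the card locks after five failures and the remaining guesses are refused, so the attacker leaves with nothing. Lockout on its own is not the whole answer for a public redemption endpoint (it hands an attacker a way to lock legitimate cards), so in practice it is paired with per-source rate limiting and alerting on the volume of failed checks per card.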
It was discovered that Ruby incorrectly handled certain IO stream methods. A remote attacker could use this issue to cause Ruby to crash, resulting in a denial of service, or possibly obtain sensitive information.
ASB-2025.0156.2 – Salesloft Drift
Several major firms, including Zscaler, Cloudflare, and Palo Alto Networks, confirmed breaches of their Salesforce databases. The incidents stem from a data theft campaign exploiting the third-party Salesloft Drift integration with Salesforce.
ESB-2025.6176 – Google Android
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. The most severe of these issues is a critical security vulnerability in the System component that could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed.
ESB-2025.6205 – Cisco Products
A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, remote attacker to obtain sensitive information from an affected system.
Stay safe, stay patched and have a good weekend!
The AUSCERT team