8 Aug 2025

Week in review

Greetings,

New insights suggest that the recent Qantas data breach, which affected an estimated 5.7 million customers, may be the work of the notorious ShinyHunters hacking collective rather than Scattered Spider, as was initially suspected.

Investigators are now drawing connections between ShinyHunters and a growing wave of cyber attacks targeting Salesforce CRM platforms. Recent victims of similar attacks include Allianz Life, LVMH, Adidas, Google and now, potentially, Qantas.

Reports suggest that the threat actors employed vishing (voice phishing) in conjunction with modified versions of Salesforce’s Data Loader tool to extract sensitive customer records. This is abuse of legitimate tooling rather than exploitation of a software flaw: the group pairs social engineering with an authorised-looking data export tool, which is why conventional security controls, tuned to exploits and malware, tend not to catch it.

Recent reports also reveal that Google suffered a breach in this same wave of attacks, with ShinyHunters allegedly using identical techniques to access Salesforce data linked to customer support operations. This reinforces the theory that the group is systematically exploiting CRM platforms and supply chain connections across multiple sectors.

The Qantas breach highlights the evolving nature of cyber criminal alliances and the growing risks associated with cloud-based platforms, particularly when combined with sophisticated social engineering campaigns. Organisations using Salesforce and similar CRM systems are being urged to review access controls, monitor for anomalous activity, and strengthen employee awareness programs to reduce the risk of compromise.


Organizations Warned of Vulnerability in Microsoft Exchange Hybrid Deployment
Date: 2025-08-07
Author: Security Week

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0144/]
Microsoft on Wednesday informed organizations about a high-severity vulnerability affecting hybrid deployments of Exchange Server.
According to Microsoft, the vulnerability, tracked as CVE-2025-53786, can be exploited by an attacker to escalate privileges.
“In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable trace,” Microsoft explained.

Mozilla flags phishing wave aimed at hijacking trusted Firefox add-ons
Date: 2025-08-04
Author: The Register

Mozilla is warning of an ongoing phishing campaign targeting developers of Firefox add-ons.
The browser maker urged devs to "exercise extreme caution and scrutiny" when reviewing seemingly legitimate emails from senders pretending to be Mozilla or AMO (addons.mozilla.org).
Although phishing emails can take many forms, Moz said this campaign usually lures devs into clicking through a malicious link to update their account. Failure to do so, or so the crims claim, would result in the dev losing access to developer features.

Cisco discloses data breach impacting Cisco.com user accounts
Date: 2025-08-05
Author: Bleeping Computer

[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0143/]
Cisco has disclosed that cybercriminals stole the basic profile information of users registered on Cisco.com following a voice phishing (vishing) attack that targeted a company representative.
After becoming aware of the incident on July 24th, the networking equipment giant discovered that the attacker tricked an employee and gained access to a third-party cloud-based Customer Relationship Management (CRM) system used by Cisco.

Perplexity vexed by Cloudflare's claims its bots are bad
Date: 2025-08-05
Author: The Register

AI search biz Perplexity claims that Cloudflare has mischaracterized its site crawlers as malicious bots and that the content delivery network made technical errors in its analysis of Perplexity's operations.

Akira Ransomware Hits SonicWall VPNs, Deploys Drivers to Bypass Security
Date: 2025-08-06
Author: Hack Read

GuidePoint Security uncovers a new Akira ransomware tactic targeting SonicWall VPNs. The group’s use of drivers to disable defenses is a significant threat to businesses.
A new report by cybersecurity firm GuidePoint Security reveals a clever new method used by the Akira ransomware group to attack computer networks. Researchers found that following initial access into systems, the hackers have been using two specific software drivers to secretly disable security tools, a key step before deploying their ransomware.


ESB-2025.5345 – Google Android: CVSS (Max): 8.6*

Google patches critical remote code execution vulnerability in the System component in Android 10, which can be exploited without user interaction or extra privileges.

ESB-2025.5401 – Adobe Experience Manager (AEM) Forms on JEE: CVSS (Max): 10.0

Adobe released a critical security update for Adobe Experience Manager (AEM) Forms on JEE (versions 6.5.23.0 and earlier) to address two severe vulnerabilities: an XXE flaw allowing arbitrary file system reads, and a misconfiguration‑based flaw enabling arbitrary code execution.

ASB-2025.0143 – Salesforce: CVSS (Max): None

Threat actors are impersonating Salesforce IT support via vishing and phishing to trick users into installing malicious connected apps, enabling data exfiltration.
Impacted organizations face delayed extortion attempts and potential lateral movement to cloud services like Microsoft 365 and Okta.
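
A check a Salesforce administrator could run against the technique described in this bulletin and in the Qantas item above: this is an added example, not AUSCERT's, Salesforce's or the original reports' code. It assumes OauthToken records have been pulled with a SOQL query such as SELECT AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken and works on a constructed sample in place of a live org; the sanctioned-app list, the rate thresholds and the user IDs are assumptions.

```python
"""Triage Salesforce connected-app authorisations for signs of a rogue
'Data Loader' style app being used for bulk export.

Added example (not AUSCERT's or Salesforce's code). Input is assumed to be
the records returned by a SOQL query like
  SELECT AppName, UserId, CreatedDate, LastUsedDate, UseCount FROM OauthToken
The sample below is constructed, not data from any real org.
"""
from datetime import datetime

# Assumed allowlist: the connected apps this (hypothetical) org has approved.
SANCTIONED_APPS = {"Salesforce for iOS", "Salesforce for Android", "Data Loader"}

# Constructed sample records (user IDs, timestamps and counts are made up).
SAMPLE_TOKENS = [
    {"AppName": "Salesforce for iOS", "UserId": "005000000000AAA",
     "CreatedDate": "2025-07-01T08:00:00.000+0000",
     "LastUsedDate": "2025-08-05T17:30:00.000+0000", "UseCount": 210},
    {"AppName": "Data Loader", "UserId": "005000000000BBB",
     "CreatedDate": "2025-06-15T00:00:00.000+0000",
     "LastUsedDate": "2025-08-05T02:00:00.000+0000", "UseCount": 5000},
    # A look-alike app authorised and hammered within half an hour: the trace
    # a vished user installing a modified Data Loader would leave behind.
    {"AppName": "Data Loader v2", "UserId": "005000000000CCC",
     "CreatedDate": "2025-08-01T09:12:00.000+0000",
     "LastUsedDate": "2025-08-01T09:40:00.000+0000", "UseCount": 1450},
    {"AppName": "My Custom App", "UserId": "005000000000DDD",
     "CreatedDate": "2025-08-04T12:00:00.000+0000",
     "LastUsedDate": "2025-08-04T12:00:00.000+0000", "UseCount": 3},
]


def parse_sf_datetime(value):
    """Parse Salesforce's ISO timestamp format, e.g. 2025-08-01T09:12:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def flag_tokens(tokens, sanctioned=SANCTIONED_APPS, calls_per_hour=200, min_calls=500):
    """Return one finding per suspicious token: an unsanctioned app, a
    Data Loader look-alike name, or a burst of API use right after authorisation.
    Thresholds are assumed starting points, not Salesforce guidance."""
    findings = []
    for t in tokens:
        name = t["AppName"]
        reasons = []
        if name not in sanctioned:
            reasons.append("not in the sanctioned connected-app list")
            if "data loader" in name.lower():
                reasons.append("name mimics Data Loader")
        created = parse_sf_datetime(t["CreatedDate"])
        last_used = parse_sf_datetime(t["LastUsedDate"])
        # Floor the window at one minute so a token used immediately after
        # authorisation does not divide by zero; UseCount is cumulative, so
        # this is an average rate over the token's lifetime.
        hours = max((last_used - created).total_seconds() / 3600, 1 / 60)
        rate = t["UseCount"] / hours
        if t["UseCount"] >= min_calls and rate > calls_per_hour:
            reasons.append(f"{rate:.0f} API calls/hour since authorisation")
        if reasons:
            findings.append({"user": t["UserId"], "app": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_tokens(SAMPLE_TOKENS):
        print(f"{f['user']} {f['app']!r}: " + "; ".join(f["reasons"]))
```

Run it over the real query output rather than the sample; tune the rate threshold against the org's own legitimate Data Loader usage, and treat every finding as a token to revoke and a user to interview, since a sanctioned app name alone proves nothing about who installed it.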

ASB-2025.0144 – Microsoft Exchange Server: CVSS (Max): 8.0

Microsoft has issued a warning about a high-severity vulnerability (CVE‑2025‑53786) affecting hybrid Exchange deployments, where on-premises servers share a service principal with Exchange Online.


Stay safe, stay patched and have a good weekend!

The AUSCERT team