Today’s cybersecurity recap highlights recent data breaches at Nissan, Farmers Insurance and Healthcare Services Group, along with ransomware and malware campaigns targeting U.S. manufacturers and Android users. It also covers critical vulnerabilities such as the Docker Desktop flaw CVE-2025-9074, espionage by the China-linked group UNC6384, and Russia’s crackdown on foreign tech, and stresses the need for urgent patching and security awareness. #Qilin #FarmersInsurance #ShadowCaptcha #UNC6384 #DockerCVE
Data breaches & ransomware
- The Qilin ransomware group claimed the theft of 4 TB of design data from Creative Box Inc., Nissan’s Japan-based design subsidiary, underscoring the continuing risk to corporate IP – Nissan Breach
- Farmers Insurance confirmed a third-party Salesforce-linked data theft impacting over 1.1M customers amid wider credential/OAuth attacks tied to groups like Scattered Spider – Farmers Breach, Farmers Report
- Healthcare Services Group notified more than 624,000 people after unauthorized access and copying of files, though no identity-theft evidence has been reported – Healthcare Breach
- French retailer Auchan exposed loyalty account data for hundreds of thousands of customers, with banking details reported unaffected but phishing risks noted – Auchan Breach
- Electronics manufacturer Data I/O took operational systems offline after a ransomware incident that disrupted production and internal services – Data I/O Attack
- A cyberattack disrupted Nevada state websites, phone lines, and some emergency services, prompting investigations and scam warnings for residents – Nevada Outage
- Maryland state agencies are investigating a cyberattack on the state’s Mobility paratransit service for disabled riders, which disrupted real-time trip data and scheduling – Maryland Transit
- Sen. Ron Wyden urged an independent review of the federal judiciary’s breaches, alleging negligence and pointing to suspected Russian involvement in recent intrusions – Wyden Probe
Vulnerabilities & patching
- A critical Docker Desktop flaw, CVE-2025-9074 (CVSS 9.3), allowed a malicious container to reach the Docker Engine API without authentication, escape the container and compromise the host on Windows and macOS (most severely on Windows); it is patched in current releases, so update immediately – Docker CVE, Docker Fix, Docker Flaw
- CISA added three actively exploited flaws, including a Git remote code execution bug and issues in Citrix products, to its KEV catalog and warned organizations to patch to avoid remote code execution and privilege escalation – KEV Additions, Git Warning
Malware & phishing
- The in-memory MixShell malware delivered via legitimate contact forms in the ZipLine campaign targets U.S. supply-chain manufacturers using AI-themed social engineering and weaponized ZIPs – MixShell
- The widespread ShadowCaptcha campaign leverages compromised WordPress sites to push info-stealers, ransomware, and crypto miners using obfuscated scripts, DLL side-loading, and anti-debug tricks – ShadowCaptcha
- A new Android banking trojan variant HOOK now includes ransomware-style overlays, supports 107 remote commands, and broadens targets to finance and crypto apps – HOOK Trojan
- The Android.Backdoor.916.origin backdoor (masquerading as “GuardCB”) targets Russian business executives for surveillance and data theft via abused device permissions – Android Backdoor
- Google removed 77 malicious Android apps with more than 19M installs that delivered adware, Joker, Anatsa and other threats from Google Play — users should review installed apps – Malicious Apps
- Phishing operations are using sophisticated lures, including the UpCrypter loader delivered through fake voicemail and purchase-order scams – UpCrypter
- Spear-phishing that impersonates CoinMarketCap journalists targets crypto executives via Zoom – CoinMarketCap Scam
- Spoofed ScreenConnect admin login alerts steal credentials and MFA codes for ransomware operations – ScreenConnect Phish
AI & model security
- A guide to building trustworthy agent systems stresses layered security, context management, human oversight and continuous validation for agents built on GPT-4, Claude and Gemini – Agent Systems
- Researchers demonstrated image-scaling prompt-injection attacks: prompt text that is invisible in the full-size image becomes legible once the platform downscales it, letting data-theft instructions reach the model; the technique can affect platforms such as Gemini CLI and Vertex AI, and any multimodal pipeline that resamples images is exposed – Image Injection, Image Resampling
- The OneFlip attack family flips bits in model weights to corrupt autonomous-driving or facial-recognition models, an integrity risk for safety-critical systems – OneFlip
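To make the image-resampling attack concrete, the following is an added example, not code from this digest or from the researchers it cites. It uses a toy grayscale image and assumes the victim pipeline downscales by a factor of 4 with nearest-neighbour sampling at each block centre; production pipelines usually use bilinear or bicubic kernels, against which the payload has to be crafted differently, so in practice the attacker must first match the target’s exact kernel and alignment. The 3x8 hidden bitmap stands in for prompt text. The box-filter comparison shows that this particular payload is diluted by an averaging kernel, which is why such attacks are tuned per platform, and why showing users the exact image the model receives is the practical check.

```python
"""
Added example (not from the digest or the cited research): how a downscaling
step can reveal content hidden in an image. Images are grayscale (0 = black,
255 = white) stored as lists of rows. Assumption: the victim pipeline uses
nearest-neighbour sampling at the centre of each k x k block.
"""
from typing import List

Image = List[List[int]]
FACTOR = 4  # assumed downscale factor used by the victim pipeline

# Constructed "hidden prompt": a 3x8 bitmap, 1 = dark pixel, 0 = white.
HIDDEN = [
    [1, 0, 1, 1, 0, 1, 1, 1],
    [1, 1, 0, 1, 0, 0, 1, 0],
    [1, 0, 1, 1, 0, 1, 1, 1],
]


def benign_image(height: int, width: int) -> Image:
    """An innocuous all-white full-resolution image (constructed)."""
    return [[255] * width for _ in range(height)]


def nearest_downscale(img: Image, k: int) -> Image:
    """Nearest-neighbour downscale by k: keep one pixel per k x k block,
    sampled at the block centre (offset k // 2). Output is (h//k) x (w//k)."""
    off = k // 2
    return [[img[by * k + off][bx * k + off] for bx in range(len(img[0]) // k)]
            for by in range(len(img) // k)]


def box_downscale(img: Image, k: int) -> Image:
    """Area-averaging downscale: each output pixel is the mean of its block."""
    out = []
    for by in range(len(img) // k):
        row = []
        for bx in range(len(img[0]) // k):
            block = [img[by * k + dy][bx * k + dx] for dy in range(k) for dx in range(k)]
            row.append(round(sum(block) / (k * k)))
        out.append(row)
    return out


def embed_hidden(img: Image, bitmap: List[List[int]], k: int) -> Image:
    """Attacker side: overwrite only the one pixel per block that the assumed
    nearest-neighbour sampler keeps, so the full-size image is almost
    unchanged while the downscaled image becomes `bitmap`."""
    out = [row[:] for row in img]
    off = k // 2
    for by, brow in enumerate(bitmap):
        for bx, bit in enumerate(brow):
            out[by * k + off][bx * k + off] = 0 if bit else 255
    return out


def to_bitmap(img: Image, threshold: int = 128) -> List[List[int]]:
    """Threshold to 1 (dark) / 0 (light) so the result can be compared to HIDDEN."""
    return [[1 if p < threshold else 0 for p in row] for row in img]


def changed_fraction(a: Image, b: Image) -> float:
    """Fraction of full-resolution pixels the attacker had to touch."""
    total = len(a) * len(a[0])
    diff = sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return diff / total


def demo() -> dict:
    h, w = len(HIDDEN) * FACTOR, len(HIDDEN[0]) * FACTOR
    clean = benign_image(h, w)
    poisoned = embed_hidden(clean, HIDDEN, FACTOR)
    boxed = box_downscale(poisoned, FACTOR)
    return {
        # what a human sees at full resolution: at most 1/k^2 of pixels changed
        "touched": changed_fraction(clean, poisoned),
        # what a nearest-neighbour pipeline hands the model: the hidden bitmap
        "nearest_reveals": to_bitmap(nearest_downscale(poisoned, FACTOR)) == HIDDEN,
        # an averaging kernel dilutes this payload to near-white (min 239 of 255)
        "box_reveals": to_bitmap(boxed) == HIDDEN,
        "box_min": min(min(r) for r in boxed),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker changes 16 of 384 pixels here, and a viewer sees a white image with faint specks, yet the model sees the full bitmap. The defence that does not depend on guessing the kernel is to let the user see the downscaled image the model actually receives, or to avoid silent server-side downscaling altogether.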
Nation-state activity & law enforcement
- China-linked UNC6384 used fake captive portals, validly signed binaries and adversary-in-the-middle (AitM) techniques to hijack web traffic and deploy PlugX and other signed malware against diplomats in Southeast Asia – UNC6384, UNC6384 Report
- South Korea arrested a suspected Chinese hacker accused of leading a ring that stole over $29M from wealthy victims, including celebrities, via telecom-targeted schemes – Hacker Arrest
- The Russian government is weighing a ban on Google Meet as part of a broader foreign-tech crackdown while promoting domestic apps like Max and restricting Western messaging platforms – Russia Ban
Policy & industry
- Beyond compliance, continuous employee training and tools like Passwork can turn GDPR investments into stronger security by addressing basic password and behavior risks – GDPR Training
- The FTC urged major U.S. tech firms to resist foreign demands to weaken encryption, stressing global privacy and security implications – FTC Encryption
- Google will phase in identity verification for all Android developers, starting with early access in October 2025 and with enforcement beginning in selected countries in September 2026, to curb malicious app distribution – Google Verify
- Cyber insurer Coalition criticized peers that deny claims for unpatched vulnerabilities and advocated a risk-based patching approach amid debate over exclusion clauses – Insurer Rules
Reconnaissance & scanning
- GreyNoise observed a surge in coordinated scanning of Microsoft RD Web Access authentication portals and the RDP Web Client, likely enumerating valid credentials or vulnerable endpoints ahead of attacks – RDP Scans
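Scanning of this kind shows up in the web server logs of anyone exposing RD Web Access. The following is an added example, not code from this digest or from GreyNoise: it reads IIS-style access log lines (constructed here in a simplified W3C layout) and flags both a surge of distinct sources hitting Remote Desktop web paths within one minute and the individual sources that only touched the entry points without ever getting past the login. The paths /RDWeb/Pages/ and /RDWeb/webclient/ are where a default RD Web Access and RD Web Client installation live; the thresholds and the "POST answered with 302 means login succeeded" signal are assumptions to tune against your own baseline.

```python
"""
Added example (not from the digest or from GreyNoise): spot a coordinated scan
of Remote Desktop web endpoints in IIS access logs. The log lines below are
constructed for this example in a simplified W3C layout:
    date time c-ip cs-method cs-uri-stem sc-status
Assumptions: RD Web Access under /RDWeb/Pages/, RD Web Client under
/RDWeb/webclient/, a 302 after POST as the login-success signal, and a
threshold of 5 distinct sources per minute.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

Row = Tuple[datetime, str, str, str, int]  # (timestamp, ip, method, uri, status)

# Constructed sample: six unrelated IPs each touch an RD Web entry point within
# a few seconds (coordinated scan); 198.51.100.7 is a normal user who logs in.
SAMPLE_LOG = """\
2025-08-26 09:00:01 203.0.113.10 GET /RDWeb/Pages/en-US/login.aspx 200
2025-08-26 09:00:02 203.0.113.11 GET /RDWeb/webclient/ 200
2025-08-26 09:00:02 203.0.113.12 GET /rdweb/pages/en-us/login.aspx 200
2025-08-26 09:00:03 203.0.113.13 POST /RDWeb/Pages/en-US/login.aspx 200
2025-08-26 09:00:04 203.0.113.14 GET /RDWeb/webclient/index.html 200
2025-08-26 09:00:05 203.0.113.15 GET /RDWeb/Pages/en-US/login.aspx 200
2025-08-26 09:00:06 203.0.113.10 GET /owa/ 404
2025-08-26 09:00:30 198.51.100.7 GET /RDWeb/Pages/en-US/login.aspx 200
2025-08-26 09:00:35 198.51.100.7 POST /RDWeb/Pages/en-US/login.aspx 302
2025-08-26 09:00:36 198.51.100.7 GET /RDWeb/Pages/en-US/Default.aspx 200
2025-08-26 09:01:10 192.0.2.50 GET /index.html 200
"""

RDWEB_PREFIXES = ("/rdweb/pages/", "/rdweb/webclient/")


def parse(log: str) -> List[Row]:
    """Parse the simplified W3C lines, skipping blank lines and '#' directives."""
    rows: List[Row] = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, time, ip, method, uri, status = line.split()
        rows.append((datetime.fromisoformat(f"{date} {time}"), ip, method, uri, int(status)))
    return rows


def is_rdweb(uri: str) -> bool:
    """Case-insensitive match, because IIS paths are not case sensitive and scanners vary case."""
    return uri.lower().startswith(RDWEB_PREFIXES)


def rdweb_ips_per_minute(rows: List[Row]) -> Dict[str, Set[str]]:
    """Distinct source IPs that touched RD Web paths, bucketed per minute."""
    buckets: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, _method, uri, _status in rows:
        if is_rdweb(uri):
            buckets[ts.strftime("%Y-%m-%d %H:%M")].add(ip)
    return buckets


def surge_minutes(rows: List[Row], min_distinct_ips: int = 5) -> List[str]:
    """Minutes in which unusually many distinct sources hit RD Web paths."""
    return sorted(m for m, ips in rdweb_ips_per_minute(rows).items()
                  if len(ips) >= min_distinct_ips)


def probe_ips(rows: List[Row]) -> List[str]:
    """Sources that touched RD Web entry points but never got past the login:
    no POST answered with a 302 redirect and no request for Default.aspx."""
    hits: Dict[str, List[Tuple[str, str, int]]] = defaultdict(list)
    for _ts, ip, method, uri, status in rows:
        if is_rdweb(uri):
            hits[ip].append((method, uri.lower(), status))
    probes = []
    for ip, reqs in hits.items():
        logged_in = any((m == "POST" and s == 302) or u.endswith("/default.aspx")
                        for m, u, s in reqs)
        if not logged_in:
            probes.append(ip)
    return sorted(probes)


def report(log: str = SAMPLE_LOG) -> Dict[str, object]:
    """Surge minutes plus the sources worth blocking or watching."""
    rows = parse(log)
    return {"surge_minutes": surge_minutes(rows), "probe_ips": probe_ips(rows)}


if __name__ == "__main__":
    print(report())
```

On the sample, 09:00 is flagged because seven distinct sources hit RD Web paths in one minute, and the six 203.0.113.x addresses are reported as probes while the user who completed a login is not. Against real logs, feed the probe list to a blocklist or to a rate limiter in front of /RDWeb/, and treat a surge minute as the cue to review authentication logs for password spraying.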