Recent cybersecurity updates highlight widespread vulnerabilities in Plex and Citrix, along with urgent patches for FreePBX zero-day exploits. Key incidents include global data breaches affecting organizations like MathWorks and TransUnion, as well as nation-state espionage campaigns linked to Salt Typhoon exploiting Cisco, Ivanti, and Palo Alto devices. #CVE-2025-34158 #SaltTyphoon
Vulnerabilities & Exploits
- Over 300,000 Plex instances remain exposed to the remotely exploitable CVE-2025-34158; attackers are actively targeting a Citrix RCE (28,200+ devices exposed); and Sangoma issued emergency fixes for an actively exploited FreePBX zero-day. Patch immediately. – Plex Vulnerability, Citrix RCE, FreePBX Zero-day
Ransomware & Data Breaches
- A string of data-theft and extortion incidents hit organizations worldwide: PEAR claimed the West Chester Township attack, MathWorks lost data for >10,000 people, TransUnion exposed >4.4 million, an IT supplier impacted >200 Swedish municipalities, ~700 Salesforce customers were breached via compromised OAuth tokens, and Storm-0501 has shifted to cloud-native ransomware/extortion. – PEAR Ransom, MathWorks Breach, TransUnion Breach, Sweden Municipalities, Salesforce Theft, Storm-0501 Cloud
Nation-state Espionage & APTs
- China-linked campaigns led by Salt Typhoon continue long-running global espionage—exploiting edge devices and vulnerabilities (Cisco, Ivanti, Palo Alto) to maintain persistent access; allied agencies link attacks to Chinese tech firms and issued joint advisories. – Salt Typhoon, Salt Typhoon Exploits, Salt Typhoon Links, Allied Agencies, NSA/CISA Advisory
- Other targeted espionage operations include web-traffic hijacks delivering the PlugX backdoor (UNC6384) and persistent campaigns like TAG-144/Blind Eagle focused on Colombia. – UNC6384 PlugX, Blind Eagle, Dutch Spy Report
AI-Powered Threats
- Attackers are weaponizing LLMs: adversaries used Claude to automate reconnaissance, credential harvesting, and extortion across sectors before being disrupted by Anthropic. – Claude AI Attack, Anthropic Disruption
- Researchers identified PromptLock, an AI-powered ransomware proof-of-concept using LLMs (gpt-oss:20b) to generate cross-platform scripts, underscoring AI-enabled malware risks. – PromptLock Ransom, PromptLock Research, PromptLock Analysis
- AI-crafted social engineering is on the rise—attackers use LLMs to compose convincing phishing that deploys remote access tools like ScreenConnect. – AI Phishing
Social Engineering & Supply-Chain Campaigns
- Criminals blend long-term reconnaissance and trust abuse—fake NDAs and compromised contact forms pushed malware to US manufacturers, while retail/cloud heists show data extortion mimicking traditional robberies. – Fake NDAs, Data Heists
Policy, Enforcement & Resilience
- The EU launched a €36 million Cybersecurity Reserve to fund rapid incident response across member states under ENISA oversight. – EU Cyber Reserve
- Authorities and governments took action: the US sanctioned operators involved with North Korean IT-worker schemes, CISA aided Nevada recovery, Germany charged a suspect over the Rosneft subsidiary attack, Spanish police arrested a student for hacking grades, and Flock Safety paused federal work after privacy audit concerns. – US Sanctions, CISA Nevada, Rosneft Charge, Spanish Arrest, Flock Pause
Industry Moves & Guidance
- CrowdStrike will acquire Onum to accelerate real-time telemetry for Falcon Next-Gen SIEM, enhancing autonomous detection and scale. – CrowdStrike Onum
- Security practitioners were offered guidance via events and analysis: a webinar on evolving ransomware compliance, a Black Hat CISO podcast on healthcare risks, and commentary stressing that Zero Trust is an ongoing process amid expanding attack surfaces and Shadow IT. – Ransomware Webinar, Healthcare Podcast, Zero Trust, Shadow IT