
Cyber Alerts
DEFENSE INTELLIGENCE
Alert: Salesforce Apps Targeted via OAuth Abuse
Thurs, June 05
Google’s Threat Analysis Group has warned of a campaign in which attackers are exploiting OAuth permissions to gain persistent access to Salesforce accounts. Once in, they install malicious applications capable of data theft or malware deployment.

What You Should Know:
OAuth-based attacks bypass login credentials entirely. Traditional security controls—like MFA or login alerts—don’t detect this. The risk is elevated for any organization with widely used or lightly monitored SaaS platforms.

Recommended Actions:
- Review and restrict third-party app access in Salesforce
- Audit OAuth token logs and scopes for abnormalities
- Remove unused or suspicious integrations
- Train staff on the risks of app authorization and fake consent screens
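The token and scope audit the alert recommends, written out as an added example (it is not Google's, Salesforce's, or the alert publisher's code). The grant records, field names, allowlist and thresholds are constructed for illustration; in practice the same fields are exported from the SaaS platform's connected-app or OAuth token reports. Besides the allowlist, scope and staleness checks, it looks for a consent burst: several users authorising the same unknown app within hours, which is how a fake-consent-screen campaign shows up in the logs.

```python
"""Review OAuth grants: flag apps not on the approved list, broad scopes on
those apps, tokens nobody has used lately, and consent bursts (many users
authorising one unknown app inside a short window).

Added example. Records, field names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 5)                              # constructed "current time"
APPROVED_APPS = {"Corp Backup Connector", "HR Sync"}   # assumed allowlist
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}
STALE_DAYS = 90
BURST_WINDOW = timedelta(hours=24)
BURST_USERS = 3

# Constructed sample grants exported from a token report (ISO timestamps).
GRANTS = [
    {"app": "Corp Backup Connector", "user": "alice@example.test",
     "scopes": ["api", "refresh_token"],
     "granted": "2025-03-01T09:00:00", "last_used": "2025-06-04T10:00:00"},
    {"app": "HR Sync", "user": "bob@example.test", "scopes": ["api"],
     "granted": "2024-11-12T14:30:00", "last_used": "2025-01-20T08:00:00"},
    {"app": "Data Loader Pro", "user": "carol@example.test",
     "scopes": ["full", "refresh_token"],
     "granted": "2025-06-03T11:05:00", "last_used": "2025-06-03T11:06:00"},
    {"app": "Data Loader Pro", "user": "dave@example.test",
     "scopes": ["full", "refresh_token"],
     "granted": "2025-06-03T13:40:00", "last_used": "2025-06-03T13:41:00"},
    {"app": "Data Loader Pro", "user": "erin@example.test",
     "scopes": ["full", "refresh_token"],
     "granted": "2025-06-04T09:15:00", "last_used": "2025-06-04T09:16:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def audit_grants(grants, now=NOW, approved=APPROVED_APPS):
    """Return {"user -> app": [reasons]} for grants that need review or revocation."""
    findings = defaultdict(list)
    for g in grants:
        key = f"{g['user']} -> {g['app']}"
        broad = BROAD_SCOPES & set(g["scopes"])
        if g["app"] not in approved:
            findings[key].append("app not on allowlist")
            if broad:  # an unknown app holding full/offline access is the worst case
                findings[key].append("broad scopes: " + ",".join(sorted(broad)))
        if (now - _ts(g["last_used"])).days > STALE_DAYS:
            findings[key].append(f"unused for >{STALE_DAYS} days")
    return dict(findings)


def consent_bursts(grants, window=BURST_WINDOW, min_users=BURST_USERS):
    """Apps that min_users or more distinct users authorised inside one window.

    A cluster of consents to one app is the signature of a consent-phishing
    wave rather than of normal onboarding."""
    by_app = defaultdict(list)
    for g in grants:
        by_app[g["app"]].append((_ts(g["granted"]), g["user"]))
    bursts = {}
    for app, events in by_app.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each consent
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                bursts[app] = len(users)
                break
    return bursts


if __name__ == "__main__":
    for key, reasons in audit_grants(GRANTS).items():
        print(key, "->", "; ".join(reasons))
    print("consent bursts:", consent_bursts(GRANTS))
```

Run against the sample, the stale HR Sync token and the three Data Loader Pro grants are reported, and Data Loader Pro is also flagged as a consent burst because three users authorised it within 24 hours. Revoking flagged tokens and restricting which apps users may self-authorise closes the path the alert describes.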
Alert: Google Calendar Used to Deliver Malware
Fri, May 30
China-linked APT41 is leveraging Google Calendar to stealthily deliver malware. Victims receive calendar invites with malicious URLs disguised as event details, leading to second-stage malware.

What You Should Know:
This method blends into daily workflow and is unlikely to trigger traditional email filters. It’s a reminder that even trusted cloud platforms can be weaponized.

Recommended Actions:
- Monitor for abnormal calendar event creation
- Enforce calendar URL scanning and restriction policies
- Train staff to flag suspicious event invites
- Evaluate Google Workspace settings for risk reduction
Alert: Fake Bitdefender Website Spreading VenomRAT and Credential-stealing malware
Fri, May 30
Threat actors have created a convincing fake Bitdefender website to spread malware. Unsuspecting users who download software from the site receive VenomRAT or a credential-harvesting infostealer.

What You Should Know:
This campaign targets users seeking legitimate antivirus protection—turning their search into an infection. Malicious downloads bypass some endpoint tools via trusted branding.

Recommended Actions:
- Block impersonation domains and scan installer traffic
- Educate users on software sourcing hygiene
- Monitor for RAT behavior and credential leaks
- Review endpoint protection efficacy against sideloaded threats
Alert: Data Exfiltration Risk via NodeSnake RAT in New Ransomware Campaign
Fri, May 30
New Interlock ransomware is being deployed alongside NodeSnake, a JavaScript-based RAT. This tactic allows threat actors to silently exfiltrate data before executing encryption, increasing the impact and complexity of response.

What You Should Know:
This threat is a dual-pronged attack. Even with backups in place, stolen data can lead to compliance risks, legal exposure, and leverage for extortion. Detection and prevention must extend beyond traditional ransomware defenses.

Recommended Actions:
- Strengthen detection rules for JavaScript and fileless malware activity.
- Monitor endpoints and cloud workloads for NodeSnake behavior.
- Enforce DLP policies and inspect outbound traffic for exfiltration signs.
- Adapt ransomware response plans to cover data theft before encryption.
Alert: Commvault Vulnerabilities
Wed, May 28
CISA has issued a new alert detailing active exploitation of critical vulnerabilities in Commvault software—a widely used backup and recovery platform. Threat actors are leveraging these flaws to gain remote access, exfiltrate data, and move laterally into cloud environments.

What You Should Know:
These vulnerabilities are actively being exploited in the wild—this is not a drill. If left unaddressed, they create a clear path for attackers to escalate privilege and compromise critical cloud systems.

Steps to take now:
- Patch all exposed Commvault instances—especially those accessible via the internet.
- Audit cloud and backup integrations for unusual behavior.
- Strengthen identity controls to prevent lateral movement.
- Hunt for activity tied to CVE-2025-3928 and related indicators of compromise.
Alert: "Fast Flux" Ransomware tactic
Mon, Apr 7
A joint advisory from the U.S., Australia, and Canada highlights a growing ransomware tactic: fast-flux DNS — a technique that rapidly rotates IPs and domains to evade detection and takedown. Cybercriminal groups like LockBit and Black Basta, with links to Russia, are actively using it to target sectors including healthcare, government, and critical infrastructure.

Why it matters to you:
• Fast-flux makes ransomware attacks harder to trace, contain, and mitigate
• Traditional defenses may not detect this level of infrastructure agility
• The tactic signals a continued evolution in attacker sophistication

📌 Next steps: Ensure your teams are evaluating DNS-layer defense strategies and securing offline backups.
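One concrete form a DNS-layer defense can take, added here as an example that is not part of the joint advisory: profile resolver logs per name and flag the pattern fast-flux leaves behind (many distinct answers, spread across several networks, with short TTLs). The log line format, the sample names and addresses, and the thresholds are constructed; map your own resolver's fields onto the parser and tune the thresholds against known-good CDN traffic before alerting on the result.

```python
"""Profile resolver logs for fast-flux behaviour: a name that answers with many
different addresses, spread over several networks, with short TTLs.

Added example, not from the advisory. Log format, samples and thresholds
are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one A answer per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) qname=(?P<qname>\S+) ttl=(?P<ttl>\d+) a=(?P<ip>\S+)$")

# Constructed sample: a normal name versus one rotating across three networks.
SAMPLE_LOG = """\
2025-04-07T10:00:01 qname=portal.example ttl=3600 a=192.0.2.10
2025-04-07T10:05:01 qname=portal.example ttl=3600 a=192.0.2.10
2025-04-07T10:10:01 qname=portal.example ttl=3600 a=192.0.2.11
2025-04-07T10:00:03 qname=sync-update.example ttl=60 a=203.0.113.5
2025-04-07T10:01:03 qname=sync-update.example ttl=60 a=198.51.100.77
2025-04-07T10:02:03 qname=sync-update.example ttl=45 a=203.0.113.200
2025-04-07T10:03:03 qname=sync-update.example ttl=60 a=192.0.2.99
2025-04-07T10:04:03 qname=sync-update.example ttl=30 a=198.51.100.14
2025-04-07T10:05:03 qname=sync-update.example ttl=60 a=203.0.113.33
garbage line that should be skipped
"""


def parse_log(text):
    """Return (timestamp, qname, ttl, ip) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["qname"].lower(),
                            int(m["ttl"]), ipaddress.ip_address(m["ip"])))
    return records


def profile_names(records):
    """Per-name summary: unique IPs, distinct /24 networks, TTLs, timestamps."""
    prof = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "times": []})
    for ts, qname, ttl, ip in records:
        p = prof[qname]
        p["ips"].add(ip)
        p["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        p["ttls"].append(ttl)
        p["times"].append(ts)
    return prof


def fast_flux_candidates(records, min_ips=5, min_nets=3, max_median_ttl=300):
    """Names whose answer pattern matches the fast-flux profile.

    Thresholds are assumptions to tune per environment: large CDNs also answer
    with many addresses, but usually with longer TTLs and within few networks."""
    flagged = {}
    for qname, p in profile_names(records).items():
        ttls = sorted(p["ttls"])
        median_ttl = ttls[len(ttls) // 2]
        span_min = (max(p["times"]) - min(p["times"])).total_seconds() / 60
        if (len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets
                and median_ttl <= max_median_ttl):
            flagged[qname] = {"unique_ips": len(p["ips"]), "networks": len(p["nets"]),
                              "median_ttl": median_ttl, "span_minutes": round(span_min, 1)}
    return flagged


if __name__ == "__main__":
    for name, stats in fast_flux_candidates(parse_log(SAMPLE_LOG)).items():
        print(name, stats)
```

On the sample, only sync-update.example is reported (six addresses in three /24s, median TTL 60 s, all inside five minutes); portal.example, with two addresses in one network and hour-long TTLs, is not. The span is reported rather than used as a threshold because real flux infrastructure keeps rotating for days; the rate of new addresses per hour is the figure worth trending once logs cover longer periods.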
Alert: Unpatched Microsoft Windows Shortcut .lnk Active Exploit
Tues, Mar 18
A critical Windows zero-day vulnerability, identified as ZDI-CAN-25373, is currently being actively exploited by nation-state threat actors. This flaw allows attackers to execute hidden malicious commands via specially crafted Windows shortcut (.lnk) files. The vulnerability has been present for at least eight years and was reported six months ago, but it remains unpatched by Microsoft. Nation-state actors from North Korea, Iran, Russia, and China are leveraging this exploit to conduct cyber espionage and financial crimes, particularly targeting cryptocurrency platforms and sensitive government data.

To mitigate the risk, please take the following immediate actions:
• Monitor for suspicious .lnk files: Scan systems for shortcut files that may contain embedded malicious commands.
• Restrict execution of unknown shortcuts: Prevent the automatic execution of .lnk files from untrusted sources.
• Use endpoint detection and response (EDR) solutions: Deploy advanced security tools to detect anomalous behavior linked to shortcut exploitation.
• Educate employees: Train staff to recognize suspicious files and avoid executing unknown shortcuts.

Given the severity and active exploitation of ZDI-CAN-25373, it is imperative to assess your exposure and strengthen defenses accordingly.
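A scanner for the first recommended action, added as an example that is neither the alert's nor Microsoft's code. It follows the MS-SHLLINK layout (fixed 76-byte header, optional ID list and LinkInfo block, then counted strings) and reads only the RELATIVE_PATH and COMMAND_LINE_ARGUMENTS strings; a production scanner would also decode the target from the ID list and LinkInfo. The heuristics are assumptions of mine: that a command hidden from the Properties dialog shows up as a long whitespace run or an oversized argument field, and that a shortcut pointing a script host or shell at arguments deserves a look. Every sample shortcut is built inline by the `build_lnk` helper, so nothing on disk is needed.

```python
"""Parse Windows shortcut (.lnk) files and flag ones whose command line looks
engineered to hide from the Properties dialog.

Added example. Heuristic thresholds, the padding assumption and the
sample shortcuts are constructed; only the file layout follows MS-SHLLINK."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe")


def parse_lnk(data):
    """Return (link_flags, {string field: value}); raise ValueError if not a shell link."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) + the list itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:             # each: CountCharacters then the text
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return flags, strings


def assess(strings, pad_run=32, max_args=260):
    """Heuristic findings as (code, detail) pairs; an empty list means nothing odd."""
    args = strings.get("arguments", "")
    target = strings.get("relative_path", "").lower()
    findings = []
    longest_ws = max((len(r) for r in re.findall(r"\s+", args)), default=0)
    if longest_ws >= pad_run:   # assumed: padding pushes the real command out of view
        findings.append(("whitespace_padding", f"{longest_ws}-char whitespace run in arguments"))
    if len(args) > max_args:
        findings.append(("oversized_arguments", f"{len(args)} chars of arguments"))
    if target.endswith(SCRIPT_HOSTS) and args.strip():
        findings.append(("script_host_target", f"{target.rsplit(chr(92), 1)[-1]} launched with arguments"))
    return findings


def build_lnk(relative_path, arguments, unicode=True):
    """Construct a minimal shortcut (header + two strings) for testing."""
    flags = HAS_RELPATH | HAS_ARGS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags) + bytes(52)

    def counted(s):
        return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))

    return header + counted(relative_path) + counted(arguments)


# Constructed samples: an ordinary app shortcut and a padded cmd.exe launcher.
BENIGN_SAMPLE = build_lnk(r"..\..\Program Files\App\app.exe", "--profile default")
SUSPICIOUS_SAMPLE = build_lnk(r"..\..\Windows\System32\cmd.exe",
                              "/c start notepad" + " " * 300 + "& echo hidden-command-placeholder")


def scan_file(path):
    """Convenience wrapper for a shortcut on disk."""
    with open(path, "rb") as fh:
        return assess(parse_lnk(fh.read())[1])


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, assess(parse_lnk(blob)[1]))
```

The padded sample trips all three heuristics; the ordinary shortcut trips none. Point `scan_file` at shortcuts collected from mail attachments, download folders and removable media, and treat any `whitespace_padding` hit as worth a manual look even when the visible target seems harmless.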
Alert: Fortinet Bug Active Exploit
Tues, Mar 18