Salesloft disclosed that hackers gained access to its GitHub account as early as March, leading to a massive supply-chain attack that compromised hundreds of organizations in August. The threat group, tracked as UNC6395 by Google, spent months lurking in Salesloft's systems before accessing Drift's AWS environment and stealing OAuth tokens to infiltrate customer data.
The company took Drift offline Friday and rotated security credentials, but many questions remain unanswered. Salesloft hasn't explained how attackers initially accessed GitHub or obtained the OAuth tokens. Security analysts criticize the company's lack of transparency, with some suggesting Drift's reputation may be permanently damaged by the breach.
Source: CyberScoop
Tenable confirmed hackers accessed customer contact details and support case information through a sophisticated supply chain attack exploiting Salesforce-Salesloft Drift integrations. The breach exposed business emails, phone numbers, and support ticket descriptions but didn't compromise Tenable's core products.
This wasn't an isolated incident: the same campaign hit major tech companies including Palo Alto Networks, Zscaler, Google, Cloudflare, and PagerDuty. Rather than exploiting a bug in Salesforce itself, the attackers abused OAuth tokens stolen from the Salesloft Drift integration to pull data out of connected Salesforce instances.
Tenable responded by revoking compromised credentials, disabling the Drift application, and hardening their Salesforce environment. The company found no evidence the stolen data has been misused yet.
Source: Cybersecurity News
CISA issued an urgent alert Thursday about a high-severity Android zero-day vulnerability (CVE-2025-48543) being actively exploited by attackers. The use-after-free bug in Android Runtime allows hackers to escape Chrome's security sandbox and gain elevated device permissions, potentially installing malware or accessing sensitive data.
The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog on September 4, 2025, confirming real-world attacks are underway. Federal agencies must patch by September 25 or stop using affected products.
Google addressed the flaw in its September 1 security bulletin. All Android users should immediately check Settings > System > System update and install available patches to protect against this serious threat.
Source: Cybersecurity News
Jaguar Land Rover has told factory workers to stay home until at least September 9 following a devastating cyber attack that hit the company Sunday. Production has stopped at major facilities in Halewood, Solihull, and Wolverhampton, affecting the UK's biggest car manufacturer during peak sales season.
The hack has severely disrupted global operations, forcing JLR to shut down systems as a precaution. While no customer data appears stolen, thousands of customers can't get new vehicles and repairs are stalled since dealerships can't order parts online.
English-speaking hackers linked to recent UK retail attacks claimed responsibility Wednesday. The same group previously cost Marks & Spencer £300m during a six-week shutdown.
Source: The Guardian
Tire giant Bridgestone confirmed a cyberattack disrupted operations at North American manufacturing facilities in South Carolina and Quebec this week. The company says it quickly contained the breach and prevented customer data theft, with operations now back to normal.
Bridgestone hasn't revealed attack details or whether ransomware was involved. No group has claimed responsibility yet, though the LockBit gang previously hit Bridgestone in March 2022. Security experts note manufacturers face rising ransomware threats—attacks jumped 57% from July to August.
The incident highlights supply chain vulnerabilities, as even contained attacks can halt production lines and create product shortages.
Source: Industrial Cyber
A critical zero-day vulnerability in Sitecore (CVE-2025-53690) is being actively exploited by attackers using exposed machine keys from old documentation. The flaw affects Sitecore Experience Manager, Platform, and Commerce products through ViewState deserialization attacks.
Mandiant discovered attackers leveraging sample machine keys that Sitecore included in deployment guides from 2017 and earlier to forge signed ViewState payloads and execute code on servers. This continues a troubling trend of ViewState attacks in 2025, including the ConnectWise ScreenConnect incident and the exploited Microsoft SharePoint vulnerabilities.
While these attacks appear unrelated, they highlight a persistent problem: organizations deploying with default or sample keys instead of generating their own. Sitecore urges customers to rotate machine keys, encrypt the machineKey section of web.config, and monitor for suspicious requests to the /sitecore/blocked.aspx page.
Source: Dark Reading
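A quick way to catch the misconfiguration behind this class of attack is to audit web.config for machineKey values copied from documentation. The script below is an added example, not Sitecore's or Mandiant's code: the "known sample" key values and the web.config snippets are constructed placeholders (a real audit would load the literal keys printed in the old deployment guides), and the 256-bit minimum is this example's own policy floor, not an ASP.NET limit.

```python
"""Audit an ASP.NET web.config for the machineKey weaknesses behind ViewState
deserialization attacks, and generate replacement keys.

Added example. KNOWN_SAMPLE_KEYS holds constructed placeholders standing in
for keys copied out of public documentation; WEAK_CONFIG and HARDENED_CONFIG
are constructed too.
"""
import re
import secrets
import xml.etree.ElementTree as ET

KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,  # 128 hex chars, constructed placeholder
    "0123456789ABCDEF" * 4,  # 64 hex chars, constructed placeholder
}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
MIN_HEX_CHARS = 64  # 256 bits: this example's floor for HMACSHA256 / AES keys


def _child(elem, tag):
    """First direct child with the given tag (tags like system.web contain dots)."""
    if elem is None:
        return None
    return next((c for c in elem if c.tag == tag), None)


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for <system.web><machineKey>; an empty list means clean."""
    findings = []
    root = ET.fromstring(web_config_xml)
    sys_web = _child(root, "system.web")
    mk = _child(sys_web, "machineKey")
    if mk is None:
        # No explicit element: ASP.NET autogenerates per-machine keys. Fine for a
        # single server; the trouble starts when someone pastes a doc sample to
        # make a farm share keys, so report it as informational.
        return ["info: no <machineKey> element, keys are autogenerated per machine"]
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if not value or value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_SAMPLE_KEYS:
            findings.append(f"{attr} matches a known sample/default key")
        elif not HEX_RE.fullmatch(value):
            findings.append(f"{attr} is not a hex string")
        elif len(value) < MIN_HEX_CHARS:
            findings.append(f"{attr} is too short ({len(value)} hex chars)")
    pages = _child(sys_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac is disabled")
    return findings


def new_machine_key_element() -> str:
    """Fresh keys from the OS CSPRNG: 512-bit validation key, 256-bit AES key."""
    validation = secrets.token_hex(64).upper()
    decryption = secrets.token_hex(32).upper()
    return (f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
            'validation="HMACSHA256" decryption="AES" />')


def wrap_config(machine_key_element: str, extra: str = "") -> str:
    """Minimal web.config around a machineKey element (constructed)."""
    return f"<configuration><system.web>{extra}{machine_key_element}</system.web></configuration>"


# Constructed "before": keys pasted verbatim from a deployment guide.
WEAK_CONFIG = wrap_config(
    f'<machineKey validationKey="{"0123456789ABCDEF" * 8}" '
    f'decryptionKey="{"0123456789ABCDEF" * 4}" '
    'validation="HMACSHA256" decryption="AES" />'
)
# Constructed "after": freshly generated keys.
HARDENED_CONFIG = wrap_config(new_machine_key_element())

if __name__ == "__main__":
    print("weak:", audit_machine_key(WEAK_CONFIG))
    print("hardened:", audit_machine_key(HARDENED_CONFIG))
```

Run it against every web.config on the server, not just the site root, since child applications can carry their own machineKey. After rotating keys, existing sessions and ViewState signed with the old key become invalid, which is the intended effect.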
Palo Alto Networks researchers discovered a dangerous new attack called 'Model Namespace Reuse' that exploits AI supply chains. Attackers register names of deleted or transferred AI models on platforms like Hugging Face, then upload malicious versions that developers unknowingly download.
The team successfully demonstrated attacks against Google's Vertex AI and Microsoft's Azure AI Foundry, gaining access to underlying infrastructure by deploying weaponized models. They also found thousands of vulnerable open source repositories.
Google now performs daily scans for orphaned models, but the core problem remains widespread. Security experts recommend pinning models to specific versions and storing them in trusted locations rather than fetching by name alone.
Source: Security Week
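The recommended defence, pinning and verifying rather than fetching by name, looks like the following. This is an added example, not Palo Alto Networks' or Hugging Face's code: the `org/name@<commit>` reference syntax and the lockfile layout are this example's own conventions, and the snapshot files are constructed in a temporary directory.

```python
"""Pin a model reference to an immutable revision and verify a downloaded
snapshot against a lockfile, so a re-registered namespace cannot quietly
substitute different files.

Added example. The ref syntax 'org/name@<40-hex commit>' and the
{relative path: sha256} lockfile are this example's own conventions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

MODEL_REF_RE = re.compile(r"^([\w.-]+)/([\w.-]+)@([0-9a-f]{40})$")


def is_pinned(ref: str) -> bool:
    """True only for 'org/name@<commit hash>'."""
    return MODEL_REF_RE.match(ref) is not None


def parse_model_ref(ref: str) -> tuple[str, str, str]:
    """Accept only commit-pinned refs.

    A bare 'org/name' or 'org/name@main' resolves to whatever the *current*
    owner of the namespace has pushed, which is exactly what namespace reuse
    exploits; a specific commit hash does not exist in a re-uploaded repo.
    """
    m = MODEL_REF_RE.match(ref)
    if not m:
        raise ValueError(f"model ref must be pinned to a commit hash: {ref!r}")
    return m.group(1), m.group(2), m.group(3)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_lockfile(snapshot_dir: Path) -> dict[str, str]:
    """Record relative path -> sha256 for every file in a reviewed snapshot."""
    return {
        p.relative_to(snapshot_dir).as_posix(): sha256_file(p)
        for p in sorted(snapshot_dir.rglob("*")) if p.is_file()
    }


def verify_snapshot(snapshot_dir: Path, lockfile: dict[str, str]) -> list[str]:
    """Return problems; an empty list means the snapshot is exactly what was locked."""
    problems = []
    for rel, expected in lockfile.items():
        p = snapshot_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    present = {p.relative_to(snapshot_dir).as_posix()
               for p in snapshot_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - set(lockfile)):
        # Files outside the lock are the typical payload: a loader script or
        # pickle added by whoever now controls the namespace.
        problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Lock a constructed snapshot, then tamper with it the way a hijacked
    namespace would, returning (problems before, problems after)."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp)
        (snap / "config.json").write_text('{"architectures": ["ToyModel"]}')
        (snap / "model.safetensors").write_bytes(b"\x00" * 64)  # constructed weights
        lock = make_lockfile(snap)
        clean = verify_snapshot(snap, lock)
        (snap / "model.safetensors").write_bytes(b"\xff" * 64)  # swapped weights
        (snap / "custom_loader.py").write_text("import os  # would run on load")
        tampered = verify_snapshot(snap, lock)
    return clean, tampered


if __name__ == "__main__":
    print(parse_model_ref("example-org/toy-model@" + "a" * 40))
    print(demo())
```

In practice the commit from `parse_model_ref` is what you pass as `revision=` to `huggingface_hub.snapshot_download`, and `verify_snapshot` runs on the returned directory before anything is loaded; storing the verified snapshot in your own artifact store removes the public namespace from the runtime path entirely.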
Texas Attorney General Ken Paxton filed a lawsuit against California-based PowerSchool after hackers breached the company's systems in December 2024, exposing personal information of over 880,000 Texas students and teachers. The stolen data included Social Security numbers, medical records, disability information, and even bus stop locations.
A hacker used a subcontractor's account to transfer massive amounts of unencrypted data to a foreign server. PowerSchool, which serves over 90 of America's 100 largest school districts including Dallas ISD, allegedly failed to implement basic security measures like multi-factor authentication despite advertising "state-of-the-art" protection.
Paxton seeks fines and stronger security requirements, warning that children's credit could be compromised for years.
Source: CBS News Texas
Amazon's threat intelligence team successfully disrupted a sophisticated credential theft campaign by APT29, the Russian intelligence-linked hacking group behind the 2020 SolarWinds attack. The operation compromised legitimate websites to inject malicious code that redirected 10% of visitors to fake Cloudflare verification pages.
Once there, users were walked through Microsoft's OAuth device code sign-in, a less commonly used flow meant for CLI tools and input-constrained devices, and ended up authorizing attacker-controlled devices to access their Microsoft accounts. APT29 used Amazon EC2 instances and other cloud infrastructure to blend with legitimate traffic.
Despite the group's attempts to migrate infrastructure after detection, Amazon continued tracking and disrupting their operations. Security experts recommend organizations review Microsoft's device authentication guidance and consider disabling the feature if unnecessary.
Source: Dark Reading
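Two controls follow directly from the incident: hunt for device code sign-ins in Entra ID sign-in logs, and block the flow with Conditional Access where it is not needed. The script below is an added example, not Amazon's or Microsoft's code. The log records are constructed in the shape of Microsoft Graph `signIn` objects (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `appDisplayName`, `location.countryOrRegion`), the users and IPs are made up, and the "novel network" severity rule is this example's own heuristic.

```python
"""Flag OAuth device code sign-ins in Entra ID sign-in records, rank them by
how unusual the source network is for that user, and emit a Conditional Access
policy body that blocks the flow.

Added example. SAMPLE_SIGNIN_LOG is constructed; the field names follow the
Microsoft Graph signIn resource, the values are invented.
"""
import json
from collections import defaultdict

# Constructed sample: one JSON object per line, as exported from a sign-in log.
SAMPLE_SIGNIN_LOG = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2025-08-28T08:01:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Office 365 Exchange Online", "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2025-08-28T09:15:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2025-08-28T09:40:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "location": {"countryOrRegion": "US"}},
    {"createdDateTime": "2025-08-28T10:02:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Azure CLI", "location": {"countryOrRegion": "GB"}},
    {"createdDateTime": "2025-08-28T10:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.5", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "location": {"countryOrRegion": "GB"}},
])


def parse_signins(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _country(record: dict):
    return (record.get("location") or {}).get("countryOrRegion")


def device_code_alerts(records: list[dict]) -> list[dict]:
    """One alert per device-code sign-in, ordered as in the input.

    Heuristic (this example's own): 'high' when the sign-in's IP or country
    never appears in the same user's non-device-code sign-ins in the window,
    otherwise 'medium'. Every device-code sign-in is worth a look, because
    legitimate use is confined to CLI tools and input-constrained devices.
    """
    baseline_ips: dict[str, set] = defaultdict(set)
    baseline_countries: dict[str, set] = defaultdict(set)
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            baseline_ips[r["userPrincipalName"]].add(r.get("ipAddress"))
            baseline_countries[r["userPrincipalName"]].add(_country(r))
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        novel = (r.get("ipAddress") not in baseline_ips[upn]
                 or _country(r) not in baseline_countries[upn])
        alerts.append({"time": r["createdDateTime"], "user": upn,
                       "ip": r.get("ipAddress"), "app": r.get("appDisplayName"),
                       "severity": "high" if novel else "medium"})
    return alerts


def block_device_code_policy(exclude_group_ids: list[str]) -> dict:
    """Conditional Access policy body (POST /identity/conditionalAccess/policies)
    that blocks the device code flow for everyone except an exclusion group for
    the few teams that need it. Starts in report-only so you can see the impact."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": exclude_group_ids},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for a in device_code_alerts(parse_signins(SAMPLE_SIGNIN_LOG)):
        print(a)
    print(json.dumps(block_device_code_policy(["<break-glass-or-devops-group-id>"]), indent=2))
```

The same hunt in Log Analytics is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; the point of the severity rule is only to order the results, since in this campaign the victim's own sign-in is what authorizes the attacker's device, so the sign-in itself looks successful and must be judged by context.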
Jaguar Land Rover has shut down its global manufacturing and retail operations following a severe cyber incident that forced workers at its Halewood plant to stay home Monday morning. Britain's largest carmaker proactively closed all systems to prevent further damage, though it says no customer data appears stolen.
The timing couldn't be worse for JLR, which is already struggling with a 49% profit drop and delayed electric vehicle launches. The attack comes during one of the busiest weeks for car dealers, preventing them from registering new 75-plate vehicles. Cybersecurity experts say the speed of the shutdown suggests attackers may have targeted operational systems rather than just data.
Source: The Guardian