Ticker feed
Cybercriminals are using AI to create sophisticated malware disguised as legitimate productivity apps, infecting hundreds of organizations across manufacturing, government, and healthcare sectors in the US, UK, Germany, India, and beyond. The "EvilAI" campaign uses fake apps like Recipe Maker and Manual Finder that actually work as advertised while secretly mapping victim networks and disabling security software.
What makes this campaign particularly dangerous is its professional appearance. The malicious apps feature polished interfaces, real functionality, and valid digital signatures from newly registered companies. The AI-generated malware code is designed to evade traditional antivirus detection.
Trend Micro researchers warn this appears to be preparation for larger future attacks, possibly by initial access brokers setting the stage for ransomware or data theft operations.
Source: Dark Reading
CISA issued 14 security advisories Tuesday highlighting serious vulnerabilities in industrial automation systems from Rockwell and ABB. The flaws affect critical manufacturing infrastructure, including Rockwell's ThinManager software, FactoryTalk platforms, and various controllers, plus ABB's ASPECT, NEXUS, and MATRIX equipment.
The most severe issues include authentication bypasses allowing attackers to take full device control, remote code execution vulnerabilities, and buffer overflows that could crash systems. One Rockwell ThinManager flaw (CVE-2025-9065) scores 8.6 on the severity scale, while ABB vulnerabilities reach 9.8.
Both companies have released patches and recommend immediate updates. CISA emphasizes these systems should never be directly exposed to the internet and must use proper network segmentation and VPN access controls.
Source: Industrial Cyber
A Russia-linked hacking group dubbed "Noisy Bear" has targeted KazMunayGas, Kazakhstan's state-owned oil company and the country's largest corporation. The attackers used phishing emails disguised as urgent company business to trick employees into downloading malware that established hidden access to company systems.
The hackers compromised a finance department email account and sent fake messages about salary schedules and corporate policy changes. Their sophisticated malware bypassed Windows security features and created covert backdoors for long-term espionage.
While KMG claims this was just a security exercise, researchers found evidence linking the attack to sanctioned Russian hosting providers. The timing is significant as European countries seek alternatives to Russian energy amid ongoing geopolitical tensions.
Source: Dark Reading
Jaguar Land Rover has confirmed that hackers breached "some data" during a cyber attack that first emerged last week. The UK's biggest carmaker can't yet specify what information was stolen or whether customer and supplier data was compromised, but promises to contact anyone affected.
The attack has forced JLR to shut down production at factories in the Midlands and Merseyside until at least next Monday, with global facilities also paused. Suppliers and retailers are operating without normal computer systems, disrupting spare parts sourcing and vehicle registration.
A hacker group combining elements of Scattered Spider, Lapsus$, and ShinyHunters has claimed responsibility, posting screenshots of JLR's internal systems on Telegram. The India-owned Tata subsidiary is working with cybersecurity specialists to safely restart operations.
Source: The Guardian
Cybercriminals hijacked 18 widely used NPM packages after tricking maintainer Josh Junon with a phishing email that appeared to come from NPM support. The fake message directed him to update his two-factor authentication on a lookalike website.
The compromised packages, including popular tools like chalk and debug, collectively see over 2.5 billion weekly downloads. Attackers injected malicious code designed to steal cryptocurrency by intercepting transactions and replacing wallet addresses with their own.
NPM removed the poisoned packages within two hours of the attack being reported. Security firm Wiz estimates the malicious code reached 10% of cloud environments during that brief window, though actual financial damage appears minimal since the attack targeted test addresses rather than real wallets.
Source: Security Week
Cybercriminals are now using the Salty2FA phishing kit to launch attacks that rival legitimate enterprise software in sophistication. Researchers from Ontinue tracked a campaign that deployed advanced features including rotating subdomains, dynamic corporate branding that mimics six different MFA methods, and anti-debugging tactics to evade security teams.
The kit automatically customizes fake login pages based on victim email domains, creating convincing replicas of corporate authentication portals across healthcare, finance, and tech sectors. Attackers quickly set up campaigns using legitimate platforms like Aha.io to build trust before redirecting victims through Cloudflare's security challenges.
Security experts warn these enterprise-grade phishing tools are making even unskilled criminals dangerous, requiring organizations to adopt behavioral detection methods rather than relying on traditional warning signs.
Source: Dark Reading
Attaullah Baig, WhatsApp's former head of security, filed a federal lawsuit Monday claiming Meta endangered billions of users by ignoring critical cybersecurity flaws. Baig alleges 1,500 engineers had unrestricted access to user data without oversight, potentially violating a 2020 government order that cost Meta $5 billion.
The 115-page complaint details how over 100,000 accounts were hacked daily while executives prioritized growth over security fixes. Baig says he repeatedly warned senior leadership, including CEO Mark Zuckerberg, that engineers could steal user data "without detection."
Meta dismissed the claims as "distorted" and said Baig was fired for poor performance, not retaliation. The case adds pressure on Meta's data practices across its platforms serving billions globally.
Source: The Guardian
Salesloft disclosed that hackers gained access to its GitHub account as early as March, leading to a massive supply-chain attack that compromised hundreds of organizations in August. The threat group, tracked as UNC6395 by Google, spent months lurking in Salesloft's systems before accessing Drift's AWS environment and stealing OAuth tokens to infiltrate customer data.
The company took Drift offline Friday and rotated security credentials, but many questions remain unanswered. Salesloft hasn't explained how attackers initially accessed GitHub or obtained the OAuth tokens. Security analysts criticize the company's lack of transparency, with some suggesting Drift's reputation may be permanently damaged by the breach.
Source: CyberScoop
Tenable confirmed hackers accessed customer contact details and support case information through a sophisticated supply chain attack exploiting Salesforce-Salesloft Drift integrations. The breach exposed business emails, phone numbers, and support ticket descriptions but didn't compromise Tenable's core products.
This was not an isolated incident: the same campaign hit major tech companies including Palo Alto Networks, Zscaler, Google, Cloudflare, and PagerDuty. Attackers specifically targeted weaknesses in the integration between Salesforce and the popular sales platform Salesloft Drift.
Tenable responded by revoking compromised credentials, disabling the Drift application, and hardening its Salesforce environment. The company found no evidence that the stolen data has been misused yet.
Source: Cybersecurity News
CISA issued an urgent alert Thursday about a high-severity Android zero-day vulnerability (CVE-2025-48543) being actively exploited by attackers. The use-after-free bug in Android Runtime allows hackers to escape Chrome's security sandbox and gain elevated device permissions, potentially installing malware or accessing sensitive data.
The vulnerability was added to CISA's Known Exploited Vulnerabilities catalog on September 4, 2025, confirming real-world attacks are underway. Federal agencies must patch by September 25 or stop using affected products.
Google addressed the flaw in its September 1 security bulletin. All Android users should immediately check Settings > System > System update and install available patches to protect against this serious threat.
Source: Cybersecurity News