Unmasking Akira: The Ransomware Tactics You Can’t Afford to Ignore

Zensec highlights the ransomware group Akira's tactics, focusing on their operation since 2023, impacting various UK industries. Akira employs double extortion, exploiting SSL VPN vulnerabilities for initial access, and using tools like Netscan and AnyDesk for execution. Key findings from investigations show their methods in privilege escalation, data exfiltration, and encryption processes, which often include targeting backup systems. Recommendations for organizations include ensuring multi-factor authentication on VPNs, regular software updates, and rigorous monitoring of security tools to prevent such attacks.

https://zensec.co.uk/blog/unmasking-akira-the-ransomware-tactics-you-cant-afford-to-ignore/

Large-Scale Attack Targeting Macs Via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware

A large-scale cyberattack targets Mac users through fake GitHub pages impersonating companies, promoting the installation of an infostealer malware called Atomic. The malicious sites use SEO tactics to appear high in search results, redirecting users to download malware after entering commands. LastPass has taken down some fraudulent sites and continues to monitor the situation.

https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages

One Token to Rule Them All

Dirk-jan Mollema, an infosec researcher, discusses a significant vulnerability in Microsoft's Entra ID that allows attackers to gain Global Admin access in any tenant using undocumented “Actor tokens.” This flaw arises from a defect in the Azure AD Graph API, which fails to validate originating tenants, enabling cross-tenant access with impersonation tokens. After reporting it to Microsoft, the vulnerability was swiftly fixed. The implications include potential full control over any Entra ID tenant, with minimal logging or detection capabilities, fundamentally highlighting design flaws in token management and security protocols.

https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/

New Attack on ChatGPT Research Agent Pilfers Secrets From Gmail Inboxes

A new attack, ShadowLeak, exploits OpenAI's Deep Research agent to extract confidential Gmail data without user interaction. Using prompt injection, attackers access emails and exfiltrate information to their servers, bypassing security. Despite known vulnerabilities, mitigating measures were implemented only after the attack was reported. Users should reconsider connecting LLMs to sensitive information due to ongoing risks.

https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgpt-research-agent-pilfers-secrets-from-gmail-inboxes/

Kerberoasting

Kerberoasting is a persistent vulnerability in Microsoft’s Active Directory that exploits weak service account passwords, allowing attackers to crack them offline. Despite being a known issue for over a decade, it remains prevalent due to legacy systems and insufficient mitigation efforts by Microsoft. This flaw enables lateral movement within corporate networks and has been linked to ransomware attacks, highlighting the need for stronger security measures and abandonment of outdated cryptographic practices.

https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/

Why XSS Still Matters: MSRC’s Perspective on a 25-year-old Threat

XSS (Cross-Site Scripting) vulnerabilities remain prevalent despite being known for 25 years, with Microsoft mitigating over 970 cases from January 2024 to mid-2025. Researchers report vulnerabilities across various Microsoft platforms, emphasizing the need for secure coding practices and proactive validation. MSRC evaluates XSS severity based on its potential impact on customer security, focusing on exploitability and data sensitivity. Future blog posts will explore defensive strategies against XSS attacks, advocating for continuous engagement with security researchers.

https://msrc.microsoft.com/blog/2025/09/why-xss-still-matters-msrcs-perspective-on-a-25-year-old-threat/

Claude Code Runs Code to Test if It Is Safe, Which Has Risks

Automated security reviews in Anthropic's Claude Code identify bugs but can create new risks by executing code during testing. While it finds some vulnerabilities effectively, it failed on more complex issues and misidentified dangerous code as safe. Researchers urge caution, suggesting AI code review should not replace human oversight due to risks like prompt injection and naive decision-making. Recommendations include restricting production access and requiring human validation for risky AI actions.

https://www.theregister.com/2025/09/09/ai_security_review_risks/

Cyberattack on Jaguar Land Rover Threatens to Hit British Economic Growth

A cyberattack on Jaguar Land Rover (JLR) disrupts operations, threatening the UK's economic growth. Experts warn that government inaction on cybersecurity regulations may lead to more severe incidents. JLR, a key exporter, faces operational delays, affecting supply chains. Intelligence agencies have previously alerted the government to rising cyber threats, but legislative action, like the Cyber Security and Resilience Bill, remains stalled. Critics emphasize urgency in improving cybersecurity to prevent strategic economic risks and call for a more proactive government approach.

https://therecord.media/cyberattack-jaguar-land-rover-economic-growth-uk-government

Hackers Hijack Npm Packages With 2 Billion Weekly Downloads in Supply Chain Attack

Hackers hijacked NPM packages with over 2.6 billion weekly downloads through a phishing attack on a maintainer's account, injecting malware that intercepts cryptocurrency transactions. The malicious code alters wallet interactions, rerouting funds to attacker-controlled addresses. Attackers used spoofed emails to scare maintainers into revealing credentials. Some compromised packages include 'chalk' and 'debug', which were removed after detection. Despite concerns, specific conditions limit overall impact on users.

https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/

Claude AI Chatbot Abused to Launch “Cybercrime Spree”

Malwarebytes reports Claude AI used by cybercriminals for a large-scale extortion operation targeting various organizations, automating attacks through simplified coding. Over 17 entities faced financial threats with ransom demands between $75,000 and $500,000. Anthropic’s findings highlight AI-enhanced cybercrime tactics, stressing the need for improved defenses against AI misuse in attacks.

https://www.malwarebytes.com/blog/news/2025/08/claude-ai-chatbot-abused-to-launch-cybercrime-spree

“Scamlexity”: When Agentic AI Browsers Get Scammed

AI Browsers, promising convenience, compromise security by interacting with scams without proper guardrails. Tests with AI like Perplexity's Comet revealed vulnerabilities, allowing it to fall for fake shops and phishing schemes, acting without human oversight. With techniques like PromptFix, attackers can exploit AIs directly, escalating the threat landscape into a new era of Scamlexity, where human intuition is bypassed, and AI takes over decision-making. Future scams may automate the manipulation of AI models, leading to widespread exploitation. Enhanced security must be integrated into AI systems before they become mainstream.

https://guard.io/labs/scamlexity-we-put-agentic-ai-browsers-to-the-test-they-clicked-they-paid-they-failed

How Threat Actors Are Rizzing Up Your AI for Profit

Cybercriminals exploit generative AI by using poisoned content and Traffic Distribution Systems (TDS) to redirect users for malicious purposes. As search habits shift from traditional search engines to AI, TDS operators manipulate usage patterns to ensure their content is favored by AI models, creating vulnerabilities in online environments. This includes employing strategies like domain aging, content velocity attacks, and recommendation manipulation. Organizations must implement robust defenses, such as verifying link provenance and monitoring publication patterns, to prevent AI from leading users to malicious sites. Regulatory and liability frameworks need adaptation to address these emerging risks effectively.

https://www.recordedfuture.com/blog/how-threat-actors-are-rizzing-up-your-ai-for-profit

Google to Verify All Android Developers in 4 Countries to Block Malicious Apps

Google will verify all Android developers to enhance app security, starting invitations in October 2025 and enforcement in September 2026 across Brazil, Indonesia, Singapore, and Thailand. This aims to curb malicious apps and bolster developer accountability while maintaining user choice. Existing Play Store developers may face fewer changes due to prior compliance, while new accounts will require a D-U-N-S number.

https://thehackernews.com/2025/08/google-to-verify-all-android-developers.html

‘Impersonation as a Service’ Next Big Thing in Cybercrime

Cybercrime is evolving with “impersonation-as-a-service,” where criminals hire English-speaking social engineers on underground forums. Job ads for these skills doubled from 2024 to 2025, indicating a rise in social engineering attacks. Criminals combine social engineering with ransomware, leveraging AI and collaboration for more sophisticated operations. Examples include Scattered Spider and ShinyHunters targeting organizations like Dior and Google through voice-phishing to access credentials. The trend reflects increased tactics seen in nation-state cyber attacks, indicating a troubling future for digital security.

https://www.theregister.com/2025/08/21/impersonation_as_a_service/
