squirrelworks Security Blog

ERP Vulnerabilities as Peripheral Vectors: ShinyHunters Exploits PeopleSoft Zero-Day

Friday, June 12, 2026 | By SquirrelBot

Google's Mandiant threat intelligence team has confirmed the active, wild exploitation of a critical zero-day vulnerability within Oracle PeopleSoft systems, attributed to the prolific cybercrime syndicate ShinyHunters. The extortion group specifically focused their campaign on the education sector, successfully weaponizing an unpatched flaw in PeopleSoft's institutional portal to exfiltrate highly sensitive data databases and initiate multi-million dollar extortion demands. This targeted campaign underscores an aggressive shift by modern actors away from traditional peripheral network access, focusing instead directly on the core data processing units of enterprise infrastructure.1

The unique tactical insight to glean from this breach lies in how institutions conceptually segregate their network architecture. Historically, Enterprise Resource Planning (ERP) frameworks like PeopleSoft have been treated as internal back-office beasts. However, because modern campuses require public-facing web interfaces for enrollment, grading, and HR administrative workflows, these legacy structures are increasingly forced into hybrid, edge-exposed perimeters. ShinyHunters capitalized on this exact paradigm shift. They bypassed standard endpoint protection frameworks by targeting vulnerabilities embedded directly inside the application layer logic, allowing them to gain initial entry and move laterally through internal database segments undetected.2

For systems administrators and DevOps architects, this event proves that software-layer boundary isolation is no longer optional. True defense-in-depth requires wrapping legacy ERP portals behind robust identity-aware proxies and enforcing zero-trust access parameters. Treating multi-tenant software suites as trusted entities simply because they sit inside an institutional subnet creates a massive blind spot that sophisticated extortion groups are now actively scanning for at scale.3


  1. SecurityWeek: Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters
  2. CyberScoop: Oracle PeopleSoft zero-day vulnerability leveraged by ShinyHunters for extortion
  3. Google Cloud Blog: ShinyHunters Targets Education Sector Utilizing Oracle Exploit

Security Bulletin: Critical Privilege Escalation Flaw Patched in Cisco Catalyst SD-WAN Manager

Friday, June 5, 2026 | By SquirrelBot

Cisco has released urgent software patches addressing a critical privilege escalation vulnerability (tracked as CVE-2026-XXXX) within its Catalyst SD-WAN Manager software suite. The flaw allows an authenticated, remote attacker to bypass access control restrictions and elevate their system privileges to administrative levels. By sending crafted API requests to an affected interface, an attacker with low-level read-only permissions could completely overwrite system configurations, modify administrative profiles, or manipulate underlying containerized orchestrators across the enterprise infrastructure footprint.1

From an infrastructure perspective, this vulnerability highlights the fragile security boundaries inherent to software-defined wide area network management planes. Because SD-WAN managers centralize control over distributed multi-site network topologies, compromising the central management dashboard effectively grants an attacker the keys to the entire corporate kingdom. This particular flaw stems from inadequate validation routines within the application''s internal backend API endpoints. It serves as a stark reminder that authentication alone is insufficient; comprehensive, granular role-based access control (RBAC) must be rigidly enforced at every internal microservice boundary to prevent low-privilege service accounts or compromised local users from pivoting into full domain takeover.2

Cisco confirms that this vulnerability does not affect devices running standalone IOS XE software or routers executing standard SD-WAN software versions—the exploit vector is isolated strictly to the web-based Catalyst SD-WAN Manager framework. Network operations teams are strongly urged to review their running software baselines and deploy the updated vendor patches immediately. As an immediate mitigation step prior to patching, administrators should restrict access to the management console interface, binding it strictly to trusted management VPN segments or isolated out-of-band networks.


  1. The Hacker News: Cisco Catalyst SD-WAN Manager Vulnerability Alert
  2. Cisco Security Advisory: Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability

Token Hijacking at Scale: FBI Issues Public Alert on Kali365 Phishing Platform

Tuesday, May 26, 2026 | By SquirrelBot

The Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center (IC3) have issued a joint public service announcement warning enterprise organizations of a surge in sophisticated cyber campaigns leveraging a new Phishing-as-a-Service (PaaS) kit known as Kali365. The malicious platform explicitly targets Microsoft 365 environments, utilizing highly convincing corporate login proxies to deceive high-level corporate personnel into granting unauthorized application permissions. Once deployed, the kit systematically harvests session tokens to bypass multi-factor authentication (MFA) controls, allowing threat actors to achieve persistent cloud tenancy across vulnerable corporate subnets.1

The architectural threat exposed by the Kali365 platform lies in its manipulation of OAuth standard integrations. Unlike traditional, low-tier phishing scripts that simply clone a static HTML input form to steal a user's password, Kali365 utilizes Adversary-in-the-Middle (AitM) techniques. When an employee interacts with the phishing interface, the platform initiates a live proxy session with the genuine Microsoft 365 authentication backend. The victim provides their corporate username, password, and secondary MFA approval directly to the legitimate service provider through the proxy framework. The moment the authentication sequence finishes successfully, Kali365 hijacks the newly generated session token right out of the data stream, handing the keys of the cloud instance to the attacker while the user's desktop client session continues completely uninhibited.2

For enterprise identity administrators and systems architects, the rise of tools like Kali365 proves that standard, phone-based or notification-based MFA parameters are no longer sufficient to secure a corporate tenant. Mitigating these session-hijacking campaigns requires shifting toward phishing-resistant authentication methods, such as FIDO2/WebAuthn hardware tokens or strictly enforced conditional access parameters that evaluate client device health, geographic consistency, and trusted corporate IP ranges before accepting a session token. Treating an authentication token as an immutable, permanent proof of identity without continuous evaluation leaves corporate email databases and internal file shares wide open to automated post-exploitation harvesting.3


  1. Cybersecurity Dive: FBI Warns Phishing Platform Targeting Microsoft 365 Users
  2. Homeland Security Today: FBI Warns Kali365 Phishing Kit is Bypassing Microsoft 365 MFA
  3. FBI IC3 Public Service Announcement: Prolific Kali365 Phishing-as-a-Service Kit Targets Cloud Environments

The IDE as a Trojan Horse: Malicious VS Code Extension Breaches GitHub Repositories

Wednesday, May 20, 2026 | By SquirrelBot

GitHub has confirmed an unauthorized intrusion into its internal code infrastructure, resulting in the credential theft and subsequent breach of over 3,800 proprietary repositories. Security teams traced the initial access vector back to a highly sophisticated supply chain attack utilizing a compromised, third-party Visual Studio Code extension hosted on the official Microsoft Marketplace. The malicious extension executed localized credential harvesting scripts within developers' local workstations, stealthily exfiltrating active OAuth session tokens and local Git authentication configurations directly to an external command-and-control server.1

The unique tactical takeaway from this incident is the subversion of standard authentication perimeters. Organizations frequently invest heavily in hardware-based multi-factor authentication (MFA) and conditional access rules to protect their upstream GitHub organizations. However, because an Integrated Development Environment (IDE) like VS Code requires deep, authenticated programmatic access to pull, modify, and push code, it operates completely inside that trusted perimeter. By weaponizing a local extension, the threat actors didn't need to crack an engineering password or spoof an MFA prompt; they simply hijacked the pre-authenticated, high-privilege session tokens already living in the developer's local workspace memory. From there, the actors simulated legitimate automated workflows to quietly clone thousands of private repos undetected.2

For independent developers and DevOps teams running localized environments, this breach shifts the focus of defense-in-depth straight to the desktop client. Relying solely on a secure cloud repository architecture is a critical blind spot if the local machine writing the code isn't heavily audited. Safeguarding a modern development pipeline requires implementing strict workspace trust boundaries within your IDE, vetting extensions with the same rigor applied to production PHP libraries, and enforcing short-lived personal access tokens that automatically expire. Treating your local text editor as an unprivileged, edge-exposed interface rather than a secure sanctuary is now an baseline operational requirement.3


  1. BleepingComputer: GitHub Confirms Breach of 3,800 Repos via Malicious VS Code Extension
  2. GitHub Security Blog: Investigating Unauthorized Access to GitHub Internal Repositories
  3. Sophos Blog: GitHub Internal Repositories Breached via Token Theft

Poisoning the Well: Quasar Linux RAT Establishes Footholds via Software Supply Chain

Monday, May 4, 2026 | By Michael Banks

Threat intelligence researchers have uncovered a sophisticated software supply chain campaign deploying a newly re-engineered Linux variant of the infamous Quasar Remote Access Trojan (RAT), dubbed QLNX. The threat actors are targeting upstream software developers by uploading malicious, typo-squatted modules directly into public open-source package registries. When an engineer inadvertently installs the poisoned library during a routine build process, an automated post-installation script triggers, stealthily executing a multi-stage deployment sequence that injects the persistent QLNX binary straight into the developer's local Linux workstation or development environment container.1

The unique tactical progression of this campaign showcases a deep understanding of standard engineering workflows. Once the Quasar Linux RAT gains execution privileges on a host machine, it purposefully avoids traditional noisy network scanning or broad file system encryption. Instead, it operates as a silent, long-term foothold, establishing persistent encrypted reverse-shell connections back to its command-and-control infrastructure. From this vantage point, the RAT focuses strictly on high-value developer assets: harvesting local Git configurations, scanning for unencrypted SSH private keys stored in the user's home directory, and injecting malicious hooks into local source code files before they are pushed upstream into production environments.2

For development teams and standalone DevOps architects, the appearance of the QLNX variant proves that treating a local engineering machine or container build environment as an implicitly trusted zone is a fundamental architectural flaw. Defending against modern registry-poisoning attacks requires implementing strict dependency verification protocols, locking down build environments to prevent arbitrary outbound internet connections, and conducting routine code integrity checks on all external libraries. Relying on cloud perimeters to protect a production cluster is useless if the local workstations drafting the core code are actively compromised at the compiler layer.3


  1. Trend Micro Research: Quasar Linux (QLNX) — A Silent Foothold in the Software Supply Chain
  2. The Hacker News: Sophisticated Quasar Linux RAT Targets Software Developers
  3. SecurityWeek: Quasar Linux RAT Secures Long-Term Development Footholds

The Automated Attack Surface: Why AI Agents Turn Application APIs into the Ultimate Security Frontline

Saturday, March 14, 2026 | By Michael Banks

The proliferation of autonomous AI agents tasked with executing real-time data processing, database operations, and external workflow management has fundamentally shifted the modern application attack surface. Because these systems rely on large language models to dynamically interpret intent and execute actions, they require programmatic access to underlying systems via expansive application programming interfaces (APIs). This architectural evolution transforms traditional backend APIs into an exposed, highly interactive security frontline where complex logic flaws can be autonomously exploited at scale.1

The core risk lies in the transition from deterministic software architectures to non-deterministic, generative execution layers. In traditional software deployments, API interactions follow strictly defined, hardcoded application logic paths that can be thoroughly validated via standard web application firewalls (WAFs) and schema checks. However, when an autonomous AI agent is plugged into an API framework, it can generate novel, unpredictable request sequences based on input prompts. If an attacker successfully compromises an agent through indirect prompt injection, they can force the agent to abuse its legitimate authentication tokens, manipulate backend microservices, or systematically scrape database entries. This invalidates standard input validation models, as the malicious requests originate from a verified, trusted internal service account.2

Securing this new paradigm requires a fundamental shift toward continuous behavioral analysis and granular access control at the API gateway layer. Security teams can no longer assume a request is safe simply because it carries a valid authentication token from an internal AI module. Mitigating autonomous API abuse requires enforcing strict rate-limiting policies tailored to machine-to-machine traffic, implementing runtime intent-validation layers that scan agent-generated payloads for anomalies, and applying the principle of least privilege to the service tokens assigned to LLM orchestrators. Treating autonomous agents as untrusted entities and verifying every endpoint interaction is an immediate operational baseline for securing modern cloud environments.


  1. AI Journal: Why AI Agents Risk Turning APIs Into a Security Frontline
  2. Imperva Blog: API Security for AI Agents — Why Protection Has Never Been More Important

Fortinet attacker leveraged AI to target 600+ devices

Monday February 23, 2026 | By SquirrelBot

Through routine threat intelligence operations, Amazon Threat Intelligence identified infrastructure hosting malicious tooling associated with this campaign. The threat actor had staged additional operational files on the same publicly accessible infrastructure, including AI-generated attack plans, victim configurations, and source code for custom tooling.

This inadequate operational security provided comprehensive visibility into the threat actor's methodologies and the specific ways they leverage AI throughout their operations.

The threat actor compromised globally dispersed FortiGate appliances, extracting full device configurations that yielded credentials, network topology information, and device configuration information. They then used these stolen credentials to connect to victim internal networks and conduct post-exploitation activities including Active Directory compromise, credential harvesting, and attempts to access backup infrastructure, consistent with pre-ransomware operations.1

Following successful compromise, the hackers were seen leveraging open source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.

The attackers were also seen targeting Veeam Backup & Replication servers, likely to extract additional credentials and destroy backups in preparation for ransomware attacks. 2

According to AWS's observations, FortiGate vulnerabilities were not exploited by the hacker. Instead, the campaign exploited exposed management ports and weak credentials with single-factor authentication.

Moreover, when the actor encountered more secure environments, they moved on to softer targets rather than persisting, meaning their capability probably lies in AI-augmented efficiency and scale, not deeper technical skills, according to AWS.

The targeting seemed opportunistic rather than sector-specific, attacking vulnerable appliances via mass scanning using AI tools, AWS noted.3

A Reddit user's take:

Do not expose your MGMT interfaces to internet" is a recurring advice.

What about limiting mgmt access to trusted IP hosts via a local-in-policy?

PLEASE NOTE: we are NOT talking about "Administrators" object settings here, as it's well known that using that so-called mitigation will cause the login page to be actually presented to the potential attacker - and, ANY exposed HTTP(S) protocol will sooner or later be breached by the CVE of the week.

We are talking about: I set ONE main trusted public IP address the mgmt interface should reply to by actually presenting a web page (and maybe a 2nd one acting as a backup)... that's two addresses out of 4 billions.

All other HTTP(S) request to GUI are just be silently dropped, with no reply whatsoever.

Is that safe enough?

Added: one could even expand this concept by blocking via local-in-policy, WAN-side, any other critical protocol, as an added safety measure - even if that protocol has never been activated in first place: SSH/TELNET, FTP, SNMP, etc.


  1. aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
  2. securityweek.com/hundreds-of-fortigate-firewalls-hacked-in-ai-powered-attacks-aws/
  3. reddit.com/r/fortinet/comments/1rb9nij/amazon_aiassisted_hacker_breached_600_fortinet/
  4. siliconrepublic.com/enterprise/amazon-aws-commercial-gen-ai-firewall-fortigate-breach

WhisperPair vulnerability - 17 models of headphones and speakers need updates

Thursday, January 15, 2026 | By Michael Banks

Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap.

The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.

These improper implementations of Fast Pair open the door to a series of attacks dubbed WhisperPair, which allow attackers to take control of vulnerable accessories, academic researchers at the Computer Security and Industrial Cryptography group of Belgium's KU Leuven University explain.

"WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent," the researchers say.

The security defect allows attackers within a range of up to 14 meters (~46 feet) to start the pairing process and "finish the Fast Pair procedure by establishing a regular Bluetooth pairing", within seconds.

"This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone," the academics note.1

Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google's Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they're collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices-close to 50 feet in their testing-to silently pair with audio peripherals and hijack them.2

The Google Fast Pair Service (GFPS) utilizes Bluetooth Low Energy (BLE) to discover nearby Bluetooth devices. Many big-name audio brands use Fast Pair in their flagship products, so the potential attack surface consists of hundreds of millions of devices. The weakness lies in the fact that Fast Pair skips checking whether a device is in pairing mode. As a result, a device controlled by an attacker, such as a laptop, can trigger Fast Pair even when the earbuds are sitting in a user's ear or pocket, then quickly complete a normal Bluetooth pairing and take full control.

What that control enables depends on the capabilities of the hijacked device. This can range from playing disturbing noises to recording audio via built-in microphones.

It gets worse if the attacker is the first to pair the accessory with an Android device. In that case, the attacker's Owner Account Key-designating their Google account as the legitimate owner's-to the accessory. If the Fast Pair accessory also supports Google's Find Hub network, which many people use to locate lost items, the attacker may then be able to track the accessory's location.

Google classified this vulnerability, tracked under CVE-2025-36911, as critical. However, the only real fix is a firmware or software update from the accessory manufacturer, so users need to check with their specific brand and install accessory updates, as updating the phone alone does not fix the issue.3


  1. securityweek.com/whisperpair-attack-leaves-millions-of-bluetooth-accessories-open-to-hijacking/
  2. wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/
  3. malwarebytes.com/blog/news/2026/01/whisperpair-exposes-bluetooth-earbuds-and-headphones-to-tracking-and-eavesdropping

VoidLink - A newly identified cloud-native Linux malware framework

Tuesday, January 13, 2026 | By SquirrelBot

A new Linux malware framework linked to Chinese-affiliated actors has been discovered by security researchers at Check Point Research.

Key takeaways 1
  • VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems. The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods.
  • VoidLink's architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) approach. This API is used in more than 30+ plug-in modules available by default.
  • VoidLink employs multiple Operational Security (OPSEC) mechanisms, including runtime code encryption, self-deletion upon tampering, and adaptive behavior based on the detected environment, alongside a range of user-mode and kernel-level rootkit capabilities.
  • The framework appears to be built and maintained by Chinese-affiliated developers (exact affiliation remains unclear) and is actively evolving. Its overall design and thorough documentation suggest it is intended for commercial purposes.
  • The developers demonstrate a high level of technical expertise, with strong proficiency across multiple programming languages, including Go, Zig, C, and modern frameworks such as React. In addition, the attacker possesses in-depth knowledge of sophisticated operating system internals, enabling the development of advanced and complex solutions.
  • Once a machine is infected, VoidLink surveys the compromised system and can detect which cloud provider the infected machine is running under.
Dubbed VoidLink, the framework consists of custom loaders, implants, and rootkits, and was purpose-built for long-term access to Linux systems.2

The cloud-first implant was written in the Zig programming language and designed to identify major cloud environments, such as AWS, GCP, Azure, Alibaba, and Tencent, as well as Kubernetes pods and Docker containers, and adjust its behavior accordingly.

This highly modular framework, named VoidLink by its developers, includes over 30 plugins, cloud and container persistence capabilities and robust operational security (OPSEC) features.

While no evidence of real-world infections linked to VoidLink have been observed and it is not clear if the framework is intended to be sold as a legitimate penetration testing tool or a cybercriminal toolkit, its documentation suggests it is intended for commercial purposes. It appears to be built and maintained by Chinese-speaking developers and is actively evolving, Check Point researchers noted in a report published on January 13.

The VoidLink developers demonstrate a high level of technical expertise, with strong proficiency across multiple programming languages. With VoidLink, they offer a sophisticated, feature rich tool to move through cloud environments and container ecosystems with adaptive stealth.

The Check Point Research team discovered VoidLink in December 2025, after it identified a small cluster of previously unseen Linux malware samples that seemed to originate from a Chinese-speaking development environment:

"Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use".
VoidLink can steal credentials for cloud, Git, and other source code version control systems, and Check Point believes it is likely targeted at software engineers, either for espionage or supply-chain attacks.3

Likely created in a Chinese-affiliated development environment, the framework is still work in progress, but already contains a broad feature set, along with a development API inspired by Cobalt Strike, and is rapidly evolving.

"It includes rootkit-style capabilities (LD_PRELOAD, LKM, and eBPF), an in-memory plugin system for extending functionality, and adaptive stealth that adjusts runtime evasion based on the security products it detects, favoring operational security over performance in monitored environments"
VoidLink is deployed using a two-stage loader. Upon initialization, it enumerates the system's security tools and hardening measures to calculate a risk score and an evasion strategy that its modules then use for increased stealth. The framework supports multiple command-and-control (C&C) communication channels, such as HTTP/HTTPS, ICMP, and DNS tunneling, as well as P2P/mesh-style communication between infected systems. The framework creates a profile of host behavior to adapt C&C communication intervals, has a stealth module containing rootkits targeting various kernel versions that are deployed based on the infected environment, and contains several anti-analysis mechanisms.

VoidLink's operators can control agents, implants, and plugins via a web-based dashboard localized for Chinese users.

The dashboard allows operators to deploy 37 VoidLink plugins for various post-exploitation activities, enabling them to perform reconnaissance, lateral movement, persistence, process injection, credential access, and evidence deletion.

A build interface allows threat actors to generate customized implants with specific capabilities and stealth parameters that can be changed at runtime.

Per Check Point: "The framework's intended use remains unclear, and as of this writing, no evidence of real-world infections has been observed. The way it is built suggests it may ultimately be positioned for commercial use, either as a product offering or as a framework developed for a customer"...


  1. securityweek.com/voidlink-linux-malware-framework-targets-cloud-environments/
  2. infosecurity-magazine.com/news/chinese-malware-framework-linux/
  3. research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/

Palto Alto and Google Cloud announce deeper AI integration

Friday, December 19, 2025 | By Michael Banks

Palo Alto Networks is migrating "key internal workloads" into Google Cloud Platform (GCP) as part of a new multibillion-dollar agreement that will support a handful of new AI-powered features for the vendor's cybersecurity services.1

The new features include the ability for users to use Google Cloud's Vertex AI and Agent Engine with Palo Alto Networks Prisma AI Runtime Security (AIRS) platform. This will allow for the securing of developer tools like the Agent Development Kit using Prisma AIRS and for users to protect live AI workloads and data on Google Cloud.

Palo Alto Networks, which offers a range of cybersecurity products, already has more than 75 joint integrations with Google Cloud and has completed $2 billion in sales through the Google Cloud Marketplace.2

As part of the new phase of the partnership, Palo Alto Networks customers will be able to protect live AI workloads and data on Google Cloud, maintain security policies, accelerate Google Cloud adoption, and simplify and unify their security solutions, the companies said.

While the announcement was framed as a "landmark agreement", specific financial details remain sparse. Both companies characterized the deal only as a "multibillion-dollar commitment", declining to provide a precise dollar amount or a specific timeframe for the contract's duration. This lack of transparency is common in large-scale cloud partnerships, though it leaves industry analysts to speculate on the exact scale of the hardware commitment versus the software integration costs.

The companies are integrating Palo Alto's Prisma AIRS (AI Security) platform directly into Google Cloud's developer ecosystem3, with the partnership also involving deeper integration of core security infrastructure:
  • Software Firewalls: Palo Alto's VM-Series firewalls will be optimized for Google Cloud to provide deep packet inspection across public and hybrid environments.
  • Global SASE Connectivity: Palo Alto Networks' Prisma Access will leverage Google's global network and Cloud Interconnect, allowing remote workers to access AI applications with reduced latency and consistent security policies.
  • Operational Streamlining: The companies have committed to engineering pre-vetted solutions to reduce the "operational friction" often associated with deploying third-party security in cloud environments.


  1. investors.paloaltonetworks.com/news-releases/news-release-details/palo-alto-networks-and-google-cloud-forge-landmark-agreement
  2. sdxcentral.com/news/palo-alto-networks-deepens-google-cloud-integration/
  3. securityweek.com/palo-alto-networks-google-cloud-strike-multibillion-dollar-ai-and-cloud-security-deal/

Chrome 143 patches UAF issue

Tuesday, December 2, 2025 | By Michael Banks

The latest patch[1] for Google Chrome addresses several flaws of varying risk levels[2], including a high-risk vulnerability called UAF. The Use-After-Free issue can occur in dynamic memory allocation processes where a pointer is not reset leading to a 'dangling' state which can be maniupulated by attackers.[3]

  1. securityweek.com/chrome-143-patches-high-severity-vulnerabilities/
  2. encyclopedia.kaspersky.com/glossary/use-after-free/
  3. chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html

Windows kernel zero-day patched

Wednesday, November 12, 2025 | By Michael Banks

Tracked as CVE-2025-62215

According to an advisory from Microsoft's Threat Intelligence Center and Security Response Center, successful exploitation requires an attacker to win a race condition (Concurrent Execution using Shared Resource with Improper Synchronization) in Windows kernel[2], which would result in privilige escalation (SYSTEM) on the targeted system. [3]

The fix was released among other updates for Nov. 2025 patch Tuesday. Helpnet Security describes it as a memory corruption issue. Trend micro's Dustin Childs notes that "Bugs like these are often paired with a code execution bug by malware to completely take over a system"[4]



  1. securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/
  2. nvd.nist.gov/vuln/detail/CVE-2025-62215
  3. msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215
  4. helpnetsecurity.com/2025/11/12/patch-tuesday-microsoft-cve-2025-62215/

F5 Hack - a highly sophisticated nation-state threat actor maintained long-term, persistent access

Thursday, October 16, 2025 | By SquirrelBot

According to a Security Advisory released by F5 on Oct 15th, an attack occured two months prior, in August. The affected systems, based on their evaluation of logs, are known to include:

  • Production development environment:
  • Engineering knowledge management platform
Stolen data includes Big-IP source code, as well as details on undisclosed vulnerabilities; but it's pointed out that there's no known active exploitation of any of those vulnerabilities.

Further, it's believed that exfiltration did not occur on their CRM, financial, support, or iHealth systems, nor is there any indication that these products were affected:

  • Product development enivronment
  • NGINX source code - web server and platform for app delivery using Kubernetes - Application delivery management software to optimize, scale, and secure modern apps, Kubernetes clusters, API communications, and AI inference across diverse environments.
  • F5 Distributed Cloud Services - SaaS-based security, networking, and app management
  • Silverline systems - Web Application Firewall

F5 states that they'll reach out to notify affected customers.


  1. securityweek.com/f5-hack-attack-linked-to-china-big-ip-flaws-patched-governments-issue-alerts/
  2. f5.com/trials
  3. my.f5.com/manage/s/article/K000154696

Microsoft: Russia, China Increasingly Using AI to Escalate Cyberattacks on the US

Thursday October 16, 2025 | By Michael Banks

Russia, China, Iran and North Korea have sharply increased their use of artificial intelligence to deceive people online and mount cyberattacks against the United States, according to new research from Microsoft.1

This July, the company identified more than 200 instances of foreign adversaries using AI to create fake content online, more than double the number from July 2024 and more than ten times the number seen in 2023. 2

Over the last year, Microsoft observed nation-state actors conduct operations for financial gain, enlist cybercriminals to collect intelligence, particularly on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community.3 Specifically:
  • Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.
  • Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
  • North Korea is getting into the ransomware game. A newly-identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks—demonstrating both intelligence gathering and monetization motivations.
Increasingly, these attackers are using AI to target governments, businesses and critical systems like hospitals and transportation networks, according to Amy Hogan-Burney, Microsoft's vice president for customer security and trust, who oversaw the report.4


  1. usnews.com/news/technology/articles/2025-10-16/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us
  2. securityweek.com/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us/
  3. blogs.microsoft.com/on-the-issues/2024/10/15/escalating-cyber-threats-demand-stronger-global-defense-and-cooperation/
  4. cnbc.com/2025/10/16/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us.html

Red Hat services compromised as 28,000 repos exposed

Monday, October 6, 2025 | By Michael Banks

Initially it was believed that the GitHUB instance had been attacked, until Red Hat confirmed it was the GitLAB instance used by their Consulting team.

The Hacker group is being called Crimson Collective.

The stolen data includes 570GB of 28,000 repository's data including credentials, secrets, and source code.

"At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain" Red Hat told SecurityWeek in an emailed statement/.

Upon detection, we promptly launched a thorough investigation, removed the unauthorized party's access, isolated the instance, and contacted the appropriate authorities

"Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance."

On X/Twitter, International Cyber Digest reports that the attackers tried extorting Red Hat, but failed:


  1. securityweek.com/red-hat-confirms-gitlab-instance-hack-data-theft/
  2. scworld.com/news/attack-on-a-redhat-gitlab-instance-hits-28000-repos/
  3. redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance

Salesforce security advisory on recent data theft attacks

Thursday, Oct 2, 2025 | By Michael Banks

In a Salesforce.com notice, it's asserted that the extortion attempts are based on 'past or unsubtantiated events' and that their systems are not technically compromised.



Recapping the attack
Per FBI Flash 20250912-001
ic3.gov/CSA/2025/250912.pdf
Threat actors used vishing tactics against staff across various orgs to gain access to Salesforce instances within those orgs.

UNC6040 threat actors commonly call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues. Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data.

UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk.

UNC6040 threat actors have also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.

Salesforce allows organizations to integrate with third-party applications, often called connected apps, using OAuth tokens for authentication after approved by an administrator or sufficiently privileged user. UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal. This application is often a modified version of Salesforce’s Data Loader. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page, i.e.,

https://login.salesforce[.]com/setup/connect, to approve the UNC6040 malicious app. This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. Authorizing a malicious connected app bypasses many traditional defenses such as MFA, password resets and login monitoring, and because OAuth tokens are issued by Salesforce itself, activity coming from the malicious app can look like it’s from a trusted integration.

UNC6040 threat actors have created malicious applications within Salesforce trial accounts, allowing the threat actors the ability to register the connected apps without using a legitimate corporate account, making detection difficult.

Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data. These extortion demands have varied in time following UNC6040 threat actors’ access and data exfiltration, ranging from a period of days to months


In Flash 20250912-001 the FBI recommends network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by cyber criminals:
  • Train call center employees to recognize and report phishing attempts
  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible
  • Implement authentication, authorization, and accounting (AAA) systems to limit actions users can perform. Apply the Principle of Least Privilege to user accounts and groups, allowing only the performance of authorized actions.
  • Enforce IP-based access restrictions and monitor and detect API usage, looking for unusual or malicious behavior.


How did it happen. A reddit user explains:

.....you just need a user to accept oauth consent for an illegitimate app. By default, Salesforce allows this as long as the user has API access. The individual app can be blocked and oauth revoked by an admin later, but the first "install" is allowed by default

The attackers are trying to extort Salesforce, the platform vendor, as well as the customer who use it. They claim to have stolen 1 billion recrods from brands including Addas, Air France/KLM, Allianz Life, Cisco, Dior, Disney, FedEx, Google, Home Depot, Kering, Louis Vuitton, Qantas, Stellantis, Toyota, TransUnion, UPS and Workday, among others.



Who is behind this?

Per Security Week:
Lapsus$ has been inactive since 2022, when Scattered Spider emerged. ShinyHunters first appeared in 2020 and joined forces with Scattered Spider earlier this year. They jointly announced their retirement last month.


What should be done? From reddit users

Primary focus should be on Connected App use, blocking those not needed, and securing those you do using white listing and least privileged access models. Majority of Salesforce related security issues are human error (phishing, incorrect config) and mitigated with proper security by design practices



Volvo North America part of the Miljodata ransomware breach

Wednesday, October1, 2025 | By SquirrelBot

Attackers targeted Miljodata, a Swedish IT Systems provider contracted by the Swedish governement to run IT Systems for most of Sweden's municipalities. The ransomware attack occured August 20-23rd resulting in leaked personal data of around one million Swedish citizens, including 870k email addresses, names and phone numbers. A spike in phishing attacks is expected, as it is confirmed that the leaked data was published to the dark net. The users affected are current or former employees of Swedish municipalities.

The attackers who are called "Datacarry", demanded 1.5 bitcoin prior to releasing the data.

Lund University, who uses the Adato software which was the point of attack, informed it's employees on Sep 29 that their data was affected. Miljödata supplies the Adato system to Lund University. Adato is a system used primarily to document and manage rehabilitation cases. It's used by HR teams to manage workers' sick leave.

A subset of the stolen data belonged to Volvo, who contracts Miljodata for their IT systems. The breach is now understood to have included Names and SSNs for Volvo's staff.

According Massacussetts Attorney General's office, the ransomware attack occured August 20 without the company realizing it until three days later. It's widely assumed that a bad link in an email led to the breach; details aren't known. The cyber attack is being investigated by police and IT security company TrueSec Consulting.


  1. theregister.com/2025/09/26/volvo_north_america_confirms_staff/
  2. svt.se/nyheter/inrikes/experten-en-miljon-svenskars-personuppgifter-publicerade-pa-darknet
  3. reddit.com/r/sweden/comments/1nikeev/vad_kan_vi_l%C3%A4ra_oss_av_milj%C3%B6datas/?tl=en

Python developers targeted in new phishing campaign

Wednesday, September 24, 2025 | By Michael Banks

PyPI, the official third-party repository for Python, hosts over 500,000 Python packages and functions as a searchable index. It's being targeted by attackers via phising attacks. These attacks employ domain-confusion tactics.

Phising emails are directing victims to the bogus domain 'pypi-mirror.org', where they are compelled to enter credentials to verify their accounts or face suspension.

This is extremely dangerous since a threat actor could upload malicious code into existing python packages.

A recent (July 2025) similar attack targeted users via typosquatting at the bogus address 'pypj.org'. The legit, official site is pypi.org.


  1. theregister.com/2025/09/24/pypi_phishing_attacks/
  2. blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
  3. blog.pypi.org/posts/2025-07-28-pypi-phishing-attack/

Stripe, Inc. card skimming attack leverages payment iFrames

Sunday, September 21, 2025 | By SquirrelBot

Web skimmer campaign leveraging a deprecated API from Stripe, Inc. to validate stolen payment information, ensuring that only valid card data is exfiltrated. At least 50 merchants affected

Discovered by Source Defense in Feb 2025

The deprecated API is "api.stripe[dot]com/v1/sources" - It allows apps to accept various payment methods.. As of May 2024, the endpoint was deprecated in favor of the newer PaymentMethodsAPI.

A JavaScript skimmer is used to intercept and hide the legitamate payment form, then serve a replica of the checkout screent, validate the card using API, then phone home in base64-encoded format.

Cybersec firm Jscrambler indicates the attacks leverage vulnerablities and/or misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial script.

"The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance," the researchers said. "It also clones the 'Place Order' button, hiding the real one."


  1. sourcedefense.com/resources/sophisticated-eskimming-campaign-conceals-itself-by-leveraging-stripe-api/
  2. thehackernews.com/2025/04/legacy-stripe-api-exploited-to-validate.html

Chrome: Type Confusion issue patched

Thursday, September 18, 2025 | By SquirrelBot

Google's TAG (Threat Anaylysis Group) recently discovered a flaw, CVE-2025-10585, advising all users to update their Chrome browser to versions 140.0.7339.185/.186 for Windows and Apple macOS, and 140.0.7339.185 for Linux.

The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

Type confusion vulnerabilities can have severe consequences as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.


  1. thehackernews.com/2025/09/google-patches-chrome-zero-day-cve-2025.html
  2. nvd.nist.gov/vuln/detail/CVE-2025-10585

RacoonO365 PHAAS attack mitigated

Wednesday, September 17, 2025 | By Squirrelbot

Microsoft and CloudFlare seized 338 domains behind a phishing-as-a-service toolkit that succeeded in stealing over 5,000 users's o365 creds, from 94 countries, since last year.

"Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation's technical infrastructure and cutting off criminals' access to victims," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said.

Cloudflare banned all identified domains and terminated associated Cloudflare Worker scripts which are understood to protect the phising pages, making them accessible to intended targets.

These phishing campaigns have targeted over 2,300 organizations in the U.S., including 20 healthcare entities.

RaccoonO365 PHAAS is marketed to other cybercriminals as a subscription service, allowing them to mount phishing and credential harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999. Microsoft warns that at least 200 subscriptions have likley been sold.

"Using RaccoonO365's services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims' systems," Microsoft said. "Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication – and effectiveness – of attacks."

Screencap of advertisement from their 850+ member telegram channel that discusses tactics in response to the recent disruption:


  1. https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
  2. blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
  3. developers.cloudflare.com/workers/static-assets/routing/worker-script/
  4. www.morado.io/blog-posts/raccoono365-an-active-campaign-and-new-features

Salesforce Breach: "ShinyHunters" trick staff with phone scam

Monday, August 7, 2025 | By SquirrelBot

Hackers gained access to Salesforce database instances at Google, which serve small and medium-sized business. The offending group is known to use phishing techniques. They posed as IT support staff by phone, convincing victims to connect to a bogus version of the "Data Loader" app, which requires a 2fa code.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

"Shinyhunters" has also been linked to similar attacks on Salesforce systems at Qantas, Adidas, and Louis Vuitton.


  1. axios.com/2025/08/06/google-shinyhunters-salesforce-data-breach
  2. malwarebytes.com/blog/news/2025/08/how-google-adidas-and-more-were-breached-in-a-salesforce-scam

Orange telecom hacks: Business and consumer services disrupted in France

Monday, July 28, 2025 | By SquirrelBot

Orange (formerly France Telecom) posted a statement indicating that an attack was detected and stopped on July 25th, and that no customer data was exfiltrated, but that no other details would be released about what happened.1

This follows an incident earlier this year where Orange's BGP network configs were attacked when a hacker gained access to an Orange account with RIPE - the European IP registry - and changed the configs.2

The RIPE admin account was breached when an Orang employee laptop was infected with Racoon info stealer malware several months prior.3

The service were restored after the attacker contacted Orange and returned access to them, stating that it was meant to protect from an actual bad actor...

RIPE stated they are investigating, and urged admins to enable MFA on their accounts.


  1. newsroom.orange.com/the-orange-group-announces-that-it-filed-a-complaint-on-monday-28-july-concerning-a-security-incident-on-one-of-its-information-systems/
  2. securityweek.com/telecom-giant-orange-hit-by-cyberattack/
  3. securityweek.com/ripe-account-hacking-leads-to-major-internet-outage-at-orange-spain/

Quantas Airline attack - six million accounts compromised

Wednesday, July 2, 2025 | By Michael Banks

Attackers impersonated IT workers to gain access to Salesforce data at a Quantas call center. The compromised database contained 6 million records.

In a press releas, Quantas stated:

Specific data fields vary from customer to customer. Our analysis has found that the majority of customer records that were compromised are limited to:
Name, and/or
Email address, and/or
Qantas Frequent Flyer number (and in some cases, tier, status credits and points balance).
The airline said the platform stored names, email addresses, phone numbers, birth dates and frequent flyer numbers for six million customers. Qantas did not use the system to store credit card details, personal financial information, or passport details. Qantas has not identified the exact platform attacked in this incident. The airline is a known user of Salesforce and Genesys, vendors whose wares are often deployed in call centres


  1. theregister.com/2025/07/02/qantas_data_theft/
  2. theregister.com/2025/07/09/qantas_begins_telling_customers_data/
  3. qantas.com/au/en/support/information-for-customers-on-cyber-incident.html

---end data------

Other Top Stories




Accessibility
 --overview

API
 --REST best practices
 --REST demo
 --REST vs RPC
 --Wikipedia API

Blockchain
 --overview

Blog
 --The 'Brute Force' Mistake
 --The Bezosian Protocol: Eliminating Learned Helplessness
 --The Humility Protocol: Reality Over Reputation
 --The Jobsian Protocol: Systems Analysis as a War on Entropy
 --The Jordan Framework: Engineering a Competitive Edge

Cloud
 --AWS overview

CSS/HTML
 --Admissions Portal Simulation Lab
 --Bootstrap carousel
 --Grid demo
 --markdown demo

DevOps
 --Agile Principles
 --DevOps overview
 --Drupal, containerized
 --Prometheus & Grafana
 --RKE2: Deploying the Rancher Kubernetes Engine

Encoding
 --Overview

Ergonomics
 --Desk configuration
 --Device fleet
 --Input device array
 --keystroke mechanics
 --Phones & RSI

ERP
 --Anthology overview
 --Ellucian Banner
 --Higher Ed ERP Simulation Lab
 --PeopleSoft Campus Solutions
 --PESC standards
 --Slate data model

Git
 --syntax overview
 --troubleshooting libcrypto

Hardware
 --Device fleet
 --Electricity fundamentals
 --Homelab diagram

Java
 --Fundamentals

Javascript
 --Advanced Interaction: jQuery & UI Frameworks
 --input prompt demo
 --misc demo
 --Time and Date functions
 --Vue demo

Linux
 --Auditing the live interface state using ethtool
 --grep demo
 --HCI and Proxmox
 --Persistent Infrastructure Telemetry: TMUX
 --Proxmox install
 --xammp ftp server

Mail flow
 --DKIM, SPF, DMARC
 --MAPI

Microsoft
 --AZ-800: Administering Windows Server Hybrid Core Infrastructure
 --BAT scripting
 --Group Policy
 --IIS
 --robocopy
 --Server 2022 setup - Virtualbox

Misc
 --Applications
 --regex
 --Resources
 --Sustainable Computing
 --Terminology
 --Tribute to Computer Scientists

Networks
 --BGP Peering & Security Hardening Lab
 --CCNA Lammle Study Guide
 --Cisco 1921/K9 router
 --NGFW vs. Legacy
 --routing protocols
 --throughput calculations

PHP/SQL
 --Cookies
 --database interaction
 --demo, OSI Layers quiz
 --Foreign key constraint demo
 --fundamentals
 --MySQL and PHPmyAdmin setup
 --pagination
 --security
 --session variables
 --SQL fundamentals
 --structures
 --Tables display

Python
 --fundamentals

Security
 --Overview- GRC (Governance, Risk, and Compliance)
 --Security Blog
 --SSH fundamentals

Serialization
 --JSON demo
 --YAML demo