Weekly Cybersecurity Threat Advisory


Threat Landscape Summary (August 25 – September 1, 2025)

I. Executive Summary

This report analyzes the cybersecurity threat landscape observed between August 25 and September 1, 2025. The week featured active exploitation of critical edge and developer tooling, supply‑chain impacts through CRM integrations, and continued nation‑state activity targeting cloud identity workflows and telecom networks. Organizations should prioritize patching Citrix NetScaler CVE‑2025‑7775 and Git CVE‑2025‑48384, apply the emergency fixes for FreePBX, and harden OAuth and device‑code authentication flows.

Key Highlights

  • Supply‑chain exposure: Zscaler confirms breach of its Salesforce instance via the Salesloft Drift compromise (OAuth token theft), exposing customer contact and limited case data.
  • Cloud identity targeting: Amazon disrupted a watering‑hole campaign by APT29 (SVR) abusing Microsoft device‑code authentication with Cloudflare‑themed lures; new actor‑controlled domains were identified.
  • Edge device risk: Citrix NetScaler critical RCE (CVE‑2025‑7775) is exploited in the wild; over 28k instances observed vulnerable shortly after disclosure.
  • Developer tooling risk: Git CVE‑2025‑48384 added to CISA KEV and observed in exploitation; urgent updates available across supported release trains.
  • Voice/UC exposure: FreePBX zero‑day exploited since at least Aug 21; emergency security update released and intrusion playbook published by the vendor community.

Dominant Trends

  • Third-party service breaches spreading to customer data through compromised tokens and access chains.
  • Cloud authentication attacks by nation-state groups using legitimate services as cover for targeting campaigns.
  • Internet-facing device exploitation with thousands of vulnerable systems attacked shortly after disclosure.
  • Developer tool compromises targeting core systems like Git to impact widespread development operations.
  • Communication system breaches through zero-day attacks on phone/UC platforms with months of undetected access.

II. Global Cyber Threat Landscape Overview

Key Observations

  • Cloud‑centric extortion: Microsoft reports Storm‑0501 shifting to pure cloud data theft/encryption using native Azure features and compromising Entra ID through weak MFA/tenant hygiene.
  • Nation‑state tradecraft: Joint US–Five Eyes advisory attributes long‑running telecom intrusions to PRC‑linked actors (“Salt Typhoon”/Gallium/Summer Capital), emphasizing living‑off‑the‑land and valid‑credential abuse.
  • Supply‑chain (SaaS/CRM): Ongoing theft of OAuth tokens from Drift (Salesloft) integrations fueling compromises of Salesforce data at multiple enterprises.

III. Notable Security Incidents and Data Breaches

| Date (UTC) | Incident | Organization / Sector | Impact / Notes |
|---|---|---|---|
| 2025‑09‑01 | Zscaler discloses Salesforce data exposure following Salesloft Drift compromise | Zscaler | Customer PII (contact/job details), support case contents; increased phishing risk |
| 2025‑08‑29 | Amazon disrupts APT29 watering‑hole using device‑code auth lures | Multiple victims (watering‑hole) | Redirect to actor domains (e.g., findcloudflare[.]com); MFA/device‑code abuse |
| 2025‑08‑28 | TransUnion breach tied to Salesforce data‑theft campaigns | TransUnion (US) | 4.4M+ US individuals; PII including SSNs reported by threat actor |
| 2025‑08‑26 | FreePBX servers hacked via zero‑day; emergency fix & detection guidance | Asterisk/FreePBX | Remote command execution through admin module; broad scanning observed |

IV. Current Threat Landscape Analysis

Emerging trends this week include (a) identity‑centric attacks in cloud tenants leveraging OAuth/device‑code flows and phishing‑at‑scale; (b) rapid weaponization of newly disclosed perimeter and developer vulnerabilities; and (c) continued pressure on telecom and CRM ecosystems. Defenders should emphasize identity governance (MFA/conditional access), rapid patch orchestration, and SaaS integration hygiene.

  • Increased targeting of cloud authentication workflows (device‑code, OAuth consent) to bypass endpoint‑centric defenses.
  • Notable uptick in exploitation of Citrix NetScaler (CVE‑2025‑7775) and Git (CVE‑2025‑48384), both added to priority patch queues.
  • Widespread scanning and exploitation attempts against FreePBX deployments; emergency mitigations and forensic checks advised.

V. Critical Vulnerabilities and CVEs (Prioritize within 24–72h)

| CVE | Description | Severity | Mitigation / Notes |
|---|---|---|---|
| CVE‑2025‑7775 | Citrix NetScaler ADC/Gateway RCE (zero‑day, exploited) | Critical | Upgrade to 14.1‑47.48+, 13.1‑59.22+, 13.1‑37.241 (FIPS/NDcPP)+, 12.1‑55.330 (FIPS/NDcPP)+; no workarounds. |
| CVE‑2025‑48384 | Git link‑following/arbitrary file write leading to RCE on clone/init (macOS/Linux) | High–Critical | Update to fixed trains: 2.43.7/2.44.4/2.45.4/2.46.4/2.47.3/2.48.2/2.49.1/2.50.1. |
| CVE‑2024‑8069 / CVE‑2024‑8068 | Citrix Session Recording limited RCE / privilege management flaws | High | Apply Citrix Session Recording security bulletin updates (CTX691941). |
| FreePBX zero‑day | Unauth. command execution via admin module (actively exploited) | High | Apply FreePBX emergency fixes; follow incident triage steps published by vendor community. |
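The table above gives the first fixed build per release train for CVE‑2025‑7775 and CVE‑2025‑48384; a small checker that classifies observed versions against exactly those trains is added here as an example (not vendor or project tooling), with a constructed inventory and the longest‑prefix rule for NetScaler FIPS/NDcPP builds as assumptions:

```python
"""Check observed Citrix NetScaler and Git versions against the fixed releases this
advisory lists for CVE-2025-7775 and CVE-2025-48384. Added example, not vendor
tooling; the inventory below is constructed."""
import re

# Fixed trains copied from the advisory table: (train prefix, first fixed build).
# NetScaler FIPS/NDcPP builds (13.1-37.x, 12.1-55.x) are treated as separate trains,
# so the longest matching prefix wins when a version is classified (an assumption).
FIXED = {
    "netscaler": [("14.1", "14.1-47.48"), ("13.1", "13.1-59.22"),
                  ("13.1-37", "13.1-37.241"), ("12.1-55", "12.1-55.330")],
    "git": [("2.43", "2.43.7"), ("2.44", "2.44.4"), ("2.45", "2.45.4"), ("2.46", "2.46.4"),
            ("2.47", "2.47.3"), ("2.48", "2.48.2"), ("2.49", "2.49.1"), ("2.50", "2.50.1")],
}

def _tokens(version):
    """'14.1-47.48' or 'git version 2.47.1 (Apple Git-154)' -> tuple of ints."""
    cleaned = re.sub(r"\(.*?\)", "", version)  # drop vendor suffixes in parentheses
    return tuple(int(t) for t in re.findall(r"\d+", cleaned))

def patch_status(product, observed):
    """Return 'patched', 'vulnerable' or 'unknown train' for one version string."""
    obs = _tokens(observed)
    best = None  # (train tokens, fixed tokens) of the longest matching train
    for train, fixed in FIXED[product]:
        tt = _tokens(train)
        if obs[:len(tt)] == tt and (best is None or len(tt) > len(best[0])):
            best = (tt, _tokens(fixed))
    if best is None:
        return "unknown train"  # e.g. a Git train the advisory does not list
    return "patched" if obs >= best[1] else "vulnerable"

# Constructed inventory rows: (product, host label, version string as reported).
INVENTORY = [
    ("netscaler", "ns-gw-01", "14.1-47.46"),
    ("netscaler", "ns-fips-02", "13.1-37.241"),
    ("git", "ci-runner-a", "git version 2.47.1 (Apple Git-154)"),
    ("git", "ci-runner-b", "git version 2.50.1"),
]

def triage(inventory):
    """Hosts still needing action come first, so the list doubles as a patch queue."""
    rows = [(host, product, patch_status(product, v)) for product, host, v in inventory]
    return sorted(rows, key=lambda r: r[2] != "vulnerable")
```

A version newer than every listed train is reported as "unknown train" rather than guessed at; extend FIXED from the vendor bulletin when new trains ship.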


VI. Threat Actor Activities

Profiles of active or newly observed threat actors mapped to MITRE ATT&CK:

| Group | Objective | Mapped TTPs (MITRE ATT&CK) | Notes |
|---|---|---|---|
| APT29 / Midnight Blizzard (SVR) | Espionage; credential harvesting & identity abuse | T1189 (Drive‑by), T1059 (Command), T1078 (Valid Accounts), T1071 (App‑Layer Protocol), T1556 (Modify Auth Proc) | Device‑code auth lures via compromised sites; Cloudflare‑themed pages; watering‑hole redirections; rapid infra rotation. |
| Salt Typhoon (PRC nexus) | Espionage; telecom & critical infra access | T1078, T1190 (Exploit Public‑Facing App), T1047 (WMI), T1105 (Ingress Tool Transfer) | Long‑running access in telecom networks; living‑off‑the‑land, valid creds, stealthy persistence. |
| Storm‑0501 (crime/RaaS evolution) | Data theft + cloud‑based encryption and extortion | T1078, T1098 (Account Manipulation), T1485 (Data Destruction), T1486 (Data Encrypted for Impact) | Pivot from on‑prem encryptors to cloud key‑vault abuse, backup deletion, Entra ID tenant takeover. |

VII. Malware Spotlights

| Malware | Capabilities | Delivery / TTPs | Affected Platforms / Notes |
|---|---|---|---|
| Brokewell (Android) | Banking/crypto‑focused mobile stealer with device control | Malvertising (fake TradingView Premium), Tor/WebSockets C2; overlays; accessibility abuse; keylogging; 2FA interception | Targets Android users via localized ads; attempts to exfiltrate wallet data and intercept SMS/Google Authenticator codes. |


VIII. Recommendations

For Technical Audiences (Security, IT, DevOps) – Immediate (24–48h):

  • Patch/upgrade Citrix NetScaler to fixed releases; inventory exposed instances; validate Gateway/AAA and IPv6 bindings.
  • Update Git across developer endpoints/CI images to fixed versions; restrict cloning from untrusted repos; enforce signed commits.
  • Apply FreePBX emergency updates; rotate secrets; review admin modules; check audit logs and telephony call events.
  • Audit OAuth/CRM integrations (e.g., Drift, Salesforce). Revoke unused tokens, rotate API keys, enable IP allow‑listing and conditional access.
  • Harden device‑code authentication (Microsoft): disable if not required; enforce MFA and conditional access; monitor for anomalous device authorization events.
  • Cloud hardening (Azure): monitor elevateAccess actions; protect Recovery Services and snapshots; enforce least privilege; require MFA for Global Admins.
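The two monitoring items above (anomalous device‑code authorizations and Azure elevateAccess actions) can be triaged from exported sign‑in and Activity Log records; the script below is an added example, not Microsoft tooling, and assumes the field names of the Microsoft Graph signIn resource and the Activity Log operationName as shown, with every record constructed:

```python
"""Triage constructed Entra ID sign-in and Azure Activity Log records for the two
signals the advisory calls out: device-code sign-ins and elevateAccess actions.
Added example; field names follow the Graph signIn / Activity Log shape as assumed."""
from collections import defaultdict

# Constructed sign-in records in the shape of Graph /auditLogs/signIns entries.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "PK"}},
    {"userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.22", "location": {"countryOrRegion": "PK"}},
]
# Constructed Activity Log entries; operationName holds the ARM operation id.
ACTIVITY = [
    {"caller": "bob@example.com", "operationName": "Microsoft.Authorization/elevateAccess/action"},
    {"caller": "svc-backup@example.com", "operationName": "Microsoft.RecoveryServices/vaults/read"},
]

def device_code_baseline(signins):
    """Countries each user has signed in from using any non-device-code flow."""
    seen = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            seen[s["userPrincipalName"]].add(s["location"]["countryOrRegion"])
    return seen

def flag_device_code(signins, allow_device_code=False):
    """Report every device-code sign-in when the flow is disabled by policy; otherwise
    only those from a country outside the user's interactive baseline."""
    baseline = device_code_baseline(signins)
    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user, country = s["userPrincipalName"], s["location"]["countryOrRegion"]
        if not allow_device_code:
            alerts.append((user, "device-code flow used while disabled by policy"))
        elif country not in baseline[user]:
            alerts.append((user, f"device-code sign-in from new country {country}"))
    return alerts

def flag_elevate_access(activity):
    """elevateAccess grants a Global Admin root-scope User Access Administrator; each use is reviewed."""
    return [e["caller"] for e in activity
            if e["operationName"].endswith("/elevateAccess/action")]
```

A user with no interactive history (bob above) has an empty baseline, so any device‑code sign‑in for that account is reported even when the flow is allowed.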

Strategic (2–6 weeks):

  • Implement SaaS security posture management (SSPM) to continuously validate CRM/chatbot integrations and OAuth scopes.
  • Adopt rapid patch orchestration SLAs for edge devices and developer tools; integrate KEV‑driven patch queues.
  • Deploy identity threat detection & response (ITDR) for tenant‑level anomalies (new federated domains, mass consent grants).
  • Codify Bring‑Your‑Own‑Git policies: sandbox clones, use ephemeral build runners, and enforce network egress controls for CI.

For Non‑Technical Audiences (Leadership & Staff):

  • Beware of fake “verification” pages and unsolicited device‑authorization prompts. Verify before approving any device code.
  • Treat any unsolicited support calls/emails requesting OAuth app approvals as suspicious; escalate to IT/SecOps.
  • Use strong, unique passwords and MFA on all work accounts; never share MFA codes in chats or calls.


IX. Analyst Notes

  • Expect increased “malvertising‑to‑mobile” chains targeting finance/crypto users, with broader localization and brand abuse.
  • Cloud‑only extortion models reduce on‑prem dwell time requirements; prioritize telemetry and prevention on SaaS and IaaS control planes.
  • Developer toolchain exploitation (e.g., Git CVE‑2025‑48384) continues to present supply‑chain risk; reinforce provenance controls (SBOMs, signed artifacts).

X. Contact Information

Meraal Cyber Security (MCS) – Threat Intelligence Team

  • Website: www.meraal.me
  • Email: office@meraal.me | naveed@meraal.me
  • Phone: +92 42 357 27575 | +92 323 497 9477

Note on Sources & Intelligence:
This report synthesizes data from CISA, MS-ISAC, MITRE, law enforcement press releases, leading cybersecurity vendors, and internal MCS analysis. Confirmed intelligence is separated from unverified speculation to maintain accuracy and credibility.
