Today’s security intelligence digest is led by an urgent FBI warning about threat actors actively targeting Salesforce platforms. Critical infrastructure is also under fire, with a significant ransomware attack shutting down a Texas school district and another hitting a Brazilian healthcare provider. Additionally, new research reveals a hardware-level ‘Phoenix’ attack that bypasses modern memory defenses and a NotPetya-like ransomware with UEFI compromise capabilities.
Top 5 Critical Security Alerts
- FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms. The FBI has issued an urgent warning about cybercriminal groups, including Scattered Spider, actively targeting and compromising Salesforce platforms.
- Uvalde school district says ransomware attack forcing closure until Thursday. A ransomware attack has forced the Uvalde, Texas school district to close for several days after impacting critical operational systems such as phones and visitor management.
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory. Researchers have developed a new “Phoenix” attack, a Rowhammer variant capable of bypassing the latest security protections in modern DDR5 memory chips from SK Hynix.
- HybridPetya Mimics NotPetya, Adds UEFI Compromise. A new ransomware strain named HybridPetya emulates the destructive NotPetya malware and includes a UEFI bootkit to achieve persistence and bypass Secure Boot.
- KillSec Ransomware Hits Brazilian Healthcare Software Provider. The KillSec ransomware group has targeted a major Brazilian healthcare software provider, compromising the supply chain and stealing sensitive patient data.
Threat Intelligence (APT, malware, ransomware)
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs. The China-linked APT group Mustang Panda is using a new USB worm, SnakeDisk, to deploy the Yokai backdoor, specifically targeting devices with IP addresses in Thailand.
- AI-Forged Military IDs Used in North Korean Phishing Attack. The North Korean Kimsuky group is reportedly using AI tools such as ChatGPT to create convincing fake military IDs for use in sophisticated spear-phishing campaigns.
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks. A malware campaign is using SEO poisoning and fake software sites to target Chinese-speaking users with multiple remote access trojans, including HiddenGh0st and Winos.
Security Breaches & Incidents
- Company that owns Gucci, Balenciaga, other brands confirms hack. Kering, the parent company of luxury brands such as Gucci, confirmed a data breach affecting customer information but stated that no credit card data was stolen.
- Google confirms fraudulent account created in law enforcement portal. Google acknowledged that attackers successfully created a fraudulent account in its Law Enforcement Request System (LERS), potentially to submit bogus data requests.
- FinWise insider breach impacts 689K American First Finance customers. FinWise Bank reports a data breach caused by a former employee who accessed sensitive files after their employment ended, impacting nearly 700,000 customers.
Security Tools & Best Practices
- Microsoft: Exchange 2016 and 2019 reach end of support in 30 days. Microsoft issued a final reminder that Exchange Server 2016 and 2019 will reach end of support in October, urging administrators to migrate to supported versions.
- Microsoft says Windows September updates break SMBv1 shares. Microsoft has confirmed that recent Windows security updates are causing connectivity issues for the legacy and insecure SMBv1 protocol.
- AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads Amid Abuse Concerns. An AI-powered penetration testing tool named Villager has seen rapid adoption on PyPI, raising concerns that it could be abused by malicious actors.
Emerging Security Technologies (AI, XDR, CNAPP)
- Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers. Kaspersky researchers detail how the Model Context Protocol (MCP) for AI integration can be abused, creating new attack vectors for supply chain attacks.
- ‘Lies-in-the-Loop’ Attack Defeats AI Coding Agents. A new “Lies-in-the-Loop” attack demonstrates how AI coding assistants can be manipulated with false information to introduce vulnerabilities into code.
- OpenAI releases GPT-5 Codex designed for bug fixes and code generation. OpenAI has launched GPT-5 Codex, a new AI model specialized in automated coding tasks such as generating tests, fixing bugs, and refactoring code.
