
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Tuesday, August 26, 2025. I'm Hadas Kasorla.

If Salesforce flutters its wings in San Francisco. Farmers Insurance confirms that 1.1 million customers were swept up in the same Salesforce-targeted hack that has already hit companies like Google, Workday and Allianz Life. Farmers says attackers gained access through third-party vendor Salesforce's system in late May, exposing names, addresses, dates of birth, driver's license numbers and partial Social Security numbers. The breach is part of a wider spree tied to the ShinyHunters group, which used voice phishing to trick employees and exfiltrate data from Salesforce instances across industries.

How is this still tricking people? A global phishing campaign is blasting out fake voicemails and purchase order emails to trick people into downloading malware. Victims get an email that looks like a missed call alert with a "Play voicemail" button leading to a phishing page dressed up with their own company logo and domain. From there, they're pushed to grab a zip file carrying UpCrypter or a JavaScript loader that installs remote access tools for spying and theft. The campaign, active since August, is hitting industries from healthcare and manufacturing to retail and construction, with major activity seen in countries including Austria, Canada, Egypt, India and Pakistan.

From tagging to bagging. APT36 is stepping up from simple hacks to more advanced techniques. Known for defacing Indian websites and stealing sensitive data, the Pakistan-linked group is still going after Indian government agencies, but this time with malware aimed at Linux computers. The attackers sent phishing emails disguised as routine government contract paperwork, such as purchase orders or bidding documents, to trick officials into opening them. Inside were malicious files that downloaded malware from Google Drive, displayed a decoy PDF and quietly gave hackers a foothold for spying.

Fake tech support: how can I steal from you? A cybercrime group known as Cookie Spider is behind a new macOS campaign spreading SHAMOS, a variant of the Atomic macOS Stealer, through fake tech support websites and malicious ads. Victims are told to copy-paste a "fix" command into Terminal, which bypasses Gatekeeper to install the malware. Once in, SHAMOS steals browser logins, Keychain secrets, Apple Notes and crypto wallets, and can even drop spoofed apps like a fake Ledger Live. Active since June 2025, the campaign has targeted more than 300 environments worldwide, according to CrowdStrike.

A huge thank you to our sponsor, Prophet Security. Security teams are drowning in alerts. Many companies generate upwards of 1,000 or more alerts a day, and nearly half go ignored. That's where Prophet Security comes in. Their AI SOC platform automatically triages and investigates alerts so your team can focus on real threats instead of busy work. Faster response, less burnout, and lower risks to your business. Learn more at prophetsecurity.ai.

Does this bug make my container look vulnerable? A critical bug in Docker Desktop for Windows and macOS allowed containers to break free and take over the host. By abusing an exposed API inside Docker Desktop's lightweight VM, an attacker could mount the host drive and run a privileged container with just two HTTP requests. The flaw bypassed isolation features, but only affects Docker Desktop, not Docker Engine on Linux servers. Docker fixed the issue in version 4.4.3 on August 20th, and users are urged to update.

I'm going to need you to itemize this attack in your hotel expense. A China-linked group, known sometimes as Earth Estries or FishMonger, or the ever-memorable UNC6384, has been identified as the actor behind a campaign that turned Wi-Fi at hotels, airports and conference centers into espionage tools, targeting Southeast Asian diplomats and officials who would try to connect through the usual captive portal splash page. The attackers hijacked the connection and delivered a fake Adobe plugin update, which installed a backdoor tool called PlugX, giving the hackers access for surveillance. Google's Threat Analysis Group says it detected the activity in March. The findings were released this week.

Serengeti? More like Seren-get-'em. Interpol's Operation Serengeti 2.0 was one of the largest cybercrime crackdowns in Africa, resulting in 1,200 arrests, $97 million recovered and more than 11,000 malicious infrastructures dismantled. The three-month sweep was backed by investigators from 18 African nations and the UK, and targeted ransomware, business email compromise and crypto scams that hit nearly 88,000 victims, with almost half a billion in losses. Highlights included busting a $300 million crypto fraud in Zambia tied to human trafficking, seizing $37 million in illegal mining rigs in Angola, and dismantling transnational scams in Côte d'Ivoire. Interpol credited intelligence sharing from companies like Kaspersky, Group-IB and Fortinet.

Steganography isn't a dinosaur: researchers revive it in an AI injection attack. Security researchers at Trail of Bits, Kikimora Morozova and Suha Sabi Hussain, have uncovered a new attack that hides malicious prompts inside everyday images. The method, called an image scaling attack, exploits the fact that most AI tools automatically shrink pictures before analyzing them. At full size, the images look harmless, but once downscaled, hidden instructions appear, telling the AI to leak data or execute commands. It's an updated spin on steganography, which is the art of hiding secrets in images, but it's engineered to exploit how AIs process images. The researchers warn this could be used for prompt injection attacks.

Look at the inbox of any CISO and you'll either find an endless stream of vendor outreach emails or some very robust filtering rules. Every CISO is quick to point out that the current vendor playbook is vexing and inefficient. So how can the industry create meaningful contact between vendors and CISOs rather than just default to volume? That's one of the segments we dig into on this week's episode of the CISO Series Podcast. Look for the episode "New Study Finds No Email Has Ever Found You Well" wherever you get your podcasts. If you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you.

Reporting for the CISO Series, I'm Hadas Kasorla, and I'm probably not an AI. Stay alert, stay patched, stay hydrated. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Hadas Kasorla | Podcast: CISO Series

Main Theme:
A fast-paced roundup of significant cyber incidents worldwide, ranging from high-profile breaches to fresh campaign tactics and evolving cybercrime trends.

This episode walks through a series of fast-moving, high-impact cybersecurity incidents, connecting industry trends with technical insight and real-world consequences. The show covers key breaches, evolving attack techniques (including new phishing and prompt injection strategies), law enforcement successes, and persistent industry challenges around security communication and vendor management. Each story is delivered with the show's signature mix of urgency, clarity, and subtle humor.