Cyber Security Headlines: August 26, 2025
Host: Hadas Kasorla | Podcast: CISO Series
Main Theme:
A fast-paced roundup of significant cyber incidents worldwide, ranging from high-profile breaches to fresh campaign tactics and evolving cybercrime trends.
Key Discussion Points & Insights
1. Salesforce Breach Hits Farmers Insurance
- Details:
  - Attackers accessed 1.1 million Farmers Insurance customers’ data through a breach in Salesforce’s systems.
  - Exposed data: names, addresses, dates of birth, driver’s license numbers, and partial Social Security numbers.
  - The attack, which happened in late May, is part of a broader spree by the Shiny Hunters group that has already hit Google, Workday, and Allianz Life.
- Tactics:
  - Voice phishing (vishing) was used to trick employees and exfiltrate data from Salesforce instances across multiple companies.
- Host's Reaction:
  - "How is this still tricking people?" (00:51)
2. Global UpCrypter Phishing Campaign
- Vector:
  - Victims receive emails posing as missed-call alerts or purchase orders, complete with company logos and domains to increase credibility.
  - Clicking “Play voicemail” leads to a phishing page that prompts the download of a malicious zip file (UpCrypter or a JavaScript loader).
- Impact:
  - Remote access tools are installed for spying and theft.
  - Sectors hit include healthcare, manufacturing, retail, and construction.
  - Activity observed in Austria, Canada, Egypt, India, and Pakistan.
3. APT36 Intensifies Attacks on Indian Agencies
- Evolution:
  - The Pakistan-linked APT36 (historically known for web defacement and basic data theft) now uses more advanced techniques.
- Tactics:
  - Phishing emails mimicking official Indian government contracts deliver malicious files.
  - The payload downloads malware from Google Drive and opens a decoy PDF, quietly granting spy access to Linux machines.
- Quote:
  - "From tagging to bagging, APT36 is stepping up from simple hacks to more advanced techniques..." (02:03)
4. macOS Malware Spreads via Fake Tech Support
- Threat Actor:
  - “Cookie Spider” is distributing Shamos (a variant of the Atomic macOS stealer) globally; over 300 environments have been affected since June 2025.
- Technique:
  - Malicious ads and fake tech support sites prompt users to run “fix commands” in Terminal, bypassing security controls to install the stealer.
- Consequences:
  - Theft of browser logins, keychain data, Apple Notes, and crypto wallets.
  - Potential installation of counterfeit apps such as “Fake Ledger Live.”
5. Critical Docker Desktop Vulnerability
- Flaw:
  - An exposed API in Docker Desktop (Windows/macOS) allowed a breakout from a container to the host system using just two HTTP requests.
- Mitigation:
  - Docker Desktop users are urged to update to version 4.4.3 (released August 20); Docker Engine on Linux is not affected.
6. Chinese Hacking Group Targets Southeast Asian Diplomats
- Group:
  - Known as Earth Estres, Fishmonger, or UNC6384.
- Method:
  - Compromised Wi-Fi at hotels, airports, and conferences via captive portal hijacking.
  - Fake Adobe plugin updates deployed a PlugX backdoor to enable surveillance.
- Attribution:
  - Google's Threat Analysis Group detected the activity in March and reported its findings this week.
7. Major Cybercrime Crackdown: Interpol’s Operation Serengeti 2.0
- Results:
  - 1,200 arrests, $97 million recovered, and over 11,000 pieces of malicious infrastructure dismantled.
- Scope:
  - Ransomware, BEC, and crypto scams affecting 88,000+ victims with nearly $500 million in losses.
  - Notable busts: a $300 million crypto fraud in Zambia and $37 million in illegal mining rigs in Angola.
- Collaboration:
  - Backed by 18 African nations, the UK, and companies including Kaspersky, Group-IB, and Fortinet.
8. Image-Based AI Prompt Injection
- Discovery:
  - Trail of Bits researchers unveiled a method (the "image scaling attack") for smuggling malicious AI prompts: the text is invisible at full image size and only becomes legible once the image is downscaled.
- Implication:
  - The technique exploits how AI tools preprocess images before the model sees them, opening the door to automated prompt injection or data exfiltration.
- Quote:
  - "Steganography isn't a dinosaur. Researchers revive it in an AI injection attack." (07:53)
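To make the downscaling mechanism concrete, here is an added illustration (not Trail of Bits' research code): a constructed 8x8 grayscale image whose nearest-neighbour downscale shows a pattern the full-size image barely displays, followed by a defender-side check that compares the model's downscale against an anti-aliased one. The choice of scalers, the threshold and the list-of-rows image format are all assumptions made for the demo.

```python
"""Image-scaling prompt injection: why a model's downscaled view can differ
from the full-size image, plus a defender-side divergence check. Added
illustration, not Trail of Bits' code. Assumed: the model side downscales
by nearest-neighbour sampling, the reference scaler is area averaging,
and images are lists of rows of 0..255 grayscale ints built inline."""

def nearest_downscale(img, factor):
    """Assumed model-side scaler: keep the top-left pixel of each block."""
    return [[img[y][x] for x in range(0, len(img[0]), factor)]
            for y in range(0, len(img), factor)]

def area_downscale(img, factor):
    """Reference scaler: average every factor x factor block (anti-aliased)."""
    out = []
    for y in range(0, len(img), factor):
        row = []
        for x in range(0, len(img[0]), factor):
            block = [img[yy][xx] for yy in range(y, y + factor)
                     for xx in range(x, x + factor)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out

def build_hidden_image(size, factor, message_mask):
    """Constructed test sample: a light image whose sampled pixels (top-left
    of each block) carry a dark pattern given by message_mask, a 0/1 grid at
    the downscaled resolution. At full size only 1 pixel in 16 is dark."""
    img = [[240] * size for _ in range(size)]
    for by, row in enumerate(message_mask):
        for bx, bit in enumerate(row):
            if bit:
                img[by * factor][bx * factor] = 0
    return img

def scaling_divergence(img, factor):
    """Mean absolute difference between the two downscales: near zero for a
    benign image, large when content only appears after model-side scaling."""
    a, b = nearest_downscale(img, factor), area_downscale(img, factor)
    diffs = [abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb)]
    return sum(diffs) / len(diffs)

def looks_like_scaling_attack(img, factor, threshold=40):
    """Heuristic gate (threshold is an assumption): flag images for review, or
    show the user the downscaled view, before they reach the model."""
    return scaling_divergence(img, factor) > threshold

if __name__ == "__main__":
    sample = build_hidden_image(8, 4, [[1, 0], [0, 1]])
    print(nearest_downscale(sample, 4), area_downscale(sample, 4),
          looks_like_scaling_attack(sample, 4))
```

The practical mitigation the check supports is the same one the research points at: preview, or at least measure, what the model will actually see after preprocessing rather than trusting the full-size image.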
9. Vendor Outreach Issues for CISOs
- Pain Point:
  - CISOs are overwhelmed by vendor pitches and sales emails, leading to ineffective communication and aggressive filtering.
- Upcoming Podcast Teaser:
  - "How can the industry create meaningful contact between vendors and CISOs rather than just default to volume?...One of the segments we dig into on this week’s episode." (09:20)
Notable Quotes and Memorable Moments
- “If Salesforce flutters its wings in San Francisco, Farmers Insurance confirms that 1.1 million customers were swept up in the same Salesforce targeted hack…” — Hadas Kasorla (00:16)
- “Once in, Shamos steals browser logins, keychain secrets, Apple notes and crypto wallets, and can even drop spoofed apps like Fake Ledger Live.” — Hadas Kasorla (02:53)
- “A critical bug in Docker Desktop for Windows and macOS allowed containers to break free and take over the host by abusing an exposed API…” — Hadas Kasorla (04:00)
- “Serengeti? More like Serengadim. Interpol’s Operation Serengeti 2.0 was one of the largest cybercrime crackdowns in Africa…” — Hadas Kasorla (06:37)
- “Steganography isn’t a dinosaur. Researchers revive it in an AI injection attack…” — Hadas Kasorla (07:53)
- “Look at the inbox of any CISO and you’ll either find an endless stream of vendor outreach emails or some very robust filtering rules.” — Hadas Kasorla (09:20)
Timestamps for Important Segments
- 00:16 — Salesforce breach impacts Farmers Insurance, details of the customer data leak
- 01:10 — Global UpCrypter phishing campaign methodology and reach
- 02:03 — APT36's evolving attack methods against Indian agencies
- 02:53 — macOS stealer “Shamos” spread via fake tech support
- 04:00 — Docker Desktop vulnerability explained and mitigation advice
- 05:12 — Chinese espionage group compromises public Wi-Fi to target diplomats
- 06:37 — Interpol’s Operation Serengeti 2.0 cybercrime crackdown outcomes
- 07:53 — New image-based prompt injection attack on AI tools
- 09:20 — CISO vendor outreach pain points and podcast teaser
In Summary
This episode walks through a series of fast-moving, high-impact cybersecurity incidents, connecting industry trends with technical insight and real-world consequences. The show covers key breaches, evolving attack techniques (including new phishing and prompt injection strategies), law enforcement successes, and persistent industry challenges around security communication and vendor management. Each story is delivered with the show's signature mix of urgency, clarity, and subtle humor.
