Cyber Security Headlines: September 4, 2025
Podcast: CISO Series – Cyber Security Headlines
Host: Hadas Kasorla
Episode Theme:
A quick-fire roundup of the most critical cybersecurity incidents and evolving threats across fintech, enterprise, and the public sector: a thwarted payment heist, new state-backed malware, ongoing supply chain fallout, and the relentless adaptation of threat actors.
Key Stories and Discussion Points
1. Fintech Heist Thwarted at Sinqia S.A.
- Summary:
An attempt to steal roughly $130 million through fraudulent transfers on Brazil's Pix real-time payment system was detected and contained by Sinqia S.A., the Brazilian subsidiary of Evertec, before most of the money left the system.
- Key Details:
- Initial access came through credentials stolen from an IT vendor, not through a flaw in Pix itself.
- Sinqia halted its Pix transactions immediately after detecting the activity on Aug. 29.
- Outside forensic experts were brought in; part of the stolen funds has already been recovered.
- Regulators have since suspended Sinqia's access to Pix.
- No customer data appears to have been compromised, but the financial and reputational impact is still being assessed.
- Memorable Quote:
“No customer data appears affected, but the full financial and reputational impact is still under review.” (Hadas Kasorla, 01:00)
2. APT28 Deploys “NotDoor” Outlook Backdoor
- Summary:
Russia's state-backed APT28 is deploying a new Microsoft Outlook backdoor, dubbed “NotDoor”, that stays dormant until an incoming email containing a specific trigger keyword arrives, which makes it hard to spot with ordinary monitoring.
- Key Details:
- Sits dormant until it receives a trigger email (e.g., one containing “Daily Report”).
- Once triggered, it can exfiltrate data, execute commands, and remove traces of the triggering message.
- Because it generates no activity until the operator sends mail, the attacker keeps control while the implant stays quiet on the host.
- Notable Moment:
“They called it NotDoor because of the use of the word nothing in the code and not because it’s not a door—because it’s totally a door. A backdoor.” (Hadas Kasorla, 02:24)
3. Salesloft-Drift Supply Chain Fallout Spreads
- Summary:
The supply chain breach in which attackers used OAuth tokens stolen from the Salesloft Drift integration to read customers' Salesforce data continues to claim high-profile victims.
- Key Details:
- Cloudflare confirms the attackers accessed its Salesforce support case data and extracted 104 Cloudflare API tokens, all of which have since been rotated.
- Palo Alto Networks and Zscaler have also confirmed they were affected.
- The stolen OAuth tokens were used between August 8 and 18.
- More companies may be named as the investigation expands.
- Memorable Quote:
“This is why we can’t have nice things.” (Hadas Kasorla, 03:12)
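The actionable part of Cloudflare's disclosure is that the tokens were sitting in support case text, where a customer had pasted them while asking for help. A practitioner's check is to scan ticket bodies for secret-like strings before they reach a CRM, and to rotate anything found. The scanner below is an added example for this summary, not code from Cloudflare, Salesloft, Drift, or Salesforce; the ticket bodies are constructed, and the token formats (a 40-character Cloudflare-style API token, an AWS access key ID, a bearer token) and the entropy threshold are assumptions.

```python
"""Scan support-ticket text for credentials that should never be stored in a CRM.

Added example; not code from any vendor named in the story. The ticket bodies
are constructed, and the token patterns and entropy threshold are assumptions.
"""
import math
import re
from collections import Counter

# Constructed sample of support-case text, as customers might paste it.
# "AKIAIOSFODNN7EXAMPLE" is AWS's documented example key ID, not a live key.
SAMPLE_TICKETS = {
    "CASE-1001": "Hi, the dashboard fails with 403. I'm using this token: "
                 "cf_api_token=AbCdEf0123456789aBcDeF0123456789aBcDeFgH "
                 "and my zone id is 0123456789abcdef0123456789abcdef",
    "CASE-1002": "Our cron job uses AKIAIOSFODNN7EXAMPLE with the attached policy.",
    "CASE-1003": "Please look at the error text: 'Invalid login for user alice'. "
                 "Repro string: " + "a" * 40,
    "CASE-1004": "curl -H 'Authorization: Bearer "
                 "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ4In0.sig123' https://api.example",
}

# kind -> (regex, needs_entropy_check). Patterns with a fixed prefix (AKIA...)
# are trusted as-is; generic shapes are gated on entropy to cut false positives.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), False),
    "bearer_token": (re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)"), True),
    # Assumption: a 40-char URL-safe token shaped like a Cloudflare API token.
    "cloudflare_api_token": (re.compile(r"\b[A-Za-z0-9_-]{40}\b"), True),
}
MIN_ENTROPY = 3.0  # bits per character; assumed threshold for "looks random"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated char."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return [(kind, secret), ...] for every credential-like string in text."""
    hits = []
    for kind, (pattern, check_entropy) in PATTERNS.items():
        for m in pattern.finditer(text):
            secret = m.group(m.lastindex or 0)  # captured group if any, else whole
            if check_entropy and shannon_entropy(secret) < MIN_ENTROPY:
                continue  # e.g. a 40-char run of 'a' is a repro string, not a key
            hits.append((kind, secret))
    return hits


def scan_tickets(tickets: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map case id -> findings, only for cases that actually contain secrets."""
    return {cid: find_secrets(body) for cid, body in tickets.items()
            if find_secrets(body)}


def redact(text: str) -> str:
    """Replace each secret with a placeholder keeping a 4-char prefix, enough for
    the owner to identify which credential to rotate without re-storing it."""
    for kind, secret in find_secrets(text):
        text = text.replace(secret, f"[{kind}:{secret[:4]}...REDACTED]")
    return text


if __name__ == "__main__":
    for case_id, hits in scan_tickets(SAMPLE_TICKETS).items():
        for kind, secret in hits:
            print(f"{case_id}: {kind} {secret[:4]}... -> rotate this credential")
```

Run it over a ticket export to get a rotation list, or call `redact()` from the hook that writes inbound cases into the CRM so the secret never lands there in the first place. The entropy gate is what keeps the generic 40-character pattern from flagging repro strings and identifiers; tune `MIN_ENTROPY` against your own ticket corpus.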
4. HexStrike AI: Red Team Tool Goes Rogue
- Summary:
HexStrike AI, an offensive-security framework built for authorized red teaming, is being turned by threat actors against recently disclosed vulnerabilities, with automated attacks launched sometimes within minutes of disclosure.
- Key Details:
- Orchestrates 150+ security tools through AI agents, from scanning to exploit delivery.
- Built-in retry logic raises the success rate of attack attempts.
- Vulnerable systems it identifies are being flagged and sold to other criminals.
- Reported targets include recently disclosed Citrix NetScaler vulnerabilities, exploited both as zero-days and as n-days.
- Notable Quote:
“By orchestrating more than 150 security tools through AI agents, it scans, crafts and delivers exploits on its own.” (Hadas Kasorla, 04:04)
5. FSB Operatives Indicted for Global Infrastructure Hacks
- Summary:
The US State Department is offering up to $10 million for information on three Russian FSB officers from Center 16 (tracked as Berserk Bear, Blue Kraken, Dragonfly, and other names), linked to critical infrastructure intrusions spanning more than 130 countries.
- Key Details:
- Targeted the US Nuclear Regulatory Commission and hundreds of other energy-sector organizations between 2012 and 2017.
- Recently linked to exploitation of Cisco routers on US networks.
- Anonymous tips can be submitted through the Rewards for Justice Tor channel.
- Memorable Quote:
“A bear, a Kraken and a Yeti walk into a breach...” (Hadas Kasorla, 05:02)
6. Iranian State-Backed “Homeland Justice” Phishing Campaign
- Summary:
A global spear-phishing campaign is targeting embassies and large organizations from more than 100 compromised email accounts, using lures disguised as official documents to install persistent malware.
- Key Details:
- Messages were sent from, among other hijacked accounts, a compromised mailbox at Oman's Foreign Ministry in Paris.
- Lures ask recipients to enable macros in fake Word documents, which then install the malware.
- Researchers attribute the operation to Iran's Ministry of Intelligence; the goal is espionage, not profit.
- Notable Moment:
“Security researchers say the operation is espionage, not crime for profit, and attribute it to Iran’s Ministry of Intelligence.” (Hadas Kasorla, 06:02)
7. Dark Web Fake ID Marketplace Seized (Sort Of)
- Summary:
US and Dutch law enforcement seized VerifTools, a marketplace selling counterfeit IDs and financial documents, but the operators have already relaunched the service under a new domain.
- Key Details:
- VerifTools sold documents for as little as $9 and took in about $6.4 million since 2022.
- Two dozen servers were seized; the operators quickly resurfaced elsewhere.
- Notable Quote:
“...in a twist that feels on brand, the operators have already relaunched the service under a new domain, giving the fake identity ring a fresh identity of their own.” (Hadas Kasorla, 07:04)
8. Android Patch: 120 Flaws Fixed, 2 Zero-Days
- Summary:
Google's September 2025 Android update patches 120 vulnerabilities, including two zero-days already being exploited in the wild.
- Key Details:
- Both zero-days are local privilege-escalation flaws requiring no user interaction: one in the Android kernel (which can lead to full device compromise) and one in the Android Runtime.
- Fixes ship in two stages so device makers can roll them out across different hardware.
- Users should install the update as soon as their device maker offers it.
- Notable Quote:
“The updates are being rolled out in two stages, giving device makers flexibility in deploying fixes across different hardware.” (Hadas Kasorla, 08:03)
Notable Quotes & Memorable Moments
- “No customer data appears affected, but the full financial and reputational impact is still under review.” (01:00)
- “They called it NotDoor because of the use of the word nothing in the code and not because it’s not a door—because it’s totally a door. A backdoor.” (02:24)
- “This is why we can’t have nice things.” (03:12)
- “By orchestrating more than 150 security tools through AI agents, it scans, crafts and delivers exploits on its own.” (04:04)
- “A bear, a Kraken and a Yeti walk into a breach...” (05:02)
- “...in a twist that feels on brand, the operators have already relaunched the service under a new domain, giving the fake identity ring a fresh identity of their own.” (07:04)
Timestamps for Key Segments
- Fintech Heist Foiled — 00:30–01:30
- APT28 “NotDoor” Malware — 01:30–02:30
- Salesloft/Drift Fallout Continues — 02:30–03:30
- HexStrike AI Abused — 03:30–04:30
- Russian FSB Critical Infrastructure Attacks — 04:30–05:30
- Iranian Homeland Justice Phishing — 05:30–06:30
- Fake ID Marketplace Seizure & Rebirth — 06:30–07:30
- Android 120-Flaw Patch — 07:30–08:30
Tone and Style
Brisk, slightly sardonic, and deeply informed—a style that keeps even complex security topics accessible and engaging without sacrificing substance.
For full stories and links, visit cisoseries.com.
