From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, September 4, 2025. I'm Hadas Kasorla.

Fintech foils bank heist. Cybercriminals attempted to steal $130 million by breaching Sinqia SA, the Brazilian arm of fintech firm Evertec, during a short-lived cyberattack on Brazil's Pix real-time payments system. The breach was detected on August 29, when stolen credentials from an IT vendor were used to try unauthorized business-to-business transfers. Sinqia immediately halted Pix transactions and brought in cybersecurity forensic teams. Part of the stolen funds have already been recovered, and Sinqia's access to Pix has been revoked by regulators. No customer data appears affected, but the full financial and reputational impact is still under review.

NotDoor backdoor. Security researchers say Russia's state-backed hacking group APT28 has rolled out a new tool called NotDoor that lets them secretly spy through Microsoft Outlook. The malware first has to be planted on a victim's computer, but instead of running constantly, it sits dormant until it sees a special trigger email with a keyword like "Daily Report." That message silently activates the backdoor, which then steals data, runs commands and erases its tracks. Analysts say APT28 uses this trick because it makes the malware stealthier, easier to control and harder to detect than a backdoor that's always open. They called it NotDoor because of the use of the word "nothing" in the code, and not because it's not a door, because it's totally a door. A backdoor.

Salesloft Drift impact continues drifting. The body count from the Salesforce Salesloft Drift supply chain breach keeps rising. Cloudflare has now confirmed attackers accessed its Salesforce support cases and extracted 104 API tokens, all since rotated. Palo Alto Networks has disclosed it was also affected, alongside Zscaler, after stolen OAuth tokens from Drift were used to break into Salesforce instances between August 8th and 18th. With three major security firms already on the roster, investigators warn more names could surface as the full extent of the compromise comes into focus.

This is why we can't have nice things. HexStrike AI, an AI-driven offensive security framework meant for red teaming, has been leveraged by threat actors to exploit newly disclosed vulnerabilities at high speed, sometimes within 10 minutes. By orchestrating more than 150 security tools through AI agents, it scans, crafts and delivers exploits on its own. The built-in retry logic allows exploit attempts to continue until successful, massively improving attacker success rates. Threat actors are also using the tool to flag vulnerable systems for resale to other criminals. The tool has already been used to exploit Citrix NetScaler zero-days and n-days.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO.

A bear, a Kraken and a Yeti walk into a breach. The US State Department has announced a reward of up to $10 million for information on three Russian intelligence officers accused of hacking US critical infrastructure. The operatives, Tyukov, Gavrilov and Akulov, are all part of the FSB's Center 16, who are also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly and Koala Team. Between 2012 and 2017, they allegedly carried out attacks on the Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation and hundreds of foreign energy companies across 135 countries. More recently, the group has been linked to exploiting Cisco router flaws against US networks. Tips can be submitted anonymously through the Rewards for Justice Tor channel.

Phishing diplomats. An Iranian state-sponsored group known as Homeland Justice has carried out a global phishing blitz against embassies, consulates and international organizations across Europe, Africa, Asia and the Americas, using over 100 hijacked email accounts, including one from Oman's Foreign Ministry in Paris. They sent fake Word documents that lured officials into enabling malicious macros. Once triggered, the malware installed itself to stay persistent, phoned home to a command server and collected system data. Security researchers say the operation is espionage, not crime for profit, and attribute it to Iran's Ministry of Intelligence.

Spies worldwide may have to delay their travel. Law enforcement in the US and the Netherlands have seized VerifTools, an online marketplace that sold counterfeit driver's licenses, passports and bank documents for as little as $9 to help criminals dodge Know Your Customer checks. Investigators say the site raked in $6.4 million since 2022 before the FBI and Dutch police pulled down its domains and more than two dozen servers. But in a twist that feels on brand, the operators have already relaunched the service under a new domain, giving the fake identity ring a fresh identity of their own.

120 Android security flaws updated. Google's September 2025 Android update fixes a whopping 120 vulnerabilities, including two zero-day flaws that are already being used in targeted attacks. One affects the Android kernel and could grant full device control, while the other hits the Android runtime and lets attackers escalate privileges, both requiring no user action. The updates are being rolled out in two stages, giving device makers flexibility in deploying fixes across different hardware. Google urges users and partners to apply the latest patch levels without delay.

We have a hard enough time managing the flow and security of data with humans. How are we supposed to address the speed and scale of data flows as we operationalize agentic AI? That's what we are trying to answer on this week's episode of Defense in Depth. Look for the episode "How are you managing the flow of AI data?" wherever you get your podcasts. If you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Hadas Kasorla, reporting for the CISO Series. Stay alert, stay patched, stay hydrated. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
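The NotDoor story above describes a backdoor that stays dormant until an inbound Outlook message carries a trigger keyword. The following is an added illustration, not code from the podcast or from any of the researchers it cites, of how a defender might triage mail-gateway logs for messages that look like such triggers: it parses JSON-lines records, flags any message whose subject or body contains a known trigger phrase, and scores the hit higher when the sender is external and the body is suspiciously short. The keyword list holds only the phrase the episode mentions; the organisation domain `example.com`, the scoring weights, and the sample log records are all constructed assumptions for the demo.

```python
import json
import re
from datetime import datetime

# Trigger phrase reported in the headline. Assumption: a real deployment would
# load this list from threat intelligence rather than hardcode a single entry.
TRIGGER_KEYWORDS = ("daily report",)

# Hypothetical organisation domain; mail from any other domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample of mail-gateway log records (JSON lines); not real data.
SAMPLE_LOG = """
{"ts": "2025-09-04T08:01:12Z", "from": "alice@example.com", "to": "bob@example.com", "subject": "Daily Report - sales", "body": "Attached as usual, see the spreadsheet."}
{"ts": "2025-09-04T08:02:40Z", "from": "noreply@mailer.test", "to": "bob@example.com", "subject": "Daily report", "body": "x"}
{"ts": "2025-09-04T08:03:05Z", "from": "carol@partner.test", "to": "bob@example.com", "subject": "Lunch?", "body": "The Daily Report looks good, thanks a lot."}
{"ts": "2025-09-04T08:04:00Z", "from": "dave@example.com", "to": "bob@example.com", "subject": "Q3 numbers", "body": "See attached."}
"""

SHORT_BODY_LIMIT = 20  # bodies shorter than this are treated as likely automated triggers


def parse_log(text):
    """Parse JSON-lines mail records, converting the timestamp to a datetime."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def sender_domain(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def matched_keywords(rec):
    """Return the trigger phrases found (whole-word, case-insensitive) in subject or body."""
    text = f"{rec.get('subject', '')} {rec.get('body', '')}".lower()
    return [kw for kw in TRIGGER_KEYWORDS
            if re.search(r"\b" + re.escape(kw) + r"\b", text)]


def find_trigger_candidates(records):
    """Flag messages carrying a trigger phrase; higher score means more suspicious.

    Score: 1 for the keyword hit, +1 if the sender is external,
    +1 if the body is shorter than SHORT_BODY_LIMIT characters.
    """
    findings = []
    for rec in records:
        hits = matched_keywords(rec)
        if not hits:
            continue
        external = sender_domain(rec["from"]) not in INTERNAL_DOMAINS
        short_body = len(rec.get("body", "")) < SHORT_BODY_LIMIT
        score = 1 + int(external) + int(short_body)
        findings.append({
            "ts": rec["ts"].isoformat(),
            "from": rec["from"],
            "to": rec["to"],
            "keywords": hits,
            "external_sender": external,
            "short_body": short_body,
            "score": score,
        })
    # Most suspicious first; stable sort keeps log order for equal scores.
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_trigger_candidates(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

A keyword match alone is noisy (a legitimate internal "Daily Report" will always fire), which is why the score layers on sender origin and body length; in practice the findings would be joined against endpoint telemetry for the receiving mailbox rather than acted on directly.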
Podcast: CISO Series – Cyber Security Headlines
Host: Hadas Kasorla
Episode Theme:
A quick-fire roundup of the most critical cybersecurity incidents and evolving threats dominating the fintech, enterprise, and public sectors, spotlighting clever heist prevention, new state-backed malware, ongoing supply chain fallout, and the relentless adaptation of threat actors.
“No customer data appears affected, but the full financial and reputational impact is still under review.” (Hadas Kasorla, 01:00)
“They called it Not Door because of the use of the word nothing in the code and not because it’s not a door—because it’s totally a door. A backdoor.” (Hadas Kasorla, 02:24)
“This is why we can’t have nice things.” (Hadas Kasorla, 03:12)
“By orchestrating more than 150 security tools through AI agents, it scans, crafts and delivers exploits on its own.” (Hadas Kasorla, 04:04)
“A bear, a Kraken and a Yeti walk into a breach...” (Hadas Kasorla, 05:02)
“Security researchers say the operation is espionage, not crime for profit, and attribute it to Iran’s Ministry of Intelligence.” (Hadas Kasorla, 06:02)
“...in a twist that feels on brand, the operators have already relaunched the service under a new domain, giving the fake identity ring a fresh identity of their own.” (Hadas Kasorla, 07:04)
“The updates are being rolled out in two stages, giving device makers flexibility in deploying fixes across different hardware.” (Hadas Kasorla, 08:03)
Brisk, slightly sardonic, and deeply informed—a style that keeps even complex security topics accessible and engaging without sacrificing substance.
For full stories and links, visit cisoseries.com.