This past week was packed with high-severity disclosures and active exploitation reports across the global threat landscape. At the forefront, Apple rushed out emergency patches for yet another zero-day vulnerability affecting iOS, iPadOS, and macOS devices.
The flaw, reportedly being exploited in the wild, highlights the continued trend of nation-state and surveillance actors leveraging critical bugs in widely deployed consumer platforms for targeted attacks. For Apple users, the urgency around applying updates cannot be overstated, given the rapid weaponization seen in recent incidents.
Meanwhile, Google Chrome also received critical security updates addressing multiple vulnerabilities, including a high-severity type confusion issue within the V8 JavaScript engine.
As the world’s most widely used browser, any exploitable flaw has implications on a massive scale, making timely patching essential for both enterprise and consumer environments.
On the enterprise software front, Microsoft Copilot came under scrutiny following the disclosure of vulnerabilities that could allow data exposure and privilege escalation in specific deployment scenarios.
With AI assistants increasingly integrated into corporate workflows, these findings underscore both the opportunities and risks of adopting generative AI tools at speed.
Beyond patch advisories, significant cyber attack activity made headlines. Multiple sectors—including healthcare, finance, and critical infrastructure—reported ransomware and data extortion incidents, reinforcing the steady evolution of double-extortion tactics. State-backed groups were also observed engaging in espionage-focused intrusions, continuing the geopolitical use of cyber operations as a lever of influence.
Overall, Aug 18–24 illustrated the dual-edged nature of today’s threat landscape: vendors rapidly pushing out fixes for previously unknown bugs, while adversaries remain equally quick in exploiting them. For defenders, the week was yet another reminder that patch velocity, threat intelligence, and layered resilience continue to define the modern cybersecurity battlefield.
Cyber Attacks
1. Surge in Back-to-School Shopping Scams
Cybercriminals are exploiting the seasonal shopping rush with sophisticated fake retail sites, phishing lures, and manipulated delivery notifications. These malicious websites leverage AI-driven visuals and aggressive social media ads to mimic legitimate retailers, harvesting credit card and login credentials through backend JavaScript payloads. Automated platforms enable rapid fake site deployment, evading basic detection with randomized domains and SSL certificates. Immediate credential exfiltration and persistent account compromise are common outcomes for victims.
2. Hackers Weaponizing Cisco’s Secure Links
A newly discovered attack vector abuses Cisco’s Safe Links technology, converting this security feature—traditionally used to screen email links—into a shield for phishing and credential theft. Attackers embed malicious URLs within trusted Cisco-branded links, bypassing network filters and user skepticism by exploiting brand trust. Four primary techniques have been revealed, including insider compromise and SaaS integration abuse, making traditional email gateways less effective against these attacks.
3. Mass Compromise of Cisco Small Business Routers
Recent campaigns are exploiting known flaws in end-of-life Cisco routers, notably CVE-2018-0171, to hijack more than 5,000 devices for global surveillance. Vulnerable models include RV016, RV042, RV042G, RV082, RV320, and RV325, many left unpatched. Attackers transform these routers into traffic sniffer nodes using malicious scripts, leading to widespread data interception and network manipulation, including in critical sectors.
4. Microsoft 365 Phishing Campaigns Escalate
Adversaries are leveraging Microsoft 365’s infrastructure for advanced phishing. Key tactics include creating admin accounts, abusing forwarding rules, and manipulating tenant display information. Victims receive emails signed and delivered directly from Microsoft systems that appear legitimate, often containing transaction lures and fraudulent support information. Attacks are increasingly exploiting “Direct Send” features to spoof internal users without compromising accounts.
5. Russian Hackers Exploiting Old Cisco Router Flaw
Russian state actors, part of FSB Center 16/Berserk Bear, are actively exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco IOS and IOS XE software for persistent access and espionage. The flaw affects the “Smart Install” feature and enables attackers to execute arbitrary code or cause a DoS. Targets include telecom, education, and manufacturing organizations, with heavy activity focused on Ukraine and its allies.
6. Critical Apache Tika PDF Parser Vulnerability (CVE-2025-54988)
A severe XXE flaw impacts Apache Tika’s PDF parser (versions 1.13–3.2.1), posing risks of data exfiltration, SSRF, and DoS. Attackers can exploit maliciously crafted XFA files in PDFs to access sensitive system files and internal network resources. Upgrading to Tika 3.2.2 or implementing network-level restrictions is strongly advised.
7. VS Code Remote-SSH Extension Hacked
A high-impact vulnerability allows attackers to execute code on developers’ local machines via compromised remote servers and the VS Code Remote-SSH extension. Unsanitized SSH command arguments are exploited, with fixes available in newer extension versions. Malicious VSCode extensions have also been used to leak sensitive source code from major enterprises.
8. New MITM6 + NTLM Relay Attack: Rapid Domain Admin Escalation
Attackers combine MITM6 (Man-in-the-Middle for IPv6) with NTLM relay to compromise Windows AD domains in minutes. Rogue IPv6 router advertisements divert traffic for authentication interception and NTLM relaying, while default AD settings enable the creation and abuse of machine accounts for Kerberos delegation. This technique highlights the urgency of hardening AD configurations and monitoring network behavior.
Threats
1. North Korean Stealthy Linux Malware Leaked
A cache of advanced Linux hacking tools, attributed to a North Korean APT, has leaked online, exposing sophisticated rootkit malware. This stealthy toolkit leverages custom kernel modules to evade standard detection, achieving persistent access and enabling remote encrypted control—even bypassing common Linux security tools. The malware targets South Korean networks, and the leak offers rare insight into state-backed cyber-espionage.
2. Ransomware Surges in Japan
Ransomware incidents in Japan surged by 1.4 times in H1 2025 compared to the previous year, with 68 reported cases. Small and medium enterprises were primary targets, and the manufacturing sector was especially hard-hit. These attacks cause major operational disruptions, significant financial loss, and reputational damage, reinforcing the need for robust ransomware defenses.
3. QuirkyLoader Modular Malware Loader
Researchers have identified QuirkyLoader, a modular malware loader active since November 2024. Used in phishing emails, it’s delivered through DLL side-loading, installs via archive attachments, and deploys payloads such as Agent Tesla, AsyncRAT, Formbook, and Snake Keylogger. Campaigns have targeted IT companies in Taiwan and random users in Mexico, highlighting the loader’s versatility and sophistication.
4. PromptFix Attack Exploits AI-Powered Browsers
A fresh threat labeled “PromptFix” tricks AI-driven browsers into running malicious scripts by hiding instructions in web page elements, such as fake CAPTCHA checks. Security analysts warn that this drives new risks—like drive-by downloads—by making AI agents perform actions invisible to the user, bypassing standard user security instincts and browser controls.
5. UNC5518: Hacking Legitimate Sites with Fake CAPTCHAs
UNC5518, a financially motivated group, compromised trusted websites to inject fake CAPTCHA pages. These lures trick users into executing downloader scripts, resulting in installations of backdoors like CORNFLAKE.V3 for persistent access and malware deployment. This highlights the growing danger of initial access brokers in cybercrime-as-a-service models.
6. PDF Editor Trojan Campaign Converts Devices into Proxies
Threat actors have distributed trojanized PDF editor installers bearing valid code-signing certificates. Once installed, these tools covertly convert victims into residential proxies, evading detection and allowing attackers to monetize or use victim bandwidth for further attacks.
7. APT MuddyWater Phishing CFOs Worldwide
The Iranian-linked APT MuddyWater targets CFOs and financial executives globally in a spear-phishing campaign. Using customized recruiting lures and multi-stage payloads, attackers abuse OpenSSH and NetBird to install backdoors, enable RDP, and create stealthy admin accounts for persistent remote access.
8. Hackers Abuse VPS Servers to Attack SaaS Accounts
Adversaries increasingly exploit trusted system admin tools like OpenSSH (built into Windows 10+) and PuTTY, deploying trojanized variants to establish persistent backdoors. These “living off the land” attacks blend with legitimate network activity and often evade detection by standard security solutions.
9. Help TDS Hijacks Legitimate Sites via PHP Code
The Help TDS campaign hijacks websites with PHP templates, injecting redirection code to send users to fake Microsoft security alerts. Unique URL patterns (/help/?\d{14}, i.e. /help/? followed by a 14-digit value) are used to monitor and monetize traffic or deliver fraudulent content seamlessly through trusted websites.
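A defender-side check for the URL pattern quoted above, written for this recap as an added example (it is not code from the Help TDS research or from any vendor tool): it scans web-server access log lines for requests whose path is /help/? followed by exactly 14 digits and counts the referring pages, so a site owner can see which of their own pages carries the injected redirect. The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Help TDS redirect URLs look like /help/?<14 digits> (pattern from the recap).
# Anchored so that /help/?123 or a 15-digit value does not match.
HELP_TDS_RE = re.compile(r"^/help/\?\d{14}$")

# Minimal Apache/Nginx combined-log parser: client IP, timestamp, request line,
# status code, response size, referrer (the user agent field is ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)"'
)


def is_help_tds_url(path: str) -> bool:
    """True if the request path (no scheme/host) matches the Help TDS pattern."""
    return HELP_TDS_RE.match(path) is not None


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line is not combined-log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_help_tds_hits(lines):
    """Return (hits, referrer_counts): matching entries and the pages that sent them."""
    hits = []
    referrers = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_help_tds_url(rec["path"]):
            hits.append(rec)
            referrers[rec["referrer"]] += 1
    return hits, referrers


# Constructed sample log lines (not real traffic): two hits, three benign requests.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Aug/2025:10:01:02 +0000] "GET /help/?20250822100102 HTTP/1.1" 302 0 "https://example.test/blog/post-1"
203.0.113.11 - - [22/Aug/2025:10:01:05 +0000] "GET /help/ HTTP/1.1" 200 1024 "-"
203.0.113.12 - - [22/Aug/2025:10:02:40 +0000] "GET /help/?20250822100240 HTTP/1.1" 302 0 "https://example.test/blog/post-1"
203.0.113.13 - - [22/Aug/2025:10:03:00 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 5000 "https://example.test/"
203.0.113.14 - - [22/Aug/2025:10:03:30 +0000] "GET /help/?123 HTTP/1.1" 404 0 "-"
""".splitlines()

if __name__ == "__main__":
    hits, referrers = find_help_tds_hits(SAMPLE_LOG)
    print(f"{len(hits)} Help TDS-style redirect(s) found")
    for page, n in referrers.most_common():
        # The referring page is where the injected PHP redirect most likely lives.
        print(f"  referring page {page}: {n} hit(s)")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a non-empty referrer count points at the template to inspect.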
Vulnerabilities
1. Zero-Day Flaw Hits Elastic EDR: Bypass, RCE, and Persistent DoS
A critical zero-day in Elastic’s elastic-endpoint-driver.sys (v8.17.6+) enables attackers to blind the EDR, gain kernel-level code execution, install persistent drivers, and trigger repeated BSODs. The flaw (CWE-476: NULL Pointer Dereference) lets a user-mode controllable pointer crash or weaponize endpoints. No patch is available and all Elastic Defend/Agent users are currently at risk.
2. Rockwell ControlLogix Ethernet Vulnerability – Critical RCE in ICS
CVE-2025-7353—an insecure default configuration in Rockwell Automation’s ControlLogix Ethernet modules—permits remote code execution via a web debugger agent left enabled in production. Affected models include 1756-EN2T/D, EN2F/C, EN2TR/C, EN3TR/B, and EN2TP/A (≤ v11.004); patch available in 12.001. The flaw’s CVSS is 9.8 and can lead to full ICS compromise.
3. Over 1,000 N-able N-central RMM Servers Still Exposed
More than 1,000 N-able N-central RMM servers remain unpatched, exposed to zero-days CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection). Exploitation risks include lateral movement, ransomware, and data theft. Patching to 2025.3.1 is urgent.
4. SAP Zero-Day Exploit Script Leaked: CVE-2025-31324
Researchers disclosed a working exploit for CVE-2025-31324, a CVSS 10.0 remote code execution flaw in SAP Visual Composer. It allows unauthenticated attackers to upload arbitrary files and fully take over vulnerable systems. A patch has been released, and active exploitation has been seen.
5. SNI5GECT – New 5G Attack Technique Emerges
A novel attack method dubbed SNI5GECT targets 5G network protocol handling, enabling traffic interception and potential DoS against 5G infrastructure components. Details remain limited, but initial research suggests widespread exposure of mobile networks.
6. McDonald’s Free Nuggets Glitch Unveils Major Corporate Security Failures
A seemingly harmless app glitch allowed free food redemptions—leading to the discovery of major McDonald’s security lapses, including plaintext password emailing, insecure API keys, and exposed sensitive executive data. The flaws required aggressive researcher escalation to be patched.
7. Clickjacking Zero-Days Strike Major Password Managers
A zero-day clickjacking technique impacts 1Password, LastPass, Bitwarden, and more—enabling attackers to steal credentials and 2FA codes via malicious overlays. No vendor patches yet; heightened user vigilance is advised.
8. Chrome High-Severity Out-of-Bounds Write Vulnerability
Google patched CVE-2025-9132, a V8 JavaScript engine flaw allowing remote code execution and sandbox escape. All users must update to 139.0.7258.138/.139. A separate GPU stack bug (CVE-2025-6558) is also being actively exploited.
9. Microsoft Copilot Vulnerabilities Break Audit Trails, Expose Sensitive Files
M365 Copilot was found to have two severe issues: 1) audit-log circumvention, where asking Copilot not to include reference links in a summary left the underlying file access unlogged and therefore invisible to compliance monitoring, and 2) “EchoLeak” (CVE-2025-32711), which enables data exfiltration through prompt manipulation. Both are patched, but customer notification and audit coverage are lacking.
10. Apple Patches Actively Exploited Zero-Day Affecting iOS, macOS, iPadOS
Apple released urgent fixes for CVE-2025-43300, an out-of-bounds write in ImageIO abused via malicious image files in highly targeted attacks. Users are advised to update immediately.
Windows
1. Windows 11 24H2 Security Update Triggers Hardware Failures
The newly released Windows 11 24H2 (KB5063878) security update is causing significant issues, including SSD/HDD failures and potential data corruption. Users report that, besides installation problems with error code 0x80240069, successful installs can lead to drives becoming inaccessible and even data loss.
2. Windows Reset and Recovery Options Break After August Update
Microsoft’s August 2025 update (particularly KB5063709) has broken essential recovery features such as “Reset this PC” and other restoration options across Windows 10 and multiple Windows 11 versions. This flaw jeopardizes users’ ability to recover from incidents or reinstall Windows.
3. Microsoft Defender AI Spots Plaintext Credentials
Microsoft Defender now leverages AI to detect plaintext credentials exposed within Active Directory and Microsoft Entra ID environments. Early research revealed over 40,000 exposed credentials across 2,500 organizations—much of the risk stemming from non-human identities and unstructured AD attributes.
4. Microsoft Teams ‘Couldn’t Connect’ Error – Workaround and Security Advisory
A sidebar interface update caused a widespread “couldn’t connect” error in Microsoft Teams desktop and web apps. Microsoft is deploying a fix; meanwhile, users can bypass the error by launching Teams via the “Activity” or “Chat” sidebar icons. The issue is unrelated to a newly disclosed CVE-2025-53783 Teams vulnerability, which merits independent attention.
5. Emergency Fix for Windows Reset and Recovery Error
Related to the earlier reset disruption, Microsoft has released a critical out-of-band update to resolve the broken Windows recovery mechanisms that stemmed from Patch Tuesday releases.
6. Microsoft Office.com Experiences Major Outage
Office.com and associated cloud services recently suffered a major outage, leaving millions without access to essential productivity tools. Microsoft is investigating the root cause and working to restore global service.
Data Breach
Bragg Gaming Group: Cyber Attack Contained, No Customer Data Lost
Bragg Gaming Group, a leader in iGaming technology, reported a cybersecurity incident detected on August 16, 2025. The attack was rapidly contained and appears to have been limited to Bragg’s internal IT systems, with no evidence so far of customer or partner personal data exposure. Operations remain unaffected, and the company has engaged external cybersecurity experts for a thorough investigation.
Workday Data Breach: Social Engineering Targets Third-Party CRM
Workday disclosed a breach after attackers compromised a third-party CRM platform using sophisticated social engineering tactics. Attackers impersonated HR and IT personnel to solicit employee credentials and gained access to business contact data like names, emails, and phone numbers. No core systems or customer data were affected. Workday acted swiftly to terminate access and is emphasizing heightened security awareness for its workforce.
Allianz Life Data Breach: 1.1 Million Records Exposed Through CRM Vendor
In July, Allianz Life suffered a major data breach when hackers exfiltrated personal information on approximately 1.1 million customers via a third-party, cloud-based CRM platform. Exposed details include names, contact info, dates of birth, and, in some cases, Social Security numbers. The breach is attributed to the ShinyHunters group, who used social engineering against vendor staff. Internal Allianz systems were reportedly not compromised. Impacted customers are being offered free credit monitoring.
Colt Hit by Ransomware: WarLock Group Claims Responsibility
British telecom giant Colt Technology Services is working to restore its systems after a ransomware attack that began August 12, 2025. The WarLock group claims to have stolen more than a million internal documents, including customer, employee, and financial data, and has put the data up for sale. Some Colt services, such as API platforms, remain offline as the company coordinates with law enforcement for recovery.
Grok AI Chats Exposed in Google Search Results
More than 370,000 user conversations with Elon Musk’s Grok AI have been indexed by Google due to a ‘share’ feature that inadvertently made transcript URLs publicly searchable. Sensitive content—including passwords, business data, and instructions for illegal activities—was found among the indexed chats. Users were apparently unaware that shared conversations would be made public. xAI has not issued an official statement as of publication.
The post Weekly Cybersecurity News Recap: Apple 0-day, Chrome, Copilot Vulnerabilities and Cyber Attacks appeared first on Cyber Security News.