Malware Activity
Vulnerabilities in Authentication Protocols and Advanced Espionage Campaigns
Recent security analyses reveal critical vulnerabilities and threat actors posing significant risks to digital and governmental infrastructure. A newly identified downgrade attack exploits weaknesses in Microsoft Entra ID's FIDO-based authentication. This vulnerability allows attackers to force a fallback to less secure password methods and bypass multi-factor protections. Concurrently, a sophisticated cyber espionage operation, attributed to the threat group "Curly Comrades," leverages custom malware like "GnatSpy" to infiltrate government and diplomatic networks worldwide, using techniques such as spear-phishing and supply chain compromises. The group demonstrates high operational security and resourcefulness in collecting sensitive intelligence. These developments underscore the importance for organizations and governments to implement strict security controls, maintain vigilant monitoring, and adopt adaptive defenses to counteract evolving cyber threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: New Downgrade Attack Can Bypass FIDO Auth In Microsoft Entra ID Article
- BleepingComputer: Curly Comrades Cyberspies Hit Govt Orgs With Custom-malware Article
Threat Actor Activity
ShinyHunters and Scattered Spider Suspected in Coordinated Salesforce Attack Campaign
ShinyHunters has resurfaced after a year-long hiatus with a highly sophisticated campaign targeting Salesforce platforms at major organizations including Google, marking a decisive shift from its historic database breaches toward advanced social engineering operations closely aligned with Scattered Spider's methods. ReliaQuest's analysis, supported by infrastructure forensics and forum activity under the alias "Sp1d3rhunters," points to a possible collaboration between the two (2) groups, with operations dating back to mid-2024. The campaign spans sectors including retail, aviation, insurance, finance, and technology, leveraging coordinated phishing domains, Okta-branded credential harvesting sites, and highly targeted vishing (voice phishing) calls impersonating IT staff to trick victims into authorizing malicious Salesforce "connected apps" disguised as legitimate tools. Over 700 phishing domains were registered in 2025 (many themed around luxury brands such as Dior and Louis Vuitton) using Cloudflare-masked infrastructure, consistent naming conventions, and VPN obfuscation to exfiltrate data. Targeting patterns have shifted since July 2025, with a 12% increase in attacks on financial services and a slight decline in technology sector focus; the U.S. remains the most affected, though UK organizations have also been hit. ReliaQuest warns that the speed, adaptability, and coordinated nature of these operations present a rapidly escalating threat, urging organizations to strengthen defences against phishing, vishing, and credential theft, enforce MFA, restrict admin permissions, monitor for suspicious domain registrations, and prepare for intensified cross-sector attacks in the coming months.
- Cyber Security News: ShinyHunters and Scattered Spider SalesForce Campaign Article
- ITBrief: ShinyHunters and Scattered Spider SalesForce Campaign Article
Vulnerabilities
CISA Warns of Active Exploitation of N-able N-central Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning after adding two (2) actively exploited flaws in N-able's N-central Remote Monitoring and Management (RMM) platform to its Known Exploited Vulnerabilities (KEV) catalog. The first vulnerability, tracked as CVE-2025-8875, is an insecure deserialization vulnerability. The second flaw, tracked as CVE-2025-8876, is a command injection flaw caused by improper input sanitization. Both require authentication to exploit but could allow attackers to execute commands on affected systems. N-able has patched the issues in N-central versions 2025.3.1 and 2024.6 HF2, released August 13, 2025, and urges customers to upgrade immediately, enable multi-factor authentication (particularly for admin accounts), and secure their environments before full technical details are published. While there is no current evidence linking these exploits to ransomware, Shodan data indicates roughly 2,000 N-central instances are exposed online, primarily in the U.S., Australia, and Germany. Federal Civilian Executive Branch (FCEB) agencies are mandated to patch no later than August 20, 2025, under Binding Operational Directive 22-01, and CTIX analysts strongly encourage all organizations to do the same to mitigate the significant security risks posed by these vulnerabilities.
- Bleeping Computer: N-able N-central Vulnerabilities Article
- The Hacker News: N-able N-central Vulnerabilities Article