Cybersecurity Newsletter - September 15, 2025
In this week's news: VoidProxy phishing-as-a-service bypasses MFA on Microsoft and Google accounts, massive 600GB Great Firewall of China data leak exposes censorship infrastructure, Windows 10 reaches end-of-support in 30 days affecting millions of users, and FBI warns of active Salesforce attacks by UNC6040 and UNC6395 threat groups.
Okta Threat Intelligence has uncovered VoidProxy, a sophisticated Phishing-as-a-Service (PhaaS) operation targeting Microsoft and Google accounts. This evasive service uses Adversary-in-the-Middle (AitM) techniques to intercept authentication flows in real time, capturing credentials, MFA codes, and session tokens. The platform employs multiple anti-analysis layers, including compromised email accounts, Cloudflare CAPTCHA challenges, and dynamic DNS services. Notably, accounts protected by phishing-resistant authenticators such as Okta FastPass successfully blocked these attacks.
https://sec.okta.com/articles/uncloakingvoidproxy/
MITRE ATT&CK framework updated with additional Adversary-in-the-Middle (T1557) sub-techniques, including LLMNR/NBT-NS poisoning, ARP cache poisoning, and DHCP spoofing
https://attack.mitre.org/techniques/T1557/
600GB Great Firewall of China Data Published in Largest Leak
Hacktivists from Enlace Hacktivista have released nearly 600GB of data allegedly linked to the Great Firewall of China, exposing source code, internal communications, and technical documentation from Geedge Networks and MESA Lab. The leak reveals how censorship technology is exported to governments in Myanmar, Pakistan, Ethiopia, and Kazakhstan through Belt and Road Initiative projects. This represents the most comprehensive exposure of China's internet censorship infrastructure to date.
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
The Identity Theft Resource Center reports that 91.3 million individuals were impacted by data breaches in Q1 2025, a 26% increase year-over-year despite flat incident volumes (824 events). The surge was primarily driven by the PowerSchool ransomware breach affecting 71.9 million education software users. Financial services experienced the most incidents, followed by healthcare and professional services. Concerningly, 68% of breach notices lacked actionable attack vector details, leaving victims more vulnerable to identity crimes.
https://www.infosecurity-magazine.com/news/us-data-breach-victim-count-surges/
Microsoft has issued a final reminder that Windows 10 will reach end-of-support on October 14, 2025, affecting millions of users still on the platform. After this date, devices will no longer receive security updates or bug fixes. Users can upgrade to Windows 11, enroll in the Extended Security Updates (ESU) program ($30 for home users, $61 for enterprises), or switch to LTSC releases. According to Statcounter, Windows 11 has finally surpassed Windows 10 with 53% market share.
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-windows-10-support-ending-in-30-days/
The FBI has issued warnings about threat actors UNC6040 and UNC6395 actively targeting Salesforce deployments to steal sensitive customer data. Google confirmed its own Salesforce CRM breach affecting prospective Google Ads customers, with ShinyHunters (UNC6040) sending extortion demands. Organizations are urged to review Salesforce security configurations and implement additional monitoring for suspicious API access patterns.
https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
https://securityaffairs.com/181017/data-breach/google-confirms-salesforce-crm-breach-faces-extortion-threat.html
Researchers demonstrated how publicly reachable domain controllers worldwide could be turned into a malicious DDoS botnet
https://thehackernews.com/2025/08/new-win-ddos-flaws-let-attackers-turn.html
Connex Credit Union: 172,000 members' personal and financial information stolen in June breach
https://www.bleepingcomputer.com/news/security/connex-credit-union-discloses-data-breach-impacting-172-000-people/
ShinyHunters Strikes Vietnam: National Credit Information Center breach exposes sensitive financial data
https://securityaffairs.com/182189/cyber-crime/shinyhunters-attack-national-credit-information-center-of-vietnam.html
The UK Information Commissioner's Office (ICO) found that students are responsible for the majority of data breaches in educational institutions, highlighting insider threats from non-malicious but careless or curious student activities that compromise school systems and data.
https://securityaffairs.com/182197/cyber-crime/uk-ico-finds-students-behind-majority-of-school-data-breaches.html
A new ransomware variant called HybridPetya has been discovered that can bypass UEFI Secure Boot protections, echoing techniques from the notorious Petya/NotPetya attacks. This represents a significant escalation in ransomware capabilities targeting fundamental system security mechanisms.
https://www.bleepingcomputer.com/news/security/new-hybridpetya-ransomware-can-bypass-uefi-secure-boot/
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
Samsung has released patches for a critical zero-day vulnerability that was being actively exploited in the wild. The vulnerability, reported by WhatsApp, affects image parsing on Samsung devices and could allow remote code execution.
https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/
https://thehackernews.com/2025/09/samsung-fixes-critical-zero-day-cve.html
The INC ransomware group has claimed responsibility for breaching Panama's Ministry of Economy and Finance, potentially exposing sensitive government financial data and citizen information in a significant attack on critical government infrastructure.
https://securityaffairs.com/182189/cyber-crime/inc-ransom-group-claimed-the-breach-of-panamas-ministry-of-economy-and-finance.html
Apple has issued its fourth warning this year to French users about a sophisticated spyware campaign targeting their devices, indicating persistent state-sponsored or advanced threat actor activity focused on French citizens and organizations.
https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html
CISA has added a critical vulnerability (CVE-2025-5086) in the Dassault Systèmes DELMIA Apriso manufacturing operations management platform to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
https://thehackernews.com/2025/09/critical-cve-2025-5086-in-delmia-apriso.html
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-dassault-rce-vulnerability/
A man has been sentenced to over four years in prison for selling unreleased movies, highlighting law enforcement's continued crackdown on digital piracy and intellectual property theft.
https://www.bleepingcomputer.com/news/security/man-gets-over-4-years-in-prison-for-selling-unreleased-movies/
Security researchers have detected new attack waves distributing Muck Stealer malware through sophisticated phishing campaigns, targeting credentials and sensitive information from infected systems.
https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/
Threat actors are exploiting SEO poisoning techniques to distribute HiddenGh0st, Winos, and KKRat malware, targeting Windows users searching for legitimate software through manipulated search results.
https://thehackernews.com/2025/09/hiddengh0st-winos-and-kkrat-exploit-seo.html