Cyberdudebivash

Cyber Threat Intel — 10 August 2025 (IST)

By CyberDudeBivash — Cybersecurity & AI

Executive summary (today’s biggest movers)

  • Google breach notifications finished: Google confirmed ShinyHunters/UNC6040 exfiltrated business-contact data from a corporate Salesforce instance (prospective Google Ads customers). Impacted orgs were notified by Aug 8. Treat follow-on spear-phish as high-likelihood. BleepingComputer
  • Linux kernel LPE from Chrome renderer: Project Zero detailed a real-world kernel-priv-esc chain (CVE-2025-38236) via the rare MSG_OOB path on AF_UNIX sockets, reachable from a Linux Chrome renderer sandbox. Kernel fixes landed; Chromium now blocks MSG_OOB in renderers. Patch priority: urgent for Linux desktops used for browsing. googleprojectzero.blogspot.com
  • AI agents ‘0-click’ data exfil: The AgentFlayer research shows a poisoned doc can drive ChatGPT Connectors (e.g., Google Drive) to search and exfil secrets via an image URL—no extra clicks. Mitigations exist but bypasses were shown. Lock down connectors and strip remote images in agent UIs. WIREDZenity Labs
  • Exchange hybrid warning: CVE-2025-53786 in hybrid Exchange can enable domain compromise across on-prem + M365 if legacy trust is misconfigured. CISA issued an Emergency Directive (ED 25-02) with a deadline of Aug 11 (EDT) for US federal agencies; everyone else should follow the same playbook. CISA+1TechRadar
  • OT/ICS: Rockwell Arena Simulation memory-corruption bugs (DOE file parsing) fixed Aug 5; prioritize where Arena models are opened from shared/untrusted paths. Rockwell AutomationCISA
  • Ransomware live: City of St. Paul confirms ransomware; city-wide resets and service impact continue—good case study for municipal continuity planning. Star Tribune

What’s new & why it matters

1) Google’s Salesforce breach → targeted outreach risk

  • What’s confirmed: Notifications state basic business contact info and notes for prospective Ads customers were exposed; consumer Gmail/Ads account data not affected. ShinyHunters tied this to their ongoing Salesforce data-theft campaign (social-engineering initial access + mass export). Expect extortion emails and “billing/profile change” lures. BleepingComputer

Immediate actions

  • Create detections for Ads billing profile changesnew admin invites, and role escalations within 72h of external comms mentioning Google/Ads.
  • Brief finance/marketing: verify sender via console contacts, never via email phone numbers.

2) Linux kernel LPE via MSG_OOB in AF_UNIX (CVE-2025-38236)

  • Exploitability: Jann Horn (P0) shows read/write primitives and KASLR break from a Chrome renderer → root on Debian; Chromium now blocks MSG_OOB in renderers. Linux stable has fixes; feature is extremely niche but was enabled by default. googleprojectzero.blogspot.com

Patch/hardening

  • Roll kernel updates carrying CVE-2025-38236 fixes; verify distro backports.
  • Ensure Chrome/Chromium versions include the renderer MSG_OOB block.
  • In custom sandboxes, filter syscall flags, not just syscalls (seccomp-BPF). googleprojectzero.blogspot.com

3) ChatGPT Connectors ‘0-click’ exfil (AgentFlayer)

  • Attack chain: Hidden prompt in a shared doc instructs ChatGPT (with Drive/SharePoint/GitHub connectors) to search storage and embed secrets into an image URL that auto-renders, leaking data via request params; Azure Blob can bypass URL-safety heuristics. Class risk persists across agents. WIREDZenity Labs

Mitigations (today)

  • Disable non-essential connectors; enforce allow-listed render domains or strip remote images in enterprise agent UIs.
  • Enforce DLP scans on Drive/SharePoint for secrets & PII; quarantine or tokenize.

4) Exchange hybrid (CVE-2025-53786) — fix before Monday (US time)

  • Risk: Mis-configured/legacy hybrid trust can let attackers pivot from on-prem Exchange to Exchange Online with elevated rights. CISA ED-25-02 sets an aggressive timeline; Microsoft guidance includes Hybrid Agent migration and service principal clean-upCISA+1

Do this now

  • Run Exchange Health Checker, rotate shared service principal secrets, and migrate to the Exchange Hybrid app where applicable. TechRadar

5) OT/ICS — Rockwell Arena Simulation

  • Bugs: Multiple memory-corruption CVEs (malicious DOE file open). Rockwell shipped updates Aug 5; CISA ICS advisory published. Exploit requires user open, so target user training and file reputation controls. Rockwell AutomationCISA

KEV & trends to watch

  • CISA KEV additions this week include D-Link NVR items and previously flagged Chromium ANGLE/GPU (CVE-2025-6558); use KEV as your emergency patch backlog. CISA

Detection engineering snippets (drop-in)

Elastic/Sentinel (KQL): suspicious external image egress from agent UIs

kqlCopyEdit// LLM/agent UI returning markdown images with long query strings (exfil sign)
AppTraces
| where Application == "InternalAgentUI" and Url has "http" and Url contains "?"
| extend qlen = strlen(parse_urlquery(Url))
| where qlen > 200

Linux (eBPF/telemetry idea): watch MSG_OOB on AF_UNIX

  • Instrument unix_stream_{sendmsg,recvmsg} and alert on flags & MSG_OOB from unprivileged PIDs (Chrome renderer, Electron apps). (Temporary until fleet patched.) googleprojectzero.blogspot.com

Exchange hybrid hygiene (PowerShell)

powershellCopyEdit# Identify legacy EWS or service principals with overbroad perms
Get-ServicePrincipal -AppId <Legacy-EWS-AppId> | Get-AzureADServiceAppRoleAssignment
# Migrate to Exchange Hybrid app & rotate credentials per MS/CISA guidance

Guidance: ED-25-02 and Microsoft advisories. CISA

Prioritized action plan (24–72 hours)

  1. Linux endpoints: deploy kernel fixes for CVE-2025-38236; update Chrome/Chromium. googleprojectzero.blogspot.com
  2. Exchange hybrid: perform CISA ED-25-02 steps (health check, migrate hybrid agent, service principal reset). CISA
  3. AI connectors: temporarily restrict Drive/SharePoint/GitHub connectors; block remote image rendering or enforce strict allow-list in agent UIs. Zenity Labs
  4. Sales/marketing: push anti-BEC brief re: Google Ads themed lures; monitor for Ads admin/billing changes. BleepingComputer
  5. OT/engineering: patch Rockwell Arena; enforce mark-of-the-web checks / sandbox for DOE files. Rockwell AutomationCISA

Quick intel cards

Ransomware — St. Paul, MN (municipal)
City confirms ransomware; resetting ~3.5k employee passwords as recovery continues. Validate your municipal/utility playbooks for identity resets and offline service continuity. Star Tribune

Evolving delivery — “FileFix”
New twist on ClickFix: convinces users to paste a crafted string in File Explorer’s address bar, spawning PowerShell → RAT → ransomware (Interlock). Update user training and EDR rules for File Explorer address bar abuse. TechRadar

Leave a comment

Design a site like this with WordPress.com
Get started