CyberDudeBivash | Breaking Threat Intel (past 12 hours)

1) China-linked Salt Typhoon / UNC4841: new infrastructure exposed

  • What happened: 45 previously unreported domains (some active since 2020) tied to Salt Typhoon & overlapping with UNC4841 (Barracuda ESG CVE-2023-2868 heritage).
  • Why it matters: Confirms long-running telecom targeting; fresh infra → add to blocklists, hunt for egress to new FQDNs.
  • Source: Silent Push research, covered today by The Hacker News.
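Worked example for the "hunt for egress to new FQDNs" step. This is an added illustration, not Silent Push's or THN's tooling, and the blocklist entries, log lines and "now" timestamp are constructed placeholders rather than the actual Salt Typhoon domains: it walks a proxy/DNS export, matches each name (or its registrable domain) against a blocklist, and lists names whose first appearance in the log falls inside the last 30 days.

```python
"""Added example (not from Silent Push or THN): hunt proxy/DNS logs for
first-seen FQDNs in a window and for hits on a freshly published blocklist.
The blocklist entries, log lines and 'now' timestamp below are constructed
placeholders; they are not the actual Salt Typhoon domains."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the published domain list (use the real one here).
BLOCKLIST = {"update-cdn.example", "mail-relay.example"}

# Constructed proxy/DNS export, one "<ISO-8601 UTC> <src_ip> <fqdn>" per line.
SAMPLE_LOGS = """\
2025-07-15T09:12:00Z 10.0.0.5 login.microsoftonline.com
2025-08-01T11:00:00Z 10.0.0.5 login.microsoftonline.com
2025-08-20T22:41:10Z 10.0.0.9 cdn.vendor.example
2025-09-03T02:13:44Z 10.0.0.9 update-cdn.example.
2025-09-04T03:10:01Z 10.0.0.7 telemetry.newsaas.example
2025-09-05T08:00:00Z 10.0.0.5 login.microsoftonline.com
"""

# Constructed "as of" time for the 30-day window.
NOW = datetime(2025, 9, 5, 12, 0, 0)


def parse_logs(text):
    """Yield (timestamp, src_ip, fqdn); skip malformed lines, normalise FQDNs."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2].lower().rstrip(".")


def registrable(fqdn):
    """Crude registrable-domain guess (last two labels). Use a public-suffix
    list in production so that names under e.g. co.uk are handled."""
    return ".".join(fqdn.split(".")[-2:])


def hunt(log_text, blocklist, now, window_days=30):
    """Return (blocklist_hits, first_seen_in_window).

    blocklist_hits: [(ts, src_ip, fqdn)] where the FQDN, or its registrable
        domain, is on the blocklist (so subdomains of a listed domain match).
    first_seen_in_window: {fqdn: (first_seen_ts, {src_ips})} for names whose
        earliest appearance in the log falls inside the window.
    """
    first_seen = {}
    sources = defaultdict(set)
    hits = []
    for ts, src, fqdn in parse_logs(log_text):
        sources[fqdn].add(src)
        if fqdn not in first_seen or ts < first_seen[fqdn]:
            first_seen[fqdn] = ts
        if fqdn in blocklist or registrable(fqdn) in blocklist:
            hits.append((ts, src, fqdn))
    cutoff = now - timedelta(days=window_days)
    new = {f: (t, sources[f]) for f, t in first_seen.items() if t >= cutoff}
    return hits, new


if __name__ == "__main__":
    hits, new = hunt(SAMPLE_LOGS, BLOCKLIST, NOW)
    for ts, src, fqdn in hits:
        print("BLOCKLIST HIT   ", ts.isoformat(), src, fqdn)
    for fqdn, (ts, srcs) in sorted(new.items(), key=lambda kv: kv[1][0]):
        print("FIRST SEEN <30d ", ts.isoformat(), fqdn, sorted(srcs))
```

The first-seen query is only meaningful if your log retention is longer than the window; with exactly 30 days of history every name is "first seen". Run it against the longest export you have and then narrow the window.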

2) Drift/Salesloft supply-chain breach — impact expands

  • What happened: Salesloft says the attackers first gained access to its GitHub account, beginning in March, then pivoted into Drift’s AWS environment and stole OAuth tokens for customer integrations (Salesforce and others). At least 22 companies have confirmed impact so far.
  • Action: Revoke and rotate tokens/keys for every Drift integration; search for suspicious OAuth grant and refresh activity going back to March.
  • Source: The Hacker News update.

3) Malvertising / GPUGate targets IT firms via fake GitHub commit links

  • What happened: Paid search ads lead to a URL that points at a commit page inside a GitHub repository; the commit embeds a link to a look-alike download site (“gitpage[.]app”) that serves the malware.
  • Action: Block gitpage[.]app at the proxy/DNS layer; enforce browser isolation for developer searches; train staff that a github.com commit URL in an ad is not proof the download is legitimate.
  • Source: The Hacker News.

4) CISA: critical Sitecore RCE (CVE-2025-53690) under active exploitation

  • What happened: CISA added the flaw to its KEV catalog and ordered federal agencies to patch by Sep 25. Root cause: a sample ASP.NET machineKey published in Sitecore deployment documentation was reused in production; anyone holding that key can sign a malicious __VIEWSTATE payload, which the server deserializes → unauthenticated RCE.
  • Action: Patch all affected XM/XP/XC/Managed Cloud instances; rotate the machineKey (validationKey/decryptionKey) and review web.config; scan the estate for static or documentation-derived ASP.NET machine keys.
  • Source: The Hacker News summary of the CISA directive.
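Worked example for the "review web.config; scan for unexpected ASP.NET machine keys" step. This is an added check, not CISA's, Sitecore's or THN's code; the three web.config snippets and the "published sample key" fingerprint are constructed placeholders. It flags a validationKey that matches a known documentation sample, legacy validation/decryption algorithms, enableViewStateMac="false", and a key reused across sites (a key leaked from one site forges ViewState for every site that shares it).

```python
"""Added example (not from CISA, Sitecore, Mandiant or THN): audit ASP.NET
web.config files for machineKey settings that make ViewState forgery and
deserialization practical. The configs and the 'published sample key'
fingerprint below are constructed placeholders; feed in your real inventory
and the fingerprints of any keys that appear in vendor documentation."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict


def key_fingerprint(key):
    """SHA-256 of the upper-cased hex key, so deny-lists can be shared
    without circulating the key material itself."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


# Constructed: fingerprint of a made-up key standing in for one copied from
# a public deployment guide.
KNOWN_SAMPLE_KEYS = {key_fingerprint("0123456789ABCDEF" * 4)}
WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}
WEAK_DECRYPTION = {"DES", "3DES"}

SAMPLE_CONFIGS = {
    # Constructed: documentation key, legacy SHA1 validation.
    "siteA/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="SHA1" decryption="AES"/>
  <pages enableViewStateMac="true"/>
</system.web></configuration>""",
    # Constructed: unique key, modern algorithms, but MAC checking disabled.
    "siteB/web.config": """<configuration><system.web>
  <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
              decryptionKey="0011223344556677889900AABBCCDDEE"
              validation="HMACSHA256" decryption="AES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>""",
    # Constructed: the siteB key reused on a second site.
    "siteC/web.config": """<configuration><system.web>
  <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
              decryptionKey="0011223344556677889900AABBCCDDEE"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
}


def audit_config(xml_text):
    """Return [(severity, message)] for one web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "enableViewStateMac=false: unsigned ViewState is accepted"))
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no static key: keys are auto-generated per server
    vkey = mk.get("validationKey", "AutoGenerate")
    if not vkey.startswith("AutoGenerate"):
        if key_fingerprint(vkey) in KNOWN_SAMPLE_KEYS:
            findings.append(("critical", "validationKey matches a published sample key"))
        else:
            findings.append(("info", "static validationKey present: confirm it is unique and rotated"))
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(("high", "weak validation algorithm %s" % mk.get("validation")))
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(("high", "weak decryption algorithm %s" % mk.get("decryption")))
    return findings


def audit_all(configs):
    """Audit every config and flag validationKeys shared between sites."""
    report = {path: audit_config(xml) for path, xml in configs.items()}
    by_key = defaultdict(list)
    for path, xml in configs.items():
        mk = ET.fromstring(xml).find("./system.web/machineKey")
        vkey = mk.get("validationKey", "AutoGenerate") if mk is not None else "AutoGenerate"
        if not vkey.startswith("AutoGenerate"):
            by_key[key_fingerprint(vkey)].append(path)
    for paths in by_key.values():
        if len(paths) > 1:
            for path in paths:
                others = ", ".join(sorted(set(paths) - {path}))
                report[path].append(("high", "validationKey shared with: " + others))
    return report


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLE_CONFIGS).items():
        print(path, "OK" if not findings else "")
        for sev, msg in findings:
            print("  [%s] %s" % (sev.upper(), msg))
```

Point it at every web.config in the estate (including sites behind the CMS, not just Sitecore itself) and populate KNOWN_SAMPLE_KEYS from the keys you can find in vendor documentation; a static key that is merely unique still needs rotating if there is any chance it was exposed.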

5) SAP S/4HANA ABAP code injection actively exploited (CVE-2025-42957, CVSS 9.9)

  • Impact: An authenticated, low-privileged user with RFC access can inject arbitrary ABAP code, create SAP_ALL users, dump password hashes, and modify business processes; this is a full takeover of the system, not a single function.
  • Action: Apply the August 2025 SAP Security Patch Day notes; hunt for anomalous RFC function-module calls and for sudden SAP_ALL grants.
  • Source: The Hacker News.

6) Newest CVEs (publication feed snapshot)

  • Context: The NVD “recent” feed updated several times today; several dozen CVEs were published inside the window. Use it to seed hunting, not as a prioritised list.
  • Where to pull: the NVD recent-CVE feed and Tenable’s “Newest CVEs” tracker.
  • Bulk list reference (rolling “last 12 hours” view): the cuberk.com recent-CVE aggregator. Treat it as a pointer only and validate each CVE in NVD before acting on it.

7) Broader backdrop you may get asked about today

  • Android September bulletin: 84 fixes; two 0-days reported as exploited in the wild (CVE-2025-38352 and CVE-2025-48543). Ensure MDM fleets are on the September patch level. Source: Tom’s Guide.

Immediate Defender Playbook (CyberDudeBivash)

Threat-hunting high-value queries / detections

  • OAuth theft (Drift/Salesloft):
    • SIEM: look for unusual /services/oauth2/token exchanges; anomalous app registrations; sudden token refresh from new IPs.
  • SAP S/4HANA CVE-2025-42957:
    • Watch RFC calls to vulnerable function modules; creation of SAP_ALL users; mass ABAP changes.
  • Sitecore CVE-2025-53690:
    • IDS/WAF and ASP.NET event logs: ViewState MAC validation failures and tampered __VIEWSTATE POSTs; machineKey values that match documentation samples; new files under the web root (post-exploitation webshells).
  • Salt Typhoon infra:
    • Add today’s domains to egress blocklists; pivot in proxy/DNS logs for FQDNs first seen in the last 30 days. Source: The Hacker News.
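Worked example for the OAuth-theft hunt above (and the "search for suspicious OAuth grant flows since March" action in item 2). This is an added illustration, not Salesloft's, Salesforce's or THN's detection content; the JSON events, app names, addresses and the baseline cut-off date are constructed placeholders. It builds a per-app baseline of source addresses from pre-incident token-endpoint events, then flags refresh-token grants from addresses never seen for that app, new app authorizations, apps with no baseline at all, and any non-baseline address that touched more than one app (the pivot a single actor replaying stolen tokens tends to leave).

```python
"""Added example (not from Salesloft, Salesforce or THN): hunt OAuth token
events for signs of stolen integration tokens. The JSON lines, app names,
addresses and the baseline cut-off date are constructed placeholders; in a
real hunt export the token-endpoint (/services/oauth2/token) events from your
IdP or SaaS audit log into the same shape."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed events: one JSON object per token-endpoint request.
SAMPLE_EVENTS = """\
{"ts":"2025-02-10T08:00:00Z","grant_type":"refresh_token","app":"Drift","user":"integ@corp.example","src_ip":"192.0.2.1"}
{"ts":"2025-02-20T08:00:00Z","grant_type":"refresh_token","app":"Drift","user":"integ@corp.example","src_ip":"192.0.2.2"}
{"ts":"2025-03-15T08:00:00Z","grant_type":"refresh_token","app":"Drift","user":"integ@corp.example","src_ip":"192.0.2.1"}
{"ts":"2025-08-09T03:12:00Z","grant_type":"refresh_token","app":"Drift","user":"integ@corp.example","src_ip":"198.51.100.7"}
{"ts":"2025-08-09T03:13:00Z","grant_type":"refresh_token","app":"Drift","user":"integ@corp.example","src_ip":"198.51.100.7"}
{"ts":"2025-08-10T11:00:00Z","grant_type":"authorization_code","app":"DataExporter","user":"admin@corp.example","src_ip":"198.51.100.7"}
{"ts":"2025-08-11T09:00:00Z","grant_type":"refresh_token","app":"Slack","user":"integ@corp.example","src_ip":"203.0.113.9"}
"""

# Constructed: everything before this date is treated as known-good baseline
# (the "since March" window the incident timeline gives).
BASELINE_END = datetime(2025, 3, 1)


def parse_events(text):
    """Yield one dict per non-empty JSON line with 'ts' parsed to datetime."""
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e


def hunt_oauth(text, baseline_end):
    """Return {"flagged": [(ts, rule, app, src_ip)], "shared_ips": {ip: {apps}}}.

    Rules:
      refresh_from_new_ip   refresh-token grant for a known app from an address
                            never seen for that app in the baseline
      new_app_authorized    authorization_code grant for an app absent from
                            the baseline (a new connected app / consent)
      app_without_baseline  token activity for an app with no baseline at all
      shared_ips            a non-baseline address that touched several apps
    """
    events = list(parse_events(text))
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            baseline[e["app"]].add(e["src_ip"])
    baseline_ips = set().union(*baseline.values()) if baseline else set()

    flagged, ip_apps = [], defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            continue
        app, ip = e["app"], e["src_ip"]
        ip_apps[ip].add(app)
        if app not in baseline:
            rule = "new_app_authorized" if e["grant_type"] == "authorization_code" else "app_without_baseline"
            flagged.append((e["ts"], rule, app, ip))
        elif e["grant_type"] == "refresh_token" and ip not in baseline[app]:
            flagged.append((e["ts"], "refresh_from_new_ip", app, ip))
    shared = {ip: apps for ip, apps in ip_apps.items() if len(apps) > 1 and ip not in baseline_ips}
    return {"flagged": flagged, "shared_ips": shared}


if __name__ == "__main__":
    result = hunt_oauth(SAMPLE_EVENTS, BASELINE_END)
    for ts, rule, app, ip in result["flagged"]:
        print(ts.isoformat(), rule, app, ip)
    for ip, apps in result["shared_ips"].items():
        print("PIVOT", ip, "touched", sorted(apps))
```

Integration traffic from a SaaS vendor normally comes from a small, stable set of addresses, which is what makes the new-address rule useful for machine identities even though it would be noisy for human logins; tune the baseline window to the vendor's published address ranges where it has them.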

Patch / config

  • Push emergency patch windows for: SAP, Sitecore, and the Android fleet.
  • Revoke and rotate OAuth/API tokens tied to Drift; audit GitHub orgs for new guests, collaborators and workflows (per the THN timeline). Source: The Hacker News.

Controls

  • Enforce IdP conditional access on all third-party SaaS/OAuth apps.
  • Enable token binding (DPoP or mTLS-bound tokens) where supported, so a stolen token cannot be replayed from another client.

Leadership Brief (copy-ready)

  • Risk now: Active exploitation in SAP and Sitecore; widening supply-chain fallout (Drift), and fresh PRC APT infra (Salt Typhoon).
  • Exposure: Integrations (OAuth), ERP, CMS, mobile fleets.
  • Action by EOD: Patch priorities (SAP/Sitecore), token rotations (Drift), blocklists (Salt Typhoon), Android MDM pushes.

Indicators & References 

  • Salt Typhoon/UNC4841: new domain set (see THN coverage; pull the full list from Silent Push).
  • SAP S/4HANA CVE-2025-42957: ABAP code injection via an RFC-exposed function module; validate against NVD and the SAP security notes; track as CVSS 9.9 (The Hacker News).
  • Sitecore CVE-2025-53690: documentation sample machine keys → ViewState deserialization RCE (CISA directive, The Hacker News).
  • Newest CVEs: seed list via the NVD recent feed and Tenable “Newest CVEs.”

CyberDudeBivash Recommended Stack 

  • XDR/SOC: SentinelOne, CrowdStrike (token theft & post-exploitation).
  • SAP/ERP hardening: Onapsis; custom ABAP monitors.
  • Attack surface & SaaS: Palo Alto Prisma Cloud, Wiz.
  • Threat-intel ops: MISP, Intel 471; NVD/CISA KEV alignment (NVD marks CVEs that are in the CISA KEV catalog; use that flag to prioritise exploited CVEs).

CyberDudeBivash — Global Threat Intel Authority
Daily CVEs → cyberbivash.blogspot.com • Apps/Services → cyberdudebivash.com • Crypto/DeFi Intel → cryptobivash.code.blog

#CyberDudeBivash #ThreatIntel #CVE #CyberSecurity #DataBreach #Ransomware #ZeroDay #SupplyChainAttack #APT #CloudSecurity #AdSenseProof #HighCPC #GlobalThreats
