Robert Grupe's AppSecNewsBits 2025-08-30
What’s Weak This Week: Epic Fails, Hacking, AppSec, Platforms/Vendors, and Legal
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
SK Telecom walloped with $97M fine after schoolkid security blunders let attackers run riot
South Korea's privacy watchdog has slapped SK Telecom with a record ₩134.5 billion ($97 million) fine after finding that the mobile giant left its network wide open to hackers through a catalog of bungles. The case stems from a breach disclosed in April, when SK Telecom admitted that hackers had swiped the universal subscriber identity module (USIM) data of almost 27 million subscribers. To put that in context, the population of the entire country is a shade over 50 million. The company allegedly didn't check logs from intrusion detection systems, so it ignored anomalous behavior while attackers quietly mapped out the operator's infrastructure. Administrators had dumped thousands of server credentials in plaintext on a management network server. Around 4,899 usernames and passwords for 2,365 servers were just sitting there, without so much as a password protecting access to Home Subscriber Server (HSS) databases. It doesn't take much imagination to guess what happened next. Armed with the harvested account details, intruders appear to have hopped into the management servers, installed malware, and queried the HSS database directly. From there, they were able to view and extract subscriber information without so much as a raised eyebrow from SKT's monitoring teams. More than 26 million USIM authentication keys – the "Ki" values used to verify subscribers and provision mobile services – were left unencrypted in SKT's databases. That blunder would have handed attackers the means to replicate SIM credentials, raising the specter of large-scale identity fraud or cloned devices piggybacking on legitimate accounts.
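The plaintext credential dump is the kind of thing a routine scan of management hosts should catch long before an intruder does. The following is an added example written for this newsletter, not code from SK Telecom or the regulator: a small scanner that reads a constructed inventory file, reports every literal credential it finds, skips values that are references into a secret store, and redacts the secret so the report itself does not become a second copy of the password. The hostnames, key names and secrets are all made up.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of the kind of inventory file an administrator might leave on a
# management host. Hostnames and secrets are made up for this example.
SAMPLE_INVENTORY = """\
# server inventory (constructed example)
host=hss-db-01.example.internal user=dbadmin password=Winter2024!
host=mgmt-02.example.internal user=root pass: Tr0ub4dor&3
host=hss-db-02.example.internal user=ops ssh_key_path=/etc/keys/ops.pem
host=billing-05.example.internal user=svc passwd = "p@ssw0rd"
host=monitor-01.example.internal user=ro password=${VAULT:monitor/ro}
"""

# Keys that usually carry a secret. The value is captured separately so the
# report can redact it instead of copying the secret into yet another file.
CRED_PATTERN = re.compile(
    r"\b(?P<key>password|passwd|pass|secret|api_key|token)\b\s*[:=]\s*"
    r"(?P<value>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

# Values that point into a secret store are references, not literal secrets.
# The prefixes are assumptions for this example; adapt them to your own store.
REFERENCE_PREFIXES = ("${VAULT:", "${SECRET:", "vault:", "ref+")


@dataclass
class Finding:
    line_no: int
    key: str
    redacted: str  # first two characters plus a mask; the full value is never stored


def redact(value: str) -> str:
    cleaned = value.strip("\"'")
    if len(cleaned) <= 2:
        return "*" * len(cleaned)
    return cleaned[:2] + "*" * (len(cleaned) - 2)


def is_reference(value: str) -> bool:
    cleaned = value.strip("\"'")
    return any(cleaned.startswith(prefix) for prefix in REFERENCE_PREFIXES)


def find_plaintext_credentials(text: str) -> List[Finding]:
    """Return one Finding per literal credential found in the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not configuration
        for match in CRED_PATTERN.finditer(line):
            if is_reference(match.group("value")):
                continue
            findings.append(
                Finding(line_no, match.group("key").lower(), redact(match.group("value")))
            )
    return findings


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_INVENTORY):
        print(f"line {f.line_no}: literal '{f.key}' value ({f.redacted})")
```

Run against the sample it reports three literal secrets (lines 2, 3 and 5) and stays quiet about the vault reference on line 6 and the key path on line 4. Pointing it at real management hosts is a cheap control; the harder part, which this example does not solve, is moving the secrets it finds into a store that the HSS administrators actually use.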
TransUnion says hackers stole 4.4 million customers’ personal information
TransUnion is one of the largest credit reporting agencies in the United States, and stores the financial data of more than 260 million Americans. TransUnion attributed the July 28 breach to unauthorized access to a third-party application storing customers’ personal data for its U.S. consumer support operations. [They detected the breach 2 days later.] TransUnion claimed “no credit information was accessed,” but provided no immediate evidence for its claim. The data breach notice did not specify what specific types of personal data were stolen. In a separate data breach disclosure filed subsequently (8-Aug) in Texas, TransUnion confirmed that the stolen personal information includes customers’ names, dates of birth, and Social Security numbers. [rG: 31 days to the legally required filing notification, but when are affected individuals to be notified? They state that their customers are being notified, but they have data beyond those that subscribe to their products. With migrations to cloud-based storage and use of vendor SaaS solutions, trying to lay blame there isn’t credible given shared security assurance requirements.]
Farmers Insurance data breach impacts 1.1M people after Salesforce attack
Since the beginning of the year, threat actors classified as 'UNC6040' or 'UNC6240' have been conducting social engineering attacks on Salesforce customers. During these attacks, the threat actors conduct voice phishing (vishing) to trick employees into linking a malicious OAuth app with their company's Salesforce instance. Once linked, the threat actors use the connection to download and steal the databases, which are then used to extort the company through email. On May 30, 2025, one of Farmers' third-party vendors alerted Farmers to suspicious activity involving an unauthorized actor accessing one of the vendor's databases containing Farmers customer information (the "Incident"). The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor. Its investigation determined that customers' names, addresses, dates of birth, driver's license numbers, and/or last four digits of Social Security numbers were stolen during the breach. Farmers began sending data breach notifications to impacted individuals on August 22.
[rG: 85 days (2 months 24 days) to notify customers.]
Law firm email blunder exposes Church of England abuse victim details
A London law firm leaked the details of nearly 200 people who requested to receive updates about the redress scheme set up for victims of abuse at the hands of the Church of England (CoE). City firm Kennedys Law confirmed that due to "human error," the email addresses of 194 individuals and law firms were exposed to all recipients. Failures of basic email etiquette became so concerning in 2023 that the UK Information Commissioner's Office was forced to issue a reminder of the dangers associated with confusing CC and BCC.
[rG: Not AppSec I know; just a reminder of a recurring issue sharing sensitive information via email.]
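Bulk notices to people who must not learn of each other are exactly the case where the CC/BCC mix-up bites, and it is cheap to make the mistake impossible in code rather than relying on whoever is typing the address list. The example below is added here and is not the law firm's code or anything from the ICO guidance: it builds the notice with every real recipient in Bcc, and a pre-send check refuses any message in which an address outside the sender's own domain would be visible in To or Cc. The sender and recipient addresses are placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

# Constructed example data: a sending mailbox and recipients who must not learn of each
# other. All addresses are placeholders.
SENDER = "updates@lawfirm.example"
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


class RecipientExposureError(ValueError):
    """A message would reveal one recipient's address to the others."""


def build_bulk_notice(sender: str, recipients: List[str], subject: str, body: str) -> EmailMessage:
    """Address the notice to the sender itself and put every real recipient in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_cc_mistake(sender: str, recipients: List[str], subject: str, body: str) -> EmailMessage:
    """The blunder described above: everyone in Cc, so every recipient sees the full list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_addresses(msg: EmailMessage) -> List[str]:
    """Every address that any recipient will see: To and Cc, never Bcc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def bcc_addresses(msg: EmailMessage) -> List[str]:
    return [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]


def exposed_addresses(msg: EmailMessage, sender: str) -> List[str]:
    """Visible addresses outside the sender's own domain.

    Policy for bulk notices: nobody outside our own domain may appear in To/Cc.
    """
    own_domain = sender.rsplit("@", 1)[1].lower()
    return [a for a in visible_addresses(msg) if a.rsplit("@", 1)[-1] != own_domain]


def prepare_for_sending(msg: EmailMessage, sender: str) -> EmailMessage:
    """Gate that a mail-sending wrapper should call right before SMTP submission."""
    exposed = exposed_addresses(msg, sender)
    if exposed:
        raise RecipientExposureError(
            f"{len(exposed)} external address(es) would be visible in To/Cc: {exposed}"
        )
    return msg


if __name__ == "__main__":
    good = build_bulk_notice(SENDER, RECIPIENTS, "Redress scheme update", "Update attached.")
    print("safe:", bcc_addresses(prepare_for_sending(good, SENDER)))
    bad = build_cc_mistake(SENDER, RECIPIENTS, "Redress scheme update", "Update attached.")
    try:
        prepare_for_sending(bad, SENDER)
    except RecipientExposureError as exc:
        print("blocked:", exc)
```

When the message is handed to `smtplib.SMTP.send_message`, the standard library strips the Bcc header from the transmitted copy and uses its addresses only as envelope recipients, so the recipients see just the sender's own address in To. The guard is deliberately strict for this use: a notice meant for 194 strangers has no legitimate reason to show any external address.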
Unpacking Passkeys Pwned: Possibly the most specious research in decades
Don’t believe everything you read—especially when it’s part of a marketing pitch designed to sell security services. The latest example of the runaway hype that can come from such pitches is research published by SquareX, a startup selling services for securing browsers and other client-side applications. It claims, without basis, to have found a “major passkey vulnerability” that undermines the lofty security promises made by Apple, Google, Microsoft, and thousands of other companies that have enthusiastically embraced passkeys. SquareX is right in saying that passkeys haven’t withstood decades of security research the way more traditional forms of authentication have. There very possibly will be vulnerabilities discovered in either the FIDO spec or various implementations of it. For now, though, passkeys remain the best defense against attacks relying on things like credential phishing, password reuse, and database breaches.
High-severity WinRAR 0-day exploited for weeks by 2 groups
WinRAR makes a perfect vehicle for spreading malware because the utility has no automated mechanism for installing new updates. That means users must actively download and install patches on their own. What's more, Windows versions of the command-line utilities UnRAR.dll and the portable UnRAR source code are also vulnerable. People should steer clear of all WinRAR versions prior to the most current. Although given the seemingly unending stream of WinRAR zero-days, it isn’t much of an assurance.
Malware-ridden apps made it into Google's Play Store, scored 19 million downloads
Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans. Zscaler’s ThreatLabz spotted and reported 77 apps containing malware, many of them purporting to be utilities or personalization tools. Google insists it picked up on the flaws and protected against these malware infections before Zscaler issued its report. We asked if responsible disclosure spurred this discovery, but no one has confirmed or denied it. Apple, despite having a better record than Google in such matters, isn't immune to such issues.
What’s Weak This Week:
CVE-2025-57819 Sangoma FreePBX Authentication Bypass Vulnerability:
Insufficiently sanitized user-supplied data allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. Related CWEs: CWE-89 | CWE-288
CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability:
Could allow for remote code execution and/or denial of service. Related CWE: CWE-119
CVE-2024-8069 Citrix Session Recording Deserialization of Untrusted Data Vulnerability:
Allows limited remote code execution with the privileges of a NetworkService account. The attacker must be an authenticated user on the same intranet as the session recording server. Related CWE: CWE-502
CVE-2024-8068 Citrix Session Recording Improper Privilege Management Vulnerability:
Could allow for privilege escalation to NetworkService account access. An attacker must be an authenticated user in the same Windows Active Directory domain as the session recording server. Related CWE: CWE-269
CVE-2025-48384 Git Link Following Vulnerability:
Stems from Git’s inconsistent handling of carriage return characters in configuration files. Related CWEs: CWE-59 | CWE-436
HACKING
The intruder is in the house: Storm-0501 attacked Azure, stole data, demanded payment via Teams
Storm-0501, a financially motivated cybercrime crew, recently broke into a large enterprise's on-premises and cloud environments, ultimately exfiltrating and destroying data within the org's Azure environment. The criminals then contacted the victim via a Microsoft Teams account that they'd also compromised in the attack, demanding a ransom payment for the stolen files.
This attack, according to Microsoft's threat intelligence team, illustrates a scary shift in ransomware tactics, which are moving away from traditional endpoint-based attacks and toward cloud-based ransomware. Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment.
Redmond recently made a change in Microsoft Entra ID that aims to prevent attackers from abusing Directory Synchronization Accounts in attacks to escalate privileges, plus a new May version in public preview allows customers to configure application-based authentication. The tech company also urges customers to enable Trusted Platform Module (TPM) on the Entra Connect Sync server to store sensitive credentials and cryptographic keys, thus preventing those from being stolen.
There's also a list of steps to take to protect both on-premises environments and cloud identities, so be sure to check out all of them. Here are a few key ones for cloud-based identities: practice the principle of least privilege so that users and applications are granted only the minimum permissions needed to perform specific tasks, enforce conditional access policies that are evaluated every time a user tries to sign in to an account, and — please, please, please — require MFA for all users.
Affiliates Flock to ‘Soulless’ Scam Gambling Machine
Recently hundreds of polished online gaming and wagering websites have emerged that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. These scam gambling sites have proliferated thanks to a new Russian affiliate program called “Gambler Panel” that bills itself as a “soulless project that is made for profit.”
The scam begins with deceptive ads posted on social media that claim the wagering sites are working in partnership with popular athletes or social media personalities. The ads invariably state that by using a supplied “promo code,” interested players can claim a $2,500 credit on the advertised gaming website. The gaming sites ask visitors to create a free account to claim their $2,500 credit, which they can use to play any number of extremely polished video games that ask users to bet on each action.
However, when users try to cash out any “winnings” the gaming site will reject the request and prompt the user to make a “verification deposit” of cryptocurrency — typically around $100 — before any money can be distributed. Those who deposit cryptocurrency funds are soon pressed into more wagering and making additional deposits. And — shocker alert — all players eventually lose everything they’ve invested in the platform.
[rG: If you want to gamble online, first verify that the company is legitimate by checking directly with your state gaming commission licensing registrations.]
Warning: Watch Out for This Japanese Character in Your Booking.com Email
Hackers use visually similar characters from foreign alphabets to trick even tech-savvy users into clicking. A phishing campaign uses the Japanese hiragana character “ん,” which can, particularly in some fonts, look pretty similar to a forward slash if you’re not paying close attention.
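The trick works because the character sits inside the hostname while the eye reads it as the end of the hostname. A link checker only has to ask two questions: which characters in the host are not ASCII, and which domain the link actually resolves to once the lookalike punctuation is ignored. The example below is added here and is not from the article or any vendor tool; the lookalike URL is constructed on example.com and a made-up attacker domain, and the confusables table is a short illustrative list, not a complete one.

```python
import unicodedata
from urllib.parse import urlsplit

# Non-ASCII characters that read as URL punctuation in many fonts. This is a constructed,
# deliberately short table for the example, not a complete confusables list.
CONFUSABLE_PUNCTUATION = {
    "\u3093": "/",  # HIRAGANA LETTER N, the character in the campaign above
    "\u2215": "/",  # DIVISION SLASH
    "\u2044": "/",  # FRACTION SLASH
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\u2024": ".",  # ONE DOT LEADER
    "\uff0e": ".",  # FULLWIDTH FULL STOP
}

# Constructed sample links. The first imitates "account.example.com/login/verify" but
# is really a subdomain of the made-up "attacker-lookalike.example".
LOOKALIKE = "https://account.example.com\u3093login\u3093verify.attacker-lookalike.example/reset"
CLEAN = "https://account.example.com/login/verify"


def analyze_link(url: str) -> dict:
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        # urlsplit itself rejects hosts whose NFKC form would introduce URL delimiters
        # (e.g. a fullwidth solidus); that is already a reason to flag the link.
        return {"host": None, "ascii_host": None, "perceived_host": None,
                "actual_registrable": None, "non_ascii": [], "flagged": True,
                "error": str(exc)}

    host = parts.hostname or ""

    # What a reader skimming the link is likely to see: confusables replaced by the
    # punctuation they imitate, then everything before the first apparent slash.
    perceived = "".join(CONFUSABLE_PUNCTUATION.get(ch, ch) for ch in host)
    perceived_host = perceived.split("/")[0]

    # Two-label heuristic for the registrable domain; a production check would
    # consult the Public Suffix List instead.
    labels = host.split(".")
    actual_registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host

    non_ascii = [
        {"char": ch,
         "name": unicodedata.name(ch, "UNKNOWN"),
         "imitates": CONFUSABLE_PUNCTUATION.get(ch)}
        for ch in host
        if ord(ch) > 0x7F
    ]

    # The wire form a resolver will see; useful for log correlation and blocklists.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None

    return {
        "host": host,
        "ascii_host": ascii_host,
        "perceived_host": perceived_host,
        "actual_registrable": actual_registrable,
        "non_ascii": non_ascii,
        "flagged": bool(non_ascii),
    }


if __name__ == "__main__":
    for url in (LOOKALIKE, CLEAN):
        report = analyze_link(url)
        print(f"{url}\n  looks like: {report['perceived_host']}"
              f"\n  really is:  {report['actual_registrable']}"
              f"\n  flagged:    {report['flagged']}")
```

For the lookalike sample the report says the link looks like `account.example.com` but really belongs to `attacker-lookalike.example`, lists the two HIRAGANA LETTER N characters as imitating "/", and gives the `xn--` form of the host that will actually appear in DNS and proxy logs. Mail gateways and link-rewriting proxies can apply the same test to every URL they see; any non-ASCII character in a hostname that imitates "/" or "." deserves at least a warning banner.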
ZipLine attack uses 'Contact Us' forms, White House butler pic to invade sensitive industries
Instead of emailing a malicious link in an unsolicited email, the miscreants initiate contact through the organization's public Contact Us form, tricking the victim into starting the conversation and allowing the attackers to bypass email filters. The attackers followed up via email with a series of questions stretched over weeks and a meeting request before finally delivering a ZIP archive that ultimately deploys MixShell, a custom, in-memory implant. "Many dozens" of organizations were targeted in the still-ongoing campaign that dates back to the beginning of May. Several of the domains used to initiate email communications match the names of US-based companies, and some previously belonged to legitimate businesses. All of these were originally registered between 2015 and 2019, years before the ZipLine campaign began. Using these old domains with long-standing DNS records and clean reputations helped the attackers bypass security filters and gain victims' trust. Upon closer inspection, researchers determined that the websites hosted on these domains were completely phony and all shared the same content and layouts, with the "About Us" pages on all of them displaying the same image that purports to be company founders. In reality, it's a photo of White House butlers.
DSLRoot, Proxies, and the Threat of ‘Legal Botnets’
DSLRoot is sold as a residential proxy service under the names DSLRoot and GlobalSolutions. The service is advertised to people who are not in the United States but who want to seem like they are. DSLRoot pays people in the United States to run the company’s hardware and software — including 5G mobile devices — and in return it rents those IP addresses as dedicated proxies to customers anywhere in the world — priced at $190 per month for unrestricted access to all locations. The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they’d made with the company. “I have been getting paid 250$ a month by a residential IP network provider named DSL root to host devices in my home. They are on a separate network than what we use for personal use. They have dedicated DSL connections (one per host) to the ISP that provides the DSL coverage. My family used Starlink. Is this stupid for me to do? They just sit there and I get paid for it. The company pays the internet bill too.”
[rG: Oh boy. Schools need to teach kids Greek mythology and the story of the Trojan horse, along with fundamentals of modern computer systems and security.]
FBI, Dutch cops seize fake ID marketplace that sold identity docs for $9
VerifTools was one of the largest online shops for fake driver's licenses, passports, and other forms of ID. With these documents, criminals can assume new identities, get hired by tech companies in fake IT worker scams, or pull off digital identity and bank help-desk fraud. Teens can also use fake IDs to trick sales clerks into selling them alcohol, we're told.
APPSEC, DEVSECOPS, DEV
NIST enhances SP 800-53 controls to improve cybersecurity and software maintenance, reduce cyber risks
SP 800-53 Release 5.2.0 addresses multiple aspects of the software development and deployment process, including software and system resiliency by design, developer testing, the deployment and management of updates, and software integrity and validation. The update also revises the discussion sections of some existing controls to provide additional scoping and implementation examples. Additionally, SP 800-53A Release 5.2.0 provides corresponding updates to SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations. No changes were made to SP 800-53B, Control Baselines for Information Systems and Organizations, but a new release has been issued for consistency.
Top 10 Best API Penetration Testing Companies In 2025
Salt Security, Noname Security, Traceable, Cequence Security, 42Crunch, Wallarm, APIsec, Invicti (Netsparker), F5 (WAAP), Imperva.
Bug bounties: The good, the bad, and the frankly ridiculous ways to do it
Thirty years ago, Netscape kicked off the first commercial bug bounty program. In 2005, TippingPoint started the Zero Day Initiative, paying for high-impact vulnerabilities with working proofs of concept. The practice went into turbo mode when several tech giants picked it up, led by Google in 2010, Facebook a year later, and then the biggie – Microsoft – in 2013. One common misconception is that flaw finders are just in it for the money, but it's more complicated than that. It's true that money is a factor. In the last decade, the amount of money up for grabs for bugs has exploded. At ZDI's forthcoming Pwn2Own contest, a lucky hacker can earn $1 million for a zero-click remote code execution attack on WhatsApp. And despite its initial reluctance, Microsoft has become a firm supporter of the bounty system, and paid out $17 million last year to independent security researchers. The first hacker to make a million dollars in total on HackerOne was asked, 'Did you just find a bunch of criticals?' His answer: 'No, I don't look for criticals at all; they're too hard and take too long. I go for automation to get more efficient low- and medium-severity bugs.' The mediums are the sweet spot, because they pay more. So far, AI is a mixed blessing: yes, it's finding more flaws, faster, but machine-generated flaws and the reports on them are flooding out bug analysis.
BGP’s security problems are notorious. Attempts to fix that are a work in progress
The core of the Internet is notoriously vulnerable to attacks, with Border Gateway Protocol (BGP) and DNS being particular weak points. It’s safe to say that we won’t ever get BGP to be completely immune to attacks and misconfigurations, but there seems to be real progress in making it much more robust than it was just a few years ago.
TypeScript Migrates to Go: What's Really Behind That 10x Performance Claim?
What's actually getting faster is the TypeScript compiler, not the TypeScript language itself or JavaScript's runtime performance. Your TypeScript code will compile faster, but it won't suddenly execute 10x faster in the browser or Node.js. Beneath the headline figures lies a story worth unpacking about design choices, performance trade-offs, and the evolution of developer tools. Even if you’re not interested in compilers, there are lessons here for your own system’s design.
VENDORS & PLATFORMS
Desktop-as-a-service now often cheaper to run than laptops - even after thin client costs
Hosted PCs are now often cheaper to operate than on-prem laptops, and two years away from being cost-effective for 95 percent of workers. Gartner predicts that by 2027, 20 percent of workers will use a hosted machine as their main workspace, up from 10 percent in 2019. By 2027, virtual desktops will be cost-effective for 95 percent of workers, up from 40 percent in 2019. In effect, personal AI agents require cloud-based desktop apps.
Hottest cybersecurity open-source tools of the month: August 2025
Buttercup: Open-source AI-driven system detects and patches vulnerabilities
EntraGoat: Vulnerable Microsoft Entra ID infrastructure to simulate identity security misconfigurations
LudusHound: Open-source tool brings BloodHound data to life
Your Word documents will be saved to the cloud automatically on Windows going forward
The change is rolling out with Word for Windows version 2509 and later. Microsoft notes that the same change is coming to Excel for Windows and PowerPoint for Windows at a later stage as well. Customers who do not want their documents to be saved to the cloud by default need to become active to change the default save location. Select File > Options > Save tab, uncheck "AutoSave files stored in the Cloud by default in Word".
[rG Home Security: If you don’t want to pay Microsoft to store your files and use your files to train their AI, keep your files elsewhere and don’t use MS Office. Could use something like OpenLibre with file encryption and then back to cloud to keep snooping agents at bay. Same consideration for Apple platforms.]
Framework Laptop 16 gets a 2025 upgrade
[rG: Fire modular laptop kit – check out videos showing assembly with captured screws, button pins, etc. This should now be a kids’ first computer so they can understand ‘what’s inside’.]
LEGAL & REGULATORY
FTC warns tech giants not to bow to foreign pressure on encryption
The Federal Trade Commission (FTC) is warning major U.S. tech companies against yielding to foreign government demands that weaken data security, compromise encryption, or impose censorship on their platforms. The FTC letter, sent to large American companies including Akamai, Alphabet (Google), Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack, and X (Twitter), stated that weakening data security at the request of foreign governments, especially without alerting users, would constitute a violation of the FTC Act and expose the companies to legal consequences.
And Now For Something Completely Different …
Google has eliminated 35% of managers overseeing small teams in past year
The idea is to reduce bureaucracy and run the company more efficiently. The 35% reduction refers to the number of managers who oversee fewer than three people, according to a person familiar with the matter. Many of those managers stayed with the company as individual contributors.
[rG: Span of control efficiency is usually 5-12 supervised/direct reports in medium+ organizations. Having more or fewer is an inefficiency/competency red flag that warrants evaluating the organization, job descriptions, and compensation structures.]