CyberDudeBivash Global Cybersecurity Brief — last 24 hours
Timestamp: Tue, Aug 19, 2025 • 09:54 IST

1) Workday confirms CRM breach (part of ongoing Salesforce-targeting wave)

What happened: Workday disclosed a social-engineering intrusion against a third-party CRM (Salesforce) that exposed business contact data; no access to customer tenants. Multiple firms have been hit in a similar campaign attributed in reporting to ShinyHunters. (Sources: BleepingComputer, The Record from Recorded Future)
Why it matters: Valid contacts + org context fuel follow-on vishing/OAuth abuse and BEC.
Notables: Same campaign has also touched brands like Adidas/Qantas/Allianz/Google, per industry coverage. (Source: BleepingComputer)
Attacker TTPs (MITRE): T1566 (phishing/social engineering), token/OAuth abuse, T1078 (valid accounts).
Immediate actions: Audit Salesforce/CRM Connected Apps & OAuth grants; revoke unrecognized apps/tokens; enable MFA + SSO and enforce least-privilege API scopes. (Also notify sellers/CS teams to expect vishing.)
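A worked version of the "audit Connected Apps & OAuth grants" step, added here as an illustration and not part of the brief. It takes a token export and flags grants that are unrecognized (revoke), stale (revoke), or brand new with almost no use (confirm with the user, since that is what a vishing-driven grant looks like on day one). The CSV columns (AppName, UserName, LastUsedDate, UseCount), the allow-list and the sample rows are all assumptions chosen to resemble a Salesforce OauthToken report; map them onto whatever your CRM actually exports.

```python
"""Audit a CRM OAuth-grant export for unrecognized, stale and freshly created grants.

Added example, not part of the brief. The export columns (AppName, UserName,
LastUsedDate, UseCount) and the approved-app list are assumptions chosen to
look like a Salesforce OauthToken report; adapt them to the real export.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data).
SAMPLE_EXPORT = """AppName,UserName,LastUsedDate,UseCount
Salesforce for Outlook,alice@example.com,2025-08-18T07:12:00Z,412
Data Loader,bob@example.com,2025-05-01T10:00:00Z,3
Ticketing Helper,carol@example.com,2025-08-18T22:41:00Z,1
Salesforce Mobile,dave@example.com,2025-08-19T01:05:00Z,980
Data Loader,eve@example.com,2025-08-18T23:59:00Z,1
"""

# Assumed allow-list of apps the security team has already reviewed.
APPROVED_APPS = {"Salesforce for Outlook", "Salesforce Mobile", "Data Loader"}

# Reference time: the brief's timestamp (09:54 IST on Aug 19, 2025) expressed in UTC.
NOW = datetime(2025, 8, 19, 4, 24, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)      # grants unused for this long should be revoked
FRESH_WINDOW = timedelta(hours=24)    # grants this new get a human review...
LOW_USE = 2                           # ...especially when they have barely been used


def _parse_ts(value: str) -> datetime:
    # ISO-8601 with a trailing Z; give fromisoformat an explicit offset for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_oauth_grants(export_csv: str, approved: set[str], now: datetime = NOW) -> list[dict]:
    """Return one finding per grant that needs action, with the reasons attached."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        age = now - _parse_ts(row["LastUsedDate"])
        reasons = []
        if row["AppName"] not in approved:
            reasons.append("unrecognized app: revoke")
        if age > STALE_AFTER:
            reasons.append("stale grant: revoke")
        if age < FRESH_WINDOW and int(row["UseCount"]) <= LOW_USE:
            reasons.append("new low-use grant: confirm with user")
        if reasons:
            findings.append({"app": row["AppName"], "user": row["UserName"], "reasons": reasons})
    return findings


def revoke_list(findings: list[dict]) -> list[tuple[str, str]]:
    """(app, user) pairs that should be revoked outright, in export order."""
    return [(f["app"], f["user"]) for f in findings
            if any(r.endswith("revoke") for r in f["reasons"])]


if __name__ == "__main__":
    found = audit_oauth_grants(SAMPLE_EXPORT, APPROVED_APPS)
    for f in found:
        print(f"{f['user']:<20} {f['app']:<24} {'; '.join(f['reasons'])}")
    print("revoke:", revoke_list(found))
```

On the constructed rows this revokes bob's stale Data Loader grant and carol's unknown "Ticketing Helper" app, and queues eve's brand-new single-use grant for a phone call rather than an automatic revoke, which is the right split when Sales and Support are mid-quarter and a false revoke costs real time.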


2) Allianz Life customer impact clarified

What’s new: Reuters reports ~1.1M customers’ data in the Allianz Life incident tied to the same CRM-targeting wave; firm is offering ID monitoring. (Source: Reuters)
Risk: Contact data → highly convincing phish/brokered access against finance sector users.


3) Australia: TPG Telecom (iiNet) incident

What happened: Unauthorized access to an order-management system under iiNet; exfil included ~280k emails, ~20k landlines, plus a subset of usernames/addresses/phones; access likely via stolen employee credentials. (Source: Reuters)
Why it matters: Telco data is routinely weaponized for SIM-swap/social engineering.
Actions: Force resets for impacted accounts, monitor for SIM-swap attempts, tighten help-desk verification and IP/geo velocity rules.


4) MSP supply chain: N-able N-central vulns actively exploited

What’s new: CVE-2025-8875 (insecure deserialization) & CVE-2025-8876 (command injection) are exploited; >870 internet-exposed instances still unpatched as of Aug 17; CISA added them to KEV with an Aug 20 remediation due date for US FCEB. (Sources: SecurityWeek, CISA)
Risk: Compromising an MSP’s RMM can cascade into many customer environments.
Actions (today): Patch to N-central 2025.3, rotate creds/tokens, review admin actions and remote scripts/jobs for tampering. (MITRE: T1190, T1548, T1105.)


5) New 5G pre-auth attack: Sni5Gect

What happened: Researchers showed over-the-air sniffing & message injection against 5G without a rogue base station; enables modem crashes, device fingerprinting/tracking, and 4G downgrade. Tested on multiple Android handsets. (Source: SecurityWeek)
Who should care: MNOs, critical-comm users, and enterprises relying on 5G routers/IoT.
Actions: Coordinate with carriers for mitigations; harden airplane-mode/recall procedures for field teams; consider IPsec on top of 5G for sensitive flows.


6) Taiwan hosting providers targeted by Chinese APT (UAT-7237)

What’s new: Cisco Talos-tracked cluster abuses known public-facing vulns, web shells, SoftEther VPN for persistence; tools include Cobalt Strike, SharpWMI, JuicyPotato, and a custom loader “SoundBill.” Goal: long-term access to high-value targets via hosting infrastructure. (Source: SecurityWeek)
Actions: Hunt for SoftEther installs, WMI abuse, web-shell artifacts; review RDP exposure; segment tenant workloads; block Cobalt Strike C2 beacons.
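The "hunt for SoftEther installs and web-shell artifacts" action as a runnable starting point, added here and not drawn from the Talos reporting or any vendor tool. It walks a tree looking for SoftEther's own file names (vpnserver, vpncmd, hamcore.se2, vpn_server.config and friends) dropped outside an approved install, and for code-execution idioms in web-root files that take their input straight from the request. The pattern list is deliberately short and illustrative; the fixture files are constructed in a temporary directory so the script runs offline. Expect Process.Start hits in legitimate ASPX apps, so treat that label as a triage lead rather than a verdict.

```python
"""Hunt a directory tree for web-shell artifacts and SoftEther VPN drops.

Added example, not part of the brief. Indicator lists are illustrative
starting points; sample files are constructed in a temp dir so it runs offline.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# SoftEther ships these names; seeing them outside an approved install is a lead.
SOFTETHER_NAMES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd",
                   "hamcore.se2", "vpn_server.config"}

# (label, regex) pairs for request-driven code execution in web files. Illustrative, not exhaustive.
WEBSHELL_PATTERNS = [
    ("php-eval-decoded-input",
     re.compile(rb"@?eval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST))", re.I)),
    ("php-exec-request-param",
     re.compile(rb"\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("aspx-eval-request", re.compile(rb"eval\s*\(\s*Request[\.\[]", re.I)),
    ("aspx-process-start", re.compile(rb"Process\.Start\s*\(", re.I)),  # noisy in legit apps; triage lead only
]
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".aspx", ".ashx", ".asp", ".jsp"}


def classify(name: str, content: bytes) -> list[str]:
    """Labels for one file given its base name and raw bytes; empty list means clean."""
    hits = []
    if name.lower() in SOFTETHER_NAMES:
        hits.append("softether-artifact")
    if Path(name).suffix.lower() in WEB_EXTENSIONS:
        for label, pattern in WEBSHELL_PATTERNS:
            if pattern.search(content):
                hits.append(f"webshell-pattern:{label}")
                break  # one label per file is enough for triage
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map of root-relative POSIX paths to their labels, for files that hit at least one rule."""
    results = {}
    for p in root.rglob("*"):  # pathlib globbing includes dot-directories, unlike a shell glob
        if not p.is_file():
            continue
        try:
            data = p.read_bytes()
        except OSError:
            continue  # unreadable file: skip, do not abort the hunt
        hits = classify(p.name, data)
        if hits:
            results[p.relative_to(root).as_posix()] = hits
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed fixtures: a benign page, a suspicious upload, a SoftEther drop."""
    (root / "www" / "uploads").mkdir(parents=True)
    (root / "www" / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
    (root / "www" / "uploads" / "img.php").write_bytes(b"<?php @eval(base64_decode($_POST['x'])); ?>")
    (root / "tmp" / ".cache").mkdir(parents=True)
    (root / "tmp" / ".cache" / "hamcore.se2").write_bytes(b"\x00" * 16)


def demo() -> dict[str, list[str]]:
    """Build the fixtures in a temp dir, scan them, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, labels in demo().items():
        print(f"{path}: {', '.join(labels)}")
```

Point scan_tree at each tenant's web root and at the usual drop locations (temp and cache directories, profile folders) and diff the output run-to-run; a new hamcore.se2 in a hosting tenant that never ordered a VPN is worth an immediate look.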


7) Android: ERMAC v3 source code leaked

What happened: Full codebase leak exposes MaaS internals, 700+ targeted apps, infra OPSEC blunders (hardcoded JWTs/default creds). Expect forks/imitations. (Source: BleepingComputer)
Actions: Tighten MDM policies (install sources), enforce Play Protect, monitor for overlay/fake-push behavior and SMS interception on corp devices.


8) KEV update (patch priority): Trend Micro Apex One

What’s new: CISA added CVE-2025-54948 (OS command injection) to the Known Exploited Vulnerabilities catalog on Aug 18. (Source: CISA)
Actions: Patch Apex One per vendor guidance; verify EDR is not excluded by policy.


9) Broader trend you should note: Kinsing cryptomining group expands

What’s new: Researchers in Russia report large-scale Kinsing campaigns hijacking compute for Monero; part of a cross-border surge in opportunistic cloud/container abuse. (Source: The Record from Recorded Future)
Actions: Lock down container runtimes, auto-remediate misconfigs, monitor for XMRig/Kinsing IOCs and unusual CPU spikes.


Quick response checklist (do these today)

  • CRM hardening: Enumerate & revoke suspicious OAuth/Connected Apps; enable MFA/SSO everywhere; brief Sales/Support on vishing playbooks. (Source: BleepingComputer)

  • Patch sprint: N-able N-central → 2025.3; prioritize KEV items including Trend Micro Apex One. (Sources: SecurityWeek, CISA)

  • Identity hygiene: Force password resets where employee creds may be reused (TPG-style); enable impossible travel and token-anomaly detections. (Source: Reuters)

  • MSP/customer segregation: For MSPs and their clients, re-validate RMM trust boundaries, script signing, and per-tenant keys. (Source: SecurityWeek)

  • Mobile fleet: Block sideloading; hunt for overlay permissions and abuse of Accessibility Services (ERMAC v3). (Source: BleepingComputer)

  • APT vigilance: Scan for web shells & SoftEther across hosting/DMZ; tune detections for WMI and Cobalt Strike. (Source: SecurityWeek)

