By the CyberWire staff
At a glance.
- FBI warns of Russian threat actors targeting years-old Cisco flaw.
- Apple issues patches for actively exploited zero-day.
- Scattered Spider hacker sentenced to 10 years in prison.
- Workday discloses data breach.
- DPRK-aligned spearphishing campaign targets embassies.
- Interpol operation targets cybercrime networks across Africa.
FBI warns of Russian threat actors targeting years-old Cisco flaw.
The US FBI warned yesterday that threat actors tied to Russia's Federal Security Service (FSB) are targeting a 7-year-old vulnerability (CVE-2018-0171) in end-of-life networking devices running Cisco Smart Install. The activity is attributed to the FSB's Center 16, tracked by the cybersecurity industry as "Berserk Bear" or "Dragonfly."
The Bureau stated, "In the past year, the FBI detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. On some vulnerable devices, the actors modified configuration files to enable unauthorized access to those devices. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems."
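Two checks follow from the Bureau's description, whether Smart Install is explicitly disabled and whether a device's configuration has drifted from a known-good copy. The Python below is an added example (not code from the FBI, Cisco or the CyberWire) that assumes plain-text IOS configurations and uses constructed sample configs:

```python
"""Audit a Cisco IOS config for Smart Install exposure and unexpected changes.

Added example, not from the FBI notice or Cisco. Assumes plain-text IOS
configs (as from `show running-config`) and a baseline saved at last review.
"""
import difflib
import re

# Constructed sample: baseline captured when the device was last reviewed.
BASELINE = """\
hostname core-sw1
no vstack
line vty 0 4
 transport input ssh
 access-class 10 in
"""

# Constructed sample: the same device today. The `no vstack` line and the
# VTY access-class are gone and telnet is allowed, i.e. remote access widened.
CURRENT = """\
hostname core-sw1
line vty 0 4
 transport input ssh telnet
"""


def smart_install_enabled(config: str) -> bool:
    """True unless the config explicitly disables Smart Install.

    The Smart Install client is on by default on many IOS switches and only
    an explicit `no vstack` turns it off, so a missing line counts as exposed.
    """
    return re.search(r"^\s*no vstack\b", config, re.MULTILINE) is None


def config_drift(baseline: str, current: str) -> list:
    """Return only the added (+) and removed (-) lines versus the baseline."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), lineterm="", n=0
    )
    return [l for l in diff
            if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]


def audit(baseline: str, current: str) -> dict:
    """Combine both checks into one report for the device."""
    return {"smart_install_exposed": smart_install_enabled(current),
            "drift": config_drift(baseline, current)}


if __name__ == "__main__":
    for key, value in audit(BASELINE, CURRENT).items():
        print(key, value)
```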
Apple issues patches for actively exploited zero-day.
Apple has released updates to fix a zero-day that was exploited in "an extremely sophisticated attack against specific targeted individuals," SecurityWeek reports. The vulnerability (CVE-2025-43300) is an out-of-bounds write issue in which processing a malicious image file can result in memory corruption.
Patches are available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. Users are advised to update their Apple devices.
Scattered Spider hacker sentenced to 10 years in prison.
Noah Michael Urban, a 20-year-old from Palm Coast, Florida, has been sentenced to ten years in federal prison after pleading guilty to his involvement with the Scattered Spider criminal gang, KrebsOnSecurity reports. Urban must also pay $13 million in restitution and serve three years of supervised release after his prison term. Urban was accused of carrying out SMS and voice phishing attacks against more than 130 companies during the summer of 2022.
Krebs notes that Urban called the sentence "unjust" in a conversation on X, claiming that the judge was biased because another Scattered Spider member hacked the judge's email account during the trial. The prosecutors had initially asked for an eight-year sentence.
Workday discloses data breach.
HR software provider Workday is the latest organization to fall victim to a wave of social engineering attacks targeting Salesforce instances, BleepingComputer reports. The company didn't name Salesforce, but referred to "a recent social engineering campaign targeting many large organizations, including Workday." The company said in a press release, "We recently identified that Workday had been targeted, and threat actors were able to access some information from our third-party CRM platform. There is no indication of access to customer tenants or the data within them. ... The type of information the actor obtained was primarily commonly available business contact information, like names, email addresses, and phone numbers, potentially to further their social engineering scams."
BleepingComputer notes that the ShinyHunters extortion group is behind the wave of Salesforce attacks, previously hitting Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and Google. The threat actor uses voice phishing attacks to trick employees into linking a malicious OAuth app to their company's Salesforce instance. Salesforce advises customers to follow its security guidance to prevent these attacks.
DPRK-aligned spearphishing campaign targets embassies.
Trellix is tracking a North Korea-aligned spearphishing campaign targeting European embassies and foreign ministries in Seoul. The phishing emails contained PDF attachments designed to deliver the XenoRAT malware, leveraging the GitHub API for command-and-control.
The operation overlaps with previous activity by North Korea's Kimsuky APT, but the researchers note timing patterns that suggest the threat actor is based in China. Trellix says this "could indicate either North Korean operatives working from Chinese territory, a Chinese APT operation mimicking Kimsuky techniques, or a collaborative effort leveraging Chinese resources for DPRK intelligence objectives." The researchers attribute the campaign to Kimsuky, but assess with "medium-confidence that the operators are operating from China or are culturally Chinese."
Interpol operation targets cybercrime networks across Africa.
African law enforcement agencies have arrested over 1,200 individuals as part of an INTERPOL-coordinated operation targeting cybercrime and fraud networks. The operation, which involved eighteen African countries and the UK, resulted in the recovery of US$97.4 million tied to cybercrimes, including ransomware, online scams, and business email compromise (BEC).
Interpol notes, "Authorities in Angola dismantled 25 cryptocurrency mining centres, where 60 Chinese nationals were illegally validating blockchain transactions to generate cryptocurrency. The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than USD 37 million, now earmarked by the government to support power distribution in vulnerable areas."
Authorities in Zambia also dismantled a major investment fraud operation that scammed 65,000 victims and raked in $300 million.