ThreatsDay Bulletin: CarPlay Exploit, BYOVD Tactics, SQL C2 Attacks, iCloud Backdoor Demand & More

Anthropic said it has rolled out a number of safety and security improvements to Claude Sonnet 4.5, its latest coding focused model, that make it difficult for bad actors to exploit and secure the system against prompt injection attacks, sycophancy (i.e., the tendency of an AI to echo and validate user beliefs no matter how delusional or harmful they may be), and child safety risks. "Claude's improved capabilities and our extensive safety training have allowed us to substantially improve the model's behavior, reducing concerning behaviors like sycophancy, deception, power-seeking, and the tendency to encourage delusional thinking," the company said. "For the model's agentic and computer use capabilities, we've also made considerable progress on defending against prompt injection attacks, one of the most serious risks for users of these capabilities." The AI company said the latest model has better defensive cybersecurity abilities, such as vulnerability discovery, patching, and basic penetration testing capabilities. However, it did acknowledge that these tools could be "dual-use," meaning they might also potentially be used by malicious actors, as well as cybersecurity professionals. Generative AI systems like those offered by Microsoft and OpenAI are at the forefront of a battle between companies providing sophisticated text and image generation capabilities and malicious actors looking to exploit them.

The SANS Internet Storm Center Security has disclosed its observation of a significant increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). The vulnerability, disclosed last year, is a command injection vulnerability that could be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on susceptible firewalls. SANS ISC said it has detected specially crafted requests that seek to upload a TXT file and subsequently attempt to retrieve that file via an HTTP GET request. "This will return a '403' error if the file exists, and a '404' error if the upload failed. It will not execute code," it noted. "The content of the file is a standard Global Protect session file, and will not execute. A follow-up attack would upload the file to a location that leads to code execution." In recent weeks, exploit attempts have also been registered against Hikvision cameras susceptible to an older flaw (CVE-2017-7921), SANS ISC said.

A sophisticated attack campaign has targeted improperly managed Microsoft SQL servers to deploy the open-source XiebroC2 command-and-control (C2) framework using PowerShell to establish persistent access to compromised systems. The attack leverages vulnerable credentials on publicly accessible database servers, allowing threat actors to obtain an initial foothold and escalate privileges through a tool called JuicyPotato. "XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to Cobalt Strike," AhnLab said.

Google has outlined the various hardening recommendations that organizations can take to safeguard against attacks mounted by UNC6040, a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns specifically designed to compromise organizations' Salesforce instances for large-scale data theft and subsequent extortion. Central to the operation involves deceiving victims into authorizing a malicious connected app to their organization's Salesforce portal. "Over the past several months, UNC6040 has demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements," it said. "This approach has proven particularly effective in tricking employees, often within English-speaking branches of multinational corporations, into actions that grant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of the organization's Salesforce data. In all observed cases, attackers relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce."

Censys said it identified over 60 cryptocurrency phishing pages impersonating popular hardware wallet brands Trezor and Ledger through an analysis of robots.txt files. These sites have an entry in the file: "Disallow: /add_web_phish.php." "Notably, the actor behind the pages attempted to block popular phishing reporting sites from indexing the pages by including endpoints of the phishing reporting sites in their own robots.txt file," the company said. The unusual robots.txt pattern has also been discovered on several GitHub repositories, some of which date back to January 2025. "The misuse of robots.txt and the merge conflicts found in multiple READMEs could also suggest that the actor behind these pages is not well-versed in web development practices," security researcher Emily Austin added.

Google has announced that it's updating Google Drive for desktop with AI-powered ransomware detection to automatically stop file syncing and allow users to easily restore files with a few clicks. "Our AI-powered detection in Drive for desktop identifies the core signature of a ransomware attack — an attempt to encrypt or corrupt files en masse — and rapidly intervenes to put a protective bubble around a user's files by stopping file syncing to the cloud before the ransomware can spread," Google Cloud said. "The detection engine adapts to novel ransomware by continuously analyzing file changes and incorporating new threat intelligence from VirusTotal. When Drive detects unusual activity that suggests a ransomware attack, it automatically pauses syncing of affected files, helping to prevent widespread data corruption across an organization's Drive and the disruption of work." Users subsequently receive an alert on their desktop and via email, guiding them to restore their files. The real-time ransomware detection capability is built atop a specialized AI model trained on millions of real victim files encrypted by various ransomware strains.

Imgur, a popular image hosting platform with more than 130 million users, has blocked access to users in the U.K. after regulators signalled their intention to impose penalties over concerns around children's data. The U.K.'s data watchdog, the Information Commissioner's Office (ICO), said it recently notified the platform's parent company, MediaLab AI, of plans to fine Imgur after investigating its approach to age checks and handling of children's personal data. The probe was launched earlier this March. "Imgur's decision to restrict access in the U.K. is a commercial decision taken by the company," the ICO said. "We have been clear that exiting the U.K. does not allow an organisation to avoid responsibility for any prior infringement of data protection law, and our investigation remains ongoing." In a help page, Imgur confirmed U.K. users will not be able to log in, view content, or upload images.

An audit of the Russian government's new MAX instant messenger mobile app has found no evidence of surveillance beyond accessing features necessary for the app to function. "During two days of observation, no test configurations revealed improper access to the camera, location, microphone, notifications, contacts, photos, and videos," RKS Global said. "Technically, the application had the ability to collect these data and send them, but experts did not record what happened. After revoking permits, the application does not record attempts to obtain these accesses again through requests or unauthorized."

The U.K. government has issued a new request for Apple to provide access to encrypted iCloud user data, this time focusing specifically on the ‌iCloud‌ data of British citizens, according to the Financial Times. The request, issued in early September 2025, has demanded that Apple create a way for officials to access encrypted ‌iCloud‌ backups. In February, Apple withdrew ‌iCloud‌'s Advanced Data Protection feature in the U.K. Subsequent pushback from civil liberty groups and the U.S. government led to the U.K. apparently abandoning its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens. In late August, the Financial Times also reported that the U.K. government's secret order was "not limited to" Apple's ADP feature and included requirements for Apple to "provide and maintain a capability to disclose categories of data stored within a cloud-based backup service," suggesting that the access was far broader in scope than previously known.

Back in April 2025, Oligo Security disclosed a set of flaws in AirPlay called AirBorne (CVE-2025-24252 and CVE-2025-24132) that could be chained together to take over Apple CarPlay, in some cases, without even requiring any user interaction or authentication. While the underlying technology uses the iAP2 protocol to establish a wireless connection over Bluetooth and negotiate a CarPlay Wi-Fi password to allow an iPhone to connect to the network and initiate screen mirroring, the researcher found that many devices and systems default to a "No-PIN" approach during the Bluetooth pairing phase, making the attacks "frictionless and harder to detect." This, coupled with the fact that iAP2 does not authenticate the iPhone, meant that an attacker with a Bluetooth radio and a compatible iAP2 client can impersonate an iPhone, request the Wi-Fi credentials, trigger app launches, and issue any arbitrary iAP2 command. From there, attackers can exploit CVE-2025-24132 to achieve remote code execution with root privileges. "Although patches for CVE-2025-24132 were published on April 29, 2025, only a few select vendors actually patched," Oligo said. "To our knowledge, as of this post, no car manufacturer has applied the patch."

Russia's Ministry of Digital Development is working on regulations to force companies to restrict the type of data they collect from citizens in the country, in the hopes of minimizing future leaks of confidential data. "Systems should not process information containing personal data beyond what is necessary to ensure business processes," said Evgeny Khasin, acting director of the Ministry of Digital Development's cybersecurity department. "This is because many organizations tend to collect as much data as possible in order to interact with it in some way or use it for their own purposes, while the law stipulates that data should be minimized."

The Dutch government has said it won't support Denmark's proposal for an E.U. Chat Control legislation to force tech companies to introduce encryption backdoors so as to scan communications for "abusive material." The proposal is up for a vote on October 14. The Electronic Frontier Foundation (EFF) has called the legislative proposal "dangerous" and tantamount to "chat surveillance." Other E.U. countries that have opposed the controversial legislation include Austria, Czechia, Estonia, Finland, Luxembourg, and Poland.

Google has agreed to pay $48 million, and the menstrual tracking app Flo Health will pay $8 million to resolve a class action lawsuit alleging the app illegally shared people's health data. Google is expected to set up a $48 million fund for Flo app users who entered information about menstruation or pregnancy from November 2016 until the end of February 2019. In March 2025, defunct data analytics company Flurry said it would pay $3.5 million for harvesting sexual and reproductive health data from the period tracking app. The complaint, filed in 2021, alleged that Flo used software development kits to allow Google, Meta, and Flurry to intercept users' communications within the app.

Meta Platforms said it plans to start using people's conversations with its AI chatbot to help personalize ads and content. The policy is set to go into effect on December 16, 2025. It won't apply to users in the U.K., South Korea, and the European Union, for now. While there is no opt-out mechanism, conversations related to religious or political views, sexual orientation, health, and racial or ethnic origin will be automatically excluded from the company's personalization efforts. The company said its AI digital assistant now has more than 1 billion active monthly users.

The Federal Trade Commission (FTC) has sued Sendit's operating company, Iconic Hearts, and its CEO for "unlawfully collecting personal data from children, misleading users by sending messages from fake 'people,' and tricking consumers into purchasing paid subscriptions by falsely promising to reveal the senders of anonymous messages." The agency said, "Even though it was aware that many users were under 13, Iconic Hearts failed to notify parents that it collected personal information from children, including their phone numbers, birthdates, photos, and usernames for Snapchat, Instagram, TikTok, and other accounts, and did not obtain parents' verifiable consent to such data collection."

Threat actors are selling access to MatrixPDF, a tool that lets them alter ordinary PDF files to lures that can redirect users to malware or phishing sites. "It bundles phishing and malware features into a builder that alters legitimate PDF files with fake secure document prompts, embedded JavaScript actions, content blurring, and redirects," Varonis said. "To the recipient, the file looks routine, yet opening it and following a prompt or link can result in credential theft or payload delivery."

Microsoft said it's planning to introduce a new Edge security feature that will protect users against malicious extensions sideloaded into the web browser. "Microsoft Edge will detect and revoke malicious sideloaded extensions," it said. The rollout is expected to start sometime in November 2025. It did not provide further details on how these dangerous extensions will be identified.

The U.S. government extended the deadline for ByteDance to divest TikTok's U.S. operations until December 16, 2025, making it the fourth such extension. The development came as China said the U.S. spin-off of TikTok will use ByteDance's Chinese algorithm as part of a U.S.-agreed framework that includes "licensing the algorithm and other intellectual property rights." The artificial intelligence (AI)-powered algorithm that underpins the app has been a source of concern among national security circles, as it could be manipulated to push Chinese propaganda or polarizing material to users. China has also called the framework deal a "win-win." Under the framework deal, about 80% of TikTok's U.S. business would be owned by a joint venture that includes Oracle, Silver Lake Partners, media mogul Rupert Murdoch, and Dell CEO Michael Dell, with ByteDance's stake dropping below 20% to comply with the national security law. The divestiture also extends to other applications like Lemon8 and CapCut that are operated by ByteDance. Furthermore, TikTok's algorithm will be copied and retrained using U.S. user data as part of the deal, with Oracle auditing the recommendation system. The White House has also promised that all U.S. user data on TikTok will be stored on Oracle servers in the U.S.

An information stealer known as Acreed is gaining traction among threat actors, with a steady rise in Acreed logs in Russian-speaking forums. The stealer was first advertised on the Russian Market in February 2025 by a user named "Nu####ez" and is assessed to be a private project. As of September 2025, the top five information stealer strains included Rhadamanthys (33%), Lumma (33%), Acreed (17%), Vidar (12%), and StealC (5%). "At the present time, Acreed is maybe a privately developed project, but our infrastructure analysis shows that it is also integrated in an existing ecosystem that overlaps with Vidar," Intrinsec said.

Cybersecurity company Sophos said it observed Warlock ransomware actors (aka Storm-2603 or Gold Salem) abusing the legitimate open-source Velociraptor digital forensics and incident response (DFIR) tool to establish a Visual Studio Code network tunnel within the compromised environment. Some of the incidents led to the deployment of the ransomware. Warlock gained prominence in July 2025 after it was found to be of the threat actors abusing a set of security flaws in Microsoft SharePoint called ToolShell to infiltrate target networks. The group has claimed 60 victims as of mid-September 2025, starting its operations in March, including a Russian company, suggesting that it may be operating from outside the Kremlin. Microsoft has described it with moderate confidence as a China-based threat actor. The group has also been observed weaponizing the ToolShell flaws to drop an ASPX web shell that's used to download a Golang-based WebSockets server that allows continued access to the compromised server independently of the web shell. Furthermore, Gold Salem has employed the Bring Your Own Vulnerable Driver (BYOVD) technique to bypass security defenses by using a vulnerability (CVE-2024-51324) in the Baidu Antivirus driver BdApiUtil.sys to terminate EDR software. "The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity," Sophos said.

Threat actors are distributing fake Chrome extensions posing as artificial intelligence (AI) tools like OpenAI ChatGPT, Llama, Perplexity, and Claude. Once installed, the extensions let users type prompts in the Chrome search bar, but will hijack the prompts to redirect queries to attacker-controlled domains and track search activity. The browser add-ons "override the default search engine settings via the chrome_settings_overrides manifest key," Palo Alto Networks Unit 42 said. The queries are redirected to domains like chatgptforchrome[.]com, dinershtein[.]com, and gen-ai-search[.]com.

A sophisticated operation has been found to break into routers and IoT devices using weak credentials and known security flaws, and rent the compromised devices to other botnet operators. The operation has witnessed a major spike in activity this year, jumping 230% in mid-2025, with the botnet loader-as-a-service infrastructure used to deliver payloads for DDoS and cryptomining botnets like RondoDoX, Mirai, and Morte, per CloudSEK.

Tile location trackers leak sensitive information that can allow threat actors to track a device's location. That's according to researchers from the Georgia Institute of Technology, who reverse-engineered the location-tracking service and found that the devices leak MAC addresses and unique device IDs. An attacker can take advantage of the absence of encryption protections to intercept and collect the information using a simple radio antenna, ultimately enabling them to track all of the company's customers. "Tile's servers can persistently learn the location of all users and tags, unprivileged adversaries can track users through Bluetooth advertisements emitted by Tile's devices, and Tile's anti-theft mode is easily subverted," the researchers said in a study. The issues were reported to its parent company Life360 in November 2024, following which it said a "number of improvements" were rolled out to address the problem, without specifying what those were.

New statistics released by Forescout show that a quarter of all OpenSSH and 8.5% of all SSH servers now support post-quantum cryptography (PQC). In contrast, TLSv1.3 adoption remains at 19% and TLSv1.2 – which does not support PQC – increased from 43% to 46%. The report also found that manufacturing, oil and gas, and mining have the lowest PQC adoption rates, whereas professional and business services have the highest. "The absolute number of servers with PQC support grew from 11.5 million in April to almost 15 million in August, an increase of 30%," it added. The relative number grew from 6.2% of total servers to 8.5%.

Synacktiv has documented a new technique to programmatically inject and activate Chrome extensions in Chromium-based browsers within Windows domains for malicious purposes by manipulating Chromium internal preference files and their associated JSON MAC property ("super_mac"). The research "highlights the inherent challenge in cryptographically protecting browser-internal secrets like the MAC seed, as any truly robust solution would need to account for diverse operating system-specific security mechanisms (like DPAPI on Windows) without affecting cross-platform compatibility," the company said.

An email phishing campaign has been spotted targeting entities in the higher education sector to steal credentials and Cisco Duo one-time passwords (OTPs) with the goal of compromising accounts, exfiltrating data, and launching lateral attacks. "Targets are funneled to spoofed sign-in portals that perfectly mimic university login pages," Abnormal AI said. "Then, purpose-built phishing kits harvest both credentials and Duo one-time passwords (OTPs) through seamless multi-step flows. With these details in hand, attackers swiftly hijack accounts, hide their tracks with malicious mailbox rules, and launch lateral phishing campaigns within the same organization." More than 40 compromised organizations and over 30 targeted universities and colleges have been identified as part of the campaign.