securityweek.com ByIonut Arghire| September 2, 2025 (11:02 AM ET)
Updated: September 3, 2025 (2:45 AM ET)
Cloudflare on Monday said it blocked the largest distributed denial-of-service (DDoS) attack ever recorded, at 11.5 Tbps (Terabits per second).
In a short message on X, Cloudflare only shared that the attack was a UDP flood mainly sourced from Google Cloud infrastructure, which lasted approximately 35 seconds.
“Cloudflare’s defenses have been working overtime. Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud,” the company said.
In a Tuesday update, Cloudflare said that Google Cloud was one source of attack, but not the majority, and that several IoT and cloud providers were used to launch the assault.
“Defending against this class of attack is an ongoing priority for us, and we’ve deployed numerous strong defenses to keep users safe, including robust DDoS detection and mitigation capabilities,” a Google Cloud spokesperson told SecurityWeek.
“Our abuse defenses detected the attack, and we followed proper protocol in customer notification and response. Initial reports suggesting that the majority of traffic came from Google Cloud are not accurate,” the spokesperson said.
A UDP flood attack consists of a high volume of UDP (User Datagram Protocol) packets being sent to a target, which becomes overwhelmed and unresponsive when attempting to process and respond to them.
Because UDP packets are small and the receiver spends resources trying to process them, the attackers also increased the packet rate to 5.1 Bpps (billion packets per second) to deplete those resources and take down the target.
This record-setting DDoS attack takes the lead as the largest in history roughly three months after Cloudflare blocked a 7.3 Tbps DDoS attack.
Seen in mid-May, the assault targeted a hosting provider and lasted for only 45 seconds. Approximately 37.4 Tb of traffic, or the equivalent of over 9,000 HD movies, was delivered in the timeframe.
The same as the newly observed attack, the May DDoS assault mainly consisted of UDP floods. It originated from over 122,000 IP addresses.
Cloudflare mitigated 27.8 million DDoS attacks in the first half of 2025, a number that surpassed the total observed in 2024 (21.3 million HTTP and Layer 3/4 DDoS attacks).
*Updated with statement from Google Cloud Cloudflare
techcrunch.com
Lorenzo Franceschi-Bicchierai
9:11 AM PDT · September 2, 2025
The Israeli spyware maker now faces the dilemma of whether to continue its relationship with U.S. Immigration and Customs Enforcement and help fuel its mass deportations program.
U.S. Immigration and Customs Enforcement (ICE) signed a contract last year with Israeli spyware maker Paragon worth $2 million.
Shortly after, the Biden administration put the contract under review, issuing a “stop work order,” to determine whether the contract complied with an executive order on commercial spyware, which restricts U.S. government agencies from using spyware that could violate human rights or target Americans abroad.
Almost a year later, when it looked like the contract would just run out and never become active, ICE lifted the stop work order, according to public records.
“This contract is for a fully configured proprietary solution including license, hardware, warranty, maintenance, and training. This modification is to lift the stop work order,” read an update dated August 30 on the U.S. government’s Federal Procurement Data System, a database of government contracts.
Independent journalist Jack Poulson was the first to report the news in his newsletter.
Paragon has for years cultivated the image of being an “ethical” and responsible spyware maker, in contrast with controversial spyware purveyors such as Hacking Team, Intellexa, and NSO Group. On its official website, Paragon claims to provide its customers with “ethically based tools, teams, and insights.”
The spyware maker faces an ethical dilemma. Now that the contract with ICE’s Information Technology Division is active, it’s up to Paragon to decide whether it wants to continue its relationship with ICE, an agency that has dramatically ramped up mass deportations and expanded its surveillance powers since Donald Trump took over the White House.
Emily Horne, a spokesperson for Paragon, as well as executive chairman John Fleming, did not respond to a request for comment.
In an attempt to show its good faith, in February of this year, Fleming told TechCrunch that the company only sells to the U.S. government and other unspecified allied countries.
Paragon has already had to face a thorny ethical dilemma. In January, WhatsApp revealed that around 90 of its users, including journalists and human rights workers, had been targeted with Paragon’s spyware, called Graphite. In the following days and weeks, Italian journalist Francesco Cancellato and several local pro-immigration activists came forward saying they were among the victims.
In response to this scandal, Paragon cut ties with the Italian government, which had in the meantime launched an inquiry to determine what happened. Then, in June, digital rights research group Citizen Lab confirmed that two other journalists, an unnamed European and a colleague of Cancellato, had been hacked with Paragon’s spyware.
An Italian parliament committee concluded that the spying of the pro-immigration activists was legal, but it also claimed that there was no evidence that Italy’s intelligence agencies, former Paragon customers, had targeted Cancellato.
John Scott-Railton, a senior researcher at Citizen Lab, who has investigated cases of spyware abuse for more than a decade, told TechCrunch that “these tools were designed for dictatorships, not democracies built on liberty and protection of individual rights.”
The researcher said that even spyware is “corrupting,” which is why “there’s a growing pile of spyware scandals in democracies, including with Paragon’s Graphite. Worse, Paragon is still shielding spyware abusers. Just look at the still-unexplained hacks of Italian journalists.”
bleepingcomputer.com
By Sergiu Gatlan
September 3, 2025
Update September 04, 06:27 EDT: Updated the list of cybersecurity companies whose Salesforce instances were breached in the Salesloft supply chain attack.
Workiva, a leading cloud-based SaaS (Software as a Service) provider, notified its customers that attackers who gained access to a third-party customer relationship management (CRM) system stole some of their data.
The company's cloud software helps collect, connect, and share data for financial reports, compliance, and audits. It had 6,305 customers at the end of last year and reported revenues of $739 million in 2024.
Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz, and more.
According to a private email notification sent to affected Workiva customers last week and seen by BleepingComputer, the threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content.
"This is similar to recent events that have targeted several large organizations. Importantly, the Workiva platform and any data within it were not accessed or compromised," the company explained. "Our CRM vendor notified us of unauthorized access via a connected third-party application."
Workiva also warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks.
"Workiva will never contact anyone by text or phone to request a password or any other secure details. All communications from Workiva come through our trusted official support channels," it said.
Salesforce data breaches
While Workiva didn't share more details regarding this attack, BleepingComputer has learned that this incident was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile companies.
Most recently, Cloudflare disclosed that it was forced to rotate 104 Cloudflare platform-issued tokens stolen by ShinyHunters threat actors, who gained access to the Salesforce instance used for customer support and internal customer case management in mid-August.
ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year, impacting companies such as Google, Cisco, Allianz Life, Farmers Insurance, Workday, Qantas, Adidas, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
More recently, the extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances and extract sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.
Using this method, ShinyHunters also gained access to a small number of Google Workspace accounts in addition to stealing Salesforce CRM data and breaching the Salesforce instances of multiple cybersecurity companies, including Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.
Huawei has already ‘built an ecosystem entirely independent of the United States’, according to a senior executive.
South China Morning Post scmp.com Coco Fengin Guangdong
Published: 9:00pm, 29 Aug 2025
China has virtually overcome crippling US tech restrictions, according to a senior executive at Huawei Technologies, as mainland-developed computing infrastructure, AI systems and other software now rival those from the world’s largest economy.
Shenzhen-based Huawei, which was added to Washington’s trade blacklist in May 2019, has already “built an ecosystem entirely independent of the United States”, said Tao Jingwen, president of the firm’s quality, business process and information technology management department, at an event on Wednesday in Guiyang, capital of southwestern Guizhou province.
Tao highlighted the privately held company’s resilience at the event, as he discussed some of the latest milestones in its journey towards tech self-sufficiency.
That industry-wide commitment to tech self-reliance would enable China to “surpass the US in terms of artificial intelligence applications” on the back of the country’s “extensive economy and business scenarios”, he said.
His remarks reflected Huawei’s efforts to surmount tightened US control measures and heightened geopolitical tensions, as the company pushes the boundaries in semiconductors, computing power, cloud services, AI and operating systems.
Tao’s presentation was made on the same day that Huawei said users of token services on its cloud platform had access to its CloudMatrix 384 system, which is a cluster of 384 Ascend AI processors – spread across 12 computing cabinets and four bus cabinets – that delivers 300 petaflops of computing power and 48 terabytes of high-bandwidth memory. A petaflop is 1,000 trillion calculations per second.
Une activité malveillante a été détectée sur le site de la CGN. Les clients ayant effectué des opération durant cette période ont été alertés.
Le site internet de la CGN a été victime d’une cyberattaque, rapporte l’entreprise dans un communiqué de presse ce jeudi. «Mardi 2 septembre 2025, en milieu d’après-midi, une activité suspecte a été détectée» sur celui-ci. «Le site a été aussitôt mis hors service», détaille la compagnie.
Les analyses menées ont montré que «le script malveillant a été actif cinq jours avant sa détection», précise le communiqué. «L’attaque a été stoppée immédiatement et des mesures de sécurité renforcées ont été mises en place. Les mesures correctives ayant été faites, le site a été réactivé aujourd’hui (ndlr: ce jeudi)», ajoute la CGN.
Plusieurs centaines de clients concernés
Par mesure de précaution, «les quelque 400 clients ayant réalisé des opérations durant la période identifiée ont été informés et invités à vérifier leur relevé de transaction et à contacter leur banque». L’entreprise affirme que la probabilité que des données puissent être utilisées est faible, «notamment si la société émettrice de la carte de crédit utilise la double authentification ou d’autres mesures de sécurité avancées».
L’entreprise rapporte qu’aucun «système interne de la CGN n’a été mis en danger ou exposé lors de cette attaque». Une plainte pénale sera déposée.
salesforce.com Eoghan Casey
August 27, 2025
Learn how to detect, investigate, and respond to Salesforce security incidents with logs, permissions, and backups.
A guide to investigating Salesforce security incidents with logs, permissions, and backups to strengthen response and resilience.
I am increasingly asked by customers how to investigate potential security incidents in their Salesforce environments. Common questions are: What did a specific user do during that time? and What data was impacted? Every organization and incident is unique, and the answer to these questions depends on the specific situation, but there is some general guidance I can provide.
Three key sources of information for investigating a security incident in Salesforce environments are activity logs, user permissions, and backup data.
bbc.com Chris VallanceSenior Technology Reporter andTheo Leggett International Business Correspondent 3.09.2025
Staff were sent home and the company shut down its IT systems in an effort to minimise the damage done.
A cyber-attack has "severely disrupted" Jaguar Land Rover (JLR) vehicle production, including at its two main UK plants.
The company, which is owned by India's Tata Motors, said it took immediate action to lessen the impact of the hack and is working quickly to restart operations.
JLR's retail business has also been badly hit at a traditionally a popular time for consumers to take delivery of a new vehicle - but there is no evidence any customer data had been stolen, it said.
The attack began on Sunday as the latest batch of new registration plates became available on Monday, 1 September.
The BBC understands that the attack was detected while in progress, and the company shut down its IT systems in an effort to minimise any damage.
Workers at the company's Halewood plant in Merseyside were told by email early on Monday morning not to come into work while others were sent home, as first reported by the Liverpool Echo.
The BBC understands the attack has also hit JLR's other main UK manufacturing plant at Solihull, with staff there also sent home.
The company said: "We took immediate action to mitigate its impact by proactively shutting down our systems. We are now working at pace to restart our global applications in a controlled manner."
It added: "At this stage there is no evidence any customer data has been stolen but our retail and production activities have been severely disrupted."
It is not yet known who is responsible for the hack, but it follows crippling attacks on prominent UK retail businesses including Marks & Spencer and the Co-op.
In both cases, the hackers sought to extort money.
While JLR's statement makes no mention of a cyber-attack, a separate filing by parent company Tata Motors to the Bombay Stock Exchange referred to an "IT security incidence" causing "global" issues.
The National Crime Agency said: "We are aware of an incident impacting Jaguar Land Rover and are working with partners to better understand its impact."
In 2023, as part of an effort to "accelerate digital transformation across its business", JLR signed a five-year, £800m deal with corporate stablemate Tata Consultancy Services to provide cybersecurity and a range of other IT services.
The halt in production is a fresh blow to the firm which recently revealed a slump in profits attributed to increasing in costs caused by US tariffs.
helpnetsecurity.com Zeljka Zorz, Editor-in-Chief, Help Net Security
September 2, 2025
Zscaler, Palo Alto Networks, PagerDuty, Tanium, and SpyCloud say their Salesforce instances were accessed following the Salesloft breach.
The companies noted that attackers had only limited access to Salesforce databases, not to other systems or resources. They warned, however, that the stolen customer data could be used for convincing phishing and social engineering attacks.
The Salesloft breach
Salesloft is the company behind a popular sales engagement platform of the same name.
The company’s Drift application – an AI chat agent – can be integrated with many third-party platforms and tools, including Salesforce.
On August 26, Salesloft stated that from August 8 to August 18, 2025, attackers used compromised OAuth credentials to exfiltrate data from the Salesforce instances of customers that have set up the Drift-Saleforce integration.
Several days later, the Google Threat Intelligence Group (GTIG) confirmed that the compromise impacted other integrations, as well.
“On August 28, 2025, our investigation confirmed that the actor also compromised OAuth tokens for the ‘Drift Email’ integration. On August 9, 2025, a threat actor used these tokens to access email from a very small number of Google Workspace accounts,” GTIG analysts shared.
Astrix Security researchers have confirmed that the attackers used the Drift Email OAuth application for Google Workspace to exfiltrate emails and that – at least in one case – they tried to access S3 buckets whose names have been likely extracted from compromised Salesforce environments.
Similarly, WideField threat researchers have observed suspicious log event activity across multiple customers using its security platform, pointing to attackers rifling through Salesforce databases and Gmail accounts.
Salesloft breach victims Zscaler
How UNC6395 accessed emails (Source: WideField)
Zscaler, Palo Alto Networks and the other companies mentioned above are just some of the 700+ companies impacted by this breach.
While the stolen customer information can be valuable, GTIG analysts say that the attackers were focused on searching for AWS access keys, passwords, and Snowflake-related access tokens, which can (and likely have been) further misused by the attackers.
What to do if your organization is on the victims list?
Salesloft has yet to reveal how the attackers managed to get their hands on the OAuth tokens they used, but the company has engaged cybersecurity experts from (Google’s) Mandiant and Coalition to help them investigate and remediate the compromise.
“We are recommending that all Drift customers who manage their own Drift connections to third-party applications via API key, proactively revoke the existing key and reconnect using a new API key for these applications. This only relates to API key-based Drift integrations. OAuth applications are being handled directly by Salesloft,” the company said on August 27, and outlined the process for updating the API keys.
Salesforce has, for the moment, disabled all integrations between Salesforce and Salesloft technologies, including the Drift app.
“Disabling the connection is a precautionary measure to help safeguard customer environments while we continue to assess and address the situation. We recognize this change may cause disruption and will provide further updates as more information becomes available,” the company noted.
Likewise, Google has disabled the integration functionality between Google Workspace and Salesloft Drift pending further investigation, and has advised organizations to “review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access.”
Google Mandiant incident responders have provided extensive advice on how organizations can investigate for compromise and scan for exposed secrets and hardcoded credentials.
Astrix researchers have shared additional indicators of compromise and described AWS-specific activity to look out for. WideField threat analysts have provided guidance useful to both their customers and other affected organizations.
blog.checkpoint.com ByAmit Weigman | Office of the CTO September 2, 2025
Researchers analyze Hexstrike-AI, a next-gen AI orchestration framework linking LLMs with 150+ security tools—now repurposed by attackers to weaponize Citrix NetScaler zero-day CVEs in minutes.
Key Findings:
The emergence of Hexstrike-AI now provides the clearest embodiment of that model to date. This tool was designed to be a defender-oriented framework: “a revolutionary AI-powered offensive security framework that combines professional security tools with autonomous AI agents to deliver comprehensive security testing capabilities”, their website reads. In this context, Hexstrike-AI was positioned as a next-generation tool for red teams and security researchers.
But almost immediately after release, malicious actors began discussing how to weaponize it. Within hours, certain underground channels discussed application of the framework to exploit the Citrix NetScaler ADC and Gateway zero-day vulnerabilities disclosed last Tuesday (08/26).
This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks.
Figure 1: Dark web posts discussing HexStrike AI, shortly after its release.
The Architecture of Hexstrike-AI
Hexstrike-AI is not “just another red-team framework.” It represents a fundamental shift in how offensive cyber operations can be conducted. At its heart is an abstraction and orchestration layer that allows AI models like Claude, GPT, and Copilot to autonomously run security tooling without human micromanagement.
Figure 2: HexStrike AI MCP Toolkit.
More specifically, Hexstrike AI introduces MCP Agents, an advanced server that bridges large language models with real-world offensive capabilities. Through this integration, AI agents can autonomously run 150+ cyber security tools spanning penetration testing, vulnerability discovery, bug bounty automation, and security research.
Think of it as the conductor of an orchestra:
The AI orchestration brain interprets operator intent.
The agents (150+ tools) perform specific actions; scanning, exploiting, deploying persistence, exfiltrating data.
The abstraction layer translates vague commands like “exploit NetScaler” into precise, sequenced technical steps that align with the targeted environment.
This mirrors exactly the concept described in our recent blog: an orchestration brain that removes friction, decides which tools to deploy, and adapts dynamically in real time. We analyzed the source code and architecture of Hexstrike-AI and revealed several important aspects of its design:
MCP Orchestration Layer
The framework sets up a FastMCP server that acts as the communication hub between large language models (Claude, GPT, Copilot) and tool functions. Tools are wrapped with MCP decorators, exposing them as callable components that AI agents can invoke. This is the orchestration core; it binds the AI agent to the underlying security tools, so commands can be issued programmatically.
Tool Integration at Scale
Hexstrike-AI incorporates core network discovery and exploitation tools, beginning with Nmap scanning and extending to dozens of other reconnaissance, exploitation, and persistence modules. Each tool is abstracted into a standardized function, making orchestration seamless.
Figure 3: the nmap_scan tool is exposed as an MCP function.
Here, AI agents can call nmap_scan with simple parameters. The abstraction removes the need for an operator to run and parse Nmap manually — orchestration handles execution and results.
Automation and Resilience
The client includes retry logic and recovery handling to keep operations stable, even under failure conditions. This ensures operations continue reliably, a critical feature when chaining scans, exploits, and persistence attempts.
Figure 4: Hexstrike-AI’s automated resilience loop
Intent-to-Execution Translation
High-level commands are abstracted into workflows. The execute_command function demonstrates this. Here, an AI agent provides only a command string, and Hexstrike-AI determines how to execute it, turning intent into precise, repeatable tool actions.
Figure 5: Hexstrike-AI’s execute_command function.
Why This Matters Right Now
The release of Hexstrike-AI would be concerning in any context, because its design makes it extremely attractive to attackers. But its impact is amplified by timing.
Last Tuesday (08/26), Citrix disclosed three zero-day vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances, as follows:
CVE-2025-7775 – Unauthenticated remote code execution. Already exploited in the wild, with webshells observed on compromised appliances.
CVE-2025-7776 – A memory-handling flaw impacting NetScaler’s core processes. Exploitation not yet confirmed, but high-risk.
CVE-2025-8424 – An access control weakness on management interfaces. Also unconfirmed in the wild but exposes critical control paths.
Exploiting these vulnerabilities is non-trivial. Attackers must understand memory operations, authentication bypasses, and the peculiarities of NetScaler’s architecture. Such work has historically required highly skilled operators and weeks of development.
With Hexstrike-AI, that barrier seems to have collapsed. In underground forums over the 12 hours following the disclosure of the said vulnerabilities, we have observed threat actors discussing the use of Hexstrike-AI to scan for and exploit vulnerable NetScaler instances. Instead of painstaking manual development, AI can now automate reconnaissance, assist with exploit crafting, and facilitate payload delivery for these critical vulnerabilities.
Figure 6: Top Panel: Dark web post claiming to have successfully exploited the latest Citrix CVE’s using HexStrike AI, originally in Russian;
Bottom Panel: Dark web post translated into English using Google Translate add-on.
Certain threat actors have also published vulnerable instances they have been able to scan using the tool, which are now being offered for sale. The implications are profound:
A task that might take a human operator days or weeks can now be initiated in under 10 minutes.
Exploitation can be parallelized at scale, with agents scanning thousands of IPs simultaneously.
Decision-making becomes adaptive; failed exploit attempts can be automatically retried with variations until successful, increasing the overall exploitation yield.
The window between disclosure and mass exploitation shrinks dramatically. CVE-2025-7775 is already being exploited in the wild, and with Hexstrike-AI, the volume of attacks will only increase in the coming days.
Figure 7: Seemingly vulnerable NetScaler instances curated by HexStrike AI.
Action Items for Defenders
The immediate priority is clear: patch and harden affected systems. Citrix has already released fixed builds, and defenders must act without delay. In our technical vulnerability report, we have listed technical measures and actions defenders should take against these CVEs, mostly including hardening authentications, restricting access and threat hunting for the affected webshells.
However, Hexstrike-AI represents a broader paradigm shift, where AI orchestration will increasingly be used to weaponize vulnerabilities quickly and at scale. To defend against this new class of threat, organizations must evolve their defenses accordingly:
Adopt adaptive detection: Static signatures and rules will not suffice. Detection systems must ingest fresh intelligence, learn from ongoing attacks, and adapt dynamically.
Integrate AI-driven defense: Just as attackers are building orchestration layers, defenders must deploy AI systems capable of correlating telemetry, detecting anomalies, and responding autonomously at machine speed.
Shorten patch cycles: When the time-to-exploit is measured in hours, patching cannot be a weeks-long process. Automated patch validation and deployment pipelines are essential.
Threat intelligence fusion: Monitoring dark web discussions and underground chatter is now a critical defensive input. Early signals, such as the chatter around Hexstrike-AI and NetScaler CVEs, provide vital lead time for professionals.
Resilience engineering: Assume compromise. Architect systems with segmentation, least privilege, and robust recovery capabilities so that successful exploitation does not equate to catastrophic impact.
Conclusion
Hexstrike-AI is a watershed moment. What was once a conceptual architecture – a central orchestration brain directing AI agents – has now been embodied in a working tool. And it is already being applied against active zero days.
For defenders, we can only reinforce what has already been said in our last post: urgency in addressing today’s vulnerabilities, and foresight in preparing for a future where AI-driven orchestration is the norm. The sooner the security community adapts, patching faster, detecting smarter, and responding at machine speed, the greater our ability to keep pace in this new era of cyber conflict.
The security community has been warning about the convergence of AI orchestration and offensive tooling, and Hexstrike-AI proves those warnings weren’t theoretical. What seemed like an emerging possibility is now an operational reality, and attackers are wasting no time putting it to use.
clubic.com
Par Alexandre Boero, Journaliste-reporter, responsable de l'actu.
Publié le 01 septembre 2025 à 08h04
La plateforme TikTok Shop commercialise des trackers GPS qui ressemblent au fameux AirTag d'Apple depuis des vidéos virales qui encouragent l'espionnage de ses proches ou de son ou sa partenaire. Les ventes dépasseraient déjà les 100 000 unités.
La marketplace de TikTok héberge des vendeurs de dispositifs de géolocalisation de type AirTag. Les commerçants opèrent leurs ventes à l'aide d'arguments publicitaires qui incitent directement à surveiller secrètement son partenaire. Des vidéos aux millions de vues, des dizaines de milliers de ventes, et une modération défaillante malgré les alertes ont été signalées aux États-Unis. Si la plateforme chinoise affirme interdire ces contenus, elle peine visiblement à les supprimer, ce qui contribue à normaliser les comportements abusifs sur le célèbre réseau social.
Des vidéos à plusieurs millions de vues normalisent sur TikTok l'espionnage conjugal
D'après l'enquête menée récemment par 404 Media, les vendeurs de trackers GPS assument totalement leur positionnement toxique. « Si ta copine dit qu'elle sort juste avec des amies tous les soirs, tu ferais mieux d'en coller un sur sa voiture », peut-on entendre dans une vidéo vue des millions de fois. Le dispositif, carrément présenté comme indétectable contrairement aux AirTags, fait miroiter aux potentiels acheteurs une surveillance mondiale, grâce à la carte SIM intégrée.
Les interactions sous ces publications sont d'ailleurs symptomatiques. Un utilisateur confie dans les commentaires : « J'en ai acheté et les ai mis sur les voitures de filles que je trouve attirantes à la salle de sport. » Oui, c'est flippant, surtout lorsque le vendeur répond avec désinvolture par un émoji rieur. D'après les métriques de TikTok Shop, l'un des traceurs s'est vendu à plus de 32 500 exemplaires, quand un autre affiche quasiment 100 000 unités écoulées.
Eva Galperin, co-fondatrice de la Coalition Against Stalkerware, la coalition contre les logiciels espions, est dépitée. « C'est tout bonnement présenté comme un outil d'abus. » Elle explique que tout dispositif justifié par « attraper son partenaire en train de tromper » facilite le contrôle coercitif. Le pire, c'est que les vidéos multiplient les prétextes pour essayer de toucher plus d'utilisateurs, comme une méfiance conjugale, les références à Coldplay et à l'ex-patron d'Astronomer piégé par une kiss cam, le tout avec des accroches comme « les hommes avec des femmes infidèles, vous pourriez en vouloir un ».
TikTok supprime quelques vidéos mais le problème persiste
Questionné par 404 Media, TikTok a supprimé certaines vidéos et banni un compte, en ajoutant interdire « les contenus qui encouragent la surveillance secrète ». Pourtant, au lendemain de la réponse, le média a déniché des vidéos identiques, qui restaient accessibles. Dès qu'un utilisateur clique sur l'une de ces vidéos, l'algorithme de TikTok Shop lui recommande des produits similaires, notamment des enregistreurs audio secrets vendus avec les mêmes arguments toxiques.
Aux États-Unis, d'où lesdites vidéos ont été publiées, onze États interdisent explicitement le tracking GPS dans leurs lois anti-harcèlement, et quinze considèrent comme illégale la surveillance véhiculaire sans consentement. Les vendeurs jouent sur l'ambiguïté. Certains vont même jusqu'à manier l'ironie dans leur vidéo : « C'est illégal de tracer les gens ? Je ne sais pas, je ne suis pas avocat, mais vous aurez probablement des problèmes ». On n'arrête pas les progrès, mais surtout les dérives.
bleepingcomputer.com
By Sergiu Gatlan
September 2, 2025
Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.
The internet giant revealed on Tuesday that the attackers gained access to a Salesforce instance it uses for internal customer case management and customer support, which contained 104 Cloudflare API tokens.
Cloudflare was notified of the breach on August 23, and it alerted impacted customers of the incident on September 2. Before informing customers of the attack, it also rotated all 104 Cloudflare platform-issued tokens exfiltrated during the breach, even though it has yet to discover any suspicious activity linked to these tokens.
"Most of this information is customer contact information and basic support case data, but some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens," Cloudflare said.
"Given that Salesforce support case data contains the contents of support tickets with Cloudflare, any information that a customer may have shared with Cloudflare in our support system—including logs, tokens or passwords—should be considered compromised, and we strongly urge you to rotate any credentials that you may have shared with us through this channel."
The company's investigation found that the threat actors stole only the text contained within the Salesforce case objects (including customer support tickets and their associated data, but no attachments) between August 12 and August 17, after an initial reconnaissance stage on August 9.
These exfiltrated case objects contained only text-based data, including:
The subject line of the Salesforce case
The body of the case (which may include keys, secrets, etc., if provided by the customer to Cloudflare)
Customer contact information (for example, company name, requester's email address and phone number, company domain name, and company country)
"We believe this incident was not an isolated event but that the threat actor intended to harvest credentials and customer information for future attacks," Cloudflare added.
"Given that hundreds of organizations were affected through this Drift compromise, we suspect the threat actor will use this information to launch targeted attacks against customers across the affected organizations."
Wave of Salesforce data breaches
Since the start of the year, the ShinyHunters extortion group has been targeting Salesforce customers in data theft attacks, using voice phishing (vishing) to trick employees into linking malicious OAuth apps with their company's Salesforce instances. This tactic enabled the attackers to steal databases, which were later used to extort victims.
Since Google first wrote about these attacks in June, numerous data breaches have been linked to ShinyHunters' social engineering tactics, including those targeting Google itself, Cisco, Qantas, Allianz Life, Farmers Insurance, Workday, Adidas, as well as LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.
While some security researchers have told BleepingComputer that the Salesloft supply chain attacks involve the same threat actors, Google has found no conclusive evidence linking them.
Palo Alto Networks also confirmed over the weekend that the threat actors behind the Salesloft Drift breaches stole some support data submitted by customers, including contact info and text comments.
The Palo Alto Networks incident was also limited to its Salesforce CRM and, as the company told BleepingComputer, it did not affect any of its products, systems, or services.
The cybersecurity company observed the attackers searching for secrets, including AWS access keys (AKIA), VPN and SSO login strings, Snowflake tokens, as well as generic keywords such as "secret," "password," or "key," which could be used to breach more cloud platforms to steal data in other extortion attacks.
therecord.media | The Record from Recorded Future News
September 1st, 2025
Last week, a contract worth €10 million ($11.7 million) had been awarded to the Spanish multinational Telefónica to use Huawei kit to upgrade the RedIRIS network, effectively more than 16,000km of infrastructure. On Friday, the government reversed course for “reasons of digital strategy and strategic autonomy,” as reported by El País.
The RedIRIS upgrade using Huawei equipment had been negotiated directly with Telefónica as the company had an existing €5.5 million contract from 2020 to boost the network. The Ministry of Digital Transformation argued the new upgrade was urgent due to the demands of new digital services, supercomputing projects and the network’s connections to Spain’s defense establishment.
It was partially driven by a need to improve the RedIRIS network’s resilience to cyberattacks, despite concerns that the use of equipment provided by Chinese vendors could increase the risk of cyberattacks to Western infrastructure.
These fears are often expressed in the context of Beijing’s offensive cyber espionage activities and China’s National Intelligence Law of 2017, which allows the state to “compel anyone in China to do anything,” as summarized by Britain’s National Cyber Security Centre. Huawei has consistently argued that such criticisms are illegitimate.
The company is currently restricted from most 5G networks across the European Union, although Spain has opted out of imposing such restrictions, and faces varying levels of bans in networks of NATO allies such as the United States and the United Kingdom.
Despite the apparent political hesitation regarding restricting Huawei equipment, Spain was among more than a dozen allies who last week warned about Chinese companies compromising global critical infrastructure.
The cancellation of the Telefoníca contract comes amid alarm from Madrid’s allies about the prevalence of the Chinese company’s equipment within the Spanish telecommunications infrastructure, including the core of Telefoníca’s 5G network.
In July, the chairs of the U.S. House and Senate Intelligence panels asked the country’s spy chief to scrutinize any intelligence information the U.S. shares with Spain after the disclosure the country’s wiretap system is underpinned by Huawei technology.
Spanish Prime Minister Pedro Sánchez, who has been among the EU’s most supportive leaders regarding Huawei, has pushed back against the bloc’s efforts to restrict it from 5G networks. Huawei has opened research facilities in Madrid and is a major employer as a technology contractor for a number of public administrations.
Natasha Buckley, a researcher at RUSI and lecturer in cybersecurity at Cranfield University, previously told Recorded Future News that Spain’s approach to the company stood in stark contrast to that of other NATO allies and many EU member states.
“Spain’s stance on high-risk technology vendors places greater emphasis on supply chain reliability than on geopolitical considerations, setting it apart from more restrictive approaches seen in countries like the UK, the Netherlands and Poland.
“While the EU’s 5G Cybersecurity Toolbox recommends limiting or excluding high-risk Chinese suppliers like Huawei, Spain’s implementation has been uneven. Huawei is restricted from some public 5G projects, yet its servers have been approved to store sensitive police wiretap data. The result is a case-by-case approach that falls short of a clearly defined policy towards high-risk vendors,” Buckley said.
justice.gov District of New Mexico | U.S. Government Seizes Online Marketplaces Selling Fraudulent Identity Documents Used in Cybercrime Schemes | United States Department of Justice
Thursday, August 28, 2025
The operators of VerifTools produced and sold counterfeit driver’s licenses, passports, and other identification documents that could be used to bypass identity verification systems and gain unauthorized access to online accounts.
ALBUQUERQUE – The U.S. Attorney’s Office for the District of New Mexico announced today the seizure of two marketplace domains and one blog used to sell fraudulent identity documents to cybercriminals worldwide. The operators of VerifTools produced and sold counterfeit driver’s licenses, passports, and other identification documents that could be used to bypass identity verification systems and gain unauthorized access to online accounts.
The Federal Bureau of Investigation (FBI) began investigating in August 2022 after discovering a conspiracy to use stolen identity information to access cryptocurrency accounts. The investigation revealed that VerifTools offered counterfeit identification documents for all 50 U.S. states and multiple foreign countries for as little as nine dollars, payable in cryptocurrency.
The FBI used the VerifTools marketplace to generate and purchase counterfeit New Mexico driver’s licenses, which were paid for with cryptocurrency. The FBI has identified the equivalent of approximately $6.4 million of illicit proceeds linked to the VerifTools marketplace. The following counterfeit documents are an example of New Mexico driver’s licenses obtained from VerifTools.
“The internet is not a refuge for criminals. If you build or sell tools that let offenders impersonate victims, you are part of the crime,” said Acting U.S. Attorney Ryan Ellison. “We will use every lawful tool to disrupt your business, take the profit out of it, and bring you to justice. No one operation is bigger than us together. With our partners at every level of law enforcement we will protect New Mexicans and defend those who stand up for our community.”
"The removal of this marketplace is a major step in protecting the public from fraud and identity theft crime," said Philip Russell, Acting Special Agent in Charge of the FBI Albuquerque Division. "Together with our partners, we will continue to target and dismantle the platforms that criminals depend on, no matter where they operate."Acting U.S. Attorney Ryan Ellison and Acting Special Agent in Charge Philip Russell of the FBI’s Albuquerque Field Office made the announcement today.
The FBI’s Albuquerque Field Office investigated this case. The Justice Department’s Office of International Affairs provided valuable assistance.
The Justice Department collaborated closely with investigators and prosecutors from multiple jurisdictions in this investigation, including the District of New Mexico, Eastern District of Virginia, the Dutch National Police and the Netherlands Public Prosecution Service.
developers.googleblog.com
JULY 18, 2024
Sumit Chandel
Developer Relations Engineer
Understand how you will be impacted by our decision to turn off the serving portion of Google URL Shortener.
Updated August 1, 2025: While we previously announced discontinuing support for all goo.gl URLs after August 25, 2025, we've adjusted our approach in order to preserve actively used links.
We understand these links are embedded in countless documents, videos, posts and more, and we appreciate the input received.
Nine months ago, we redirected URLs that showed no activity in late 2024 to a message specifying that the link would be deactivated in August, and these are the only links targeted to be deactivated. If you get a message that states, “This link will no longer work in the near future”, the link won't work after August 25 and we recommend transitioning to another URL shortener if you haven’t already.
All other goo.gl links will be preserved and will continue to function as normal. To check if your link will be retained, visit the link today. If your link redirects you without a message, it will continue to work.In 2018, we announced the deprecation and transition of Google URL Shortener because of the changes we’ve seen in how people find content on the internet, and the number of new popular URL shortening services that emerged in that time. This meant that we no longer accepted new URLs to shorten but that we would continue serving existing URLs.
Over time, these existing URLs saw less and less traffic as the years went on - in fact more than 99% of them had no activity in the last month.
As such, we will be turning off Google URL Shortener. Please read on below to understand more about how this may impact you.
Who is impacted?
Any developers using links built with the Google URL Shortener in the form https://goo.gl/* will be impacted, and these URLs will no longer return a response after August 25th, 2025. We recommend transitioning these links to another URL shortener provider.
Note that goo.gl links generated via Google apps (such as Maps sharing) will continue to function.
What to expect
Starting August 23, 2024, goo.gl links will start displaying an interstitial page for a percentage of existing links notifying your users that the link will no longer be supported after August 25th, 2025 prior to navigating to the original target page.
Over time the percentage of links that will show the interstitial page will increase until the shutdown date. This interstitial page should help you track and adjust any affected links that you will need to transition as part of this change. We will continue to display this interstitial page until the shutdown date after which all links served will return a 404 response.
Note that the interstitial page may cause disruptions in the current flow of your goo.gl links. For example, if you are using other 302 redirects, the interstitial page may prevent the redirect flow from completing correctly. If you’ve embedded social metadata in your destination page, the interstitial page will likely cause these to no longer show up where the initial link is displayed. For this reason, we advise transitioning these links as soon as possible.
Note: In the event the interstitial page is disrupting your use cases, you can suppress it by adding the query param “si=1” to existing goo.gl links.We understand the transition away from using goo.gl short links may cause some inconvenience. If you have any questions or concerns, please reach out to us at Firebase Support. Thank you for using the service and we hope you join us in moving forward into new and innovative ways for navigating web and app experiences.
zscaler.com August 30, 2025
Zscaler swiftly mitigates a security incident impacting Salesloft Drift, and ensuring robust protection against potential vulnerabilities.
At Zscaler, protecting your data and maintaining transparency are core to our mission to secure, simplify and accelerate businesses transformation. We are committed to keeping you informed about key developments that may impact your organization.
What Happened?
Zscaler was made aware of a campaign targeted at Salesloft Drift (marketing software-as-a-service) and impacting a large number of Salesforce customers. This incident involved the theft of OAuth tokens connected to Salesloft Drift, a third-party application used for automating sales workflows that integrates with Salesforce databases to manage leads and contact information.
The scope of the incident is confined to Salesforce and does not involve access to any of Zscaler's products, services or underlying systems and infrastructure.
As part of this campaign, unauthorized actors gained access to Salesloft Drift credentials of its customers including Zscaler. Following a detailed review as part of our ongoing investigation, we have determined that these credentials have allowed limited access to some Zscaler Salesforce information.
What Information May Be Affected?
The information accessed was limited to commonly available business contact details for points of contact and specific Salesforce related content, including:
Names
Business email addresses
Job titles
Phone numbers
Regional/location details
Zscaler product licensing and commercial information
Plain text content from certain support cases [this does NOT include attachments, files, and images]After extensive investigation, Zscaler has currently found no evidence to suggest misuse of this information. If anything changes, we will provide further communications and updates.
What Did Zscaler Do?
Zscaler acted swiftly to address the incident and mitigate risks. Steps taken include:
Revoking Salesloft Drift’s access to Zscaler’s Salesforce data
Out of an abundance of caution, rotating other API access tokens.
Launching a detailed investigation into the scope of the event, working closely with Salesforce to assess and understand impacts as they continue investigating.
Implementing additional safeguards and strengthening protocols to defend against similar incidents in the future.
Immediately launched a third party risk management investigation for third party vendors used by Zscaler.
Zscaler Customer Support team has further strengthened customer authentication protocol when responding to customer calls to safeguard against potential phishing attacks.What You Can Do
Although the incident’s scope remains limited (as stated above) and no evidence of misuse has been found, we recommend that customers maintain heightened vigilance. Please be wary of potential phishing attacks or social engineering attempts, which could leverage exposed contact details.
Given that other organizations have suffered similar incidents stemming from Salesloft Drift, it’s crucial to exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information. Always verify the source of communication and never disclose passwords or financial data via unofficial channels.
Zscaler Support will never request authentication or authorization details through unsolicited outreach, including phone calls or SMS. All official Zscaler communications come from trusted Zscaler channels. Please exercise caution and report any suspicious phishing activity to security@zscaler.com.