Attacks & Vulnerabilities

Supply-chain attack hits Zscaler via Salesloft Drift, leaking customer info (3 minute read)
Zscaler confirmed that a threat actor compromised OAuth tokens via the Salesloft Drift integration between August 8 and 18, exposing business contacts and Salesforce data. Core infrastructure remained secure, but the breach revealed names, emails, job titles, phone numbers, and licensing information. The attack extended beyond Salesforce, targeting AWS keys and Snowflake tokens across multiple organizations. Zscaler revoked Drift's access and rotated API tokens.

Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram (6 minute read)
The Go module "golang-random-ip-ssh-bruteforce" mimics an SSH brute-force tool but secretly exfiltrates credentials to a Telegram bot (@sshZXC_bot) controlled by the Russian-speaking threat actor IllDieAnyway. It scans random IPv4 addresses on port 22, attempts to log in with default IoT credentials (such as "root"/"admin" with passwords like "toor"), and stops after the first successful login to avoid detection. Active since June 2022 and still on pkg.go.dev despite removal requests, it exploits trust in security tools and turns them into credential harvesters; it uses ssh.InsecureIgnoreHostKey() and the HTTPS Telegram API to evade monitoring.

Palo Alto Networks Data Breach Exposes Customer Info, Support Cases (2 minute read)
Palo Alto Networks suffered a data breach due to OAuth tokens compromised in the Salesloft Drift breach. The attacker primarily extracted business content and related account information, internal sales account records, and basic case data from its Salesforce environment. They were searching for secrets, including AWS access keys, Snowflake tokens, VPN and SSO login strings, and generic keywords.

Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth (10 minute read)
Attackers have been exploiting CVE-2024-36401 in GeoServer to deploy legitimate SDKs and bandwidth-sharing apps that monetize victims' internet connections, operating stealthily with minimal resource consumption while generating passive income through residential proxy networks. The campaign uses Dart-compiled executables distributed via transfer. To maintain persistence, attackers are targeting over 7,000 exposed GeoServer instances globally, while evading detection by shifting their infrastructure across different IP addresses. The exploit leverages JXPath extension functions to achieve remote code execution, allowing attackers to download and execute monetization payloads that masquerade as legitimate passive-income services.

Beyond IAM Access Keys: Modern Authentication Approaches for AWS (4 minute read)
Long-lived IAM access keys carry risks such as credential exposure, unauthorized sharing, or theft. AWS CLI access can be obtained through CloudShell or via IAM Identity Center, avoiding access keys entirely. Users can work from IDEs without access keys by using the AWS Toolkit extension for IDEs such as VS Code. CI/CD pipelines, on-premises workloads, and third-party applications can use IAM roles instead of access keys.

The Wonderfully Lazy Way to SSH Into Your Computers (4 minute read)
Tailscale offers a web-based SSH tool called Tailscale SSH that can be used to SSH into connected devices without managing SSH keys. It uses an ephemeral authentication key to create an end-to-end encrypted tunnel in a pop-out browser window, allowing one-click access from the admin panel. Tailscale SSH requires users to run the open-source version of Tailscale's Mac client to access Macs and does not work on Synology or QNAP systems.

SAMLSmith (GitHub Repo)
SAMLSmith is a C# tool for creating custom SAML responses and executing Silver SAML and Golden SAML attacks. It offers extensive features for security researchers and penetration testers working with SAML-based authentication systems.

We Built the Security Layer MCP Always Needed (6 minute read)
`mcp-context-protector` is a security wrapper for LLM apps using MCP that defends against line-jumping attacks and prompt injection via tool descriptions and ANSI escape codes. It requires users to review new and modified server descriptions and tool definitions. The tool sanitizes ANSI sequences to prevent prompt injection and is implemented as an MCP. It is unable to evaluate chain-of-thought attacks.

Burpa (GitHub Repo)
This repository is a maintained fork of the Burp Automator tool, originally at 0x4D31/burpa, which was abandoned. It provides a high-level CLI and Python interface to the Burp Suite scanner and can be used to set up Dynamic Application Security Testing (DAST).

ISO 27001:2022 Requirements Explained for 2025 (7 minute read)
Any organization that wishes to retain its ISO 27001 certification must upgrade to the latest 2022 standard by October. This post breaks down the clauses that cover formal certification requirements and are the focus of the audit process, and gives examples of how each clause can be applied in practice. It also highlights which Annex A controls were revised or added in the 2022 standard.

Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime (8 minute read)
Modern infostealers operate through a sophisticated malware-as-a-service model, executing complete credential harvests within minutes using silent entry, stealthy data collection (including session cookies that bypass MFA), and traceless exfiltration before victims realize they've been compromised. These tools have evolved from simple keyloggers into turnkey identity-harvesting systems that extract browser credentials, hardware IDs, personal documents, and cryptocurrency wallets, with stolen logs selling for as little as $10 on underground markets and Telegram channels. The harvested credentials serve as the foundation for 90% of corporate breaches, enabling initial access brokers to monetize compromised accounts through ransomware operations, financial fraud, and identity theft in an increasingly specialized cybercrime economy.

Jaguar Land Rover Shuts Down in Scramble to Secure 'Cyber Incident' (2 minute read)
Jaguar Land Rover halted operations after a cyberattack disrupted its retail and production activities. The company is carefully rebooting its global applications and reports no customer data theft so far. Experts say the breach was spotted late, and JLR is now working with responders to restore service and lock attackers out of its systems.

Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile