Recent Breaches/Incidents

Cisco.com User Data Breach via Vishing Attack

URL: https://www.bleepingcomputer.com/news/security/cisco-discloses-data-breach-impacting-ciscocom-user-accounts/

Description:

Cisco disclosed a data breach that compromised user accounts on Cisco.com, stemming from a vishing attack targeting one of its representatives. On July 24, a cybercriminal used a phone call to trick an employee into granting access to a third-party CRM system used by Cisco. Basic profile data, including names, organization, email, user IDs, addresses, phone numbers, and account metadata, was extracted.

Cisco clarified that no passwords, organizational customer proprietary data, internal systems, or other CRM instances were compromised. Upon discovery, Cisco revoked the attacker’s access and launched an investigation. The company is re-educating staff on social engineering, working with data protection authorities, and notifying affected users where legally required.

Google’s Threat Intelligence Group (GTIG) has uncovered a sophisticated cyber campaign involving threat actor cluster UNC6040, associated with the ShinyHunters extortion group. Attackers use voice phishing (vishing) to impersonate IT support, guiding employees to authorize a malicious version of Salesforce’s Data Loader via a connected‑app setup workflow. Once installed, the rogue app gives attackers full access to export sensitive Salesforce data and potentially pivot to other systems such as Okta and Microsoft 365.

Organizations reliant on Salesforce or third-party CRM platforms should urgently audit app permissions, enhance human security training, and validate connected‑app deployments. Prompt detection, response, and a proactive stance on social engineering are decisive in thwarting these campaigns.
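One way to act on the connected-app audit recommended above, as an added example that is not Cisco's, Google's or Salesforce's code: it reviews constructed connected-app authorization records and flags Data Loader lookalikes whose client id is not the known-good one, plus recent high-privilege grants made by non-admins. The record fields, the admin list and the known-good client id placeholder are assumptions, not Salesforce's export schema.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed record shape (an assumption, not Salesforce's own schema) for one
# connected-app authorization as it might appear in an OAuth-usage export.
@dataclass
class AppAuth:
    app_name: str
    client_id: str
    scopes: set[str]
    authorized_by: str
    authorized_on: date

# Placeholder: replace with the client id of the Data Loader app your tenant trusts.
KNOWN_GOOD_DATA_LOADER_ID = "PLACEHOLDER_KNOWN_GOOD_CLIENT_ID"
ADMIN_USERS = {"sf-admin@example.com"}            # assumed list of approvers
HIGH_RISK_SCOPES = {"full", "refresh_token", "api"}  # scopes that permit bulk export

def review_app(auth: AppAuth, today: date, new_days: int = 14) -> list[str]:
    """Return the findings for one authorization; an empty list means clean."""
    findings = []
    looks_like_loader = re.search(r"data\s*loader", auth.app_name, re.I) is not None
    if looks_like_loader and auth.client_id != KNOWN_GOOD_DATA_LOADER_ID:
        findings.append("lookalike: Data Loader name with unknown client id")
    risky = auth.scopes & HIGH_RISK_SCOPES
    recent = (today - auth.authorized_on).days <= new_days
    if risky and recent and auth.authorized_by not in ADMIN_USERS:
        findings.append(f"recent high-privilege grant by non-admin: {sorted(risky)}")
    return findings

def audit(auths: list[AppAuth], today: date) -> dict[str, list[str]]:
    """Map client_id -> findings for every authorization that has at least one."""
    result = {}
    for a in auths:
        findings = review_app(a, today)
        if findings:
            result[a.client_id] = findings
    return result

# Constructed sample: one legitimate Data Loader grant, one lookalike authorized
# by a sales user three days ago, and one low-privilege benign app.
SAMPLE_AUTHS = [
    AppAuth("Data Loader", KNOWN_GOOD_DATA_LOADER_ID, {"api", "refresh_token"},
            "sf-admin@example.com", date(2025, 3, 2)),
    AppAuth("Data Loader (Support)", "CONSTRUCTED_ROGUE_ID", {"full", "refresh_token", "api"},
            "sales-rep@example.com", date(2025, 7, 22)),
    AppAuth("Expense Connector", "CONSTRUCTED_BENIGN_ID", {"id"},
            "sales-rep@example.com", date(2025, 7, 20)),
]

def run_sample() -> dict[str, list[str]]:
    return audit(SAMPLE_AUTHS, date(2025, 7, 25))
```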

Advisories / Vulnerabilities / Alerts

1. FBI Alert: Scammers Masquerading as Health Fraud Investigators to Steal Sensitive Data

Source Advisory URL: https://www.bleepingcomputer.com/news/security/fbi-warns-cybercriminals-steal-health-data-posing-as-fraud-investigators/

Description:

The FBI has issued a public warning about a new wave of cybercriminal schemes where actors impersonate health insurer fraud investigators to trick individuals into revealing personal and medical information.

Victims receive unsolicited emails, texts, or calls claiming to be from legitimate health insurers, often including alarming messages about alleged overpayments or fraud. The intent is to pressure recipients into divulging personal health data or financial details, uploading medical records, or even sending payments for bogus reimbursements.

Recommended Actions:

  • Verify authenticity—contact your insurer directly, not via provided links or phone numbers.
  • Be cautious of any unsolicited communications requesting sensitive data.
  • Use strong passwords and enable Multi-Factor Authentication (MFA).

  • Disconnect and report any suspicious outreach immediately.

2. VMware Security Advisory Summary – VMSA-2025-0013

Source Advisory URL: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

Description:

On July 15, 2025, Broadcom issued a critical security advisory (VMSA‑2025‑0013) affecting VMware ESXi, Workstation, Fusion, and VMware Tools. The advisory addresses four vulnerabilities, three of which are rated Critical with a CVSS score of 9.3, allowing potential VM escape and code execution on the host.

Key vulnerabilities:

  • CVE-2025-41236 / CVE-2025-41237 / CVE-2025-41238 (Critical)
    Exploitable flaws in VMXNET3, VMCI, and PVSCSI components can allow attackers inside a VM to execute code on the host.
  • CVE-2025-41239 (Important)
    A memory handling issue in vSockets and VMware Tools could lead to sensitive data exposure.

Recommended Actions:

  • Apply the latest patches provided by Broadcom immediately.
  • Review and secure all systems running affected VMware products.

3. SonicWall Urges Admins to Disable SSLVPN Amid Spike in Ransomware Attacks

Source Advisory URL: https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Description:

On August 4, 2025, SonicWall issued an urgent advisory urging administrators of Gen 7 firewalls to immediately disable SSLVPN services, following an alarming uptick in ransomware attacks that appear to exploit a suspected zero‑day vulnerability in those systems.

Security firms such as Arctic Wolf Labs, Google Mandiant, and Huntress have detected multiple Akira ransomware campaigns since mid‑July targeting SonicWall’s SSLVPN functionality. Attackers appear to bypass multi-factor authentication, escalate privileges, pivot to domain controllers, and deploy ransomware in a matter of hours in compromised environments.

Recommended Actions:

  • Disable SSLVPN immediately, unless absolutely necessary.
  • If disabling is not possible, restrict SSLVPN access to a trusted IP‑address allow‑list.
  • Enable security services like Botnet Protection and Geo‑IP Filtering to block known malicious sources.
  • Enforce robust MFA for all remote access—even though bypasses have been reported, MFA remains a critical layer.
  • Remove inactive or unused local firewall accounts, especially those with VPN permissions.
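Two of the recommendations above, the IP allow-list for remote access and the removal of inactive VPN-capable local accounts, are checkable from exported data. The following is an added example, not SonicWall's own tooling: it runs constructed login records and a constructed local-account table (field names are assumptions, not SonicWall's log or configuration format) against an allow-list and an idle-time threshold.

```python
import ipaddress
from datetime import date

# Assumed allow-list of trusted source networks (RFC 5737 documentation ranges).
ALLOW_LIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")]

# Constructed remote-access logins: (username, source_ip, login_date).
LOGINS = [
    ("alice", "203.0.113.45", date(2025, 8, 3)),
    ("svc-backup", "192.0.2.77", date(2025, 8, 4)),   # source outside the allow-list
    ("bob", "198.51.100.10", date(2025, 8, 1)),
]

# Constructed local-account table: VPN permission flag and last successful login.
LOCAL_ACCOUNTS = {
    "alice":      {"vpn": True,  "last_login": date(2025, 8, 3)},
    "bob":        {"vpn": True,  "last_login": date(2025, 8, 1)},
    "contractor": {"vpn": True,  "last_login": date(2025, 2, 11)},  # idle for months
    "audit":      {"vpn": False, "last_login": date(2024, 12, 1)},  # idle, but no VPN right
}

def outside_allow_list(logins, allow_list=ALLOW_LIST):
    """Return the logins whose source address is in none of the allowed networks."""
    hits = []
    for user, ip, when in logins:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allow_list):
            hits.append((user, ip, when))
    return hits

def stale_vpn_accounts(accounts, today, max_idle_days=90):
    """Return VPN-enabled local accounts idle longer than max_idle_days, sorted by name."""
    return sorted(name for name, acct in accounts.items()
                  if acct["vpn"] and (today - acct["last_login"]).days > max_idle_days)

def run_sample():
    today = date(2025, 8, 5)
    return {
        "allow_list_violations": outside_allow_list(LOGINS),
        "stale_vpn_accounts": stale_vpn_accounts(LOCAL_ACCOUNTS, today),
    }

if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```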