Fail-Safe Friday - 08/29/25
Executive Action Brief
Another high-impact week in cyber: Nevada's state systems were hit by ransomware with confirmed data exfiltration; a stealthy Mirai-derived botnet known as "Gayfemboy" is running DDoS attacks globally; and regulators are now fining insurers such as Healthplex for inadequate security controls. This weekend, identity hygiene and infrastructure resilience are your best defense.
Top-level takeaways this week:
Ransomware & extortion remain elevated, with state-level breaches (Nevada, Maryland MTA) and exfiltration-first operations.
Zero-days & exploits spike, with in-the-wild exploitation of Citrix NetScaler ADC/Gateway (CVE-2025-7775) and Apple ImageIO (CVE-2025-43300).
Supply chain risk persists as a hidden multiplier: third-party SaaS integrations and support applications (Salesloft Drift, the TransUnion support app) were the entry point, not the victim's own perimeter.
1) Widespread Salesforce data theft via Salesloft Drift OAuth tokens – High
What changed: Google GTIG and Mandiant detail a campaign (actor UNC6395) that exported data from hundreds of Salesforce tenants using compromised OAuth/refresh tokens from the Salesloft Drift app; Google also confirms a small number of Google Workspace email accounts were accessed via related tokens. See Google’s advisory, corroborating reports in CyberScoop and SecurityWeek, and a Workspace update from BleepingComputer.
Why this matters: a replayed OAuth access or refresh token is already post-authentication, so MFA never fires and the traffic rides inside an approved app integration that your controls trust. Stolen CRM records routinely contain credentials and secrets (for example AWS access keys pasted into cases and notes) that fuel follow-on compromise across your stack.
2) Citrix NetScaler ADC/Gateway zero-day (CVE-2025-7775) – High
What changed this week: Citrix confirmed exploitation; CISA added it to KEV with a 48-hour FCEB remediation window; defenders report active scanning/exploitation. Coverage: CISA alert, Help Net Security, CSO Online.
Why this matters: Edge devices are single-hop entry points into internal apps and identity—one missed ADC can become a domain pivot and SaaS session hijack platform.
3) Maryland Transit cyber incident impacts scheduling – High
What changed this week: MTA’s official status says core services run, but Mobility paratransit can’t book or rebook new trips; The Record notes a broader state response with emergency operations support.
Why this matters: real-world impact without mass encryption. Availability hits and citizen-service backlogs occur even while the core network stays up.
4) TransUnion breach (4.4M affected) – High
What changed this week: TransUnion filings and reporting show 4.4M impacted via a third-party support app; SSNs exposed in at least one state filing; Google’s write-up links similar data-theft to Salesforce token abuse.
Why this matters: Reinforces that data exfiltration—not encryption—is the cost driver (notification, litigation, partner obligations).
5) Apple zero-day (CVE-2025-43300) exploited in attacks – Medium
What changed this week: Apple patched an out-of-bounds write in ImageIO that is triggered by processing a malicious image file; Apple states it may have been exploited in an extremely sophisticated attack against specific targeted individuals. Patch levels: iOS/iPadOS 18.6.2 and 17.7.10, macOS Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8.
Why this matters: image-parsing bugs of this kind are the signature of targeted spyware, and the same actors blend espionage with pre-positioning. Assume long dwell on any device that handled untrusted images before patching, and require evidence-based patch and hardening attestations from teams and vendors rather than self-reported "we're current."
| Stage | Vector | What we're seeing |
|---|---|---|
| Initial access | OAuth & SaaS apps; edge devices | OAuth token replay against Salesforce via Salesloft Drift app tokens; exploitation of CVE-2025-7775 on NetScaler ADC/Gateway for edge footholds. |
| Lateral/persist | Token & service abuse | Mining exfiltrated CRM data for AWS keys and Snowflake tokens; session hijacking and service principal misuse; device-to-identity pivots from ADCs. |
| Impact | Data theft → extortion; service disruption | Exfil-first operations lead to regulatory and brand damage (e.g., TransUnion); availability hits in public services (MTA Mobility) without full network takedowns. |
🔄 Patch & Hardening
NetScaler ADC/Gateway: Patch immediately for CVE-2025-7775; verify appliances configured as Gateway/AAA are updated; assume active exploitation and review for indicators.
SaaS (Salesforce): Follow Google GTIG guidance—revoke/rotate Salesloft Drift tokens, audit Connected Apps, and search export logs for anomalous bulk downloads; Salesforce removed Drift from the AppExchange pending investigation.
Git across Linux/macOS builders: Ensure versions are patched for CVE-2025-48384 (arbitrary file write during recursive clone via a CRLF-terminated submodule path in .gitmodules); CISA added it to KEV this week (Aug 25). Check CI runners and developer images, not just workstations.
Apple fleet: Enforce updates closing CVE-2025-43300 across iOS/iPadOS/macOS; confirm MDM compliance by Monday.
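A branch-aware check for the Git and Apple version items above, added here as a worked example (not vendor tooling or code from the newsletter). The Apple minimums are the versions listed in this issue; the Git minimums are the fixed releases for CVE-2025-48384 from Git's July 2025 security release (2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, 2.50.1). The inventory rows and host names are constructed. The point a plain "version >= latest" test misses: fixes ship to several maintenance lines, so Git 2.47.3 is patched while 2.48.1 is not, and a line with no fixed release (2.39.x here) should be escalated rather than assumed safe.

```python
"""Branch-aware patch-state check for the Git and Apple items above.

Added example for this newsletter, not vendor code. Apple minimums are the
versions listed in this issue; Git minimums are the fixed releases for
CVE-2025-48384 from Git's July 2025 security release. INVENTORY is constructed.
"""
import re

# Minimum patched version per release line. Git fixes landed on eight
# maintenance lines, so the line (major.minor) decides the floor; Apple
# lines are keyed by major version.
PATCHED = {
    "git": {"2.43": (2, 43, 7), "2.44": (2, 44, 4), "2.45": (2, 45, 4), "2.46": (2, 46, 4),
            "2.47": (2, 47, 3), "2.48": (2, 48, 2), "2.49": (2, 49, 1), "2.50": (2, 50, 1)},
    "ios": {"18": (18, 6, 2), "17": (17, 7, 10)},
    "ipados": {"18": (18, 6, 2), "17": (17, 7, 10)},
    "macos": {"15": (15, 6, 1), "14": (14, 7, 8), "13": (13, 7, 8)},
}
LINE_DEPTH = {"git": 2}   # leading components that identify a release line (default 1)


def parse_version(s):
    """'git version 2.47.3' -> (2, 47, 3); tolerates 'v' prefixes and vendor suffixes."""
    m = re.search(r"(\d+(?:\.\d+)+)", s)
    if not m:
        raise ValueError(f"no version in {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def patch_state(product, version):
    """Return 'patched', 'vulnerable' or 'unknown-line'.

    'unknown-line' (e.g. Git 2.39.x, which received no fix) must be escalated,
    not treated as safe: it usually means an end-of-life line still in use."""
    v = parse_version(version)
    line = ".".join(str(p) for p in v[:LINE_DEPTH.get(product, 1)])
    minimum = PATCHED[product].get(line)
    if minimum is None:
        return "unknown-line"
    return "patched" if v >= minimum else "vulnerable"


# Constructed inventory: (host, product, version string as reported by the host)
INVENTORY = [
    ("build-01", "git", "git version 2.47.3"),
    ("build-02", "git", "git version 2.48.1"),
    ("build-03", "git", "git version 2.39.5"),
    ("cfo-iphone", "ios", "18.6.2"),
    ("ops-mac", "macos", "Version 14.7.7"),
]


def audit(inventory):
    """Hosts that cannot be attested as patched, with the reason."""
    return [(host, product, version, state)
            for host, product, version in inventory
            if (state := patch_state(product, version)) != "patched"]


if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row)
```

Feed it the version strings your MDM or CI inventory already exports; anything that is not "patched" goes into the Monday attestation as an open item, with "unknown-line" hosts treated as the more urgent of the two.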
🧑‍💻 People & Monitoring
Identity/SaaS hunters: Alert on Salesforce data export spikes, Connected App changes, and OAuth refresh token activity tied to Salesloft Drift; investigate for secret harvesting patterns.
Edge telemetry: Watch NetScaler for AAA/Gateway requests and post-auth anomalies; validate WAF/VPN logs are streaming and retained.
Public-service ops: Validate contingency plans for scheduling/real-time info outages (Maryland MTA case).
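The hunt described in the Identity/SaaS item above, as an added example (not Google GTIG, Salesforce or Salesloft code). It runs two checks over constructed data: a sliding-window detector over simplified event-log rows (the column names are assumptions, not the exact Salesforce EventLogFile schema) that flags a user/connected-app pair either exporting a large row count or enumerating several core objects within a short window, and a pattern scan over exported field text for the secret types this campaign is reported to have mined from CRM data (AWS access key IDs, Snowflake references, plaintext passwords). Thresholds are illustrative starting points.

```python
"""Hunt for Salesforce bulk-export abuse and secret harvesting in CRM data.

Added example for this newsletter, not code from Google GTIG, Salesforce or
Salesloft. SAMPLE_LOG is a constructed, simplified CSV in the spirit of
Salesforce EventLogFile rows; the column names are assumptions, not the exact
platform schema. Thresholds are illustrative.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a Drift-style connected app replays a token and pages
# through several core objects via the Bulk API; the last row is a normal
# one-off report export by a different user.
SAMPLE_LOG = """\
TIMESTAMP,EVENT_TYPE,USER_ID,CONNECTED_APP,CLIENT_IP,ENTITY_TYPE,ROWS_PROCESSED
2025-08-08T01:02:03Z,BulkApi,005ABC,Drift,203.0.113.9,Account,250000
2025-08-08T01:04:10Z,BulkApi,005ABC,Drift,203.0.113.9,Contact,410000
2025-08-08T01:06:30Z,BulkApi,005ABC,Drift,203.0.113.9,Case,120000
2025-08-08T01:08:45Z,BulkApi,005ABC,Drift,203.0.113.9,Opportunity,90000
2025-08-08T09:30:00Z,ReportExport,005XYZ,Salesforce,198.51.100.7,Opportunity,1800
"""

ROW_THRESHOLD = 100_000          # rows exported by one user/app inside WINDOW
MIN_ENTITIES = 3                 # distinct core objects touched inside WINDOW
WINDOW = timedelta(hours=1)
CORE_OBJECTS = {"Account", "Contact", "Case", "Opportunity"}
EXPORT_EVENTS = {"BulkApi", "ReportExport"}


def parse_events(text):
    """Parse the CSV into dicts with a datetime and integer row count, sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        row["rows"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def flag_bulk_exports(events, row_threshold=ROW_THRESHOLD,
                      min_entities=MIN_ENTITIES, window=WINDOW):
    """One finding per (user, connected app) whose exports inside a sliding window
    exceed the row threshold OR enumerate several core objects. The second test
    matters at small volumes too: walking Account/Contact/Case/Opportunity in
    minutes is secret hunting, not reporting."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EVENT_TYPE"] in EXPORT_EVENTS:
            by_actor[(e["USER_ID"], e["CONNECTED_APP"])].append(e)
    findings = []
    for (user, app), evs in by_actor.items():
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            rows = sum(e["rows"] for e in burst)
            objects = {e["ENTITY_TYPE"] for e in burst} & CORE_OBJECTS
            if rows >= row_threshold or len(objects) >= min_entities:
                findings.append({"user": user, "app": app,
                                 "client_ip": start["CLIENT_IP"],
                                 "rows": rows, "objects": sorted(objects)})
                break  # one finding per actor is enough to open a case
    return findings


# What a thief greps exported CRM text for. The AWS key-ID format is public;
# the other two are loose keyword heuristics (assumptions) that will need tuning.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "snowflake_ref": re.compile(r"\bsnowflake\b.{0,40}\b(token|password|key)\b", re.I),
    "plaintext_password": re.compile(r"\bpass(word)?\s*[:=]\s*\S{6,}", re.I),
}


def find_secrets(text):
    """Return the secret types present in a blob of exported field text. Run it
    over your own export to learn what an attacker would already have found."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


# Constructed Case-description text of the kind that ends up in CRM notes.
SAMPLE_EXPORT = ("Customer pasted deploy creds: AKIAIOSFODNN7EXAMPLE and "
                 "password=Summer2025! for the snowflake prod warehouse token rotation.")

if __name__ == "__main__":
    for f in flag_bulk_exports(parse_events(SAMPLE_LOG)):
        print("BULK-EXPORT", f)
    print("SECRETS", find_secrets(SAMPLE_EXPORT))
```

Two design choices worth keeping when you port this to real event logs: key findings on the connected app as well as the user, because a replayed integration token looks like a legitimate user from the login side and only the app identity separates it; and treat a hit from find_secrets on your own export as a rotation list, since any secret it finds was available to whoever pulled the data first.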
📋 Process
Change freeze exceptions: Pre-approve only NetScaler emergency patches and OAuth credential rotation over the weekend.
IR playbooks: Update OAuth token replay and SaaS bulk-export triage; add ADC edge-to-identity pivot hunting steps.
🤝 Partners
MSP/MSSP & ISV attestations: Require written confirmation of NetScaler patch state, Salesforce token revocations, and 24×7 escalation paths for the weekend.
Third-party risk: Ask vendors whether they use Salesloft Drift (or similar integrations) and whether OAuth tokens were rotated.
Non-human identities (OAuth, service accounts) are the fastest-moving risk this week.
Edge devices remain high-ROI targets… one unpatched ADC equals enterprise access.
Data-theft-first campaigns are the cost driver; exfiltration ≠ “no impact.”
🔄 Attest: NetScaler patching for CVE-2025-7775 is complete, and monitoring and retention of ADC logs have been verified.
📊 Direct a Salesforce/Connected-Apps audit: revoke/rotate Salesloft Drift tokens, pull export logs, and report findings on Monday.
💼 Confirm: Git builder versions are remediated for CVE-2025-48384 and Apple fleet is current for CVE-2025-43300.
🔹 Schedule Monday tabletop: “OAuth-token replay → CRM data exfil → cloud secret compromise.”
Final Insight: Quiet weekends aren’t luck—they’re the product of OAuth hygiene, edge patching, and proof-based monitoring.