CERT-SE's weekly newsletter, week 38
This week's reading includes articles on continued challenges with ransomware attacks, but also successes in taking down phishing services. As usual, there are also plenty of reports and analyses.
CERT-SE wishes you a pleasant weekend!
News this week
FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data (14 sep) https://www.bleepingcomputer.com/news/security/fbi-warns-of-unc6040-unc6395-hackers-stealing-salesforce-data/
A Quarter of UK and US Firms Suffer Data Poisoning Attacks (17 sep) https://www.infosecurity-magazine.com/news/quarter-uk-us-firms-data-poisoning/
Scattered Spider gang feigns retirement, breaks into bank instead (17 sep) https://www.theregister.com/2025/09/17/scattered_spider_bank_attack/
Microsoft and Cloudflare disrupt massive RaccoonO365 phishing service (17 sep) https://www.bleepingcomputer.com/news/security/microsoft-and-cloudflare-disrupt-massive-raccoono365-phishing-service/
338 sites used for phishing have been shut down by Microsoft (17 sep) https://computersweden.se/article/4058531/338-sajter-som-anvants-for-natfiske-har-stangts-ner-av-microsoft.html
Supreme Commander (ÖB): Assuming that a foreign power can use the leak (17 sep) https://www.svt.se/nyheter/inrikes/ob-utgar-fran-att-frammande-makt-kan-anvanda-lackan
UK telco Colt’s recovery from August cyberattack pushes into November (17 sep) https://go.theregister.com/feed/www.theregister.com/2025/09/17/uk_telco_colts_cyberattack_recovery/
ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks (17 sep) https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/
BMW Allegedly Breached by Everest Ransomware Group, Internal Documents Reportedly Stolen (18 sep) https://cybersecuritynews.com/bmw-allegedly-breached/
SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers (18 sep) https://thehackernews.com/2025/09/sonicwall-urges-password-resets-after.html
Reports and analyses
AI-driven phishing attacks are increasing (13 sep) https://www.securityuser.com/se/Nyheter/Samhalle/ai-drivna-phishing-attacker-okar1
ACR Stealer – Uncovering Attack Chains, Functionalities And IOCs (15 sep) https://cybersecuritynews.com/acr-stealer-uncovering-attack-chains/
Threat Actors Can Weaponize MCP Servers To Harvests Sensitive Data (16 sep) https://cybersecuritynews.com/threat-actors-can-weaponize-mcp-servers/
API Threats Surge to 40,000 Incidents in 1H 2025 (16 sep) https://www.infosecurity-magazine.com/news/api-threats-surge-40000-incidents/
Threat Actors Could Misuse Code Assistant To Inject Backdoors and Generating Harmful Content (16 sep) https://cybersecuritynews.com/threat-actors-could-misuse-code-assistant/
From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques (17 sep) https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer-dissecting-evolving-threat-actor-techniques/
How a fake ICS network can reveal real cyberattacks (17 sep) https://www.helpnetsecurity.com/2025/09/17/icslure-ics-threat-detection/
Hackers Can Exploit Bitpixie Vulnerability to Bypass BitLocker Encryption and Escalate Privileges (17 sep) https://cybersecuritynews.com/bitpixie-vulnerability-bypass-bitlocker/
Storm-2603: Targeting SharePoint Vulnerabilities and Critical Infrastructure Worldwide (17 sep) https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/storm-2603-targeting-sharepoint-vulnerabilities-and-critical-infrastructure-worldwide/
How a Plaintext File On Users’ Desktops Exposed Secrets Leads to Akira Ransomware Attacks (17 sep) https://cybersecuritynews.com/plaintext-file-exposed-secrets/
SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers (18 sep) https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
Lessons Learned From Massive npm Supply Chain Attack Using “Shai-Hulud” Self-Replicating Malware (18 sep) https://cybersecuritynews.com/shai-hulud-npm-supply-chain-attack/
Information security and miscellaneous
CISA official calls on lawmakers to extend cyber info-sharing law (12 sep) https://therecord.media/cisa-official-calls-on-lawmakers-renew-cisa2015
80 percent of all AI bot traffic comes from crawlers (13 sep) https://www.securityworldmarket.com/se/Nyheter/Foretagsnyheter/ny-rapport-80-procent-av-all-ai-bottrafik-kommer-fran-crawlers
Fraudsters lure with cheap travel cards – fake ads are spreading across the country (17 sep) https://www.svt.se/nyheter/lokalt/skane/bedragare-lockar-med-billiga-resekort-fejkannonser-sprids-over-landet
NCSC-SE: Recommendations in the event of intrusion and information leakage (17 sep) https://www.ncsc.se/sv/aktuellt/rekommendationer-vid-intrang-och-informationslackage/
Cybercriminals step up attacks on the manufacturing industry (18 sep) https://www.aktuellsakerhet.se/cyberbrottslingar-trappar-upp-attackerna-mot-tillverkningsindustrin/
British spies turn to dark web to recruit Russian agents, access secrets (18 sep) https://www.reuters.com/world/uk/british-spies-turn-dark-web-recruit-russian-agents-access-secrets-2025-09-18/
CERT-SE this week
Handling ransomware attacks and phishing (Updated 17 sep) https://www.cert.se/2025/09/hantera-utpressningsangrepp-och-natfiske.html
Self-replicating malware is spreading via NPM (18 sep) https://www.cert.se/2025/09/sjalvreplikerande-skadlig-kod-sprider-sig-via-npm.html