
## Snapshot Summary
| Section | Highlights (last 48h) | Items |
|---|---|---|
| DFIR & Incident Response | Salesforce OAuth/Drift fallout; vendor IR timelines and SaaS scoping guidance. | 3 |
| Cyber Investigations | Amazon disruption of APT29 device-code phishing via compromised sites. | 2 |
| Major Cyber Incidents | Jaguar Land Rover disruption; Pennsylvania AG ransomware; vendors affected via Salesforce–Drift. | 3 |
| Exploits & Threat Intelligence | WhatsApp CVE chained with Apple ImageIO; AI “model namespace reuse.” | 2 |
| Law Enforcement | DOJ crypto forfeiture; FTC final order in Disney COPPA case. | 2 |
| Policy | EU General Court backs EU-US data transfer framework. | 1 |
| Standards & Compliance | CISA adds WhatsApp CVE to KEV. | 1 |
## DFIR & Incident Response
Cloudflare published an incident-response timeline for OAuth token abuse tied to the Drift/Salesloft campaign targeting its Salesforce tenant, with exfiltration scope and containment steps. This provides a clear SaaS IR pattern for correlating OAuth activity, rotating tokens, and validating exposure across support-case data. (Cloudflare, 03-09-2025, AMER)
Unit 42 issued hunting guidance and IOCs for the campaign abusing third-party integrations to access Salesforce data. Teams should mine API/Event Monitoring for anomalous OAuth/device activity and pre-stage token rotation playbooks. (Palo Alto Networks Unit 42, 02-09-2025, AMER)
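The two hunting steps above (mine API/Event Monitoring records for anomalous connected-app activity, then feed the hits into token rotation) can be expressed as a small detection pass. The code below is an added example, not Unit 42's or Salesforce's own tooling: the records are constructed and use a simplified field set (app, user, ip, object, rows, ts) rather than the exact Event Monitoring schema, and the per-app row baseline and source-IP allowlist are assumed values a tenant would derive from its own history.

```python
"""Hunt for anomalous connected-app (OAuth) API activity in Salesforce-style
event records and list the apps whose tokens should be rotated.

Added example with constructed records and a simplified field set; the
baseline and the IP allowlist are assumptions, not tenant data."""
from collections import defaultdict
from datetime import datetime

# Assumed per-app baseline of rows returned per hour; tune from tenant history.
BASELINE_ROWS_PER_HOUR = 500

# Constructed allowlist of source IPs each integration is expected to call from
# (RFC 5737 documentation addresses).
KNOWN_APP_IPS = {
    "drift-connector": {"203.0.113.10"},
    "billing-sync": {"203.0.113.20"},
}

# Constructed sample records: one normal hour for the Drift connector, then a
# burst of Case/Account reads from a never-seen IP, then an unrelated app.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T02:10:00Z", "app": "drift-connector", "user": "integration@example.com",
     "ip": "203.0.113.10", "object": "Case", "rows": 40},
    {"ts": "2025-09-01T03:05:00Z", "app": "drift-connector", "user": "integration@example.com",
     "ip": "198.51.100.7", "object": "Case", "rows": 900},
    {"ts": "2025-09-01T03:20:00Z", "app": "drift-connector", "user": "integration@example.com",
     "ip": "198.51.100.7", "object": "Account", "rows": 600},
    {"ts": "2025-09-01T04:00:00Z", "app": "billing-sync", "user": "billing@example.com",
     "ip": "203.0.113.20", "object": "Opportunity", "rows": 25},
]


def hour_bucket(ts: str) -> str:
    """Truncate an ISO-8601 UTC timestamp to the hour, e.g. 2025-09-01T03."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")


def detect_anomalies(events, baseline=BASELINE_ROWS_PER_HOUR, known_ips=KNOWN_APP_IPS):
    """Return findings of two kinds: the first sighting of an app calling from
    an IP outside its allowlist, and any app/hour whose returned rows exceed
    the baseline (the bulk-export pattern seen in support-data theft)."""
    findings = []
    rows_per_hour = defaultdict(int)
    seen_new_ips = set()
    for e in events:
        rows_per_hour[(e["app"], hour_bucket(e["ts"]))] += e["rows"]
        key = (e["app"], e["ip"])
        if e["ip"] not in known_ips.get(e["app"], set()) and key not in seen_new_ips:
            seen_new_ips.add(key)  # report each (app, ip) pair once, with first-seen time
            findings.append({"type": "new_source_ip", "app": e["app"],
                             "ip": e["ip"], "first_seen": e["ts"]})
    for (app, hour), rows in rows_per_hour.items():
        if rows > baseline:
            findings.append({"type": "bulk_export", "app": app, "hour": hour, "rows": rows})
    return findings


def rotation_targets(findings):
    """Connected apps whose OAuth tokens should be revoked and re-issued."""
    return sorted({f["app"] for f in findings})


if __name__ == "__main__":
    hits = detect_anomalies(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("rotate tokens for:", rotation_targets(hits))
```

On the constructed data this yields one new-source-IP finding and one bulk-export finding for the Drift connector's 03:00 hour (1,500 rows against a 500-row baseline), and names that app as the rotation target; the same pass runs unchanged over real export rows once the field names are mapped.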
Palo Alto Networks described its own IR after the third-party Drift app breach impacted Salesforce data and detailed follow-on hardening. The post underscores third-party risk across SaaS ecosystems and the importance of rapid vendor coordination and customer communications. (Palo Alto Networks, 02-09-2025, AMER)
## Cyber Investigations
Amazon disrupted a Midnight Blizzard (APT29) campaign abusing compromised sites to redirect targets into Microsoft device-code phishing flows. Identity workflows are becoming initial-access terrain—monitor anomalous device authorizations and consent flows. (Dark Reading, 02-09-2025, AMER)
Additional reporting details redirection domains and Amazon’s takedown actions, noting randomized victim selection to evade detection. Defenders should tune for Cloudflare-lookalike checks and partial redirect logic common in such campaigns. (The Record, 03-09-2025, AMER)
## Major Cyber Incidents
Jaguar Land Rover said a cyber incident forced system shutdowns, severely disrupting UK manufacturing and global retail operations while recovery proceeded. The timing during a key sales period highlights OT-IT coupling risk and extortion leverage. (Reuters, 02-09-2025, EMEA)
The Pennsylvania Attorney General’s Office confirmed ransomware caused a multi-week outage and declined to pay. Justice-sector outages can cascade into court operations and citizen services—prioritize continuity plans and offline evidence handling. (BleepingComputer, 02-09-2025, AMER)
Multiple security vendors including Cloudflare, Palo Alto Networks, and Zscaler confirmed compromise of their Salesforce instances via the Salesloft/Drift OAuth campaign. Vendor-side exposure of support case data raises downstream phishing risks using ticket context against customers and partners. (SecurityWeek, 03-09-2025, Global)
## Exploits & Threat Intelligence
WhatsApp zero-day CVE-2025-55177 was reportedly exploited alongside an Apple ImageIO zero-day (CVE-2025-43300); Apple shipped fixes on 20-08-2025 while WhatsApp patches landed in July/August. Mobile comms apps and core image stacks remain prime vectors—validate patch levels and review telemetry for message-triggered exploit chains. (SecurityWeek, 02-09-2025 updated 03-09-2025, Global)
Unit 42 detailed “Model Namespace Reuse,” an AI supply-chain issue enabling RCE by hijacking abandoned or transferred model names across registries. Treat model identifiers like dependencies: pin by commit, mirror to trusted registries, and scan repos for hard-coded model references. (Palo Alto Networks Unit 42, 03-09-2025, Global)
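The "scan repos for hard-coded model references" advice above is easy to automate. The scanner below is an added example, not Unit 42's tooling: it targets the `from_pretrained("org/name", ...)` call form used by Hugging Face-style loaders, treats only a full 40-hex `revision=` commit id as a pin (branch names can be moved along with a hijacked namespace), flags namespaces outside an assumed trusted-mirror allowlist, and also flags `trust_remote_code=True`, since that setting lets a repointed name execute repository code at load time. The sample source and the allowlist are constructed.

```python
"""Scan source text for model references that are unpinned, come from an
untrusted namespace, or enable remote code execution at load time.

Added example; the from_pretrained() call form, the trusted-namespace set and
the sample source are assumptions/constructed inputs."""
import re

# org/name as the first argument of from_pretrained(), plus the rest of the call.
MODEL_REF = re.compile(r'from_pretrained\(\s*["\']([\w.-]+/[\w.-]+)["\']([^)]*)\)')
# A pin counts only when revision= is a full 40-hex commit id; tags/branches can move.
COMMIT_PIN = re.compile(r'revision\s*=\s*["\']([0-9a-f]{40})["\']')
# Loading repository code from the model repo turns a namespace takeover into RCE.
REMOTE_CODE = re.compile(r'trust_remote_code\s*=\s*True')
# Constructed: the org's own mirror of vetted models.
TRUSTED_NAMESPACES = {"internal-mirror"}

# Constructed sample source with one bad, one good and one partly bad reference.
SAMPLE_SOURCE = "\n".join([
    'model = AutoModel.from_pretrained("acme-labs/sentiment-v2")',
    'tok = AutoTokenizer.from_pretrained("internal-mirror/sentiment-v2",',
    '                                    revision="0123456789abcdef0123456789abcdef01234567")',
    'ner = AutoModel.from_pretrained("internal-mirror/ner-base", trust_remote_code=True)',
])


def scan_source(text, trusted=TRUSTED_NAMESPACES):
    """Return (line, model_ref, issue) tuples for every risky reference."""
    findings = []
    for m in MODEL_REF.finditer(text):
        ref, args = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start()) + 1
        namespace = ref.split("/", 1)[0]
        if not COMMIT_PIN.search(args):
            findings.append((line, ref, "unpinned_revision"))
        if namespace not in trusted:
            findings.append((line, ref, "untrusted_namespace"))
        if REMOTE_CODE.search(args):
            findings.append((line, ref, "remote_code_enabled"))
    return findings


if __name__ == "__main__":
    for line, ref, issue in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {ref}: {issue}")
```

The commit-id pin is what makes a takeover fail closed: if the name is re-registered by someone else, the pinned commit does not exist in the new repository and the load errors out instead of fetching whatever now sits under that name.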
## Law Enforcement
The U.S. Department of Justice filed a civil forfeiture complaint to seize ~$848,247 in USDT tied to multi-state “confidence scam” crypto fraud schemes after FBI tracing. The case showcases wallet analysis, exchange coordination, and swift asset restraint to improve victim restitution odds. (U.S. Attorney’s Office DC, 02-09-2025, AMER)
The U.S. Federal Trade Commission announced a final order in its COPPA case against Disney over children’s data practices, cementing restrictions and compliance obligations. It reinforces heightened enforcement risk around kids’ data handling and the need for rigorous SDK governance. (U.S. FTC, 02-09-2025, AMER)
## Policy
The EU General Court upheld the EU-US Data Privacy Framework in case T-553/23, dismissing a challenge and confirming adequacy for transatlantic transfers. Organizations gain short-term certainty but should retain SCC/DTIA contingencies amid possible appeals. (Reuters, 03-09-2025, EMEA)
## Standards & Compliance
CISA added WhatsApp CVE-2025-55177 and TP-Link CVE-2020-24363 to the Known Exploited Vulnerabilities catalog, triggering BOD 22-01 remediation timelines for U.S. federal agencies. Enterprises should map KEV entries to asset exposure and compensating controls to drive prioritization. (CISA, 02-09-2025, AMER)
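Mapping KEV entries to asset exposure and compensating controls, as recommended above, is a join followed by a ranking. The code below is an added example, not CISA's tooling: the KEV records use the catalog's JSON field names (`cveID`, `product`, `dueDate`, `knownRansomwareCampaignUse`) but are constructed, with placeholder due dates and a placeholder router product because the page does not give them; the asset inventory and the scoring weights are assumptions to be replaced by an organization's own.

```python
"""Join KEV catalog entries to an asset inventory and rank remediation work.

Added example: constructed KEV records in the catalog's JSON field layout
(due dates and the router product are placeholders), a constructed inventory,
and assumed scoring weights."""
from datetime import date

KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2025-55177", "product": "WhatsApp",
     "dueDate": "2025-09-23",  # placeholder, not the catalog's actual due date
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-24363", "product": "ROUTER-MODEL-PLACEHOLDER",
     "dueDate": "2025-09-09",  # placeholder, not the catalog's actual due date
     "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed inventory: product names are the join key to KEV's product field.
ASSETS = [
    {"asset": "mobile-fleet", "products": {"WhatsApp"}, "internet_exposed": True,
     "controls": ["MDM-enforced app updates"]},
    {"asset": "branch-router-07", "products": {"ROUTER-MODEL-PLACEHOLDER"},
     "internet_exposed": True, "controls": []},
    {"asset": "crm-tenant", "products": {"Salesforce"}, "internet_exposed": True,
     "controls": []},
]


def prioritize(kev, assets, today):
    """Return matched (CVE, asset) pairs ranked by an assumed score:
    +3 if the BOD 22-01 due date is within 7 days (or already past),
    +2 if the asset is internet-exposed, +2 if KEV marks known ransomware use,
    -1 if a compensating control is in place. Ties break on days left."""
    ranked = []
    for v in kev["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        for a in assets:
            if v["product"] not in a["products"]:
                continue
            days_left = (due - today).days
            score = 0
            if days_left <= 7:
                score += 3
            if a["internet_exposed"]:
                score += 2
            if v.get("knownRansomwareCampaignUse") == "Known":
                score += 2
            if a["controls"]:
                score -= 1
            ranked.append({"cve": v["cveID"], "asset": a["asset"],
                           "days_left": days_left, "score": score,
                           "controls": list(a["controls"])})
    return sorted(ranked, key=lambda r: (-r["score"], r["days_left"]))


def unmatched_kev(kev, assets):
    """KEV entries with no inventory match: either true non-exposure or a gap
    in product naming that needs a look before it is written off."""
    inventory = set().union(*(a["products"] for a in assets))
    return [v["cveID"] for v in kev["vulnerabilities"] if v["product"] not in inventory]


if __name__ == "__main__":
    for row in prioritize(KEV_SAMPLE, ASSETS, date(2025, 9, 3)):
        print(row)
    print("no inventory match:", unmatched_kev(KEV_SAMPLE, ASSETS))
```

Run against the constructed data with 03-09-2025 as "today", the exposed, uncontrolled router with six days left outranks the MDM-managed mobile fleet; the unmatched-entry list is the check that keeps naming mismatches between the catalog and the inventory from silently hiding exposure.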
## Editorial Perspective
Third-party OAuth exposure across SaaS shows how quickly “support data” becomes high-value for targeted social engineering and follow-on access. Identity flows remain contested terrain—APT29’s device-code abuse should push orgs to monitor conditional-access anomalies and tighten consent policies. On exploits, pairing WhatsApp CVE-2025-55177 with Apple’s ImageIO zero-day reinforces the need for aggressive mobile patch baselines and telemetry for zero-click triggers. The EU court decision reduces near-term data-transfer uncertainty—use the window to trim vendors, update DTIAs, and minimize data footprints.
## Reference Reading
- Unit 42 — Model Namespace Reuse (03-09-2025)
- Cloudflare — Response to Salesloft/Drift incident (03-09-2025)
- Unit 42 — Threat brief: Compromised Salesforce instances (02-09-2025)
- SecurityWeek — WhatsApp zero-day chained with Apple 0-day (02-09-2025 / 03-09-2025)
- Reuters — EU court backs EU-US data transfer deal (03-09-2025)
- DOJ — Crypto forfeiture complaint (02-09-2025)
Tags: #ransomware #DFIR #threat-intel #oauth #salesforce #zero-day #apt29 #ai #compliance #data-transfers
