Patch Now, Critical Citrix NetScaler Flaw Added to KEV; Nine ICS Security Advisories from CISA; Google Will Verify Android Developers of Sideloaded Apps

In an August 26 security bulletin, Citrix provided updates and information about a trio of vulnerabilities affecting NetScaler ADC and NetScaler Gateway. CVE-2025-7775, a critical memory overflow vulnerability that can be exploited to achieve remote code execution or denial-of-service, is being actively exploited and has already been added to CISA's Known Exploited Vulnerabilities (KEV) catalog with a mitigation due date of August 28. Citrix is urging users to install updated versions of NetScaler ADC and NetScaler Gateway as soon as possible to address CVE-2025-7775, as well as CVE-2025-7776, a memory overflow issue that could lead to "unpredictable or erroneous behavior" or denial-of-service, and CVE-2025-8424, an improper access control on the NetScaler Management Interface.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released nine industrial control systems (ICS) security advisories: four for vulnerabilities in Mitsubishi Electric products (MELSEC iQ-F Series CPU Module, FA Engineering Software products, and Ionics Digital Solutions and Electric Products), two for vulnerabilities in Delta Electronics products (CNCSoft-G2 and COMMGR), and one each for Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit, GE Vernova CIMPLICITY, and Hitachi Energy Relion 670/650 and SAM600-IO series.

In an effort to reduce the presence of malware in Android devices, Google will introduce a developer verification program for apps to be installed on certified Android devices. Google introduced developer verification on Google Play in 2023; the new policy is for sideloaded apps. SC World observes that "currently, third-party apps from external sources can be sideloaded onto certified Android devices without any verification, although Google Play Protect, which is activated on certified devices by default, may still scan these apps for malware." Google is "building a new Android Developer Console just for developers who only distribute outside of Google Play, so they can easily complete their verification," as well as an Android Developer Console designed specifically for students and hobbyists. Starting in October 2025, Google will open early access to developer verification by invitation; the system will be open to all developers starting in March 2026. In September 2026, the new verification requirement will take effect in Brazil, Indonesia, Singapore, and Thailand, where users have been "impacted by these forms of fraudulent app scams, often from repeat perpetrators." In 2027, the verification requirement will start to be rolled out globally.

Farmers Insurance Exchange, Farmers Group, Inc., and their subsidiaries and affiliates have published a notice on their website and filed two reports with the Office of the Maine Attorney General to disclose a data breach that took place on May 29, 2025. On May 30, a third-party vendor's monitoring tools detected unauthorized access to databases containing customer information; the vendor implemented containment measures and notified Farmers, who notified law enforcement and began an investigation alongside a third-party data review expert. By July 24 the investigation found that data including "name, address, date of birth, driver’s license number, and/or last four digits of Social Security number" belonging to 1.11 million customers were contained in the breached database. Farmers began notifying affected individuals directly on August 22, and will provide 24 months of complimentary credit monitoring. The notice offers a toll-free weekday information hotline and lays out recommendations for monitoring accounts and credit, freezing credit, placing fraud alerts, and obtaining information on US-state-specific rights and resources.

IT vendor Miljödata, which supplies HR systems and related administration services for the majority of Sweden's municipal governments, took its entire IT environment offline after a cyberattack triggered a technical warning on August 23, 2025, impacting districts across the country. Miljödata is collaborating with law enforcement, Sweden's Computer Security Incident Response Team, and third-party cybersecurity experts to investigate. While all information backed up prior to August 22 at 4:13pm (GMT+2) is intact, 76 customers have been informed that they may have lost data from within the following 23 hours. The company's Adato, Stella, Novi, Opus and Atlas cloud-based services were made inaccessible after the attack, and customers using those services may have had data accessed or stolen by the threat actor, though Miljödata states that there is not digital forensic evidence to support this claim. The company has increased manual monitoring on top of the automatic systems that detected the intrusion, and promises a forthcoming technical incident report. While dissemination of information was initially limited due to an unavailable website, Miljödata notes that customer service and the support channel were functional throughout the incident, and service disruption announcements, direct communication with System Managers and Data Protection Officers, and notices of the data breach have been ongoing since Monday, August 25. Swedish media have relayed statements from police alleging that the threat actor is attempting to extort Miljödata for the unusually small sum of 1.5 BTC (approximately US$168,000) to prevent data being leaked.

Credit bureau TransUnion has disclosed a data security breach that compromised personal information of 4.46 million individuals. According to notifications being sent to affected people, the breach occurred on July 28, 2025 and was detected on July 30. TransUnion writes that they "experienced a cyber incident involving a third-party application serving [their] U.S. consumer support operations." It appears that the breach is related to a recent string of social engineering attacks targeting Salesforce instances and resulting in data theft.

On August 26, researchers from the Google Threat Intelligence Group (GTIG) published an advisory warning that threat actors have been using OAuth tokens stolen from Salesloft Drift to steal data from Salesforce customer instances. Two days later, GTIG updated their advisory to include "new information [indicating that] the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised." Salesloft has published an advisory, acknowledging that they are "currently responding to a security incident related to our Drift product. As a result of the incident, Salesforce has elected to temporarily disable all Salesloft integrations with Salesforce." The associated breaches are believed to have begun around August 8, 2025 and persisted through or beyond August 18.

Authorities in Germany have filed charges against a man "suspected of carrying out a cyberattack on Rosneft Deutschland GmbH in March 2022." Rosneft Deutschland GmbH, a petroleum refinery, is a subsidiary of a Russian company and is considered to be critical infrastructure. The individual faces two charges of spying on data, one of which allegedly involves computer sabotage. The suspect allegedly disrupted Rosneft Deutschland GmbH's operations for days, costing the company millions of euros in losses and follow-up costs. Authorities allege that he stole 20 terabytes of data and deleted critical information from the company's systems.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a press release announcing its collaboration with Nevada officials in the restoration process after a cyberattack that disrupted the state's phone lines (including police dispatch lines), websites, and online platforms on Sunday, August 24, 2025, forcing state offices to close the following day. At no cost and for "as long as necessary," CISA is prioritizing "assisting the state in restoring networks for lifesaving and critical services and rebuilding its systems," as well as investigating the attack's scope and conducting threat hunting and mitigation aided by the Federal Bureau of Investigation (FBI). CISA is also advising the state on Federal Emergency Management Agency (FEMA) emergency response grants. Government employees returned to offices on August 26 and 27, but many departments' phones and websites remain offline. Nevada Governor Joe Lombardo has posted a document announcing service status by department, notably: Nevada Health Authority "has limited essential operations at district offices for care coordination efforts," and Medicaid services are fully functional; while applications can be accepted, complete enrollments for public assistance programs with the Department of Human Services must wait until systems are operational; and both the Department of Agriculture and the Department of Wildlife are working around system outages by conducting certain operations manually using pen and paper or hotspots. There is not evidence that personally identifiable information (PII) was compromised, and essential emergency services including 911 calls remain available statewide.

Cybersecurity agencies from 13 countries have published a joint advisory providing technical details about the People’s Republic of China (PRC) state-sponsored advanced persistent threat (APT) actor known by several names, including Salt Typhoon. The advisory notes that the threat actors "are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks." The document provides technical details about the group's initial access, persistence, lateral movement and data collection, and exfiltration. It also includes a case study, threat hunting guidance, indicators of compromise, suggested mitigations, and other resources. The advisory is published jointly by agencies from the US, Australia, Canada, New Zealand, the UK, Czechia, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.