ARTICLE
18 August 2025

Ankura CTIX FLASH Update - August 15, 2025

AC
Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

Vulnerabilities in Authentication Protocols and Advanced Espionage Campaigns

Recent security analyses reveal critical vulnerabilities and threat actors posing significant risks to digital and governmental infrastructure. A newly identified downgrade attack exploits weaknesses in Microsoft Entra ID's FIDO-based authentication. This vulnerability allows attackers to force a fallback to less secure password methods and bypass multi-factor protections. Concurrently, a sophisticated cyber espionage operation, attributed to the threat group "Curly Comrades," leverages custom malware like "GnatSpy" to infiltrate government and diplomatic networks worldwide, using techniques such as spear-phishing and supply chain compromises. The group demonstrates high operational security and resourcefulness in collecting sensitive intelligence. These developments underscore the importance for organizations and governments to implement strict security controls, maintain vigilant monitoring, and adopt adaptive defenses to counteract evolving cyber threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
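A detection angle on the downgrade attack described above: a user who is enrolled in a phishing-resistant method (FIDO2) but completes a sign-in with a password is the signal defenders should hunt for. The following is an added example, not code from Ankura or Microsoft, and it runs over constructed sign-in records rather than real Entra ID logs; the field names (`user`, `method`, `mfa`), the enrollment set and the list of methods treated as strong are assumptions for illustration.

```python
# Added example: flag sign-ins where a FIDO-enrolled user fell back to a weaker method.
# All data below is constructed for illustration; field names are assumptions,
# not the real Entra ID sign-in log schema.

# Constructed sign-in records: one per authentication attempt.
SIGN_INS = [
    {"user": "alice@example.test", "method": "fido2", "mfa": True},
    {"user": "alice@example.test", "method": "password", "mfa": False},
    {"user": "bob@example.test", "method": "password", "mfa": True},
    {"user": "carol@example.test", "method": "password", "mfa": False},
]

# Constructed registry of users who have a phishing-resistant credential enrolled.
FIDO_ENROLLED = {"alice@example.test", "bob@example.test"}

# Methods considered phishing-resistant for this check (assumed list).
STRONG_METHODS = {"fido2", "windowsHelloForBusiness", "certificate"}


def find_downgrades(sign_ins, fido_enrolled, strong_methods=STRONG_METHODS):
    """Return sign-ins where an enrolled user authenticated with a non-strong method.

    Severity is 'high' when no MFA was satisfied at all (the bypass scenario the
    advisory describes) and 'medium' when a weaker second factor still applied.
    """
    findings = []
    for rec in sign_ins:
        if rec["user"] not in fido_enrolled:
            continue  # user has no strong credential to downgrade from
        if rec["method"] in strong_methods:
            continue  # expected path, nothing to report
        severity = "high" if not rec["mfa"] else "medium"
        findings.append({**rec, "severity": severity})
    return findings


def summarize(findings):
    """Count findings per user and severity, for a quick triage view."""
    summary = {}
    for f in findings:
        summary.setdefault(f["user"], {"high": 0, "medium": 0})
        summary[f["user"]][f["severity"]] += 1
    return summary


if __name__ == "__main__":
    hits = find_downgrades(SIGN_INS, FIDO_ENROLLED)
    for h in hits:
        print(f"{h['severity']:6} {h['user']} signed in via {h['method']} (mfa={h['mfa']})")
    print(summarize(hits))
```

In practice the enrollment set comes from the directory's registered authentication methods and the sign-in records from the sign-in log export; the rule itself stays the same: a strong-credential user completing a password sign-in is a downgrade worth reviewing, and one with no MFA at all is the case to escalate.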

Threat Actor Activity

ShinyHunters and Scattered Spider Suspected in Coordinated Salesforce Attack Campaign

ShinyHunters has resurfaced after a year-long hiatus with a highly sophisticated campaign targeting Salesforce platforms at major organizations including Google, marking a decisive shift from its historic database breaches toward advanced social engineering operations closely aligned with Scattered Spider's methods. ReliaQuest's analysis, supported by infrastructure forensics and forum activity under the alias "Sp1d3rhunters," points to a possible collaboration between the two (2) groups, with operations dating back to mid-2024. The campaign spans sectors including retail, aviation, insurance, finance, and technology, leveraging coordinated phishing domains, Okta-branded credential harvesting sites, and highly targeted vishing (voice phishing) calls impersonating IT staff to trick victims into authorizing malicious Salesforce "connected apps" disguised as legitimate tools. Over 700 phishing domains were registered in 2025 (many themed around luxury brands such as Dior and Louis Vuitton) using Cloudflare-masked infrastructure, consistent naming conventions, and VPN obfuscation to exfiltrate data. Targeting patterns have shifted since July 2025, with a 12% increase in attacks on financial services and a slight decline in technology sector focus; the U.S. remains the most affected, though UK organizations have also been hit. ReliaQuest warns that the speed, adaptability, and coordinated nature of these operations present a rapidly escalating threat, urging organizations to strengthen defences against phishing, vishing, and credential theft, enforce MFA, restrict admin permissions, monitor for suspicious domain registrations, and prepare for intensified cross-sector attacks in the coming months.
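One of the recommendations above is to monitor for suspicious domain registrations. The following is an added example, not ReliaQuest's or Ankura's tooling, showing how a defender can triage a feed of newly registered domains for the patterns the campaign description mentions: brand or identity-provider names (Okta, Salesforce, luxury brands) combined with login-themed words and hyphenation. The domain list, the brand and lure term sets, the `acme` placeholder for one's own organization and the scoring weights are all constructed assumptions.

```python
# Added example: score newly registered domains for brand-impersonation lures.
# Domains, term lists and weights are constructed for illustration.
import re

# Brands the feed is watched for; "acme" stands in for your own organization.
BRAND_TERMS = {"okta", "salesforce", "dior", "louisvuitton", "acme"}
# Words that commonly appear in credential-harvesting hostnames (assumed list).
LURE_TERMS = {"login", "sso", "verify", "helpdesk", "support", "auth", "secure", "portal"}
# Digit-for-letter substitutions to normalise before matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed feed of newly registered domains (none of these are real findings).
NEW_DOMAINS = [
    "okta-acme-sso.example",
    "dior-helpdesk.example",
    "0kta-login-portal.example",
    "weather-news.example",
    "acme.example",
]


def registrable_label(domain):
    """Crude second-level label extraction: 'foo-bar.example' -> 'foo-bar'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain, brand_terms=BRAND_TERMS, lure_terms=LURE_TERMS):
    """Return (score, reasons). Score 0 means no brand term was present."""
    label = registrable_label(domain)
    normalized = label.translate(LEET)
    tokens = [t for t in normalized.split("-") if t]
    compact = normalized.replace("-", "")
    score, reasons = 0, []
    for brand in sorted(brand_terms):
        if brand in compact:
            score += 3
            reasons.append(f"brand:{brand}")
    if not reasons:
        return 0, reasons  # no impersonated brand: out of scope for this check
    if normalized != label:
        score += 2
        reasons.append("digit-substitution")
    for lure in sorted(lure_terms):
        if lure in tokens:
            score += 2
            reasons.append(f"lure:{lure}")
    if "-" in label:
        score += 1
        reasons.append("hyphenated")
    return score, reasons


def triage(domains, threshold=4):
    """Return domains at or above the threshold, highest score first."""
    rows = []
    for d in domains:
        score, reasons = score_domain(d)
        if score >= threshold:
            rows.append({"domain": d, "score": score, "reasons": reasons})
    return sorted(rows, key=lambda r: (-r["score"], r["domain"]))


if __name__ == "__main__":
    for row in triage(NEW_DOMAINS):
        print(f"{row['score']:3}  {row['domain']:32} {', '.join(row['reasons'])}")
```

The threshold is deliberately above a bare brand match so that a registration of the organization's own name without lure words or obfuscation is not flagged; a real deployment would feed the output into WHOIS lookups, passive DNS and certificate-transparency checks rather than acting on the score alone.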

Vulnerabilities

CISA Warns of Active Exploitation of N-able N-central Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning after adding two (2) actively exploited flaws in N-able's N-central Remote Monitoring and Management (RMM) platform to its Known Exploited Vulnerabilities (KEV) catalog. The first vulnerability, tracked as CVE-2025-8875, is an insecure deserialization vulnerability. The second flaw, tracked as CVE-2025-8876, is a command injection flaw caused by improper input sanitization. Both require authentication to exploit but could allow attackers to execute commands on affected systems. N-able has patched the issues in N-central versions 2025.3.1 and 2024.6 HF2, released August 13, 2025, and urges customers to upgrade immediately, enable multi-factor authentication (particularly for admin accounts), and secure their environments before full technical details are published. While there is no current evidence linking these exploits to ransomware, Shodan data indicates roughly 2,000 N-central instances are exposed online, primarily in the U.S., Australia, and Germany. Federal Civilian Executive Branch (FCEB) agencies are mandated to patch by no later than August 20, 2025, under Binding Operational Directive 22-01, and CTIX analysts strongly encourage all organizations to do the same to mitigate the significant security risks posed by these vulnerabilities.
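The fixed versions named above, 2025.3.1 and 2024.6 HF2, sit on two separate branches, so a naive string comparison against an inventory will misjudge hotfix releases. The following is an added example, not N-able's or Ankura's code, that parses N-central version strings in the `YYYY.m[.p][ HFn]` form shown on this page and flags hosts still below the fixed release for their branch. The inventory is constructed; the assumption that branches other than 2025.x and 2024.6 carry no fix (and so are reported as unpatched) is this example's, not a statement from the advisory.

```python
# Added example: triage an N-central inventory against the fixed versions
# named in the advisory (2025.3.1 and 2024.6 HF2). Inventory is constructed.
import re

VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF(\d+))?$", re.IGNORECASE)

# Constructed inventory of hostnames and the version strings they report.
INVENTORY = [
    ("rmm-01.example.test", "2025.3.1"),
    ("rmm-02.example.test", "2025.2.3"),
    ("rmm-03.example.test", "2024.6 HF2"),
    ("rmm-04.example.test", "2024.6 HF1"),
    ("rmm-05.example.test", "2024.6"),
    ("rmm-06.example.test", "2023.1"),
]


def parse_version(text):
    """Parse '2025.3.1' or '2024.6 HF2' into (year, minor, patch, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised N-central version: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_patched(text):
    """True when the version is at or above the fix for its branch.

    2025.x branch: fixed from 2025.3.1 onward.
    2024.6 branch: fixed from HF2 onward.
    Any other branch: treated as unpatched (assumption, not from the advisory).
    """
    year, minor, patch, hotfix = parse_version(text)
    if year == 2025:
        return (year, minor, patch, hotfix) >= (2025, 3, 1, 0)
    if (year, minor) == (2024, 6):
        return hotfix >= 2
    return False


def unpatched_hosts(inventory):
    """Return [(host, version)] for every host that still needs the fix."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    for host, ver in unpatched_hosts(INVENTORY):
        print(f"NEEDS PATCH  {host:24} {ver}")
```

A host list like this is the starting point for the FCEB deadline tracking mentioned above: anything returned here is below the fixed release for its branch and, if reachable from the internet, is among the exposed instances the advisory counts.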

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
