Threat advisories

Top Middle East Cyber Threats – August 13th, 2025 

By Help AG

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats. 

 

Google Reports Salesforce Database Breach Linked to ShinyHunters

Google has confirmed that in June 2025 one of its corporate Salesforce instances was breached by the cybercriminal group ShinyHunters (tracked by Google as UNC6040). The attackers used voice phishing (vishing) to impersonate IT support and talk employees into authorizing a tampered version of Salesforce's Data Loader as a connected app. Because the app was authorized by a legitimate user, it inherited that user's data access and was able to retrieve contact information and related notes for small and medium business customers, exposing approximately 2.55 million records.

Google responded by terminating the malicious access, conducting a detailed impact analysis, implementing additional security measures, and notifying affected customers; notifications were completed by August 8, 2025. ShinyHunters, known for extortion tactics, has targeted multiple high-profile organizations throughout 2025.

RECOMMENDATIONS    

  • Conduct phishing and vishing awareness training for all employees; any "IT support" request to approve an app or enter a code on a login page should be verified through a known channel before acting on it.
  • Restrict connected app authorization in Salesforce so users cannot self-authorize: pre-approve the apps that are actually needed (including the genuine Data Loader) for specific profiles and permission sets, and block everything else.
  • Regularly audit connected apps and their OAuth tokens, and revoke unused or unrecognized ones.
  • Enable multi-factor authentication for all Salesforce users, not only administrators. Note that MFA alone does not stop this attack, since the victim authorizes the malicious app from an already-authenticated session.
  • Monitor for abnormal Salesforce API activity and large data exports, such as a newly authorized app pulling a large number of records shortly after its first login.
  • Review incident response plans for social engineering scenarios, including how quickly an OAuth grant can be revoked.

 

New Technique Exploits Windows Editor to Bypass UAC and Escalate Privileges

A newly disclosed technique abuses the Windows Private Character Editor (eudcedit.exe) to bypass User Account Control (UAC) and obtain a high-integrity process without a consent prompt. Documented by security researcher Matan Bahar, it relies on a legitimate Microsoft-signed utility in C:\Windows\System32 that exists to create and edit End-User Defined Characters (EUDC).

The root cause is the binary's application manifest: it requests administrator rights (requestedExecutionLevel requireAdministrator) and is marked autoElevate, so Windows elevates it without a UAC prompt when it is started by a member of the local Administrators group running at medium integrity. In environments where UAC is set to "Elevate without prompting" the elevation is equally invisible, and the attacker ends up with code running at high integrity without the user's awareness. Note that this is a UAC bypass rather than a privilege escalation from a standard user: the account must already hold administrator rights for the elevation to succeed.

RECOMMENDATIONS    

  • Audit UAC settings: avoid "Elevate without prompting" whenever possible.
  • Monitor the execution of eudcedit.exe, especially by non-interactive accounts or outside business hours.
  • Track parent-child process relationships: eudcedit.exe launched by scripting engines (e.g., wscript.exe, powershell.exe, cmd.exe) or other unexpected executables, and anything eudcedit.exe itself spawns, deserves investigation.
  • Establish a baseline: profile normal eudcedit.exe usage in your environment (which users, which hosts, how often) so anomalies stand out.
  • Regularly monitor Microsoft's security updates and documentation for new mitigation guidance related to this attack vector.
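As an added example (not code from the researcher's post or from Microsoft), the following Python script applies the parent-child, off-hours and baseline checks above to process-creation telemetry. The records are constructed inline and modelled on Sysmon Event ID 1 fields (Image, ParentImage, IntegrityLevel, User, UtcTime); ingestion from a real EDR or SIEM export is assumed and not shown. It goes one step beyond the text by also flagging anything eudcedit.exe itself spawns, on the assumption that an elevated child shell is the end state of an abuse; that is the editor's assumption, not a claim from the original write-up.

```python
"""Added example: triage eudcedit.exe activity from process-creation events.

Events are constructed below and modelled on Sysmon Event ID 1 fields; the
sample users, hosts and thresholds are assumptions, not from the original post.
"""
from dataclasses import dataclass
from typing import Iterable

# Parents that have no legitimate reason to start the Private Character Editor.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                  "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Children that would give an attacker an interactive, elevated foothold.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
EUDCEDIT = "eudcedit.exe"
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process (Sysmon: Image)
    parent_image: str   # full path of the creator (Sysmon: ParentImage)
    integrity: str      # "Low", "Medium", "High" or "System" (Sysmon: IntegrityLevel)
    user: str           # account owning the new process (Sysmon: User)
    hour_utc: int       # hour of UtcTime, 0-23


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: Iterable[ProcEvent],
            known_users: frozenset = frozenset(),
            business_hours: range = range(7, 20)) -> list:
    """Return (severity, pid, reason) tuples for eudcedit.exe-related events.

    known_users is the baseline of accounts (lower-cased) seen running
    eudcedit.exe before; anyone else is reported so the baseline can be reviewed.
    """
    findings = []
    for e in events:
        image, parent = _basename(e.image), _basename(e.parent_image)

        if image == EUDCEDIT:
            if not e.image.lower().startswith(SYSTEM32):
                # UAC only auto-elevates the signed copy in System32, but a
                # relocated copy still deserves a look.
                findings.append(("medium", e.pid, "eudcedit.exe running outside System32"))
            if parent in SCRIPT_ENGINES:
                findings.append(("high", e.pid, f"eudcedit.exe started by {parent}"))
            if e.hour_utc not in business_hours:
                findings.append(("low", e.pid, f"eudcedit.exe started at {e.hour_utc:02d}:00 UTC"))
            if e.user.lower() not in known_users:
                findings.append(("low", e.pid, f"first eudcedit.exe use by {e.user}"))

        elif parent == EUDCEDIT:
            # The editor has no reason to spawn other programs; a high-integrity
            # shell under it is what a completed bypass would look like (assumption).
            elevated_shell = image in SHELLS and e.integrity == "High"
            findings.append(("critical" if elevated_shell else "high", e.pid,
                             f"eudcedit.exe spawned {image} at {e.integrity} integrity"))
    return findings


# Constructed sample: one benign use, then a scripted launch followed by an elevated shell.
SAMPLE_EVENTS = [
    ProcEvent(200, 100, "C:\\Windows\\System32\\eudcedit.exe",
              "C:\\Windows\\explorer.exe", "High", "CORP\\alice", 10),
    ProcEvent(400, 300, "C:\\Windows\\System32\\eudcedit.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "High", "CORP\\svc-build", 2),
    ProcEvent(500, 400, "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\eudcedit.exe", "High", "CORP\\svc-build", 2),
]

if __name__ == "__main__":
    for sev, pid, reason in analyze(SAMPLE_EVENTS, known_users=frozenset({"corp\\alice"})):
        print(f"[{sev.upper():8}] pid {pid}: {reason}")
```

The benign interactive launch by a baselined user produces nothing; the PowerShell-launched instance at 02:00 UTC by an unknown account is reported, and the cmd.exe it spawns at high integrity is escalated to the top severity, since that child is what an investigation should start from.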

 

Microsoft Releases Security Fixes Addressing Critical Vulnerabilities in 365 Copilot and Azure

Microsoft has released four security fixes with the following severities: two Critical, one High, and one Medium. These updates address vulnerabilities across Microsoft 365 Copilot, Azure OpenAI, and the Azure Portal.

The resolved CVEs are as follows:

  • [High] CVE-2025-53787 – Microsoft 365 Copilot Business Chat information disclosure vulnerability
  • [Medium] CVE-2025-53774 – Microsoft 365 Copilot Business Chat information disclosure vulnerability
  • [Critical] CVE-2025-53767 – Azure OpenAI elevation of privilege vulnerability
  • [Critical] CVE-2025-53792 – Azure Portal elevation of privilege vulnerability

RECOMMENDATIONS    

  • Ensure all systems are patched and updated.

 

BadSuccessor Exploits Delegated Accounts to Escalate Privileges in Windows Server 2025

A privilege escalation weakness nicknamed BadSuccessor affects Active Directory domains with at least one Windows Server 2025 domain controller. It lies in how delegated Managed Service Accounts (dMSAs), a feature introduced in Windows Server 2025, inherit the permissions of the legacy service accounts they replace. At the time of writing, no official patch is available.

A dMSA is meant to replace a traditional service account: the new account is linked to the original, the original is disabled once migration completes, and authentication is redirected through the dMSA via the Local Security Authority (LSA) so that services keep working with the original account's privileges.

Migration is intended to be an administrator-only operation, but the attribute writes that record it are ordinary LDAP writes. An attacker who can create a dMSA in any organizational unit, or modify an existing one, can set msDS-ManagedAccountPrecededByLink to point at any account, including a Domain Admin, and set msDS-DelegatedMSAState to 2 (migration completed). The domain controller then treats the dMSA as the successor of that account, and a ticket obtained for the dMSA carries the "migrated" account's privileges. No rights over the target account itself are required, only write access to the dMSA object.

SharpSuccessor is a proof of concept (PoC), published on GitHub, that automates the BadSuccessor technique.

RECOMMENDATIONS    

  • Monitor critical event IDs. Note that Event IDs 5136 and 5137 are only written if Directory Service Changes auditing is enabled and a SACL covering the relevant OUs and objects is in place:
  • Event ID 5137 – creation of directory objects; filter on object class msDS-DelegatedManagedServiceAccount to catch new dMSAs.
  • Event ID 5136 – modifications to the msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState attributes.
  • Event ID 2946 (Directory Service log) – a Ticket Granting Ticket (TGT) issued to a dMSA.
  • Audit which principals hold CreateChild or write permissions on organizational units and on existing dMSA objects, and remove them from anyone who is not a migration administrator.
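As an added example (not code from Unit 42, Akamai or the SharpSuccessor project), the following Python snippet correlates the two attribute writes above per dMSA object and separates legitimate migrations from the BadSuccessor pattern. The events are constructed inline but use the field names of the real Security events (SubjectUserName, ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue, OperationType, where %%14674 is the "Value Added" operation); the DNs, account names and allowlists are assumptions. Pulling the events out of a SIEM or from Get-WinEvent is assumed and not shown.

```python
"""Added example: triage Security events 5136/5137 for BadSuccessor-style dMSA
tampering. Field names match the real events; DNs, users and allowlists are
constructed assumptions.
"""
from collections import defaultdict

PRECEDED_BY = "msDS-ManagedAccountPrecededByLink"
MSA_STATE = "msDS-DelegatedMSAState"
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
VALUE_ADDED = "%%14674"      # 5136 OperationType resource ID for "Value Added"
MIGRATION_COMPLETED = "2"    # msDS-DelegatedMSAState value marking a finished migration


def triage(events, privileged_dns, migration_admins):
    """Return (severity, ObjectDN, reason) findings.

    privileged_dns: DNs that must never become a dMSA predecessor.
    migration_admins: accounts allowed to perform dMSA migrations; every other
    writer of these attributes is treated as suspect.
    """
    priv = {d.lower() for d in privileged_dns}
    admins = {a.lower() for a in migration_admins}
    state = defaultdict(dict)      # ObjectDN -> {"link": ..., "state": ...}
    findings, flagged = [], set()

    for ev in events:
        if ev.get("ObjectClass") != DMSA_CLASS:
            continue
        who, dn = ev["SubjectUserName"].lower(), ev["ObjectDN"]

        if ev["EventID"] == 5137:
            findings.append(("medium" if who in admins else "high", dn, f"dMSA created by {who}"))
            continue
        if ev["EventID"] != 5136 or ev["OperationType"] != VALUE_ADDED:
            continue

        attr, value = ev["AttributeLDAPDisplayName"], ev["AttributeValue"]
        if attr == PRECEDED_BY:
            state[dn]["link"] = value.lower()
            if value.lower() in priv:
                findings.append(("critical", dn, f"{who} linked dMSA to privileged account {value}"))
            elif who not in admins:
                findings.append(("high", dn, f"{who} set predecessor link to {value}"))
        elif attr == MSA_STATE and value == MIGRATION_COMPLETED:
            state[dn]["state"] = value
            if who not in admins:
                findings.append(("high", dn, f"{who} marked migration completed"))
        else:
            continue

        # Correlate: privileged predecessor plus completed state is the full pattern.
        if (state[dn].get("link") in priv and state[dn].get("state") == MIGRATION_COMPLETED
                and dn not in flagged):
            flagged.add(dn)
            findings.append(("critical", dn,
                             "BadSuccessor pattern: privileged predecessor and migration marked complete"))
    return findings


def _event(event_id, who, dn, attr=None, value=None):
    """Build a minimal record with only the fields triage() reads (constructed)."""
    return {"EventID": event_id, "SubjectUserName": who, "ObjectDN": dn,
            "ObjectClass": DMSA_CLASS, "OperationType": VALUE_ADDED,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value}


ADMIN_DN = "CN=Administrator,CN=Users,DC=corp,DC=local"
LEGIT_DN = "CN=svc-web-dmsa,OU=Service Accounts,DC=corp,DC=local"
ATTACKER_DN = "CN=helpdesk-dmsa,OU=Workstations,DC=corp,DC=local"

# Constructed sample: a sanctioned migration, then a non-admin pointing a new
# dMSA at the built-in Administrator and marking the migration complete.
SAMPLE_EVENTS = [
    _event(5137, "adm.migrate", LEGIT_DN),
    _event(5136, "adm.migrate", LEGIT_DN, PRECEDED_BY, "CN=svc-web,OU=Service Accounts,DC=corp,DC=local"),
    _event(5136, "adm.migrate", LEGIT_DN, MSA_STATE, "2"),
    _event(5137, "jdoe", ATTACKER_DN),
    _event(5136, "jdoe", ATTACKER_DN, PRECEDED_BY, ADMIN_DN),
    _event(5136, "jdoe", ATTACKER_DN, MSA_STATE, "2"),
]

if __name__ == "__main__":
    for sev, dn, reason in triage(SAMPLE_EVENTS, [ADMIN_DN], ["adm.migrate"]):
        print(f"[{sev.upper():8}] {dn}: {reason}")
```

The sanctioned migration yields a single informational finding for the object creation, while the attacker's sequence is reported at each step and once more when the two attributes are seen together on the same object. In production the privileged list should be generated from group membership (Domain Admins, Enterprise Admins, adminCount=1 accounts) rather than typed by hand.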

 

Cisco Releases Fixes for Medium-Severity Webex and ISE Vulnerabilities

Cisco has released three Medium-severity security fixes addressing vulnerabilities in Webex Meetings (CVE-2025-20215) and Cisco Identity Services Engine (CVE-2025-20331, CVE-2025-20332).

CVE-2025-20215 (Webex Meetings): Addressed a vulnerability in the meeting-join process that could have allowed an attacker on a local or adjacent network to join a meeting as another user.

CVE-2025-20331 (Cisco Identity Services Engine Software & Cisco ISE Passive Identity Connector): Fixed a stored cross-site scripting (XSS) flaw in the web-based management interface that could allow an attacker to execute arbitrary script in the browser of another user of the interface or access sensitive browser-based information.

CVE-2025-20332 (Cisco Identity Services Engine Software): Resolved a permissions validation issue that could let a read-only administrator modify certain configuration details.

RECOMMENDATIONS    

  • Ensure all systems are patched and updated.

 

Google Releases Chrome Update Fixing Multiple Security Vulnerabilities

Google has released Chrome version 139.0.7258.66/67 to the Stable Channel for Windows, macOS, and Linux. The update, which will be rolled out progressively, includes multiple security fixes and feature enhancements.

The update addresses the following vulnerabilities:

  • Medium – CVE-2025-8576: use-after-free in Extensions
  • Medium – CVE-2025-8577: inappropriate implementation in Picture-in-Picture
  • Medium – CVE-2025-8578: use-after-free in Cast
  • Low – CVE-2025-8579: inappropriate implementation in Gemini Live
  • Low – CVE-2025-8580: inappropriate implementation in Filesystems
  • Low – CVE-2025-8581: inappropriate implementation in Extensions
  • Low – CVE-2025-8582: insufficient validation of untrusted input in DOM
  • Low – CVE-2025-8583: inappropriate implementation in Permissions

Users and administrators are advised to update to the latest stable version to mitigate these vulnerabilities.

RECOMMENDATIONS    

  • Ensure all systems are patched and updated.

 

Researchers Identify CL-CRI-1040 Cluster Driving Storm-2603 Exploitation Campaign

An activity cluster tracked as CL-CRI-1040 shows strong overlap with Microsoft’s reporting on ToolShell, an exploit chain targeting SharePoint vulnerabilities and attributed to the suspected China-based group Storm-2603. Based on host and network artifacts, researchers are highly confident that CL-CRI-1040 is linked to the same threat actor.

This financially motivated cluster uses a custom toolset called Project AK47, which includes a multi-protocol backdoor (AK47C2), ransomware (AK47/X2ANYLOCK), and loaders employing DLL side-loading techniques. Previously associated with a LockBit 3.0 affiliate, CL-CRI-1040 is now connected to the double-extortion leak site known as Warlock Client.

RECOMMENDATIONS

  • Apply the principle of least privilege to minimize access to sensitive systems and data.
  • Enforce multi-factor authentication (MFA) for all accounts, especially administrative ones.
  • Patch internet-facing systems promptly, in particular on-premises SharePoint servers, which are the entry point for the ToolShell exploit chain.
  • Conduct awareness programs to educate users about phishing attacks and social engineering tactics.
  • Monitor your network for abnormal behavior and for the published Indicators of Compromise (IOCs), including unexpected DLLs loaded by signed executables, the DLL side-loading pattern this cluster's loaders rely on.

 

Researcher Unveils BitLocker-Based Lateral Movement Technique

Organizations using BitLocker for data-at-rest protection should be aware that, while the encryption itself is effective, the components that ship with it add attack surface. At Troopers 2025, researcher Fabian Mosch presented a lateral movement technique that hijacks a COM object used by BitLocker's components: the attacker writes the hijack into the target host's registry remotely over Windows Management Instrumentation (WMI), and when the BitLocker component instantiates that COM object the attacker's code runs in the context of the logged-on interactive user. If that user holds elevated privileges, for example a domain administrator with an active session, this can lead to domain-level compromise. Security teams are advised to implement detections for such techniques proactively, as threat actors routinely adopt researcher-disclosed methods to reduce their own development costs and evade attribution.

BitLockMove is the tool released alongside the research to simulate this lateral movement. Before the hijack it identifies active sessions on the remote system using undocumented functions from winsta.dll, the same library the native qwinsta utility uses to enumerate Remote Desktop sessions, so the operator knows which logged-on user will end up executing the payload.

RECOMMENDATIONS    

  • Implement least privilege and limit where privileged accounts sign in interactively: the technique runs as whichever user is logged on, so a domain admin session on an ordinary workstation turns a single-host compromise into a domain one.
  • Monitor registry and WMI activity: alert on writes to COM registration keys (CLSID InprocServer32 and LocalServer32 entries, particularly under user hives) and on remote WMI registry operations reaching hosts that are not normally managed that way.
  • Regularly update and patch systems: keep all software and operating systems up to date to reduce the number of vulnerabilities available to an attacker.
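As an added example (not code from the researcher or the BitLockMove project), the following Python snippet scores registry value writes for the COM hijack primitive the technique depends on. The records are constructed inline and modelled on Sysmon Event ID 13 (RegistryEvent SetValue) fields: Image, TargetObject, Details and User; generating them requires a Sysmon rule that covers CLSID keys, which is assumed. The CLSIDs, SIDs, hosts and paths are constructed, and the specific CLSID used in the research is deliberately not reproduced because the advisory does not name it.

```python
"""Added example: flag COM-object hijacks written through the registry.

Events are constructed below and modelled on Sysmon Event ID 13 fields; the
CLSIDs, SIDs and paths are assumptions, not values from the original research.
"""
import re

# The (Default) value of InprocServer32/LocalServer32 under a CLSID decides
# which binary COM loads for that class.
COM_SERVER_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\Software\\Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"\\(?P<kind>InprocServer32|LocalServer32)\\\(Default\)$",
    re.IGNORECASE,
)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WMI_HOST = "wmiprvse.exe"   # StdRegProv writes arriving over WMI run inside the provider host


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a COM-server registration write, else None."""
    m = COM_SERVER_RE.match(event["TargetObject"])
    if not m:
        return None
    target = event["Details"].strip('"').lower()
    writer = _basename(event["Image"])
    reasons, score = [], 0

    if m.group("hive").upper() != "HKLM":
        # Per-user Classes entries override HKLM for that user's non-elevated
        # processes, so a hijack there needs no admin rights on the machine hive.
        reasons.append("per-user CLSID override")
        score += 1
    if not target.startswith(TRUSTED_PREFIXES):
        reasons.append(f"server outside trusted paths ({target})")
        score += 2
    if target.startswith("\\\\"):
        reasons.append("server on a UNC path")
        score += 1
    if writer == WMI_HOST:
        reasons.append("written by WmiPrvSE.exe (remote WMI registry write)")
        score += 2

    if score == 0:
        return None
    severity = "critical" if score >= 4 else "high" if score >= 2 else "low"
    return severity, f"{m.group('kind')} for {m.group('clsid')}: " + "; ".join(reasons)


def scan(events):
    """Apply classify() to a batch and return (severity, image, reason) tuples."""
    hits = []
    for ev in events:
        hit = classify(ev)
        if hit:
            hits.append((hit[0], ev["Image"], hit[1]))
    return hits


CLSID = "{11111111-2222-3333-4444-555555555555}"   # constructed, not a real class
USER_HIVE = "HKU\\S-1-5-21-1004336348-1177238915-682003330-1105"

# Constructed sample: an installer registering a server, a remote WMI write
# pointing a per-user override at ProgramData, and a harmless per-user entry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": f"HKLM\\Software\\Classes\\CLSID\\{CLSID}\\InprocServer32\\(Default)",
     "Details": "C:\\Program Files\\Vendor\\app.dll"},
    {"Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "NT AUTHORITY\\SYSTEM",
     "TargetObject": f"{USER_HIVE}\\Software\\Classes\\CLSID\\{CLSID}\\InprocServer32\\(Default)",
     "Details": "C:\\ProgramData\\update.dll"},
    {"Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice",
     "TargetObject": f"{USER_HIVE}\\Software\\Classes\\CLSID\\{CLSID}\\InprocServer32\\(Default)",
     "Details": "C:\\Windows\\System32\\shell32.dll"},
]

if __name__ == "__main__":
    for severity, image, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity.upper():8}] {image}: {reason}")
```

The installer's machine-wide registration scores nothing, the per-user entry that still points into System32 is reported at low severity for review, and the remote WMI write that redirects a class to C:\ProgramData is escalated to the top severity: a per-user override, an untrusted server path and the WmiPrvSE.exe writer together are the footprint of a remotely planted COM hijack.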

 

References

https://cybersecuritynews.com/google-confirms-data-breach/

https://medium.com/@matanb707/windows-fonts-exploitation-in-2025-bypassing-uac-with-eudcedit-915599705639

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53787
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53774
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53767
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53792

https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#title-971c0073d4
https://github.com/logangoins/SharpSuccessor/tree/master

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-join-yNXfqHk4
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise_xss_acc_cont-YsR4uT4U

https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html

https://unit42.paloaltonetworks.com/ak47-activity-linked-to-sharepoint-vulnerabilities/

https://ipurple.team/2025/08/04/lateral-movement-bitlocker/
https://github.com/rtecCyberSec/BitlockMove/

 
