CyberHappenings logo
☰

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Insecure Consumer Devices Pose Threat to Hybrid Work Environments

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

Consumer devices in home networks are increasingly becoming attack vectors for enterprise systems in the hybrid work era. These devices are often unpatched, unsupported, and insecure, providing threat actors with an entry point into corporate environments. The risk is exacerbated by the fact that enterprise security teams have limited control over these devices. The D-Link camera and video recorders were recently added to the Known Exploited Vulnerabilities Catalog (KEV), highlighting the broader threat posed by consumer devices. These devices, when compromised, can intercept traffic, change DNS settings, or serve as a foothold for accessing other systems. They also contribute to the botnet ecosystem, which can be used to launch various attacks on corporate targets.

Timeline

  1. 26.08.2025 17:00 πŸ“° 1 articles Β· ⏱ 21d ago

    D-Link Cameras and Video Recorders Added to KEV Catalog

    D-Link cameras and video recorders were added to the Known Exploited Vulnerabilities Catalog (KEV), highlighting the risk posed by consumer devices in hybrid work environments. These devices, often unpatched and unsupported, provide threat actors with an entry point into corporate systems. The compromise of these devices can lead to various attacks, including traffic interception, DNS changes, and botnet participation, all of which can impact corporate security.

    Show sources

Information Snippets

Similar Happenings

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Fourth Spyware Campaign Targeting French Apple Users in 2025

Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Increased browser targeting by threat actors

Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents, such as the Snowflake breach, underscore the need for enhanced browser security measures. The browser's role in accessing sensitive data and cloud applications makes it a prime target for attackers. The Snowflake breach, which exploited stolen credentials, highlights the risks associated with browser-based attacks. Experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. These attacks exploit the browser's role in accessing business applications and data, making it crucial for security teams to focus on browser security.

GhostRedirector Campaign Targets Windows Servers with Rungan and Gamshen

A threat cluster named GhostRedirector has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam. The attacks deployed a passive C++ backdoor called Rungan and an IIS module named Gamshen. The threat actor has been active since at least August 2024. The primary goal of the attacks is to manipulate search engine results to boost the ranking of specific websites, including gambling sites. The campaign targets various sectors, including education, healthcare, insurance, transportation, technology, and retail. Initial access is gained through an SQL injection vulnerability, followed by the use of PowerShell to deliver additional tools. The threat actor is assessed with medium confidence to be China-aligned.