#AxisOfEasy 416: Judge Imposes Limits On Google Deals After Monopoly Ruling But Avoids Breakup


Weekly Axis Of Easy #416


Last Week’s Quote was: “Everything can be taken from a man but one thing: the last of the human freedoms—to choose one’s attitude in any given set of circumstances, to choose one’s own way.” It was by Viktor Frankl. Les L. is the winner!

This Week’s Quote:  “The most effective way to do it, is to do it.”   By ???

This week, whoever wins the quote contest, in addition to getting their next renewal on the house, will also receive a coupon code for a free audiobook copy of Charles Hugh Smith’s latest book: Ultra-Processed Life.

THE RULES:  No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of September 1st, 2025, in which our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To listen/watch this podcast edition, with commentary and insight from Joey and Len the Lengend, click here.


In this issue: 

  • Judge Imposes Limits on Google Deals After Monopoly Ruling but Avoids Breakup
  • Salesloft Drift Breach Exposes Salesforce Data at Zscaler, Palo Alto Networks, and Hundreds More
  • APT Group Exploits Microsoft Trust to Deploy Stealthy Malware
  • Storm-0501 Executes Cloud-Only Ransom Operation by Exploiting Entra ID and Azure Admin Gaps
  • Cloudflare Neutralizes 11.5 Tbps DDoS Amid Rising IoT Botnet Exploits

Elsewhere Online:

  • Targeted Zero-Click Attacks Leverage WhatsApp and iOS Vulnerabilities
  • ClickFix Campaign Delivers MetaStealer Through Bogus AnyDesk App
  • Shopify Reinstates Ban on Hateful Content in its Shop App
  • Malicious npm Packages Use Ethereum Smart Contracts to Hide C2 Infrastructure
  • Iranian Hackers Phish Diplomats Globally via Compromised Embassy Emails

 

Judge Imposes Limits on Google Deals After Monopoly Ruling but Avoids Breakup

U.S. District Judge Amit Mehta declined to break up Google’s search business but imposed behavioral remedies to address monopolistic conduct in the DOJ’s 2020 antitrust suit. The proposed injunction bars Google from conditioning Play Store licensing or revenue-share payments on bundling apps like Search, Chrome, Google Assistant, or Gemini. Google must share parts of its search index and user-interaction data with “qualified competitors,” and offer syndication at standard rates—measures Mehta framed as temporary and narrower than the EU’s Digital Markets Act, which he used as a benchmark.

Google spent $26 billion in 2021 alone securing default placement deals—$18 billion went to Apple, which also receives 36% of Google’s Safari search ad revenue. These exclusivity deals, Mehta noted, exploited the value of default settings that most users never change, freezing out rivals. The final judgment, due September 10, will be enforced by a technical committee for six years. Mehta rejected the DOJ’s broader demands—divestiture of Chrome or Android, termination of multi-billion-dollar agreements with Apple and Samsung, and forced disclosure of ranking algorithms and synthetic queries—which Google called a “de facto divestiture.”

Judge Leonie Brinkema, presiding over a separate case, already ruled in April 2025 that Google monopolized the ad-tech market; remedies will be determined in September. Appeals may run through 2028.

Read: https://techcrunch.com/2025/09/02/google-avoids-breakup-but-has-to-give-up-exclusive-search-deals-in-antitrust-trial/

Salesloft Drift Breach Exposes Salesforce Data at Zscaler, Palo Alto Networks, and Hundreds More

In early August, threat actor UNC6395 breached Drift, a Salesloft-owned SaaS product, by exploiting its Salesforce integration. The actor stole OAuth and refresh tokens between Aug. 8–18, enabling access to customer Salesforce data. Salesloft disclosed the breach on Aug. 20, hiring Mandiant and Coalition for incident response. Google (which owns Mandiant) warned that all authentication tokens associated with Drift should be presumed compromised. In response, Salesforce disabled all Salesloft integrations until further notice.

The attackers exfiltrated Salesforce objects including Account, Contact, Case, and Opportunity records. Palo Alto Networks’ Unit 42 observed mass data harvesting, credential scanning, and deletion of query logs to hinder forensics. PAN confirmed exposure of CRM data such as internal sales records and contact details. Zscaler reported unauthorized access to Salesforce info involving customer names, emails, job titles, phone numbers, regional data, licensing info, and plaintext support case content. Both firms emphasized no impact to their products, systems, or infrastructure.

Salesloft Drift serves “a few thousand” customers, with PAN stating “hundreds” affected. CISOs Sam Curry (Zscaler) and Marc Benoit (PAN) disclosed breaches publicly. Organizations were advised to audit Drift API integrations, review identity and network logs, rotate exposed credentials, and prepare for social engineering stemming from the breach.

Read: https://www.darkreading.com/cyberattacks-data-breaches/zscaler-palo-alto-networks-breached-salesloft-drift

APT Group Exploits Microsoft Trust to Deploy Stealthy Malware

The Silver Fox APT group is hijacking trust, using Microsoft-signed but vulnerable drivers—namely WatchDog Antimalware (amsdk.sys v1.0.600) and an old Zemana kernel-mode driver—to disable security processes on Windows 10/11 and drop ValleyRAT, a modular backdoor also known as Winos. The loader is an all-in-one package: anti-analysis, embedded drivers, process-killer, and downloader. It targets nearly 200 processes—largely antivirus tools prevalent in Asia—selecting the right exploit path based on OS version.

Check Point Research discovered that even after WatchDog patched its driver, Silver Fox subtly altered the new file by flipping a byte in the unauthenticated timestamp of its Microsoft Authenticode signature, producing a new hash while retaining trust—defeating hash-based blocklists. With Living Off The Land Drivers (LOLDrivers) and Microsoft’s Vulnerable Driver Blocklist both having missed it, the malware thrived. ValleyRAT’s infrastructure ties to China, with targets skewing Asia-heavy. Vulnerabilities included raw disk access, privilege escalation, and lack of namespace access control. Microsoft’s lagging updates enabled the breach.
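Why a byte flip inside the signature blob slips past a file-hash blocklist, as an added example (not Check Point’s or the article’s code): a toy PE32+ image is constructed, one byte in its attribute certificate table is flipped, and the file’s SHA-256 changes while a simplified Authenticode digest (which skips the CheckSum field, the security directory entry and the certificate table, the regions the signature does not cover) stays the same. The PE layout and blob contents are constructed, and the digest routine omits the real algorithm’s section-ordering and trailing-data rules.

```python
import hashlib
import struct

OPT_MAGIC_PE32PLUS = 0x20B
CHECKSUM_OFF = 64        # CheckSum field, relative to the optional header
SECURITY_DIR_OFF = 144   # DataDirectory[4] (security dir) in PE32+: 112 + 4*8

def build_toy_pe(cert_blob: bytes) -> bytearray:
    # Constructed minimal PE32+: DOS header, COFF header, optional header,
    # a body of "code" bytes, and the attribute certificate table at the end.
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> "PE\0\0"
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32PLUS)
    struct.pack_into("<I", opt, CHECKSUM_OFF, 0x1234)    # arbitrary checksum value
    body = bytes(range(256))                             # constructed "code" bytes
    cert_off = len(dos) + len(coff) + len(opt) + len(body)
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 2) + cert_blob
    struct.pack_into("<II", opt, SECURITY_DIR_OFF, cert_off, len(win_cert))
    return dos + coff + opt + body + win_cert

def authenticode_hash(pe: bytes) -> str:
    # Simplified Authenticode digest: hash everything except the three regions
    # the signature does not cover (CheckSum, security dir entry, cert table).
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 4 + 20
    cert_off, cert_size = struct.unpack_from("<II", pe, opt + SECURITY_DIR_OFF)
    skips = [(opt + CHECKSUM_OFF, 4), (opt + SECURITY_DIR_OFF, 8), (cert_off, cert_size)]
    h, pos = hashlib.sha256(), 0
    for start, length in skips:                          # skips are in file order
        h.update(pe[pos:start])
        pos = start + length
    h.update(pe[pos:])
    return h.hexdigest()

def tamper_cert_table(pe: bytes) -> bytearray:
    # Flip one byte inside the certificate table, where the unauthenticated
    # countersignature timestamp lives; the signed image bytes are untouched.
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    cert_off = struct.unpack_from("<I", pe, e_lfanew + 24 + SECURITY_DIR_OFF)[0]
    out = bytearray(pe)
    out[cert_off + 8 + 10] ^= 0x01
    return out

def compare(pe: bytes) -> dict:
    # A file-hash blocklist sees a new file; a check keyed on the signed
    # region (Authenticode hash, or the signer) still recognises it.
    t = tamper_cert_table(pe)
    return {"file_hash_changed": hashlib.sha256(pe).digest() != hashlib.sha256(t).digest(),
            "authenticode_hash_changed": authenticode_hash(pe) != authenticode_hash(t)}

TOY_PE = build_toy_pe(b"CONSTRUCTED PKCS7 blob, timestamp 20250901000000Z")
```

The defensive takeaway is to key driver blocklists on the Authenticode hash or the signing certificate rather than on the raw file hash, which is exactly what a flipped unsigned byte invalidates.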

Read: https://hackread.com/silver-fox-apt-exploit-signed-windows-driver-valleyrat/

Storm-0501 Executes Cloud-Only Ransom Operation by Exploiting Entra ID and Azure Admin Gaps

Storm-0501, a financially motivated threat actor fluent in ransomware deployment since 2021, has escalated its tactics, targeting cloud-native infrastructure for data theft and extortion. Previously associated with families like Sabbath, BlackCat, Hive, Hunters International, LockBit, and Embargo, the group now weaponizes Microsoft Entra ID environments. In a recent attack on a large enterprise, it compromised multiple Active Directory domains using Evil-WinRM, breached Entra Connect Sync servers, and identified a non-human synced identity with global admin rights. After resetting its password and bypassing MFA, the group registered a new MFA method and authenticated as that identity.

From there, Storm-0501 accessed the Azure portal, registered a new Entra ID tenant, deployed a backdoor for persistent access, and escalated privileges to the “Owner” role across all Azure subscriptions. Using AzureHound, it mapped the environment, locating sensitive storage and backup targets. It exfiltrated data using AzCopy CLI and stolen Azure Storage access keys, then mass-deleted data, circumvented protections with cloud encryption, and exposed internal assets to external networks. Finally, the attackers issued ransom demands via Microsoft Teams using a compromised account, completing a seamless, cloud-native extortion loop.
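Two checks a defender can run against the identity gap described above, as an added example (not Microsoft’s or SecurityWeek’s code): an inventory of on-prem-synced identities that hold a cloud privileged role, and a detection for a password reset followed shortly by a new MFA method on such an identity. The audit records below are constructed, and their field names and activity labels are assumptions for this example rather than the Entra ID audit-log schema.

```python
from datetime import datetime, timedelta

# Constructed audit records (assumed field names, not Microsoft's schema).
EVENTS = [
    {"ts": "2025-09-01T02:10:00Z", "activity": "password_reset",        "target": "svc-sync-admin", "synced": True,  "roles": ["Global Administrator"]},
    {"ts": "2025-09-01T02:14:00Z", "activity": "mfa_method_registered", "target": "svc-sync-admin", "synced": True,  "roles": ["Global Administrator"]},
    {"ts": "2025-09-01T09:00:00Z", "activity": "password_reset",        "target": "alice",          "synced": False, "roles": []},
    {"ts": "2025-09-01T09:03:00Z", "activity": "mfa_method_registered", "target": "alice",          "synced": False, "roles": []},
    {"ts": "2025-09-01T10:00:00Z", "activity": "password_reset",        "target": "bob-sync",       "synced": True,  "roles": ["Global Administrator"]},
    {"ts": "2025-09-01T12:30:00Z", "activity": "mfa_method_registered", "target": "bob-sync",       "synced": True,  "roles": ["Global Administrator"]},
]

PRIVILEGED = {"Global Administrator", "Privileged Role Administrator"}

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def is_synced_privileged(e: dict) -> bool:
    return bool(e["synced"] and PRIVILEGED & set(e["roles"]))

def synced_privileged_accounts(events) -> list:
    # Preventive inventory: identities synced from on-prem AD that hold a cloud
    # privileged role. An on-prem compromise of any of these reaches the tenant.
    return sorted({e["target"] for e in events if is_synced_privileged(e)})

def find_reset_then_mfa(events, window=timedelta(minutes=30)) -> list:
    # Detection: on a synced privileged identity, a password reset followed
    # within `window` by a newly registered MFA method (the takeover sequence).
    last_reset, hits = {}, []
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if not is_synced_privileged(e):
            continue
        t = parse_ts(e["ts"])
        if e["activity"] == "password_reset":
            last_reset[e["target"]] = (t, e["ts"])
        elif e["activity"] == "mfa_method_registered":
            reset = last_reset.get(e["target"])
            if reset and t - reset[0] <= window:
                hits.append({"target": e["target"], "reset_at": reset[1], "mfa_at": e["ts"]})
    return hits
```

Accounts in the inventory with no business need for a cloud role should be removed from the role, and the detection is tuned by widening or narrowing `window` to the reset-to-MFA gap seen in normal helpdesk flows.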

Read: https://www.securityweek.com/ransomware-group-exploits-hybrid-cloud-gaps-gains-full-azure-control-in-enterprise-attacks/


Cloudflare Neutralizes 11.5 Tbps DDoS Amid Rising IoT Botnet Exploits

Cloudflare blocked a 35-second, record-setting 11.5 Tbps volumetric DDoS attack—initially misattributed mostly to Google Cloud but later traced to multiple IoT and cloud sources.

This UDP flood, peaking at 5.1 Bpps, marked a surge in Layer 3/4 hyper-volumetric attacks: 6,500 in Q2 2025 versus 700 in Q1. A prior May 2025 incident hit 7.3 Tbps. These attacks generate packet tsunamis to degrade networks, often masking multi-vector intrusions. RapperBot, detailed by Bitsight, exemplifies the botnet machinery behind them: it exploits path traversal flaws in network video recorders (NVRs) to leak admin credentials, mounts remote NFS shares, and executes a fake firmware update that installs bash-executed binaries.

The malware uses hard-coded DNS TXT records and a simplified domain generation algorithm—four domains, four subdomains, two TLDs—to resolve command-and-control servers and launch DDoS floods. No persistence needed: attackers repeatedly scan for vulnerable edge devices like routers and DVRs. Pedro Umbelino noted their clever use of NFS reflects deep model-specific reverse engineering.

Read: https://thehackernews.com/2025/09/cloudflare-blocks-record-breaking-115.html

Elsewhere Online:

Targeted Zero-Click Attacks Leverage WhatsApp and iOS Vulnerabilities
Read: https://www.darkreading.com/cyberattacks-data-breaches/whatsapp-bug-zero-click-iphone-attacks


ClickFix Campaign Delivers MetaStealer Through Bogus AnyDesk App
Read: https://hackread.com/fake-anydesk-installer-metastealer-clickfix-scam/


Shopify Reinstates Ban on Hateful Content in its Shop App
Read: https://reclaimthenet.org/shopify-reimposes-ban-on-hateful-content-in-shop-app


Malicious npm Packages Use Ethereum Smart Contracts to Hide C2 Infrastructure
Read: https://www.infosecurity-magazine.com/news/malicious-npm-packages-exploit/


Iranian Hackers Phish Diplomats Globally via Compromised Embassy Emails
Read: https://thehackernews.com/2025/09/iranian-hackers-exploit-100-embassy.html
