
Salesloft Drift Integration Exploited to Steal Salesforce Data Across Multiple Organisations

Between 8 August and 18 August 2025, Google Cloud’s Threat Intelligence team uncovered a widespread campaign of data theft targeting Salesforce environments through the compromise of Salesloft Drift integrations. Rather than breaching Salesforce directly, the attackers exploited OAuth tokens associated with Drift, a third-party application, to access Salesforce instances belonging to a wide range of organisations.

The campaign was linked to a financially motivated threat actor that used the stolen OAuth tokens to query and exfiltrate sensitive data. The attackers exported customer information, internal records, and authentication material stored in those records, such as AWS access keys, passwords, and Snowflake tokens. They also attempted to cover their tracks by deleting the query jobs once exfiltration was complete, although log entries remained available for investigation.

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

Valentina Martinez

Cyber Security Analyst | Cyber Risk

vmartinez@thomasmurray.com

This incident demonstrates the risks created by third-party integrations within enterprise SaaS ecosystems. By compromising Drift, attackers were able to pivot into Salesforce environments without directly attacking Salesforce itself. Google emphasised that other integrations, such as those connecting with Google Workspace or similar platforms, may also be at risk if they rely on compromised Drift tokens. 

In response, Salesforce took defensive action by disabling all Drift integrations and revoking related OAuth tokens. Salesloft also suspended Drift integrations and began working with Mandiant, Google Cloud, and law enforcement agencies to investigate the breach and strengthen security controls.

Google’s report highlights the importance of carefully managing OAuth tokens and third-party app permissions. Organisations using Drift were urged to assume their tokens had been compromised, revoke and rotate any credentials stored in their Salesforce data (such as the AWS keys, passwords and Snowflake tokens the attackers were harvesting), and review system logs for signs of unauthorised access.
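Rotating "any credentials" is only possible once you know which ones sit inside Salesforce records. The scanner below is an added example (not code from Google’s report or from this newsletter) that sweeps exported free-text fields for the secret types the attackers were after. The record layout, field names and sample records are constructed; the AWS key prefixes and the Snowflake account-host suffix are real formats, the Snowflake token check is a keyword heuristic because token formats vary.

```python
"""Heuristic scan of exported Salesforce records for stored credentials.

Added example, not from the Google Cloud report or the newsletter.
The record layout and sample records below are constructed for illustration.
"""
import re

# AWS access key IDs start with AKIA (long-lived IAM user keys) or ASIA (temporary keys).
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# An AWS secret access key is 40 base64-like characters; only flag it next to a "secret ... key" keyword.
AWS_SECRET_NEAR_KEYWORD = re.compile(
    r"(?i)secret[_ ]?(access[_ ]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b")
# Plain "password: ..." / "pwd=..." assignments pasted into tickets and notes.
PASSWORD_ASSIGNMENT = re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[:=]\s*(\S{6,})")
# Snowflake: the account host suffix is well known; token formats are not, so
# flag a Snowflake host that appears together with a token/password assignment.
SNOWFLAKE_HOST = re.compile(r"(?i)\b[\w.-]+\.snowflakecomputing\.com\b")
SNOWFLAKE_CRED = re.compile(r"(?i)\b(token|password|pwd)\s*[:=]\s*\S+")


def redact(secret: str) -> str:
    """Keep only enough of the value to recognise it in a rotation ticket."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def find_secrets(text: str) -> list[tuple[str, str]]:
    """Return (kind, raw_value) pairs found in one free-text value."""
    findings = []
    for m in AWS_ACCESS_KEY_ID.finditer(text):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in AWS_SECRET_NEAR_KEYWORD.finditer(text):
        findings.append(("aws_secret_access_key", m.group(2)))
    for m in PASSWORD_ASSIGNMENT.finditer(text):
        findings.append(("password", m.group(3)))
    host = SNOWFLAKE_HOST.search(text)
    if host and SNOWFLAKE_CRED.search(text):
        findings.append(("snowflake_credential", host.group(0)))
    return findings


def scan_records(records) -> list[dict]:
    """Scan every string field except the record Id; never store the raw secret in the report."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field == "Id" or not isinstance(value, str):
                continue
            for kind, raw in find_secrets(value):
                hits.append({"record": rec["Id"], "field": field,
                             "kind": kind, "preview": redact(raw)})
    return hits


# Constructed sample export: a few Case-like records with hypothetical Ids.
SAMPLE_RECORDS = [
    {"Id": "500xx0000001", "Subject": "VPN onboarding",
     "Description": "Please reset my VPN, nothing else needed."},
    {"Id": "500xx0000002", "Subject": "Pipeline creds",
     "Description": "Access key AKIAIOSFODNN7EXAMPLE, secret access key: "
                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "500xx0000003", "Subject": "Warehouse access",
     "Description": "Snowflake host acme-xy12345.snowflakecomputing.com, "
                    "token=eyJhbGciOiJIUzI1NiJ9.constructed"},
    {"Id": "500xx0000004", "Subject": "Portal login",
     "Description": "Temporary portal password: Winter2025!"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(hit)
```

Run it over a CSV or Bulk API export of the objects the Drift connected app could read (Cases, Accounts, Contacts and their notes); every hit is a credential to rotate, independent of whether the Drift token has already been revoked.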

This campaign underscores a growing trend in cyber attacks: adversaries increasingly exploit the trust placed in SaaS integrations to infiltrate environments indirectly. Even when core platforms are well secured, vulnerabilities in connected services can open the door to large-scale data theft.

https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift 


Netherlands’ Largest Medical Data Breach Sparks Two Class-Action Lawsuits Against Clinical Diagnostics

In late August 2025, two law firms in the Netherlands announced preparations for class-action lawsuits against Clinical Diagnostics and the Centre for Population Screening, following a massive data breach that compromised the personal and sensitive information of participants in a cervical cancer screening programme.

The breach occurred within Clinical Diagnostics, an external research laboratory responsible for collecting and analysing samples. Cybercriminal group Nova stole the data of 485,000 participants, including full names, addresses, dates of birth, citizens' service numbers (BSN), test results, and the names of healthcare providers involved. 

Affected participants, over 405,000 women, received notification letters from the Centre for Population Screening, alerting them that their data had been compromised. The incident is considered one of the most serious medical data breaches in the Netherlands. 

Described as still at an early stage, the proposed class actions are being led by two Dutch law firms:

  • Van Diepen Van der Kroef, which has already received over 50,000 registrations on a dedicated site, datalekbevolkingsonderzoek.nl.
  • DHKV Advocaten, which launched claimbevolkingsonderzoek.nl and gathered over 18,000 registrations by Wednesday morning of that week.

Victims may seek compensation under the European General Data Protection Regulation (GDPR). This includes claims for both material damages (e.g., costs from identity theft, extortion, financial fraud) and non-material damages (such as stress, anxiety, or loss of trust). However, legal experts caution that proving actual damage resulting from a data breach is often difficult, and even serious breaches frequently fail to yield compensation.

At the time of reporting, neither Clinical Diagnostics nor the Centre for Population Screening had issued a public response to the looming lawsuits.

https://cybernews.com/cybercrime/clinical-diagnostics-two-class-action-lawsuits-data-breach/


Phishers Weaponise Zoom and Teams Invites to Deploy Remote Access Malware via ScreenConnect 

On 26 August 2025, SiliconANGLE published a report revealing an active cyber-attack campaign documented by Abnormal AI Inc. The attackers are impersonating everyday workplace communications, including Zoom and Microsoft Teams invitations, to trick users into installing ConnectWise ScreenConnect, a legitimate remote-monitoring and management (RMM) tool. Once installed, it grants adversaries full administrative control over compromised systems. 

This operation goes beyond traditional credential-theft phishing. Instead, targets are deceived into willingly installing what appears to be standard enterprise software. Attackers bolster credibility using emails sent from compromised legitimate accounts and embedding timely hooks, such as “tax season” cues or meeting invites, to lower suspicion.

Clicking the malicious link redirects victims to phishing landing pages, sometimes AI-generated, or file-sharing platforms that trigger ScreenConnect downloads. In other cases, victims are directly connected to live ScreenConnect sessions, bypassing the need for installation altogether. 

To further evade detection, the attackers employed a range of obfuscation techniques, such as wrapping links in SendGrid click-tracking domains, abusing open redirects on legitimate sites, hosting on Cloudflare Workers, and Base64-encoding the link targets, making the malicious links appear to originate from trusted providers.
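Each of those layers hides the real destination behind a host the recipient trusts, and none of them needs the link to be clicked to be undone. The following is an added example (not code from Abnormal AI’s report or from this newsletter) that peels open-redirect parameters, Base64-encoded targets and Workers hosting off a link without any network access. The wrapper host list is an assumption with one well-known click-tracking host; the redirect parameter names are a common but incomplete set; the sample links are constructed.

```python
"""Peel redirect and encoding layers off a suspicious link, offline.

Added example, not from Abnormal AI's report. Wrapper hosts and redirect
parameter names are assumptions; the sample links are constructed.
"""
import base64
from urllib.parse import urlparse, parse_qs, unquote, quote

# Query parameters that open redirects on legitimate sites commonly honour (assumed, extend as needed).
REDIRECT_PARAMS = {"url", "u", "redirect", "redirect_url", "redir", "next", "target", "dest", "goto", "link"}
# Click-tracking hosts whose wrapped links cannot be decoded offline but are worth flagging (assumed list).
WRAPPER_HOSTS = {"ct.sendgrid.net"}
WORKER_HOST_SUFFIX = ".workers.dev"   # default hostname for Cloudflare Workers


def maybe_b64_url(s: str):
    """Decode s as (url-safe or standard) Base64 and return it if it is an http(s) URL, else None."""
    try:
        padded = s + "=" * (-len(s) % 4)
        out = base64.urlsafe_b64decode(padded).decode("utf-8")
    except Exception:            # bad padding, non-base64 input or non-UTF-8 bytes
        return None
    return out if out.startswith(("http://", "https://")) else None


def peel(url: str, max_depth: int = 8):
    """Follow embedded targets layer by layer. Returns (final_url, layers, sorted flags)."""
    layers, flags, current = [url], set(), url
    for _ in range(max_depth):
        parsed = urlparse(current)
        host = (parsed.hostname or "").lower()
        if host in WRAPPER_HOSTS:
            flags.add("link_wrapper")
        if host.endswith(WORKER_HOST_SUFFIX):
            flags.add("cloudflare_workers_host")
        nxt = None
        for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
            if key.lower() not in REDIRECT_PARAMS or not values:
                continue
            candidate = unquote(values[0])
            if candidate.startswith(("http://", "https://")):
                nxt = candidate
                flags.add("open_redirect_param")
            elif (decoded := maybe_b64_url(candidate)):
                nxt = decoded
                flags.add("base64_link")
            if nxt:
                break
        if nxt is None:          # target may also sit in the fragment or the last path segment
            tail = parsed.fragment or parsed.path.rsplit("/", 1)[-1]
            if (decoded := maybe_b64_url(tail)):
                nxt = decoded
                flags.add("base64_link")
        if nxt is None or nxt in layers:
            break
        layers.append(nxt)
        current = nxt
    first_host = (urlparse(layers[0]).hostname or "").lower()
    final_host = (urlparse(layers[-1]).hostname or "").lower()
    if final_host != first_host:
        flags.add("destination_differs_from_visible_host")
    return layers[-1], layers, sorted(flags)


# Constructed sample chain: trusted SSO open redirect -> Workers hop -> Base64 target (all hypothetical hosts).
FINAL = "https://drop.example-files.net/Zoom-Meeting-Invite.exe"
ENCODED = base64.urlsafe_b64encode(FINAL.encode()).decode().rstrip("=")
WORKER_HOP = f"https://phish-kit.workers.dev/go?u={ENCODED}"
SAMPLE_LINK = "https://sso.example.com/login?next=" + quote(WORKER_HOP, safe="")
# A click-tracking wrapper: the token is opaque, so it can only be flagged, not peeled.
SAMPLE_WRAPPED = "https://ct.sendgrid.net/ls/click?upn=OPAQUE-TRACKING-TOKEN"

if __name__ == "__main__":
    for link in (SAMPLE_LINK, SAMPLE_WRAPPED):
        final, layers, flags = peel(link)
        print(final, len(layers), flags)
```

Feed it the href of every link in a suspect message; a final host that differs from the visible one, or a Workers host anywhere in the chain, is the signal to quarantine the mail before anyone reaches the download.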

Once installed, ScreenConnect provides attackers with administrator-level access. They use this foothold to move laterally within networks, harvest credentials, and carry out secondary phishing campaigns. Notably, malicious links are inserted into ongoing legitimate email threads, making them appear as natural continuations of business correspondence. 

The campaign has gained traction across hacking communities via dark-web offerings. Vendors are marketing pre-packaged “ScreenConnect Revolution” kits, bundling features like hidden VNC capabilities, Windows Defender evasion, and session recovery options. Some packages are sold for as little as $6,000 with support included, while others offer access to already compromised networks for $500–$2,000.

To date, more than 900 organisations across sectors, including education, religious institutions, healthcare, financial services, insurance, and technology, have been targeted. Most victims are located in the U.S., Canada, the U.K., and Australia.

Abnormal AI researchers highlight that this campaign represents a notable shift in cyber-threat strategy: weaponising trusted systems rather than trying to breach them directly. The skilled social engineering, obfuscation, and dark-web commercialisation significantly amplify the threat's sophistication. 

To counter this evolving risk, enterprises are urged to adopt AI-powered email security, implement enhanced endpoint monitoring for unauthorised remote-access tools, embrace zero-trust architectures, and reinforce security awareness training so staff can identify such deceptive attacks.

https://siliconangle.com/2025/08/26/attackers-exploit-zoom-teams-impersonations-deliver-screenconnect-malware/


Anthropic Reports Hackers Exploiting Claude AI for Cybercrime and Fraud Schemes 

US artificial intelligence company Anthropic, the developer of the Claude chatbot, has disclosed that its technology has been weaponised by hackers to enable large-scale cybercrime. According to the firm, malicious actors have used Claude to commit data theft, extortion, and fraud, demonstrating a worrying evolution in the misuse of advanced AI tools. 

Anthropic said its systems were used to generate malicious code for cyber-attacks against at least 17 organisations, including government bodies. Hackers reportedly relied on Claude to make both tactical and strategic decisions, ranging from determining which datasets to exfiltrate to drafting psychologically tailored extortion demands. In some cases, the AI even suggested specific ransom amounts. Anthropic described this as an “unprecedented degree” of AI involvement in cybercrime. 

The firm also reported a case of “vibe hacking”, where Claude was used not only for technical exploits but also to craft attacks with a social engineering dimension. Anthropic intervened to disrupt the threat actors and has since enhanced its internal detection capabilities while sharing findings with authorities. 

Beyond direct cyberattacks, Anthropic highlighted a separate scheme in which North Korean operatives exploited its technology to fraudulently obtain remote employment at major US tech companies. The operatives used Claude to generate job applications, translate communications, and write code, overcoming cultural and technical barriers that typically hinder such fraud. Once hired, these workers could provide the North Korean regime with access to corporate systems, effectively making employers unwittingly violate international sanctions. 

Experts caution that these cases underscore the growing risks tied to agentic AI systems capable of acting autonomously and at scale. While such technologies are often touted as the next big step in AI innovation, they also accelerate cybercriminal operations. AI is shrinking the time required to exploit vulnerabilities, pushing the need for proactive, preventative cyber security measures rather than reactive ones. 

Nonetheless, analysts such as Geoff White, co-presenter of _The Lazarus Heist_ podcast, argue that AI is not creating entirely new waves of cybercrime on its own. Traditional attack methods like phishing and vulnerability exploitation still dominate ransomware campaigns. Instead, AI is serving as a force multiplier, enabling both state-backed and criminal actors to operate more effectively and at greater scale. 

Security experts warn that AI systems must be treated like any other sensitive repository, requiring robust protection and oversight. As Nivedita Murthy of Black Duck Security put it, organisations need to recognise that AI is a critical source of confidential data, and therefore a prime target for cyber adversaries. 

https://www.bbc.com/news/articles/crr24eqnnq9o


Cyber Incident at Colt Services Underscores Escalating Risks to UK & European Critical Infrastructure 

A recent cyber incident at Colt Technology Services, one of the largest telecommunications providers spanning both the UK and Europe, has illuminated the growing vulnerabilities of critical infrastructure in the region. According to TEISS, the attack led to significant outages by taking key internal systems offline, even though customer-facing network services remained unaffected. 

The incident highlights the reality that even segmented internal systems, when compromised, can force substantial disruption. TEISS emphasised that this attack represents a broader alarm: cyber threats to critical infrastructure are not only persistent but increasingly sophisticated, with attackers targeting the backbone systems that support essential services across the continent. 

The core message is clear: localised breaches, especially at telecommunications firms, can ripple outward, jeopardising everything from data integrity to operational continuity. Colt’s network of internal systems, while separate from customer infrastructure, served as a vital support layer: its compromise underscores how even protective segmentation can be challenged by rising cyber threats.

https://www.teiss.co.uk/news/cyber-incident-at-colt-technologies-highlights-growing-threats-to-uk-and-european-critical-infrastructure-16246 


KLM Reports Customer Data Breach via Third-Party System: Flying Blue and Support Info Exposed 

KLM Royal Dutch Airlines has confirmed a customer data breach resulting from unauthorised access to a third-party system used for customer service. In a notification sent to affected customers, the carrier specified that the exposed information included: 

  • First and last names
  • Contact details (e.g., email addresses or phone numbers)
  • Flying Blue frequent-flyer membership numbers and tier levels
  • Subject lines from service-related email correspondence

Importantly, KLM assured customers that no sensitive data, such as passwords, credit card information, passport details, booking data, or Flying Blue miles, was compromised during the breach. The airline worked with the third-party provider to contain the incident. Corrective actions were taken to secure the system, and KLM filed a report with the Dutch Data Protection Authority in accordance with EU privacy regulations.

Cyber security experts noted that while the exposed data may appear limited, it still poses significant risks. Such information could be used to craft convincing phishing messages or social engineering attacks, increasing the probability of successful scams targeting affected customers. The airline apologised for the inconvenience and encouraged users to remain cautious. KLM has also made support available via its Customer Contact Centre for any concerns.

https://hackread.com/klm-customer-data-breach-linked-third-party-system/


Sophisticated Ransomware Forces National Guard Activation in St. Paul Cyber Crisis 

In late July 2025, the city of St. Paul, Minnesota suffered a deliberate, coordinated digital attack that significantly disrupted municipal systems. Suspicious activity was first detected on 25 July, prompting city officials to proactively shut down internal information systems by 27 July to contain the threat. 

The severity of the attack exceeded the city's capacity to respond, leading Governor Tim Walz to issue an executive order deploying the Minnesota National Guard’s cyber protection team. A state of emergency was simultaneously declared by Mayor Melvin Carter to streamline response efforts.

The shutdown caused widespread outages: public Wi-Fi was down in municipal buildings, library services were interrupted, and access to online payment platforms was disabled. Despite the disruptions, emergency services like 911 remained fully operational.

Officials later confirmed that the incident was a ransomware attack, with the city refusing to pay the ransom demanded. The hacker group Interlock claimed responsibility, stating they had stolen and publicly posted 43 GB of sensitive data from St. Paul’s network. 

The leaked data included: 

  • Over 3,000 HR records (performance evaluations, job descriptions, internal employee documents)
  • Nearly 4,800 pieces of operational content (work plans, memos, proposals)
  • More than 2,000 financial files (invoices, budgets, payment records)
  • At least 280 files containing personal IDs, passport scans and driver’s licences
  • Hundreds of internal email archives and correspondence

Recovery and Safeguarding Measures

The city launched “Operation Secure St. Paul”, which involved resetting passwords for about 3,500 employees, deploying advanced cyber security enhancements across 90% of city devices, and offering free credit monitoring and identity protection to all staff. Monitoring and forensic efforts were supported by two cyber security firms and the FBI, while the National Guard provided technical aid and incident mitigation.

The St. Paul attack is part of a wider trend: in 2025 alone, U.S. government entities experienced at least 46 ransomware-related attacks, reflecting the growing threat to public infrastructure. Experts warn residents and employees to remain alert for phishing scams and fraudulent communications following the breach.

https://thecyberexpress.com/city-of-st-paul-cyberattack/ 


Threat actors targeting financial entities in August 2025 (chart)

Ransomware vs Finance (last three months) (chart)


Managing Risk of AI Adoption

AI is transforming how organisations across the globe work, from powering internal knowledge hubs and embedding tools like Copilot in Teams, to generating production-ready code. But every innovation brings new cyber risks, compliance challenges, and attack surfaces. By using our AI code testing service, you can ensure your AI deployments are resilient, compliant, and ready for the real world.