
Sitecore zero-day vulnerability springs up from exposed machine key

An attacker exploited a zero-day vulnerability in Sitecore stemming from a misconfiguration of public ASP.NET machine keys that customers implemented based on the vendor’s documentation, according to researchers.

The critical zero-day defect — CVE-2025-53690 — was exploited by the attacker using exposed keys to achieve remote code execution, Mandiant Threat Defense said in a report Wednesday. The sample machine keys were included in Sitecore’s deployment guides dating back to at least 2017.

The configuration vulnerability impacts customers who used the sample key provided with deployment instructions for Sitecore Experience Platform 9.0 and earlier, Sitecore said in a security bulletin Wednesday. The vendor warned that all versions of Experience Manager, Experience Platform and Experience Commerce may be impacted if deployed in a multi-instance mode with customer-managed static machine keys.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones — a move we don’t recommend,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to remote code execution.”

Mandiant said it disrupted the attack after engaging with Sitecore, but said that effort prevented it from observing the full attack lifecycle. The incident response firm warns that many Sitecore customers used the commonly known ASP.NET machine key. 

Upon gaining access to the affected internet-exposed Sitecore instance, the attacker deployed a ViewState payload containing malware designed for internal reconnaissance, according to Mandiant. ViewState, the ASP.NET mechanism that round-trips serialized page state through a hidden form field, is protected only by a message authentication code computed with the validationKey from the machineKey configuration (plus the decryptionKey when ViewState encryption is enabled). When those keys are absent, disabled, or known to an attacker, a forged but correctly signed ViewState is accepted and deserialized by the server, which is how a public sample key turns into remote code execution.

Mandiant said the unidentified attacker, whose motivations are unknown, demonstrated a deep understanding of Sitecore’s product as it progressed from initial compromise to escalate privileges and achieve lateral movement. 

Sitecore and researchers advised customers to rotate the machine key if a commonly known one was used and to hunt for evidence of ViewState deserialization attacks. Rotating keys closes the door only for deployments that have not yet been exploited; an organization the attacker has already entered still has to investigate and evict the intruder.
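The mechanism and the remediation above both come down to what is in web.config. The script below is an added example, not code from Sitecore, Mandiant or CyberScoop: it parses a web.config, flags a disabled ViewState MAC, a static machineKey that matches a known public key, or a key that does not look random, and generates a replacement at the key sizes ASP.NET uses. The KNOWN_PUBLIC_KEYS set and the embedded web.config are constructed placeholders; Sitecore's actual sample key is deliberately not reproduced here, so populate the set from the vendor bulletin before running this against real servers.

```python
"""Audit web.config machineKey settings and generate replacements (added example)."""
import re
import secrets
import xml.etree.ElementTree as ET

# Hypothetical list of key values known to circulate in public documentation.
# These are constructed placeholders, not Sitecore's sample key; fill this set
# from the vendor bulletin before auditing real configs.
KNOWN_PUBLIC_KEYS = {
    "0123456789ABCDEF" * 8,  # 128 hex chars, the validationKey size for HMACSHA256
    "0123456789ABCDEF" * 4,  # 64 hex chars, the decryptionKey size for AES-256
}

# Constructed web.config fragment that copies the placeholder keys verbatim,
# the misconfiguration described in the article.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{vk}"
                decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="0123456789ABCDEF" * 4)

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def audit_config(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages: enableViewStateMac=false disables the ViewState MAC")
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element means the ASP.NET default, AutoGenerate,IsolateApps, which is
        # per machine and therefore not a shared copy-pasted secret.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_PUBLIC_KEYS:
            findings.append(f"{attr}: matches a known public sample key; rotate immediately")
        elif not HEX_RE.fullmatch(value):
            findings.append(f"{attr}: not a hex string; check for placeholder text")
        elif len(set(value.upper())) < 10:
            findings.append(f"{attr}: suspiciously low character diversity for a random key")
    return findings


def generate_machine_key():
    """Fresh random keys at the sizes ASP.NET uses for HMACSHA256 and AES."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes -> 128 hex chars
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes -> 64 hex chars
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(keys):
    """Render the element to paste into every instance that shares the farm."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print(render_machine_key(generate_machine_key()))
```

In a multi-instance deployment every server in the farm must receive the same generated element, otherwise ViewState produced by one node fails validation on the next; the point of rotation is that the shared value is random and private, not that it is absent. Rotation invalidates any ViewState the attacker has already signed, but it does not remove a web shell or persistence that was dropped before the rotation, which is why the hunt in the paragraph above still has to happen.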

Mandiant researchers said the attacker established footholds, deployed malware and tools to maintain persistence, conducted reconnaissance, achieved lateral movement and stole sensitive data.

“It is quite common for documentation to contain placeholder keys, such as ‘PUT_YOUR_KEY_HERE,’ or other randomly generated examples,” Dewhurst said. “It is ultimately both a failure on the user’s and Sitecore’s side. The user should know not to copy and paste public machine keys, and Sitecore should adequately warn users not to.”

The number of organizations compromised or potentially exposed to attacks remains unknown. Sitecore did not immediately respond to a request for comment.

Caitlin Condon, VP of security research at VulnCheck, said the zero-day vulnerability is an insecure configuration at its core, exacerbated by the public exposure of the sample machine key. 

“It’s entirely possible that the software supplier hadn’t meant for a sample machine key to be used indefinitely for production deployments but, as we know, software is deployed and configured in unintended ways all the time,” she said. “If there’s one takeaway from this, it’s that adversaries definitely read product docs, and they’re good at finding quirks and forgotten tricks in those docs that can be used opportunistically against popular software.”

The post Sitecore zero-day vulnerability springs up from exposed machine key appeared first on CyberScoop.

Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent

Google Threat Intelligence Group warned about a “widespread data theft campaign” that compromised hundreds of Salesforce customers over a 10-day span earlier this month. 

According to a report published Tuesday, researchers say a threat group Google tracks as UNC6395 stole large volumes of data from Salesforce customer instances by using stolen OAuth tokens from Salesloft Drift, a third-party AI chat agent for sales and leads. Google said the attack spree occurred from at least Aug. 8 to Aug. 18.

“GTIG is aware of over 700 potentially impacted organizations,” Austin Larsen, principal threat analyst at GTIG, told CyberScoop. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”

The attackers primarily sought to steal credentials to compromise other systems connected to the initial victims, according to Google. UNC6395 specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

“Using a single token stolen from Salesloft, the threat actor was able to access tokens for any Drift linked organization. The threat actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials including Amazon, Snowflake and other passwords,” said Tyler McLellan, principal threat analyst at GTIG.

Mandiant Consulting, Google’s incident response firm, hasn’t observed further use of the stolen credentials in any current investigations, he said. 

Salesloft confirmed the intrusions in a security update Monday and said all impacted customers have been notified. The company first issued an alert on Aug. 19 about malicious activity targeting Salesloft Drift applications integrated with Salesforce.

Salesloft said it worked with Salesforce to revoke all active access and refresh tokens for the application and asserts the impact is limited to customers integrated with Salesforce. Google said the attacks stopped once Salesloft and Salesforce revoked access on Aug. 20. 

Salesforce, in a statement Tuesday, said a “small number of customers” were impacted, adding “this issue did not stem from a vulnerability within the core Salesforce platform, but rather from a compromise of the app’s connection.” 

Google advised Salesloft Drift customers integrated with Salesforce to consider their data compromised, search for secrets contained in their Salesforce instances and remediate by revoking API keys, rotating credentials and investigating further. 
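Google's advice to search Salesforce instances for secrets is the step most teams have never scripted. The scanner below is an added example, not code from Google, Salesforce or Salesloft: it runs the kinds of patterns UNC6395 was hunting for (AWS access key IDs and secret keys, Snowflake account hostnames, and generic password or pre-shared-key assignments) over exported CRM records and reports each hit with the record it came from and a redacted value. The records are constructed; the AWS key pair is the example pair from AWS's own documentation, not a live credential, and the regular expressions are a starting point rather than an exhaustive secret catalogue.

```python
"""Scan exported Salesforce records for plaintext credentials (added example)."""
import re

# Constructed sample export of the objects the attackers queried. All values are
# fabricated; the AWS pair is the documented AWS example key, not a real one.
SAMPLE_RECORDS = [
    {"object": "Case", "id": "500xx0000000001", "field": "Description",
     "text": "Customer cannot reach S3. Sent temp creds: aws_access_key_id=AKIAIOSFODNN7EXAMPLE "
             "aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"object": "Opportunity", "id": "006xx0000000002", "field": "NextStep",
     "text": "Warehouse is acme-prod.snowflakecomputing.com, user svc_bi password: Wint3r2025!"},
    {"object": "Account", "id": "001xx0000000003", "field": "Description",
     "text": "Site-to-site VPN PSK: correct-horse-battery-staple (shared with partner NOC)"},
    {"object": "Account", "id": "001xx0000000004", "field": "Description",
     "text": "Renewal call scheduled for next quarter."},
]

# Each pattern either captures the secret in group 1 or matches it whole.
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret_access_key\s*[:=]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "snowflake_account": re.compile(
        r"(?i)\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b"),
    "password_or_psk": re.compile(
        r"(?i)\b(?:password|passwd|pwd|psk|pre-shared key)\s*[:=]\s*(\S+)"),
}


def redact(secret):
    """Keep a short prefix so an analyst can recognise the key without logging it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 4)


def scan_records(records):
    """Return one finding per (record, pattern match), with the value redacted."""
    findings = []
    for rec in records:
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(rec["text"]):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append({
                    "object": rec["object"],
                    "id": rec["id"],
                    "field": rec["field"],
                    "kind": kind,
                    "redacted": redact(secret),
                })
    return findings


def summarize(findings):
    """Count findings per secret type, the number a response lead wants first."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['object']} {h['id']} {h['field']}: {h['kind']} -> {h['redacted']}")
    print(summarize(hits))
```

Feed it the output of a Bulk API export or a SOQL dump of Case, Opportunity, Account and Task text fields rather than the live API, so the scan itself does not create another long-lived integration. Every hit is a credential to assume compromised: deactivate the AWS access key in IAM, reset the Snowflake user and VPN pre-shared key, and only then clean the record, since deleting the text without rotating the secret leaves the attacker's copy valid.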

Google hasn’t yet determined UNC6395’s origins or motivations. The attack spree was “broad and opportunistic, and appeared to take advantage of any organization using the Salesloft Drift integration with Salesforce,” McLellan said.

AppOmni CSO Cory Michal said the compromise and abuse of OAuth tokens and cloud-to-cloud integrations are a longtime known blind spot in most enterprises. Yet, the sheer scale and discipline of the attacks is surprising, he said. 

“The attacker methodically queried and exported data across many environments,” Michal added. “They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus and tradecraft makes this campaign stand out.”

‘Highly evasive’ Vietnamese-speaking hackers stealing data from thousands of victims in 62+ nations

Vietnamese-speaking hackers are carrying out a “highly evasive, multi-stage operation” to steal information from thousands of victims in more than 62 countries, researchers said in a report published Monday.

The attackers emerged late last year but have evolved with novel techniques this year, with SentinelLABS of SentinelOne and Beazley Security ultimately identifying 4,000 victims, most commonly in South Korea, the United States, the Netherlands, Hungary and Austria.

“The evolving tradecraft in these recent campaigns demonstrates that these adversaries have meticulously refined their deployment chains, making them increasingly more challenging to detect and analyze,” reads the report.

In particular, attacks just last month demonstrated tailored capabilities to bypass antivirus products and mislead security operations center analysts, according to the companies.

The hackers’ motives, apparently, are financial in nature.

“The stolen data includes over 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies, giving actors ample access to victims’ accounts and financial lives,” according to the two companies.

The hackers have been known to make money off the stolen data through “a subscription-based ecosystem that efficiently automates resale and reuse” through the Telegram messaging platform. It’s sold to other cybercriminals who then engage in cryptocurrency theft or purchase access to infiltrate victims, the report states.

The infostealer they use, PaxStealer, first garnered the attention of cybersecurity analysts after Cisco Talos published a report on it last November. Cisco Talos concluded that the hackers were targeting governmental and educational organizations in Europe and Asia.

Both the November report and Monday’s report identified clues in the infostealer’s coding of the hackers’ use of the Vietnamese language. Cisco Talos wasn’t sure in the fall whether the attackers were affiliated with the CoralRaider group that materialized in early 2024, or another Vietnamese-speaking group.

Jim Walter, a senior threat researcher for SentinelOne, told CyberScoop the group was “a long-standing actor” and “appears to be out of Vietnam,” but “beyond that analysis is ongoing and we’ll refrain from further [attribution] comments on the specific actor. It’s the same actor that has been highlighted by Cisco Talos and others as well.”

In the activity highlighted in Monday’s report, Walter said the targeting “seems wide and indiscriminate / opportunistic. Corporate and home users, whole spectrum of ‘user types.’”

Other Vietnamese hackers have been known to target activists inside the country with spyware, lace AI generators with malware or carry out ransomware attacks.

Passwords are dead — PINs give absolute security

ON SECURITY By Susan Bradley Did I get you with that headline? It’s clickbait. Absolute clickbait. Lately, I’ve been seeing many similar headlines touting the same sort of magical mantra “Get rid of passwords, and we’ll have no security problems in the future.” You may have seen headlines about Microsoft wanting to get rid of […]

Is your password at risk?

ON SECURITY By Susan Bradley The other day, I was working on something at home while my dad was doomscrolling through YouTube videos. Usually, he watches topics about classic cars and the like, but this time he hit on something political. The video focused on two people supposedly debating. The narrator urged everyone to stop […]

I set up passkeys for my Microsoft account

ISSUE 22.25 • 2025-06-23 MICROSOFT By Lance Whitney Are passkeys worth using with your accounts, particularly your Microsoft account? Here’s my experience. To try to eliminate or at least reduce the need for passwords, technology companies have been turning to passkeys. Now available through more websites and apps, passkeys are supposed to provide an easier […]

WebBrowserPassView — Take inventory of your stored passwords

FREEWARE SPOTLIGHT By Deanna McElveen By now, you probably have dozens — if not hundreds — of passwords saved in your Web browser. Those created by your browser are super strong. But some are a pet’s name with maybe a number or two thrown in. Today we are going to accomplish two things. First, we’ll […]

Podcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend […]

The post Podcast: Passwords: You Are the Weakest Link appeared first on Black Hills Information Security, Inc..

The Paper Password Manager

Michael Allen // Every year around the holidays I end up having a conversation with at least one friend or family member about the importance of choosing unique passwords for […]

Webcast: Passwords: You Are the Weakest Link

Why are companies still recommending an 8-character password minimum? Passwords are some of the easiest targets for attackers, yet companies still allow weak passwords in their environment. Multiple service providers recommend […]

Passwords: Our First Line of Defense

Darin Roberts // “Why do you recommend a 15-character password policy when (name your favorite policy here) recommends only 8-character minimum passwords?” I have had this question posed to me […]

Finding: Weak Password Policy

David Fletcher // The weak password policy finding is typically an indicator of one of two conditions during a test: A password could be easily guessed using standard authentication mechanisms. A […]

An Open Letter about Big All-Powerful Company’s Password Policy

Kelsey Bellew // Dear Big All-Powerful Company, Your idea of a ‘strong password’ is flawed. When I first saw the following message, I laughed. I said out loud, “No, you […]

How to Bypass Two-Factor Authentication – One Step at a Time

Sally Vandeven // Back in November Beau Bullock wrote a blog post describing how his awesome PowerShell tool MailSniper can sometimes bypass OWA portals to get mail via EWS if […]

How to Increase the Minimum Character Password Length (15+) Policies in Active Directory

Kent Ickler // As a start to a series on Windows Administration in the eyes of a security-conscious “Windows Guy” I invite you on configuring AD DS PSOs (Password Security […]

Question: What Can I Learn from Password Spraying a 2FA Microsoft Web App Portal?

Carrie Roberts // Answer: Enough to make it worth it! Penetration testers love to perform password spraying attacks against publicly available email portals as described here in this great post by Beau Bullock. […]

Lawrence’s List 061016

Lawrence Hoffman // It’s been one of those crazy busy weeks. I always feel like I didn’t get enough time to read articles, surf Reddit, and attempt to keep up […]
