North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.

Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns. 

GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks. 

Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.

By installing EtherHiding on the blockchain, UNC5342 can remotely update the malware’s functionality and maintain continuous control over their operations without worry about infrastructure takedowns or disruptions.

“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google’s incident response firm, said in an email. 

Google researchers described North Korea’s social engineering campaign as a sophisticated and ongoing effort to commit espionage, gain persistent access to corporate networks and steal sensitive data or cryptocurrency during the job application and interview process.

The crux of these attacks often occur during a fake technical assessment when job candidates are asked to download files that unbeknownst to them contain malicious code, according to Google. Researchers observed a multi-stage malware infection process involving JadeSnow, BeaverTail and InvisibleFerret. 

Cisco Talos researchers uncovered a Famous Chollima attack on an undisclosed organization based in Sri Lanka that likely originated from a user that fell for a fake job offer. The organization wasn’t targeted by the attackers, according to the report.

Researchers observed a previously undocumented keylogging and screenshotting module in the campaign that they traced to OtterCookie samples. The information-stealing malware contained a module that listens for keystrokes and periodically takes screenshots of the desktop session, which are automatically uploaded to the OtterCookie command and control server, Cisco Talos said.

Cisco and Google both shared indicators of compromise in their respective reports to help threat hunters find additional artifacts of the North Korea threat groups’ malicious activity.

The post North Korean operatives spotted using evasive techniques to steal data and cryptocurrency appeared first on CyberScoop.

Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday. 

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29. 

Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update. 

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.

Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity. 

Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.

Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims. 

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit. 

“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report. 

While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.

Clop has successfully intruded multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post Dozens of Oracle customers impacted by Clop data theft for extortion campaign appeared first on CyberScoop.

When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways. 

Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year.   Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be.  

The companies had very different experiences. While Okta’s security measures thwarted any lasting damage, Zscaler wasn’t as lucky, having to deal with unauthorized access of both customer and internal company data. Same threat actor. Same timeline. Opposite outcomes.

The divergence in incidents and responses offers a rare opportunity to understand how a cybersecurity strategy works in action. CyberScoop spoke with the security leaders of both companies to learn about how the attack went down from those directly in its crosshairs, and lessons learned that could bolster defenses of their companies and others going forward.

From warning to incident

Salesloft hasn’t publicly released a comprehensive root-cause analysis into the attack, but initial results of its investigation revealed a threat group gained access to its GitHub account as far back as March. The group, which Google tracks as UNC6395, achieved lateral movement and set up workflows in the Salesloft application environment before it accessed Drift’s Amazon Web Services environment and obtained OAuth tokens used by Drift customers. 

Those tokens allowed the threat group to access and steal data from separate platforms integrated with Drift, an AI chat agent primarily used by sales teams. Google said the “widespread data theft campaign” occurred during a 10-day period in mid-August. Nearly 40 companies, including more than 20 cybersecurity vendors, have publicly disclosed they were caught up in the attack spree.

Zscaler received its first security alert from Salesforce a week after the data theft concluded, warning the security vendor that unauthorized IP addresses were using the application programming interface (API) for its Drift OAuth token. Zscaler immediately revoked the token, “even though it didn’t really matter by that point,” said Sam Curry, the company’s chief information security officer.

The damage was already done. Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

IP limitations for defense

Since Okta uses Drift, it proactively hunted for signs of compromise when threat intel experts started warning about an issue with the service. The company found a “short burst of attempts” to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes, David Bradbury, Okta’s chief security officer, told CyberScoop.

That control blocked the attack and kept Okta’s Drift integrations secure. Yet, many companies don’t take that approach because setting IP restrictions for API calls is a manual and often laborious process requiring input and support from every vendor in the supply chain. 

“If we can put our minds to these problems, we can come up with solutions so that you can implement IP restrictions in a matter of clicks, rather than in a matter of days and weeks of continuous testing, and investigation and discovery,” Bradbury said.

Okta’s investigation revealed a seemingly automated threat campaign. “They were not persistent,” Bradbury said. “The hypothesis that we have at the moment is that there was a single significant script that was engineered that hit all of these all at once and pulled down all of this information in a series of events.”

Zscaler’s compromise was particularly frustrating given the timing: the company had already stopped using Drift in July, a decision completely unrelated to security — and made before any indicators of the attack campaign came to light. 

“That OAuth token that was being used with [Drift] was still active,” Curry said. “It was due to be retired by the end of August,” he added, describing that decision as a deliberate delay to make sure the token was fully disconnected and no longer in use. 

Token theft cause remains a mystery

Salesloft hasn’t explained how the threat group accessed its GitHub account, nor how it accessed Drift’s AWS environment and ultimately obtained customers’ OAuth tokens. 

“I don’t actually know how they got the tokens out. I just know they did,” Curry said. “As for how they store it, I don’t know internally, except that they passed our security questionnaire and probably hundreds, if not thousands of others” for third-party risk management, he added. 

Okta also doesn’t know how the threat group accessed its Salesloft Drift OAuth token. That information would have to come from Salesloft, Bradbury said.

“The internet is connected by some very brittle, small pieces of information — these tokens that we constantly talk about, these combinations of letters and numbers in files that ultimately provide access to all of the applications that we use,” he said. 

“Those tokens need to be stored somewhere, and sadly there are mechanisms in place right now which doesn’t necessitate actually tying these tokens directly to something — to prevent their reuse,” Bradbury added. 

Most SaaS applications implement tokens and authentication in rather rudimentary means. “They’re doing what’s easy and what works, and what works is once you’ve granted access you’re actually storing these tokens somewhere,” he said. 

Lessons learned for collective defense

While their experiences in the wake of the Salesloft Drift attacks were quite different, Bradbury and Curry shared similar reflections and took many like-minded lessons from the third-party compromise that impacted hundreds of companies. 

“APIs are becoming a new highway of access that we need more control over, and we need better control of collectively,” Curry said. “APIs get wider in terms of what you can do with them, and you need the ability to monitor them and to put preventative controls on them to look for behavioral changes.”

Zscaler learned another lesson the hard way — the importance of limiting IP address ranges for API queries, and rotating tokens more frequently. 

“For me, this wake-up call is saying API is a new attack-and-control plane that’s far more exposed than most people realize from just a simple risk exercise,” Curry said.

“There are no small vendors in an API-connected world. It’s just like — if you think about border security — there’s no small and insignificant ports of entry,” he added. “They all use the same highway systems.”

Bradbury, who is expectedly pleased Okta wasn’t impacted by this malicious campaign, can’t help but feel frustrated because he believes there are better, more secure methods to protect unauthorized token use. The central issue in this supply-chain attack could have been avoided with Demonstrating Proof of Possession (DPoP), a mechanism that can constrain token use to a specific client and prevent the use of stolen tokens, he said. 

Once attackers steal tokens that can be reused without restriction, disastrous consequences await all, Bradbury added. 

“We need to see more SaaS vendors actually prioritizing security features on their roadmap, not just the features that will result in customer growth and revenue,” he said. 

Security leaders have an important role to play in demanding these changes from their vendors. “It’s about time that we started to use our collective ambitions to raise the bar for security to actually hold our vendors accountable,” Bradbury said. 

Curry is taking a similar forward-looking approach. “Let’s learn from one another, instead of bayoneting the wounded,” he said. 

“After the fact, in the cold light of day, we’ll all look at what happened,” Curry added. “I’m not interested in blame at this point. I’m interested in better security.”

The post Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks appeared first on CyberScoop.

Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.  

The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen. 

“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”

Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.  

The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.  

“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.

“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”

In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.” 

This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.

The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days. 

“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”

The full text of the email is below:

Dearest executive,

We are CL0P team. If you haven’t heard about us, you can google about us on internet.

We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.

But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.

So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.

We always fulfil all promises and obligations.

We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.

Lower you see our contact email addresses:

[REDACTED]

[REDACTED]

As evidence, we can show any 3 files you ask or data row.

We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.

We are not interested in destroying your business. We want to take the money and you not hear from us again.

Time is ticking on clock and in few days if no payment we publish and close chat.

Please convey this information to your executive and managers as soon as possible.

After a successful transaction and receipt of payment we promise

1) technical advice

2) We will never publish you data

3) Everything we download will be delete w/proof

4) Nothing will ever disclose

Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.

KR CL0P

Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.

The post Here is the email Clop attackers sent to Oracle customers appeared first on CyberScoop.

Attackers appearing to be aligned with the Clop ransomware group have sent emails to Oracle customers seeking extortion payments, claiming they stole data from the tech giant’s E-Business Suite, according to researchers who spoke with CyberScoop. 

Researchers haven’t confirmed the veracity of Clop’s claimed data theft, but multiple investigations into Oracle environments belonging to organizations that received the emails are underway.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Clop hasn’t made the claims public through its leak sites.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The extortion activity involves targeted emails sent to company executives from hundreds of compromised third-party accounts beginning on or before Sept. 29, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.

“It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” Stark told CyberScoop.

While the tactics and contact email addresses align with Clop, researchers have yet to verify if the financially-motivated group is behind the attacks.

Clop is a highly prolific and notorious ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. 

The financially motivated threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The extortion emails originate from hundreds of compromised third-party accounts at various legitimate websites, and not from one specific vendor, said Austin Larsen, principal analyst at GTIG. “The claim within those emails is that they have stolen data from the Oracle E-Business Suite of the targeted organizations,” he added. 

The emails observed by researchers don’t contain a specific demand, but pressure victims to contact the threat group to start negotiations.  

“The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site,” Stark said. “At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign.”

Investigators are working through the night to confirm if and how attackers gained access to Oracle’s E-Business Suite and the extent to which Oracle customers may be impacted.

Update: 10/02/25, 5:30 p.m.: This story has been updated with information about Oracle’s security alert.

The post Oracle customers being bombarded with emails claiming widespread data theft appeared first on CyberScoop.

Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.

Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post the company posted Wednesday sheds light on the group.

The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.

By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.

The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIIG described as the “most prevalent” Chinese-centered threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored. 

The company has also developed a tool for potential victims to discover if they’ve been affected by Brickstorm activity, which Google experts indicated is a distinct possibility that could impact scores of organizations over the coming weeks.

“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.” 

Sneaky, sneaky

The campaign’s average “dwell time” is 400 days, they said, compared to dwell times more commonly measured in days or weeks. 

Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.

The hackers target systems that don’t support defenses for finding and tracking threats on endpoints, such as laptops or cell phones. Examples of target systems that don’t support that kind of endpoint detection and response (EDR) include email security gateways or vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.

The researchers also never see overlap between the internet protocols of the attackers between victims, Larsen said, or another way of identifying attackers: “The hashes when they land on this are different for essentially every system.”

Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.

What they want

Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”

The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.

The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or he said the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”

But its victims can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting espionage on international trade and national security from those organizations.

Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shined the spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.

The response

Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.

The tool is a scanner script that can be used on Unix systems, even if YARA (a common security tool used to find and identify malware) isn’t installed. This script is designed to do the same type of search as a specific YARA rule by looking for certain words and patterns that are unique to the Brickstorm backdoor.

“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”

It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.

Updated 9/24/25: with additional information about past Brickstorm reporting.

The post Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign appeared first on CyberScoop.

Terminating their employment is the easy part. The rest is complicated.

When enterprises discover they have inadvertently hired North Korean information technology workers, they face a cascade of urgent decisions involving sanctions law, cybersecurity protocols, and law enforcement cooperation that can expose them to significant legal and financial risks.

Incident response experts and cybersecurity lawyers explained how enterprises can navigate these risks Monday at Google’s Cyber Defense Summit in Washington, D.C. The challenges have grown more prominent as cybersecurity firms track what they describe as an organized employment scheme designed to generate revenue for North Korea’s weapons programs. 

“Their primary goal is revenue generation, often from multiple employers at once, to fund their weapons of mass destruction program,” Mike Lombardi, who leads North Korean-focused incident response work at Mandiant, said during a panel discussion on the issue.

While North Korean IT workers ultimately funnel their earnings back to the regime, cybersecurity experts emphasize that the workers themselves are primarily motivated by securing paychecks rather than causing immediate corporate damage. Because of this, experts emphasized Monday how companies need all of their departments — like human resources, security, and legal — to watch for warning signs when hiring and to work together if they discover a suspicious worker on their team.

Detection through HR anomalies

Evan Wolff, who co-chairs Akin’s cybersecurity, privacy and data protection practice, emphasized that initial detection often occurs during routine vetting processes. “A lot of these cases seem more HR than cyber at first,” Wolff said.

Key indicators include email addresses that lack credentials with known data brokers, LinkedIn profiles with recycled resumes, and an applicant’s reluctance to appear on video during interviews. Matthew Welling, a partner in Crowell & Moring’s cyber practice, noted that mismatched personal information often provides the first clues.

“A big part of this is spotting pieces of information that don’t fit together — for example, if the address on their ID doesn’t match the address where they want things sent, that’s often a giveaway,” Welling said.

Caroline Brown, a Crowell & Moring partner specializing in international trade and national security, said investigations sometimes reveal more complex patterns. “We saw one IT worker employed at several places at once, looking for their next job, possibly using their employer’s systems to do so,” Brown said.

Immediate sanctions exposure

The legal implications can become apparent quickly once a North Korean is suspected to be employed inside an organization. Brown, who previously worked at the Justice Department’s National Security Division and the Department of Treasury’s Office of Foreign Assets Control (OFAC), explained the strict liability that can come with violating U.S. sanctions.

“North Korea is under a comprehensive embargo — no dealings with U.S. persons or companies, directly or indirectly,” Brown said. “Finding out you’ve made a payment to them could be an additional violation, even strict liability, meaning you don’t need to know you did it; you’re still liable.”

The timing of discovery creates additional complications for things like payroll processing. When asked about scenarios where companies discover a rogue employee mid-week but have payroll scheduled for Friday, Brown responded that the situation becomes “very fact-specific and is about risk tolerance.”

“If you process a payment and it turns out to be for a North Korean, your payment processor — a U.S. financial institution — has violated sanctions, which may also expose you as the cause of that violation,” Brown said.

Strategic response decisions

Unlike typical cybersecurity incidents, these cases sometimes involve staying in communication with the suspected workers to facilitate evidence collection and device recovery. Welling noted that the threat actors’ behavior differs from expectations.

“More often than not, they’re very cooperative, trying to get one more paycheck or severance, even arranging for someone to return the laptop for money,” Welling said. “The key is to keep the interaction alive: tell them you’re having technical issues, keep communication open, and stay in touch.”

Lombardi confirmed this approach to CyberScoop, stating that “most of the time, we just want to get the laptop back.” He explained that maintaining the ruse can be essential for forensic analysis, particularly when evidence is stored locally on devices rather than in centralized systems.

The cooperative nature of these workers when discovered reflects their primary motivation. “By and large, we see that their motivation is to remain employed,” Lombardi said. “Even if things fall apart, the worker will usually comply, to try to stretch out payments or maintain a relationship, not go nuclear.”

Law enforcement and regulatory coordination

One of the biggest decisions companies face is when and how to involve federal authorities. Wolff, who previously worked at the Department of Homeland Security, noted the FBI’s effectiveness in these cases.

“As someone who spent four years at Homeland Security, I don’t always love the FBI, but in this case they’re extremely effective and can work proactively with affected clients to stop this pre-employment,” Wolff said.

There is no legal requirement to notify law enforcement, but Wolff noted that “sharing information with the FBI is helpful, and as the relationship lengthens or the money paid increases, the risk grows.”

Brown also highlighted the benefits of voluntary self-disclosure to OFAC. “More companies are doing so, which preserves mitigation credit — a 50% reduction in penalties — if OFAC were to penalize you,” she said.

The disclosure decision becomes more complex when the FBI initiates contact. “It depends on what the cooperation agreement is with the FBI and whether they’ve already told OFAC about the incident,” Brown said.

Wolff emphasized that whatever the appetite is for getting outside parties involved, an organization should test those plans through tabletop exercises. He explained that even companies that hold cybersecurity-focused tabletops “don’t cover this kind of case” and stressed the importance of including HR personnel in planning a response.

“One challenge is that nobody tells you ‘this person is definitely North Korean’ early on, so you’re piecing together information, often through HR investigations rather than standard cyber incident response,” Wolff said.

The panel members agreed that the threat continues to evolve and expand. Welling characterized it as an enduring challenge: “This isn’t a threat that’s going away. If anything, more groups are picking up the playbook.”

Update – 9/24/25: A previous version of this article attributed a quote to Matthew Welling that was actually said by Evan Wolff.

The post What to do if your company discovers a North Korean worker in its ranks appeared first on CyberScoop.

Salesloft pinned the root cause of the Drift supply-chain attacks to a threat group gaining access to its GitHub account as far back as March, the company said in an update Saturday. 

During a 10-day period in mid-August, the threat group compromised and stole data from hundreds of organizations. 

The threat group, which Google tracks as UNC6395, spent time lurking in the Salesloft application environment, downloaded content from multiple repositories, added a guest user and set up workflows over a monthslong period through June, according to Salesloft. 

“The threat actor then accessed Drift’s Amazon Web Services environment and obtained OAuth tokens for Drift customers’ technology integrations,” the company said. “The threat actor used the stolen OAuth tokens to access data via Drift integrations.”

The update marks the most significant details shared yet by Salesloft since Google security researchers first warned about the “widespread data theft campaign” last month. The company is still withholding key details as its incident response firm, Mandiant, has transitioned to confirm the quality of its forensic investigation.

Salesloft has not explained how its GitHub account was accessed, what attackers did in its environment, nor how the threat group accessed Drift’s AWS environment and obtained OAuth tokens. The company also hasn’t explained why OAuth tokens were stored in the cloud environment, and if the stolen OAuth tokens were for internal integrations with third-party platforms or customers’ OAuth tokens for individual integrations.

The company has not responded to multiple requests for comment dating back to Aug. 26, when news of the attacks first surfaced.

Analysts and researchers acknowledge that Salesloft may still be seeking definitive answers about what went wrong, yet the company already misfired when it erroneously claimed exposure was limited to Drift customer instances integrated with Salesforce. Days later, Google Cloud’s incident response firm Mandiant said Salesloft Drift customers were compromised en masse, potentially snagging any user that integrated the AI chat agent platform to another third-party service.

“I don’t think they’re being fully transparent. They’re still holding some stuff back,” said Paddy Harrington, senior analyst at Forrester.

Salesloft’s post-incident investigation thus far underscores multiple areas where the company’s security practices and controls were apparently less than adequate, according to Harrington. 

Nathaniel Jones, VP of security and AI strategy at Darktrace, said he hopes more information will be shared once the investigation is complete. “They’ve confirmed the breach and downstream impacts but stopped short of saying how the attacker got in,” he added.

“They’ve boxed in the Drift environment, taken it offline, rotated credentials, and emphasized containment. That’s all good practice,” Jones said.

Salesloft took Drift offline Friday and said the move was temporary “to fortify the security of the application and its associated infrastructure.” Salesloft rotated all centrally managed keys for OAuth users, but customers who manage Drift connections to third-party applications via API keys need to revoke existing keys directly with the third-party provider’s application, the company said. 

The Salesloft platform, which has been technically segmented from Drift and confirmed uncompromised, according to Mandiant, restored connections with Salesforce Sunday, the company said. 

Salesloft doesn’t know when Drift will be restored and brought back online. Yet, the company may need to make significant changes to regain trust as the lingering and still unknown effects of the damage caused by the breach stain Drift’s reputation.

“They’re probably going to have to rename that thing. The name alone is now totally tainted,” Harrington said. “They could reintroduce the product, but they’re going to have to totally talk about a rearchitecture change.”

Key details are still missing about how the attack occurred, and customers need to understand the true scope of the supply-chain attack and the extent of data stolen, he added.

“We’re in a time where attackers are going to find the least-protected asset and they’re going to go for it, and they struck gold here. Holy crap, did they strike gold,” Harrington said. “This thing just keeps getting worse and worse and worse.”

The post Salesloft Drift security incident started with undetected GitHub access appeared first on CyberScoop.

An attacker exploited a zero-day vulnerability in Sitecore stemming from a misconfiguration of public ASP.NET machine keys that customers implemented based on the vendor’s documentation, according to researchers.

The critical zero-day defect — CVE-2025-53690 — was exploited by the attacker using exposed keys to achieve remote code execution, Mandiant Threat Defense said in a report Wednesday. The sample machine keys were included in Sitecore’s deployment guides dating back to at least 2017.

The configuration vulnerability impacts customers who used the sample key provided with deployment instructions for Sitecore Experience Platform 9.0 and earlier, Sitecore said in a security bulletin Wednesday. The vendor warned that all versions of Experience Manager, Experience Platform and Experience Commerce may be impacted if deployed in a multi-instance mode with customer-managed static machine keys.

“The issue stems from Sitecore users copying and pasting example keys from official documentation, rather than generating unique, random ones — a move we don’t recommend,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to remote code execution.”

Mandiant said it disrupted the attack after engaging with Sitecore, but said that effort prevented it from observing the full attack lifecycle. The incident response firm warns that many Sitecore customers used the commonly known ASP.NET machine key. 

Upon gaining access to the affected internet-exposed Sitecore instance, the attacker deployed a ViewState payload containing malware designed for internal reconnaissance, according to Mandiant. Researchers explained that ViewStates, an ASP.NET feature, are vulnerable to deserialization attacks when validation keys are absent or compromised. 

Mandiant said the unidentified attacker, whose motivations are unknown, demonstrated a deep understanding of Sitecore’s product as it progressed from initial compromise to escalate privileges and achieve lateral movement. 

Sitecore and researchers advised customers to rotate the machine key if a commonly known one was used, and hunt for evidence of ViewState deserialization attacks. Rotating keys won’t protect organizations using systems the attacker may have already intruded. 

Mandiant researchers said the attacker established footholds, deployed malware and tools to maintain persistence, conducted reconnaissance, achieved lateral movement and stole sensitive data.

“It is quite common for documentation to contain placeholder keys, such as ‘PUT_YOUR_KEY_HERE,’ or other randomly generated examples,” Dewhurst said. “It is ultimately both a failure on the user’s and Sitecore’s side. The user should know not to copy and paste public machine keys, and Sitecore should adequately warn users not to.”

The number of organizations compromised or potentially exposed to attacks remains unknown. Sitecore did not immediately respond to a request for comment.

Caitlin Condon, VP of security research at VulnCheck, said the zero-day vulnerability is an insecure configuration at its core, exacerbated by the public exposure of the sample machine key. 

“It’s entirely possible that the software supplier hadn’t meant for a sample machine key to be used indefinitely for production deployments but, as we know, software is deployed and configured in unintended ways all the time,” she said. “If there’s one takeaway from this, it’s that adversaries definitely read product docs, and they’re good at finding quirks and forgotten tricks in those docs that can be used opportunistically against popular software.”

The post Sitecore zero-day vulnerability springs up from exposed machine key appeared first on CyberScoop.

Multiple security and technology companies have been swept up in a far-reaching attack spree originating at Salesloft Drift, including Cloudflare, PagerDuty, Palo Alto Networks, SpyCloud and Zscaler. 

Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations. 

Salesloft initially claimed exposure was limited to customers integrated with Salesforce. Yet, Google Threat Intelligence Group and Mandiant Consulting — Google’s incident response firm which is now working with Salesloft — said any platform integrated with Drift is potentially compromised. 

The root cause of the attacks, specifically how the threat group that Google tracks as UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. “There is no evidence of any unusual or malicious activity with the Salesloft platform,” Salesloft said in an update Saturday.

On Monday, the company said “Drift will be taken offline in the very near future,” rendering the platform inaccessible and the Drift chatbot unavailable on customer websites. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company added.

Salesloft, which acquired Drift in February 2024, has not responded to requests for comment since news of the attacks first surfaced last week. 

The company announced an agreement to merge with Clari, a competitor in the customer-relationship management space, one day before the attacks started Aug. 8. In the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries.

The exposure caused by the attacks has cast widespread concern, as customers seek clarity about the unfolding disaster. Salesloft customers are assessing if they were impacted, and then sifting through data to determine the extent to which they or their customers were compromised. 

The attacks did not hit every Salesloft Drift customer. Some Salesloft Drift customers, when contacted by CyberScoop, confirmed they were not implicated by the attacks and found no evidence that corporate or customer data was compromised. 

Okta said it was not impacted by the incident, but confirmed it was a target based on indicators of compromise Google Threat Intelligence Group shared last week. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said in a blog post Tuesday.

Many other businesses were less fortunate.

Sam Curry, chief information security officer at Zscaler, said the company’s Salesloft Drift integration with Salesforce was the point of unauthorized access. The company was using Salesloft Drift integrated with other platforms, but they were not impacted, he added. 

Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

“No product, service, or infrastructure was affected,” Curry said. “We are looking to hear from Salesloft Drift and from Salesforce if there are any other findings since this happened in their infrastructure.”

Curry said Zscaler was already in the process of ending its relationship with Salesloft Drift for unrelated reasons. 

Palo Alto Networks on Tuesday confirmed that it, too, was one of hundreds of organizations impacted by the supply chain attack. The company’s incident response business Unit 42 confirmed the incident was limited to its Salesforce environment, adding that no Palo Alto Networks products or services were impacted. 

“Most of the exfiltrated data was business contact information,” a Palo Alto Networks spokesperson told CyberScoop in an email. “However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised.”

Cloudflare said any information customers shared with the company’s support system — including logs, tokens or passwords — should be considered compromised. The company said it found 104 Cloudflare API tokens in the compromised data and, while it found no evidence of abuse, rotated the tokens out of an abundance of caution.

The company also maintained that no Cloudflare services or infrastructure were compromised. 

“We are responsible for the choice of tools we use in support of our business,” a group of Cloudflare security leaders said in a blog post Tuesday. “This breach has let our customers down. For that, we sincerely apologize.”

Former Salesloft Drift customers were impacted as well. In a blog post announcing some data contained in its Salesforce environment was exposed, SpyCloud said it was previously a customer of Salesloft and Drift, but not currently.

Google previously said the data theft campaign occurred over a 10-day period last month, potentially impacting more than 700 organizations.

The post Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler appeared first on CyberScoop.

The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.

Salesloft disclosed on August 20 that, “Today, we detected a security issue in the Drift application,” referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps to invalidate their existing authentication tokens, but it said nothing then to indicate those tokens had already been stolen.

On August 26, the Google Threat Intelligence Group (GTIG) warned that unidentified hackers tracked as UNC6395 used the access tokens stolen from Salesloft to siphon large amounts of data from numerous corporate Salesforce instances. Google said the data theft began as early as Aug. 8, 2025 and lasted through at least Aug. 18, 2025, and that the incident did not involve any vulnerability in the Salesforce platform.

Google said the attackers have been sifting through the massive data haul for credential materials such as AWS keys, VPN credentials, and credentials to the cloud storage provider Snowflake.

“If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim’s clients or partner environments,” the GTIG report stated.

The GTIG updated its advisory on August 28 to acknowledge the attackers used the stolen tokens to access email from “a very small number of Google Workspace accounts” that were specially configured to integrate with Salesloft. More importantly, it warned organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations — regardless of the third-party service in question.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) should consider their data compromised and are urged to take immediate remediation steps,” Google advised.

On August 28, Salesforce blocked Drift from integrating with its platform, and with its productivity platforms Slack and Pardot.

The Salesloft incident comes on the heels of a broad social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. That campaign led to data breaches and extortion attacks affecting a number of companies including Adidas, Allianz Life and Qantas.

On August 5, Google disclosed that one of its corporate Salesforce instances was compromised by the attackers, which the GTIG has dubbed UNC6040 (“UNC” stands for “uncategorized threat group”). Google said the extortionists consistently claimed to be the threat group ShinyHunters, and that the group appeared to be preparing to escalate its extortion attacks by launching a data leak site.

ShinyHunters is an amorphous threat group known for using social engineering to break into cloud platforms and third-party IT providers, and for posting dozens of stolen databases to cybercrime communities like the now-defunct Breachforums.

The ShinyHunters brand dates back to 2020, and the group has been credited with or taken responsibility for dozens of data leaks that exposed hundreds of millions of breached records. The group’s member roster is thought to be somewhat fluid, drawing mainly from active denizens of the Com, a mostly English-language cybercrime community scattered across an ocean of Telegram and Discord servers.

Recorded Future’s Alan Liska told Bleeping Computer that the overlap in the “tools, techniques and procedures” used by ShinyHunters and the Scattered Spider extortion group likely indicate some crossover between the two groups.

To muddy the waters even further, on August 28 a Telegram channel that now has nearly 40,000 subscribers was launched under the intentionally confusing banner “Scattered LAPSUS$ Hunters 4.0,” wherein participants have repeatedly claimed responsibility for the Salesloft hack without actually sharing any details to prove their claims.

The Telegram group has been trying to attract media attention by threatening security researchers at Google and other firms. It also is using the channel’s sudden popularity to promote a new cybercrime forum called “Breachstars,” which they claim will soon host data stolen from victim companies who refuse to negotiate a ransom payment.

But Austin Larsen, a principal threat analyst at Google’s threat intelligence group, said there is no compelling evidence to attribute the Salesloft activity to ShinyHunters or to other known groups at this time.

“Their understanding of the incident seems to come from public reporting alone,” Larsen told KrebsOnSecurity, referring to the most active participants in the Scattered LAPSUS$ Hunters 4.0 Telegram channel.

Joshua Wright, a senior technical director at Counter Hack, is credited with coining the term “authorization sprawl” to describe one key reason that social engineering attacks from groups like Scattered Spider and ShinyHunters so often succeed: They abuse legitimate user access tokens to move seamlessly between on-premises and cloud systems.

Wright said this type of attack chain often goes undetected because the attacker sticks to the resources and access already allocated to the user.

“Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,” Wright wrote in a June 2025 column. “Rather than creating custom malware, attackers use the resources already available to them as authorized users.”

It remains unclear exactly how the attackers gained access to all Salesloft Drift authentication tokens. Salesloft announced on August 27 that it hired Mandiant, Google Cloud’s incident response division, to investigate the root cause(s).

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Mandiant Consulting CTO Charles Carmakal told Cyberscoop. “There will be a lot more tomorrow, and the next day, and the next day.”

Salesloft Drift customers are compromised in a much more expansive downstream attack spree than previously thought, potentially ensnaring any user that integrated the AI chat agent platform to another service.

“We’re telling organizations to treat any Drift integration into any platform as potentially compromised, so that increases the scope of victims,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. This expanded attack radius includes Google Workspace customers that integrated Salesloft Drift into their instances. Victims have been notified that Google has found evidence of compromise.

Freshly uncovered evidence proves the threat actors, which Google tracks as UNC6395, didn’t just hit Salesforce customers who used Salesloft Drift, as Salesloft claimed Tuesday. 

“This just really blows wide open the scope here,” said Austin Larsen, principal threat analyst at Google Threat Intelligence Group.

Salesloft Drift provides integrations with 58 third-party tools for customer relationship management, automation, analytics, sales, communications and support, according to a third-party integration guide the vendor updated last month.

Salesloft updated its security blog to confirm that impact is much more severe and widespread. The company said it’s working with Mandiant, Google Cloud’s incident response division, and cyber insurer Coalition to assist in an ongoing investigation.

The sales engagement platform, a variant of CRM, is now recommending all Drift customers who manage connections to third-party applications via API key to revoke the existing key and rotate to a new key. Salesloft, which acquired Drift in February 2024, did not respond to a request for comment. 

In response to the widening security incident, Salesforce said late Wednesday it disabled the connection between Drift and Salesforce, rendering those integrations defunct. Salesforce declined to answer questions and maintains the issue does not involve a vulnerability in the Salesforce platform.

While the number of victims has grown, Google is sticking to the estimates it shared Tuesday, reiterating that more than 700 organizations are potentially impacted. Yet, it’s clear researchers are still working to identify all potential paths of compromise. 

“We’ve seen evidence of other platforms that were impacted as well,” Carmakal said.

The exposure could also involve former Drift customers. Mandiant identified one victim that may have been a former Drift customer, but researchers are still working to confirm those details. 

GTIG said the financially motivated threat group UNC6395 has also retrieved OAuth tokens for multiple services, including some that allowed it to “access email from a very small number of Google Workspace accounts.” The attackers primarily sought to steal credentials to compromise other systems connected to initial victims, as it specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

The root cause of the attacks, specifically how UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. Researchers are also working to determine the full extent of the compromise within Salesloft Drift’s infrastructure.

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Carmakal said. “There will be a lot more tomorrow, and the next day, and the next day.”

The post Salesloft Drift compromised en masse, impacting all third-party integrations appeared first on CyberScoop.

Google Threat Intelligence Group warned about a “widespread data theft campaign” that compromised hundreds of Salesforce customers over a 10-day span earlier this month. 

According to a report published Tuesday, researchers say a threat group Google tracks as UNC6395 stole large volumes of data from Salesforce customer instances by using stolen OAuth tokens from Salesloft Drift, a third-party AI chat agent for sales and leads. Google said the attack spree occurred from at least Aug. 8 to Aug. 18.

“GTIG is aware of over 700 potentially impacted organizations,” Austin Larsen, principal threat analyst at GTIG, told CyberScoop. “The threat actor used a Python tool to automate the data theft process for each organization that was targeted.”

The attackers primarily sought to steal credentials to compromise other systems connected to the initial victims, according to Google. UNC6395 specifically searched for Amazon Web Services access keys, virtual private network credentials and Snowflake credentials.

“Using a single token stolen from Salesloft, the threat actor was able to access tokens for any Drift linked organization. The threat actor then used the Salesforce tokens to directly access that data and exfiltrate it to servers, where they looked for plaintext credentials including Amazon, Snowflake and other passwords,” said Tyler McLellan, principal threat analyst at GTIG.

Mandiant Consulting, Google’s incident response firm, hasn’t observed further use of the stolen credentials in any current investigations, he said. 

Salesloft confirmed the intrusions in a security update Monday and said all impacted customers have been notified. The company first issued an alert about malicious activity targeting Salesloft Drift applications integrated with Salesforce Aug. 19. 

Salesloft said it worked with Salesforce to revoke all active access and refresh tokens for the application and asserts the impact is limited to customers integrated with Salesforce. Google said the attacks stopped once Salesloft and Salesforce revoked access on Aug. 20. 

Salesforce, in a statement Tuesday, said a “small number of customers” were impacted, adding “this issue did not stem from a vulnerability within the core Salesforce platform, but rather from a compromise of the app’s connection.” 

Google advised Salesloft Drift customers integrated with Salesforce to consider their data compromised, search for secrets contained in their Salesforce instances and remediate by revoking API keys, rotating credentials and investigating further. 

Google hasn’t yet determined UNC6395’s origins or motivations. The attack spree was “broad and opportunistic, and appeared to take advantage of any organization using the Salesloft Drift integration with Salesforce,” McLellan said.

AppOmni CSO Cory Michal said the compromise and abuse of OAuth tokens and cloud-to-cloud integrations are a longtime known blind spot in most enterprises. Yet, the sheer scale and discipline of the attacks is surprising, he said. 

“The attacker methodically queried and exported data across many environments,” Michal added. “They demonstrated a high level of operational discipline, running structured queries, searching specifically for credentials, and even attempting to cover their tracks by deleting jobs. The combination of scale, focus and tradecraft makes this campaign stand out.”

The post Hundreds of Salesforce customers impacted by attack spree linked to third-party AI agent appeared first on CyberScoop.

Citing a July 30 report in The Hacker News, SC Media reports: Following recent arrests of alleged Scattered Spider members in the UK, Google Cloud’s Mandiant Consulting has reported a noticeable pause in the group’s activities, offering a “critical window of opportunity” for organizations to bolster their defenses, reports The Hacker News. THN had reported,...

Microsoft said two China nation-state threat groups and a separate attacker based in China are exploiting the zero-day vulnerabilities that first caused havoc to SharePoint servers over the weekend.

Linen Typhoon and Violet Typhoon — the Chinese government-affiliated threat groups — and an attacker Microsoft tracks as Storm-2603 are exploiting the pair of zero-day vulnerabilities affecting on-premises SharePoint servers, Microsoft Threat Intelligence said in a blog post Tuesday.

The zero-days — CVE-2025-53770 and CVE-2025-53771 — have been exploited en masse to intrude hundreds of organizations globally, spanning multiple sectors, including government agencies, according to researchers. 

Both defects are variants of previously disclosed vulnerabilities that Microsoft had already addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all versions of SharePoint by late Monday.

The attack spree is ongoing and spreading. 

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft Threat Intelligence researchers said in the blog post.

Underscoring the widespread alarm caused by the attacks, the Cybersecurity and Infrastructure Security Agency issued a rare weekend alert about active attacks and added the defect to its known exploited vulnerabilities catalog Sunday.

Microsoft’s initial attribution assessment tracks with other incident responders and researchers who are swarming to combat the threat the attacks pose to critical infrastructure. The motivations and origins of threat groups behind the attacks have also spread beyond China and its government.

Charles Carmakal, chief technology officer at Mandiant Consulting, said the early zero-day exploitation was broad and opportunistic. 

“At least one of the actors responsible for this early exploitation is a China-nexus threat actor,” he said in an email. “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”

Microsoft researchers said Linen Typhoon, Violet Typhoon and Storm-2603 attempted to exploit the previously disclosed SharePoint vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — as early as July 7. Typhoon is the family name Microsoft applies to nation-state threat groups originating from China, and Storm is a moniker the company uses for threat groups in development.

Linen Typhoon, which has been active since 2012, has focused on stealing intellectual property from organizations in government, defense, strategic planning and human rights, according to Microsoft. 

Violet Typhoon, which emerged in 2015, is an espionage threat group targeting former government and military personnel, non-governmental organizations, think tanks, higher education, media, finance and health-related industries in the United States, Europe and East Asia. “This group persistently scans for vulnerabilities in the exposed web infrastructure of targeting organizations, exploiting discovered weaknesses to install web shells,” Microsoft researchers said.

Storm-2603 is the China-based attacker that’s attempting to steal MachineKeys from compromised SharePoint servers, according to Microsoft. Researchers have warned that the theft of cryptographic keys could allow attackers to maintain persistent access to victim environments after the patch has been applied.

The post Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups appeared first on CyberScoop.