When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways. 

Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year.   Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be.  

The companies had very different experiences. While Okta’s security measures thwarted any lasting damage, Zscaler wasn’t as lucky, having to deal with unauthorized access of both customer and internal company data. Same threat actor. Same timeline. Opposite outcomes.

The divergence in incidents and responses offers a rare opportunity to understand how a cybersecurity strategy works in action. CyberScoop spoke with the security leaders of both companies to learn about how the attack went down from those directly in its crosshairs, and lessons learned that could bolster defenses of their companies and others going forward.

From warning to incident

Salesloft hasn’t publicly released a comprehensive root-cause analysis into the attack, but initial results of its investigation revealed a threat group gained access to its GitHub account as far back as March. The group, which Google tracks as UNC6395, achieved lateral movement and set up workflows in the Salesloft application environment before it accessed Drift’s Amazon Web Services environment and obtained OAuth tokens used by Drift customers. 

Those tokens allowed the threat group to access and steal data from separate platforms integrated with Drift, an AI chat agent primarily used by sales teams. Google said the “widespread data theft campaign” occurred during a 10-day period in mid-August. Nearly 40 companies, including more than 20 cybersecurity vendors, have publicly disclosed they were caught up in the attack spree.

Zscaler received its first security alert from Salesforce a week after the data theft concluded, warning the security vendor that unauthorized IP addresses were using the application programming interface (API) for its Drift OAuth token. Zscaler immediately revoked the token, “even though it didn’t really matter by that point,” said Sam Curry, the company’s chief information security officer.

The damage was already done. Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

IP limitations for defense

Since Okta uses Drift, it proactively hunted for signs of compromise when threat intel experts started warning about an issue with the service. The company found a “short burst of attempts” to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes, David Bradbury, Okta’s chief security officer, told CyberScoop.

That control blocked the attack and kept Okta’s Drift integrations secure. Yet, many companies don’t take that approach because setting IP restrictions for API calls is a manual and often laborious process requiring input and support from every vendor in the supply chain. 

“If we can put our minds to these problems, we can come up with solutions so that you can implement IP restrictions in a matter of clicks, rather than in a matter of days and weeks of continuous testing, and investigation and discovery,” Bradbury said.

Okta’s investigation revealed a seemingly automated threat campaign. “They were not persistent,” Bradbury said. “The hypothesis that we have at the moment is that there was a single significant script that was engineered that hit all of these all at once and pulled down all of this information in a series of events.”

Zscaler’s compromise was particularly frustrating given the timing: the company had already stopped using Drift in July, a decision completely unrelated to security — and made before any indicators of the attack campaign came to light. 

“That OAuth token that was being used with [Drift] was still active,” Curry said. “It was due to be retired by the end of August,” he added, describing that decision as a deliberate delay to make sure the token was fully disconnected and no longer in use. 

Token theft cause remains a mystery

Salesloft hasn’t explained how the threat group accessed its GitHub account, nor how it accessed Drift’s AWS environment and ultimately obtained customers’ OAuth tokens. 

“I don’t actually know how they got the tokens out. I just know they did,” Curry said. “As for how they store it, I don’t know internally, except that they passed our security questionnaire and probably hundreds, if not thousands of others” for third-party risk management, he added. 

Okta also doesn’t know how the threat group accessed its Salesloft Drift OAuth token. That information would have to come from Salesloft, Bradbury said.

“The internet is connected by some very brittle, small pieces of information — these tokens that we constantly talk about, these combinations of letters and numbers in files that ultimately provide access to all of the applications that we use,” he said. 

“Those tokens need to be stored somewhere, and sadly there are mechanisms in place right now which doesn’t necessitate actually tying these tokens directly to something — to prevent their reuse,” Bradbury added. 

Most SaaS applications implement tokens and authentication in rather rudimentary means. “They’re doing what’s easy and what works, and what works is once you’ve granted access you’re actually storing these tokens somewhere,” he said. 

Lessons learned for collective defense

While their experiences in the wake of the Salesloft Drift attacks were quite different, Bradbury and Curry shared similar reflections and took many like-minded lessons from the third-party compromise that impacted hundreds of companies. 

“APIs are becoming a new highway of access that we need more control over, and we need better control of collectively,” Curry said. “APIs get wider in terms of what you can do with them, and you need the ability to monitor them and to put preventative controls on them to look for behavioral changes.”

Zscaler learned another lesson the hard way — the importance of limiting IP address ranges for API queries, and rotating tokens more frequently. 

“For me, this wake-up call is saying API is a new attack-and-control plane that’s far more exposed than most people realize from just a simple risk exercise,” Curry said.

“There are no small vendors in an API-connected world. It’s just like — if you think about border security — there’s no small and insignificant ports of entry,” he added. “They all use the same highway systems.”

Bradbury, who is expectedly pleased Okta wasn’t impacted by this malicious campaign, can’t help but feel frustrated because he believes there are better, more secure methods to protect unauthorized token use. The central issue in this supply-chain attack could have been avoided with Demonstrating Proof of Possession (DPoP), a mechanism that can constrain token use to a specific client and prevent the use of stolen tokens, he said. 

Once attackers steal tokens that can be reused without restriction, disastrous consequences await all, Bradbury added. 

“We need to see more SaaS vendors actually prioritizing security features on their roadmap, not just the features that will result in customer growth and revenue,” he said. 

Security leaders have an important role to play in demanding these changes from their vendors. “It’s about time that we started to use our collective ambitions to raise the bar for security to actually hold our vendors accountable,” Bradbury said. 

Curry is taking a similar forward-looking approach. “Let’s learn from one another, instead of bayoneting the wounded,” he said. 

“After the fact, in the cold light of day, we’ll all look at what happened,” Curry added. “I’m not interested in blame at this point. I’m interested in better security.”

The post Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks appeared first on CyberScoop.

North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders. 

Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.

Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said. 

North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.

While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis. 

Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.

Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries. 

“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.

Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers. 

CrowdStrike, in August, said it observed a 220% year-over-year increase in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have seized cryptocurrency, issued indictments and sanctioned people and entities allegedly involved in the yearslong scheme.

Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles. 

Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.

Okta cautioned that non-U.S.-based companies are likely less skilled and concerned with finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said. 

“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”

The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop.

U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims. The charges came as Jubair and an alleged co-conspirator appeared in a London court to face accusations of hacking into and extorting several large U.K. retailers, the London transit system, and healthcare providers in the United States.

At a court hearing last week, U.K. prosecutors laid out a litany of charges against Jubair and 18-year-old Owen Flowers, accusing the teens of involvement in an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area.

On July 10, 2025, KrebsOnSecurity reported that Flowers and Jubair had been arrested in the United Kingdom in connection with recent Scattered Spider ransom attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group.

That story cited sources close to the investigation saying Flowers was the Scattered Spider member who anonymously gave interviews to the media in the days after the group’s September 2023 ransomware attacks disrupted operations at Las Vegas casinos operated by MGM Resorts and Caesars Entertainment.

The story also noted that Jubair’s alleged handles on cybercrime-focused Telegram channels had far lengthier rap sheets involving some of the more consequential and headline-grabbing data breaches over the past four years. What follows is an account of cybercrime activities that prosecutors have attributed to Jubair’s alleged hacker handles, as told by those accounts in posts to public Telegram channels that are closely monitored by multiple cyber intelligence firms.

EARLY DAYS (2021-2022)

Jubair is alleged to have been a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies beginning in late 2021, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber.

That is, according to the former leader of the now-defunct LAPSUS$. In April 2022, KrebsOnSecurity published internal chat records taken from a server that LAPSUS$ used, and those chats indicate Jubair was working with the group using the nicknames Amtrak and Asyntax. In the middle of the gang’s cybercrime spree, Asyntax told the LAPSUS$ leader not to share T-Mobile’s logo in images sent to the group because he’d been previously busted for SIM-swapping and his parents would suspect he was back at it again.

The leader of LAPSUS$ responded by gleefully posting Asyntax’s real name, phone number, and other hacker handles into a public chat room on Telegram:

That story about the leaked LAPSUS$ chats also connected Amtrak/Asyntax to several previous hacker identities, including “Everlynn,” who in April 2021 began offering a cybercriminal service that sold fraudulent “emergency data requests” targeting the major social media and email providers.

In these so-called “fake EDR” schemes, the hackers compromise email accounts tied to police departments and government agencies, and then send unauthorized demands for subscriber data (e.g. username, IP/email address), while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

EARTHTOSTAR

Prosecutors in New Jersey last week alleged Jubair was part of a threat group variously known as Scattered Spider, 0ktapus, and UNC3944, and that he used the nicknames EarthtoStar, Brad, Austin, and Austistic.

Beginning in 2022, EarthtoStar co-ran a bustling Telegram channel called Star Chat, which was home to a prolific SIM-swapping group that relentlessly used voice- and SMS-based phishing attacks to steal credentials from employees at the major wireless providers in the U.S. and U.K.

The group would then use that access to sell a SIM-swapping service that could redirect a target’s phone number to a device the attackers controlled, allowing them to intercept the victim’s phone calls and text messages (including one-time codes). Members of Star Chat targeted multiple wireless carriers with SIM-swapping attacks, but they focused mainly on phishing T-Mobile employees.

In February 2023, KrebsOnSecurity scrutinized more than seven months of these SIM-swapping solicitations on Star Chat, which almost daily peppered the public channel with “Tmo up!” and “Tmo down!” notices indicating periods wherein the group claimed to have active access to T-Mobile’s network.

The data showed that Star Chat — along with two other SIM-swapping groups operating at the same time — collectively broke into T-Mobile over a hundred times in the last seven months of 2022. However, Star Chat was by far the most prolific of the three, responsible for at least 70 of those incidents.

A review of EarthtoStar’s messages on Star Chat as indexed by the threat intelligence firm Flashpoint shows this person also sold “AT&T email resets” and AT&T call forwarding services for up to $1,200 per line. EarthtoStar explained the purpose of this service in post on Telegram:

“Ok people are confused, so you know when u login to chase and it says ‘2fa required’ or whatever the fuck, well it gives you two options, SMS or Call. If you press call, and I forward the line to you then who do you think will get said call?”

New Jersey prosecutors allege Jubair also was involved in a mass SMS phishing campaign during the summer of 2022 that stole single sign-on credentials from employees at hundreds of companies. The text messages asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page, saying recipients needed to review pending changes to their upcoming work schedules.

The phishing websites used a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

That weeks-long SMS phishing campaign led to intrusions and data thefts at more than 130 organizations, including LastPass, DoorDash, Mailchimp, Plex and Signal.

DA, COMRADE

EarthtoStar’s group Star Chat specialized in phishing their way into business process outsourcing (BPO) companies that provide customer support for a range of multinational companies, including a number of the world’s largest telecommunications providers. In May 2022, EarthtoStar posted to the Telegram channel “Frauwudchat”:

“Hi, I am looking for partners in order to exfiltrate data from large telecommunications companies/call centers/alike, I have major experience in this field, [including] a massive call center which houses 200,000+ employees where I have dumped all user credentials and gained access to the [domain controller] + obtained global administrator I also have experience with REST API’s and programming. I have extensive experience with VPN, Citrix, cisco anyconnect, social engineering + privilege escalation. If you have any Citrix/Cisco VPN or any other useful things please message me and lets work.”

At around the same time in the Summer of 2022, at least two different accounts tied to Star Chat — “RocketAce” and “Lopiu” — introduced the group’s services to denizens of the Russian-language cybercrime forum Exploit, including:

-SIM-swapping services targeting Verizon and T-Mobile customers;
-Dynamic phishing pages targeting customers of single sign-on providers like Okta;
-Malware development services;
-The sale of extended validation (EV) code signing certificates.

These two accounts on Exploit created multiple sales threads in which they claimed administrative access to U.S. telecommunications providers and asked other Exploit members for help in monetizing that access. In June 2022, RocketAce, which appears to have been just one of EarthtoStar’s many aliases, posted to Exploit:

Hello. I have access to a telecommunications company’s citrix and vpn. I would like someone to help me break out of the system and potentially attack the domain controller so all logins can be extracted we can discuss payment and things leave your telegram in the comments or private message me ! Looking for someone with knowledge in citrix/privilege escalation

On Nov. 15, 2022, EarthtoStar posted to their Star Sanctuary Telegram channel that they were hiring malware developers with a minimum of three years of experience and the ability to develop rootkits, backdoors and malware loaders.

“Optional: Endorsed by advanced APT Groups (e.g. Conti, Ryuk),” the ad concluded, referencing two of Russia’s most rapacious and destructive ransomware affiliate operations. “Part of a nation-state / ex-3l (3 letter-agency).”

2023-PRESENT DAY

The Telegram and Discord chat channels wherein Flowers and Jubair allegedly planned and executed their extortion attacks are part of a loose-knit network known as the Com, an English-speaking cybercrime community consisting mostly of individuals living in the United States, the United Kingdom, Canada and Australia.

Many of these Com chat servers have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

These “violence-as-a-service” solicitations typically involve “brickings,” where someone is hired to toss a brick through the window at a specified address. Other IRL jobs for hire include tire-stabbings, molotov cocktail hurlings, drive-by shootings, and even home invasions. The people targeted by these services are typically other criminals within the community, but it’s not unusual to see Com members asking others for help in harassing or intimidating security researchers and even the very law enforcement officers who are investigating their alleged crimes.

It remains unclear what precipitated this incident or what followed directly after, but on January 13, 2023, a Star Sanctuary account used by EarthtoStar solicited the home invasion of a sitting U.S. federal prosecutor from New York. That post included a photo of the prosecutor taken from the Justice Department’s website, along with the message:

“Need irl niggas, in home hostage shit no fucking pussies no skinny glock holding 100 pound niggas either”

Throughout late 2022 and early 2023, EarthtoStar’s alias “Brad” (a.k.a. “Brad_banned”) frequently advertised Star Chat’s malware development services, including custom malicious software designed to hide the attacker’s presence on a victim machine:

We can develop KERNEL malware which will achieve persistence for a long time,
bypass firewalls and have reverse shell access.

This shit is literally like STAGE 4 CANCER FOR COMPUTERS!!!

Kernel meaning the highest level of authority on a machine.
This can range to simple shells to Bootkits.

Bypass all major EDR’s (SentinelOne, CrowdStrike, etc)
Patch EDR’s scanning functionality so it’s rendered useless!

Once implanted, extremely difficult to remove (basically impossible to even find)
Development Experience of several years and in multiple APT Groups.

Be one step ahead of the game. Prices start from $5,000+. Message @brad_banned to get a quote

In September 2023 , both MGM Resorts and Caesars Entertainment suffered ransomware attacks at the hands of a Russian ransomware affiliate program known as ALPHV and BlackCat. Caesars reportedly paid a $15 million ransom in that incident.

Within hours of MGM publicly acknowledging the 2023 breach, members of Scattered Spider were claiming credit and telling reporters they’d broken in by social engineering a third-party IT vendor. At a hearing in London last week, U.K. prosecutors told the court Jubair was found in possession of more than $50 million in ill-gotten cryptocurrency, including funds that were linked to the Las Vegas casino hacks.

The Star Chat channel was finally banned by Telegram on March 9, 2025. But U.S. prosecutors say Jubair and fellow Scattered Spider members continued their hacking, phishing and extortion activities up until September 2025.

In April 2025, the Com was buzzing about the publication of “The Com Cast,” a lengthy screed detailing Jubair’s alleged cybercriminal activities and nicknames over the years. This account included photos and voice recordings allegedly of Jubair, and asserted that in his early days on the Com Jubair used the nicknames Clark and Miku (these are both aliases used by Everlynn in connection with their fake EDR services).

More recently, the anonymous Com Cast author(s) claimed, Jubair had used the nickname “Operator,” which corresponds to a Com member who ran an automated Telegram-based doxing service that pulled consumer records from hacked data broker accounts. That public outing came after Operator allegedly seized control over the Doxbin, a long-running and highly toxic community that is used to “dox” or post deeply personal information on people.

“Operator/Clark/Miku: A key member of the ransomware group Scattered Spider, which consists of a diverse mix of individuals involved in SIM swapping and phishing,” the Com Cast account stated. “The group is an amalgamation of several key organizations, including Infinity Recursion (owned by Operator), True Alcorians (owned by earth2star), and Lapsus, which have come together to form a single collective.”

The New Jersey complaint (PDF) alleges Jubair and other Scattered Spider members committed computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions involving 47 U.S. entities between May 2022 and September 2025. The complaint alleges the group’s victims paid at least $115 million in ransom payments.

U.S. authorities say they traced some of those payments to Scattered Spider to an Internet server controlled by Jubair. The complaint states that a cryptocurrency wallet discovered on that server was used to purchase several gift cards, one of which was used at a food delivery company to send food to his apartment. Another gift card purchased with cryptocurrency from the same server was allegedly used to fund online gaming accounts under Jubair’s name. U.S. prosecutors said that when they seized that server they also seized $36 million in cryptocurrency.

The complaint also charges Jubair with involvement in a hacking incident in January 2025 against the U.S. courts system that targeted a U.S. magistrate judge overseeing a related Scattered Spider investigation. That other investigation appears to have been the prosecution of Noah Michael Urban, a 20-year-old Florida man charged in November 2024 by prosecutors in Los Angeles as one of five alleged Scattered Spider members.

Urban pleaded guilty in April 2025 to wire fraud and conspiracy charges, and in August he was sentenced to 10 years in federal prison. Speaking with KrebsOnSecurity from jail after his sentencing, Urban asserted that the judge gave him more time than prosecutors requested because he was mad that Scattered Spider hacked his email account.

A court transcript (PDF) from a status hearing in February 2025 shows Urban was telling the truth about the hacking incident that happened while he was in federal custody. The judge told attorneys for both sides that a co-defendant in the California case was trying to find out about Mr. Urban’s activity in the Florida case, and that the hacker accessed the account by impersonating a judge over the phone and requesting a password reset.

Allison Nixon is chief research officer at the New York based security firm Unit 221B, and easily one of the world’s leading experts on Com-based cybercrime activity. Nixon said the core problem with legally prosecuting well-known cybercriminals from the Com has traditionally been that the top offenders tend to be under the age of 18, and thus difficult to charge under federal hacking statutes.

In the United States, prosecutors typically wait until an underage cybercrime suspect becomes an adult to charge them. But until that day comes, she said, Com actors often feel emboldened to continue committing — and very often bragging about — serious cybercrime offenses.

“Here we have a special category of Com offenders that effectively enjoy legal immunity,” Nixon told KrebsOnSecurity. “Most get recruited to Com groups when they are older, but of those that join very young, such as 12 or 13, they seem to be the most dangerous because at that age they have no grounding in reality and so much longevity before they exit their legal immunity.”

Nixon said U.K. authorities face the same challenge when they briefly detain and search the homes of underage Com suspects: Namely, the teen suspects simply go right back to their respective cliques in the Com and start robbing and hurting people again the minute they’re released.

Indeed, the U.K. court heard from prosecutors last week that both Scattered Spider suspects were detained and/or searched by local law enforcement on multiple occasions, only to return to the Com less than 24 hours after being released each time.

“What we see is these young Com members become vectors for perpetrators to commit enormously harmful acts and even child abuse,” Nixon said. “The members of this special category of people who enjoy legal immunity are meeting up with foreign nationals and conducting these sometimes heinous acts at their behest.”

Nixon said many of these individuals have few friends in real life because they spend virtually all of their waking hours on Com channels, and so their entire sense of identity, community and self-worth gets wrapped up in their involvement with these online gangs. She said if the law was such that prosecutors could treat these people commensurate with the amount of harm they cause society, that would probably clear up a lot of this problem.

“If law enforcement was allowed to keep them in jail, they would quit reoffending,” she said.

The Times of London reports that Flowers is facing three charges under the Computer Misuse Act: two of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of attempting to commit the same act. Maximum sentences for these offenses can range from 14 years to life in prison, depending on the impact of the crime.

Jubair is reportedly facing two charges in the U.K.: One of conspiracy to commit an unauthorized act in relation to a computer causing/creating risk of serious damage to human welfare/national security and one of failing to comply with a section 49 notice to disclose the key to protected information.

In the United States, Jubair is charged with computer fraud conspiracy, two counts of computer fraud, wire fraud conspiracy, two counts of wire fraud, and money laundering conspiracy. If extradited to the U.S., tried and convicted on all charges, he faces a maximum penalty of 95 years in prison.

In July 2025, the United Kingdom barred victims of hacking from paying ransoms to cybercriminal groups unless approved by officials. U.K. organizations that are considered part of critical infrastructure reportedly will face a complete ban, as will the entire public sector. U.K. victims of a hack are now required to notify officials to better inform policymakers on the scale of Britain’s ransomware problem.

For further reading (bless you), check out Bloomberg’s poignant story last week based on a year’s worth of jailhouse interviews with convicted Scattered Spider member Noah Urban.

Multiple security and technology companies have been swept up in a far-reaching attack spree originating at Salesloft Drift, including Cloudflare, PagerDuty, Palo Alto Networks, SpyCloud and Zscaler. 

Victim organizations continue to come forward as customers of the third-party AI chat agent hunt for evidence of compromise or receive notices from Salesloft and other companies involved in response, recovery and ongoing attack investigations. 

Salesloft initially claimed exposure was limited to customers integrated with Salesforce. Yet, Google Threat Intelligence Group and Mandiant Consulting — Google’s incident response firm which is now working with Salesloft — said any platform integrated with Drift is potentially compromised. 

The root cause of the attacks, specifically how the threat group that Google tracks as UNC6395 gained initial access to Salesloft Drift, remains unconfirmed. “There is no evidence of any unusual or malicious activity with the Salesloft platform,” Salesloft said in an update Saturday.

On Monday, the company said “Drift will be taken offline in the very near future,” rendering the platform inaccessible and the Drift chatbot unavailable on customer websites. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company added.

Salesloft, which acquired Drift in February 2024, has not responded to requests for comment since news of the attacks first surfaced last week. 

The company announced an agreement to merge with Clari, a competitor in the customer-relationship management space, one day before the attacks started Aug. 8. In the merger announcement, the combined companies said they will serve more than 5,000 organizations globally across all industries.

The exposure caused by the attacks has cast widespread concern, as customers seek clarity about the unfolding disaster. Salesloft customers are assessing if they were impacted, and then sifting through data to determine the extent to which they or their customers were compromised. 

The attacks did not hit every Salesloft Drift customer. Some Salesloft Drift customers, when contacted by CyberScoop, confirmed they were not implicated by the attacks and found no evidence that corporate or customer data was compromised. 

Okta said it was not impacted by the incident, but confirmed it was a target based on indicators of compromise Google Threat Intelligence Group shared last week. “The threat actor attempted to use a compromised token to access our Salesforce instance, but the attack failed because the connection originated from an unauthorized IP address,” the company said in a blog post Tuesday.

Many other businesses were less fortunate.

Sam Curry, chief information security officer at Zscaler, said the company’s Salesloft Drift integration with Salesforce was the point of unauthorized access. The company was using Salesloft Drift integrated with other platforms, but they were not impacted, he added. 

Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases. 

“No product, service, or infrastructure was affected,” Curry said. “We are looking to hear from Salesloft Drift and from Salesforce if there are any other findings since this happened in their infrastructure.”

Curry said Zscaler was already in the process of ending its relationship with Salesloft Drift for unrelated reasons. 

Palo Alto Networks on Tuesday confirmed that it, too, was one of hundreds of organizations impacted by the supply chain attack. The company’s incident response business Unit 42 confirmed the incident was limited to its Salesforce environment, adding that no Palo Alto Networks products or services were impacted. 

“Most of the exfiltrated data was business contact information,” a Palo Alto Networks spokesperson told CyberScoop in an email. “However, a small number of customers who included sensitive information, such as credentials, in their recent case notes might also have had that data compromised.”

Cloudflare said any information customers shared with the company’s support system — including logs, tokens or passwords — should be considered compromised. The company said it found 104 Cloudflare API tokens in the compromised data and, while it found no evidence of abuse, rotated the tokens out of an abundance of caution.

The company also maintained that no Cloudflare services or infrastructure were compromised. 

“We are responsible for the choice of tools we use in support of our business,” a group of Cloudflare security leaders said in a blog post Tuesday. “This breach has let our customers down. For that, we sincerely apologize.”

Former Salesloft Drift customers were impacted as well. In a blog post announcing some data contained in its Salesforce environment was exposed, SpyCloud said it was previously a customer of Salesloft and Drift, but not currently.

Google previously said the data theft campaign occurred over a 10-day period last month, potentially impacting more than 700 organizations.

The post Salesloft Drift attacks hit Cloudflare, Palo Alto Networks, Zscaler appeared first on CyberScoop.

A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.

Scattered Spider is a loosely affiliated criminal hacking group whose members have broken into and stolen data from some of the world’s largest technology companies. Buchanan was arrested in Spain last year on a warrant from the FBI, which wanted him in connection with a series of SMS-based phishing attacks in the summer of 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and many other tech firms.

As first reported by KrebsOnSecurity, Buchanan (a.k.a. “tylerb”) fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. Buchanan was arrested in June 2024 at the airport in Palma de Mallorca while trying to board a flight to Italy. His extradition to the United States was first reported last week by Bloomberg.

Members of Scattered Spider have been tied to the 2023 ransomware attacks against MGM and Caesars casinos in Las Vegas, but it remains unclear whether Buchanan was implicated in that incident. The Justice Department’s complaint against Buchanan makes no mention of the 2023 ransomware attack.

Rather, the investigation into Buchanan appears to center on the SMS phishing campaigns from 2022, and on SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — including one-time passcodes for authentication and password reset links sent via SMS.

In August 2022, KrebsOnSecurity reviewed data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB called them by a different name — 0ktapus, because the group typically spoofed the identity provider Okta in their phishing messages to employees at targeted firms.

The complaint against Buchanan (PDF) says the FBI tied him to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous Okta-themed phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan from January 26, 2022 to November 7, 2022.

Authorities seized at least 20 digital devices when they raided Buchanan’s residence, and on one of those devices they found usernames and passwords for employees of three different companies targeted in the phishing campaign.

“The FBI’s investigation to date has gathered evidence showing that Buchanan and his co-conspirators targeted at least 45 companies in the United States and abroad, including Canada, India, and the United Kingdom,” the FBI complaint reads. “One of Buchanan’s devices contained a screenshot of Telegram messages between an account known to be used by Buchanan and other unidentified co-conspirators discussing dividing up the proceeds of SIM swapping.”

U.S. prosecutors allege that records obtained from Discord showed the same U.K. Internet address was used to operate a Discord account that specified a cryptocurrency wallet when asking another user to send funds. The complaint says the publicly available transaction history for that payment address shows approximately 391 bitcoin was transferred in and out of this address between October 2022 and
February 2023; 391 bitcoin is presently worth more than $26 million.

In November 2024, federal prosecutors in Los Angeles unsealed criminal charges against Buchanan and four other alleged Scattered Spider members, including Ahmed Elbadawy, 23, of College Station, Texas; Joel Evans, 25, of Jacksonville, North Carolina; Evans Osiebo, 20, of Dallas; and Noah Urban, 20, of Palm Coast, Florida. KrebsOnSecurity reported last year that another suspected Scattered Spider member — a 17-year-old from the United Kingdom — was arrested as part of a joint investigation with the FBI into the MGM hack.

Mr. Buchanan’s court-appointed attorney did not respond to a request for comment. The accused faces charges of wire fraud conspiracy, conspiracy to obtain information by computer for private financial gain, and aggravated identity theft. Convictions on the latter charge carry a minimum sentence of two years in prison.

Documents from the U.S. District Court for the Central District of California indicate Buchanan is being held without bail pending trial. A preliminary hearing in the case is slated for May 6.