North Korean operatives that dupe job seekers into installing malicious code on their devices have been spotted using new malware strains and techniques, resulting in the theft of credentials or cryptocurrency and ransomware deployment, according to researchers from Cisco Talos and Google Threat Intelligence Group.
Cisco Talos said it observed an attack linked to Famous Chollima that involved the use of BeaverTail and OtterCookie — separate but complementary malware strains frequently used by the North Korea-aligned threat group. Researchers said their analysis determined the extent to which BeaverTail and OtterCookie have merged and displayed new functionality in recent campaigns.
GTIG said it observed UNC5342 using EtherHiding, malicious code in the form of JavaScript payloads that turn a public blockchain into a decentralized command and control server. Researchers said UNC5342 incorporated EtherHiding into a North Korea-aligned social engineering campaign previously dubbed Contagious Interview by Palo Alto Networks.
Cisco and Google both said North Korean threat groups’ use of more specialized and evasive malware underscores the efforts the nation-state attackers are taking to achieve multiple goals while avoiding more common forms of detection.
By installing EtherHiding on the blockchain, UNC5342 can remotely update the malware’s functionality and maintain continuous control over their operations without worry about infrastructure takedowns or disruptions.
“This development signals an escalation in the threat landscape, as nation-state threat actors are now utilizing new techniques to distribute malware that is resistant to law enforcement takedowns and can be easily modified for new campaigns,” Robert Wallace, consulting leader at Mandiant, Google’s incident response firm, said in an email.
Google researchers described North Korea’s social engineering campaign as a sophisticated and ongoing effort to commit espionage, gain persistent access to corporate networks and steal sensitive data or cryptocurrency during the job application and interview process.
The crux of these attacks often occur during a fake technical assessment when job candidates are asked to download files that unbeknownst to them contain malicious code, according to Google. Researchers observed a multi-stage malware infection process involving JadeSnow, BeaverTail and InvisibleFerret.
Cisco Talos researchers uncovered a Famous Chollima attack on an undisclosed organization based in Sri Lanka that likely originated from a user that fell for a fake job offer. The organization wasn’t targeted by the attackers, according to the report.
Researchers observed a previously undocumented keylogging and screenshotting module in the campaign that they traced to OtterCookie samples. The information-stealing malware contained a module that listens for keystrokes and periodically takes screenshots of the desktop session, which are automatically uploaded to the OtterCookie command and control server, Cisco Talos said.
Cisco and Google both shared indicators of compromise in their respective reports to help threat hunters find additional artifacts of the North Korea threat groups’ malicious activity.
The post North Korean operatives spotted using evasive techniques to steal data and cryptocurrency appeared first on CyberScoop.
How much private and sensitive data can you get by pointing $600 worth of satellite equipment at the sky?
Quite a bit, it turns out.
Researchers from the University of Maryland and the University of California, San Diego say they were able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.
The satellites they focused on — geostationary satellites — provide modern high-speed communications and services to rural or remote parts of the globe, including television, IP communications, internet and in-flight Wi-Fi capabilities. They also provide backhaul internet services — the links between a core telecom or internet network and its end users — for private networks operating sensitive remote commercial and military equipment.
Using cheap, commercially available equipment, researchers scanned 39 satellites across 25 distinct longitudinal points over seven months.
The goal was to see how much sensitive data they could intercept by “passively scanning as many GEO transmissions from a single vantage point on Earth as possible.” It was also to prove that you don’t need to be a well-resourced foreign intelligence service or have deep pockets to pull it off.
What they found was unsettling: “Many organizations appear to treat satellite[s] as any other internal link in their private networks. Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks,” write authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman.
They note that “severity” of their findings suggest “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.”
“Given that any individual with a clear view of the sky and $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” the researchers wrote.
Wired first reported on the academic study.
Researchers reached out to major businesses and organizations that were leaking data via satellite communications to notify them and address the vulnerabilities, but said they declined to engage in any bug bounties that included a nondisclosure agreement.
The researchers said discussions with the U.S. military, the Mexican government, T-Mobile, AT&T, IntelSat, Panasonic Avionics, WiBo and KPU all took place between December 2024 and July 2025 as the study was ongoing.
Satellites are outfitted with multiple transponders to collect different kinds of telemetry, and here the research focuses on a single type — Ku-Band transponders — that are heavily used for internet and television services. Using their consumer-grade equipment, the researchers were able to tap into 411 different transponders around the globe, collecting reams of sensitive data in the process.
They observed unencrypted data for T-Mobile users, including plaintext user SMS messages, voice call contents, user internet traffic, metadata, browsing history and cellular network signaling protocols, leaking out over the skies. Over a single, nine-hour listening session, the dish picked up phone numbers and metadata for 2,711 individuals. Similar leakages were spotted for calls over Mexican telecoms TelMex and WiBo, and Alaskan telecom KPU Telecommunications.
They also picked up unencrypted and encrypted traffic coming from U.S. military sea vessels, including plaintext that included the ships’ names — something the researchers said allowed them to determine they were all “formerly privately-owned ships” that are now owned by the government. Meanwhile, unencrypted HTTP traffic leaking out through the satellites gave them details into internal applications and systems used for infrastructure, logistics and administrative management.
The researchers say that while this kind of capability isn’t novel, previous research has suggested that only foreign governments and well-resourced companies have the capabilities to conduct such widespread monitoring. Their study, which developed a new way to parse through issues around signal quality, suggests that the barrier of entry is far lower than previously thought, requiring technical knowhow and just a few hundred dollars worth of commercial tech.
“To our knowledge, our threat model of using low-cost consumer grade satellite equipment to comprehensively survey GEO satellite usage has not been explored before in the academic literature.”
The findings underscore how much governments and businesses rely on standard satellite communications today to move their data around, and the lack of security attention these critical nodes receive compared to other technologies.The federal government has designated 16 sectors of society and industry as “critical infrastructure” and prioritized these sectors for additional security investment and assistance. Space is not one of those sectors, though policymakers have pushed the idea as a means to quickly retrofit our space-based communications for security.
The post Researchers find a startlingly cheap way to steal your secrets from space appeared first on CyberScoop.
For more than a year, hackers from a Chinese state-backed espionage group maintained backdoor access to a popular software mapping tool by turning one of its own features into a webshell, according to new research from ReliaQuest.
In a report published Tuesday, researchers said that Flax Typhoon — a group that has been spying on entities in the U.S., Europe and Taiwan since at least 2021 — has had access for more than a year to a private ArcGIS server. To achieve and maintain that access, the group leveraged “an unusually clever attack chain” that allowed them to both blend in with normal traffic and maintain access even if the victim tried to restore their system from backups.
ArcGIS, made by Esri, is one of the most popular software programs for geospatial mapping and used widely by both private organizations and government agencies. Like many programs, however, it relies on backend servers and various other technical infrastructure to fully function.
For example, many ArcGIS users will use what is known as a Server Object Extension (SOE), which allows you to create service operations to extend the base functionality of map or image services” and implement custom code, according to ArcGIS documentation.
The attackers found a public-facing ArcGIS server connected to another private backend server used by the program to perform computations. They compromised a portal administrator account for the backend server and deployed a malicious extension, instructing the public-facing server to create a hidden directory to serve as the group’s “private workspace.” They also locked off access to others with a hardcoded key and maintained access long enough for the flaw to be included in the system’s backup files.
In doing so, the Chinese hackers effectively weaponized ArcGIS, turning it into a webshell to launch further attacks, and mostly did so using the software program’s own internal processes and functionality.
ReliaQuest researchers wrote that by structuring their requests to appear as routine system operations, they were able to evade detection tools, while the hardcoded key “prevented other attackers, or even curious admins, from tampering with its access.”
Infecting the backups, meanwhile, gave Flax Typhoon an insurance plan if their presence ultimately was discovered.
“By ensuring the compromised component was included in system backups, they turned the organization’s own recovery plan into a guaranteed method of reinfection,” ReliaQuest researchers claimed. “This tactic turns a safety net into a liability, meaning incident response teams must now treat backups not as failsafe, but as a potential vector for reinfection.”
This continues a consistent trend around Flax Typhoon’s behavior observed by researchers: the group’s propensity for quietly turning an organization’s own tools against itself rather than using sophisticated malware or exploits.
In 2023, Microsoft’s threat intelligence team detailed what it described as Flax Typhoon’s “distinctive” pattern of cyber-enabled espionage. The group was observed achieving long-term access to “dozens” of organizations in Taiwan “with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.”
Earlier this year, the U.S. Treasury Department placed economic sanctions on Integrity Technology Group, a Beijing company the agency says has provided technical support and infrastructure for Flax Typhoon cyberattacks, including operating a massive botnet taken down by the FBI last year.
That may be why ReliaQuest researchers emphasized that the true threat revealed by their research isn’t about Esri or any specific vendor or their product. The real worry is that most enterprise software relies on the same kind of third-party applications and extensions that Flax Typhoon exploited to hijack an ArcGIS server. The same vulnerability exists wherever an external tool needs access that can be turned against the user when compromised.
“When a vendor has to rewrite its own security guidelines, it proves the flawed belief that customers treat every public-facing tool as a high-risk asset,” they wrote. “This attack is a wake-up call: Any entry point with backend access must be treated as a top-tier priority, no matter how routine or trusted.”
The post Flax Typhoon can turn your own software against you appeared first on CyberScoop.
Fortra, in its most forceful admission yet, confirmed a maximum-severity defect it disclosed in GoAnywhere MFT has been actively exploited in attacks, yet researchers are still pressing the vendor to be more forthcoming about how attackers obtained a private key required to achieve exploitation.
The vendor published a summary of its investigation into CVE-2025-10035 Thursday, three weeks after it publicly addressed the vulnerability in its file-transfer service for the first time. “At this time, we have a limited number of reports of unauthorized activity related to CVE-2025-10035,” the company said.
“It is positive to see Fortra increase their transparency surrounding the CVE-2025-10035 saga,” Ben Harris, founder and CEO at watchTowr, told CyberScoop. “However, the mystery remains — watchTowr researchers and others are still unclear how this vulnerability could be exploited without access to a private key that only Fortra is believed to have access to.”
Researchers at watchTowr, Rapid7 and VulnCheck last month rang alarm bells about the private key after they independently confirmed the steps attackers would have to take to achieve exploitation.
“The fact that Fortra has now opted to confirm ‘unauthorized activity related to CVE-2025-10035,’ confirms yet again that the vulnerability was not theoretical, and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” Harris said.
The scope of compromise has continued to grow during the past month as Fortra and researchers continue hunting for evidence of active exploitation. Fortra also shared more details about the timeline and actions it took behind the scenes prior to publicly disclosing and addressing the vulnerability.
Security staff at Fortra began investigating a potential vulnerability after a customer reported suspicious activity Sept. 11. After inspecting customer logs, the company started notifying potentially impacted customers and reported the malicious activity to law enforcement that same day.
The vendor also said it found three instances in its cloud-based GoAnywhere MFT environment “with potentially suspicious activity related to the vulnerability.” Fortra said it isolated those instances for further investigation and alerted customers using those managed services of potential exposure.
The company deployed the patch to cloud-based services it hosts for customers Sept. 17, but it has not described the extent to which the vulnerability has been exploited in on-premises customer environments and Fortra-hosted services. The vendor said it updated all company-hosted instances of GoAnywhere MFT, including infrastructure rebuilds.
Fortra did not answer questions submitted by CyberScoop on Monday.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns. Microsoft Threat Intelligence followed up on that last week, noting that a cybercriminal group it tracks as Storm-1175 has exploited CVE-2025-10035 to initiate multi-stage attacks including ransomware.
Fortra repeatedly declined to confirm it was aware of active exploitation in the wake of those reports. The company previously added indicators of compromise to its security advisory, but didn’t say it was aware of reports of unauthorized activity related to the defect until Thursday.
The post Fortra cops to exploitation of GoAnywhere file-transfer service defect appeared first on CyberScoop.
A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.
An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.
SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post.
“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.
The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack.
Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.
“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added.
SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years.
Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.
While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.
The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.
“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said.
“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”
SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.
The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.
Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday.
“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29.
Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update.
The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.
Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together.
“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.
Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity.
Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.
Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.
Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims.
Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit.
“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report.
While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.
Clop has successfully intruded multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.
The post Dozens of Oracle customers impacted by Clop data theft for extortion campaign appeared first on CyberScoop.
Microsoft Threat Intelligence said a cybercriminal group it tracks as Storm-1175 has exploited a maximum-severity vulnerability in GoAnywhere MFT to initiate multi-stage attacks including ransomware. Researchers observed the malicious activity Sept. 11, Microsoft said in a blog post Monday.
Microsoft’s research adds another substantive chunk of evidence to a growing collection of intelligence confirming the defect in Fortra’s file-transfer service was exploited as a zero-day before the company disclosed and patched CVE-2025-10035 on Sept. 18.
Despite this mounting pile of evidence, Fortra has yet to confirm the vulnerability is under active exploitation. The company has not answered questions or provided additional information since it updated its security advisory Sept. 18 to include indicators of compromise.
Storm-1175, a financially motivated cybercrime group known for exploiting public vulnerabilities to gain access and deploy Medusa ransomware, exploited CVE-2025-10035 to achieve remote code execution, according to Microsoft.
“They used this access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, to move laterally across networks using built-in Windows utilities,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop in an email. “In at least one instance, the intrusion led to data theft via Rclone and a Medusa ransomware deployment.”
Microsoft’s findings bolster research from other firms including watchTowr, which said it obtained credible evidence of active exploitation of the GoAnywhere vulnerability dating back to Sept. 10, a day before Fortra maintains the vulnerability was discovered.
“Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared. Organizations running GoAnywhere MFT have effectively been under silent assault since at least Sept. 11, with little clarity from Fortra,” said Ben Harris, founder and CEO at watchTowr.
“Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers. What’s still missing are the answers only Fortra can provide,” Harris added.
This includes details about how the attackers accessed private keys required to achieve exploitation, as researchers from multiple firms flagged as a worrying signal last month. “Customers deserve transparency, not silence,” Harris said.
Federal cyber authorities have confirmed active exploitation of GoAnywhere’s defect as well. The Cybersecurity and Infrastructure Security Agency added CVE-2025-10035 to its known exploited vulnerabilities catalog Sept. 29, noting the defect has been used in ransomware campaigns.
DeGrippo said Storm-1175’s attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance and manufacturing sectors. “Their tactics reflect the broader pattern we’re seeing, which is blending legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft,” she added.
Researchers haven’t said how many organizations are impacted by GoAnywhere attacks, but Fortra customers went through this before when a zero-day vulnerability in the same file-transfer service was widely exploited two years ago, resulting in attacks on more than 100 organizations.
The post Microsoft pins GoAnywhere zero-day attacks to ransomware affiliate Storm-1175 appeared first on CyberScoop.
Federal cyber authorities and threat hunters are on edge following Oracle’s Saturday disclosure of an actively exploited zero-day vulnerability the Clop ransomware group used to initiate a widespread data theft and extortion campaign researchers initially warned about last week.
Oracle addressed the critical vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Saturday and advised customers to apply the patch as soon as possible. The tech giant previously said it was aware some customers had received extortion emails and said vulnerabilities it addressed in its July security update were potentially involved.
Rob Duhart, chief security officer at Oracle Security, updated his blog post Saturday to alert customers to the zero-day. Oracle did not say the zero-day is actively exploited but it provided indicators of compromise, which indirectly confirm the defect has been exploited in the wild.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known exploited vulnerabilities catalog Monday, noting that it has been used in ransomware campaigns.
Brett Leatherman, assistant director of the FBI’s Cyber Division, described the zero-day as an emergency putting Oracle E-Business Suite environments at risk of full compromise.
“Oracle E-Business Suite remains a backbone enterprise resource planning system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he said in a LinkedIn post.
The zero-day isn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims in August, according to Mandiant Consulting CTO Charles Carmakal.
Researchers at watchTowr reproduced the full exploit chain after a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together.
“The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” watchTowr researchers wrote in a blog post Monday. The cybersecurity firm said there is a high probability more vulnerabilities will be found in Oracle E-Business Suite tied to this campaign.
The zero-day vulnerability, which has a CVSS rating of 9.8, can be exploited remotely without authentication, resulting in remote code execution.
The significant lag time between when the attacks occurred and Oracle’s zero-day vulnerability disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment.
CrowdStrike researchers said the first known exploitation occurred Aug. 9, eight weeks before Oracle disclosed and patched the zero-day defect.
The number of organizations impacted by Clop’s attack spree remains unknown, yet researchers have identified victims across multiple sectors and geographies. Clop’s ransom demands have reached up to $50 million, according to Halcyon.
“We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.
“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” she said.
Clop is a ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. The threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks.
Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.
The group is driven by profit, as it operates within a Russia-aligned cybercrime environment, Kaiser said. “Clop’s operations can simultaneously extract financial value and produce outcomes useful to state actors, such as data collection, disruption, or pressure on targeted organizations.”
The post Oracle zero-day defect amplifies panic over Clop’s data theft attack spree appeared first on CyberScoop.
When security researchers issued warnings about the Salesloft Drift issues last month, two prominent cybersecurity companies found themselves facing the same threat — but their stories ended up unfolding in different ways.
Okta and Zscaler, among the larger players in the identity management space, were among the more than 700 Drift customers targeted in what has become one of the most significant supply chain attacks of the year. Within a week of Google security researchers’ warning about the incident, which targeted the widespread theft of Salesforce customer data, both companies went to work in figuring out how bad the damage would be.
The companies had very different experiences. While Okta’s security measures thwarted any lasting damage, Zscaler wasn’t as lucky, having to deal with unauthorized access of both customer and internal company data. Same threat actor. Same timeline. Opposite outcomes.
The divergence in incidents and responses offers a rare opportunity to understand how a cybersecurity strategy works in action. CyberScoop spoke with the security leaders of both companies to learn about how the attack went down from those directly in its crosshairs, and lessons learned that could bolster defenses of their companies and others going forward.
Salesloft hasn’t publicly released a comprehensive root-cause analysis into the attack, but initial results of its investigation revealed a threat group gained access to its GitHub account as far back as March. The group, which Google tracks as UNC6395, achieved lateral movement and set up workflows in the Salesloft application environment before it accessed Drift’s Amazon Web Services environment and obtained OAuth tokens used by Drift customers.
Those tokens allowed the threat group to access and steal data from separate platforms integrated with Drift, an AI chat agent primarily used by sales teams. Google said the “widespread data theft campaign” occurred during a 10-day period in mid-August. Nearly 40 companies, including more than 20 cybersecurity vendors, have publicly disclosed they were caught up in the attack spree.
Zscaler received its first security alert from Salesforce a week after the data theft concluded, warning the security vendor that unauthorized IP addresses were using the application programming interface (API) for its Drift OAuth token. Zscaler immediately revoked the token, “even though it didn’t really matter by that point,” said Sam Curry, the company’s chief information security officer.
The damage was already done. Data on a large number of Zscaler’s customers was exposed, including names, business email addresses, job titles, phone numbers, location details, Zscaler product licensing and commercial information, and plain text content from some support cases.
Since Okta uses Drift, it proactively hunted for signs of compromise when threat intel experts started warning about an issue with the service. The company found a “short burst of attempts” to use Drift tokens from locations outside of the manually configured IP range it set up for security purposes, David Bradbury, Okta’s chief security officer, told CyberScoop.
That control blocked the attack and kept Okta’s Drift integrations secure. Yet, many companies don’t take that approach because setting IP restrictions for API calls is a manual and often laborious process requiring input and support from every vendor in the supply chain.
“If we can put our minds to these problems, we can come up with solutions so that you can implement IP restrictions in a matter of clicks, rather than in a matter of days and weeks of continuous testing, and investigation and discovery,” Bradbury said.
Okta’s investigation revealed a seemingly automated threat campaign. “They were not persistent,” Bradbury said. “The hypothesis that we have at the moment is that there was a single significant script that was engineered that hit all of these all at once and pulled down all of this information in a series of events.”
Zscaler’s compromise was particularly frustrating given the timing: the company had already stopped using Drift in July, a decision completely unrelated to security — and made before any indicators of the attack campaign came to light.
“That OAuth token that was being used with [Drift] was still active,” Curry said. “It was due to be retired by the end of August,” he added, describing that decision as a deliberate delay to make sure the token was fully disconnected and no longer in use.
Salesloft hasn’t explained how the threat group accessed its GitHub account, nor how it accessed Drift’s AWS environment and ultimately obtained customers’ OAuth tokens.
“I don’t actually know how they got the tokens out. I just know they did,” Curry said. “As for how they store it, I don’t know internally, except that they passed our security questionnaire and probably hundreds, if not thousands of others” for third-party risk management, he added.
Okta also doesn’t know how the threat group accessed its Salesloft Drift OAuth token. That information would have to come from Salesloft, Bradbury said.
“The internet is connected by some very brittle, small pieces of information — these tokens that we constantly talk about, these combinations of letters and numbers in files that ultimately provide access to all of the applications that we use,” he said.
“Those tokens need to be stored somewhere, and sadly there are mechanisms in place right now which doesn’t necessitate actually tying these tokens directly to something — to prevent their reuse,” Bradbury added.
Most SaaS applications implement tokens and authentication in rather rudimentary means. “They’re doing what’s easy and what works, and what works is once you’ve granted access you’re actually storing these tokens somewhere,” he said.
While their experiences in the wake of the Salesloft Drift attacks were quite different, Bradbury and Curry shared similar reflections and took many like-minded lessons from the third-party compromise that impacted hundreds of companies.
“APIs are becoming a new highway of access that we need more control over, and we need better control of collectively,” Curry said. “APIs get wider in terms of what you can do with them, and you need the ability to monitor them and to put preventative controls on them to look for behavioral changes.”
Zscaler learned another lesson the hard way — the importance of limiting IP address ranges for API queries, and rotating tokens more frequently.
“For me, this wake-up call is saying API is a new attack-and-control plane that’s far more exposed than most people realize from just a simple risk exercise,” Curry said.
“There are no small vendors in an API-connected world. It’s just like — if you think about border security — there’s no small and insignificant ports of entry,” he added. “They all use the same highway systems.”
Bradbury, who is expectedly pleased Okta wasn’t impacted by this malicious campaign, can’t help but feel frustrated because he believes there are better, more secure methods to protect unauthorized token use. The central issue in this supply-chain attack could have been avoided with Demonstrating Proof of Possession (DPoP), a mechanism that can constrain token use to a specific client and prevent the use of stolen tokens, he said.
Once attackers steal tokens that can be reused without restriction, disastrous consequences await all, Bradbury added.
“We need to see more SaaS vendors actually prioritizing security features on their roadmap, not just the features that will result in customer growth and revenue,” he said.
Security leaders have an important role to play in demanding these changes from their vendors. “It’s about time that we started to use our collective ambitions to raise the bar for security to actually hold our vendors accountable,” Bradbury said.
Curry is taking a similar forward-looking approach. “Let’s learn from one another, instead of bayoneting the wounded,” he said.
“After the fact, in the cold light of day, we’ll all look at what happened,” Curry added. “I’m not interested in blame at this point. I’m interested in better security.”
The post Security leaders at Okta and Zscaler share lessons from Salesloft Drift attacks appeared first on CyberScoop.
Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.
The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen.
“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”
Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.
The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.
“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”
Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.
Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.
“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.
Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite.
The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity.
The company has not responded to multiple requests for comment.
The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.
“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”
In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.”
This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.
The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days.
“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”
The full text of the email is below:
Dearest executive,
We are CL0P team. If you haven’t heard about us, you can google about us on internet.
We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.
But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.
So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.
We always fulfil all promises and obligations.
We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.
Lower you see our contact email addresses:
[REDACTED]
[REDACTED]
As evidence, we can show any 3 files you ask or data row.
We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.
We are not interested in destroying your business. We want to take the money and you not hear from us again.
Time is ticking on clock and in few days if no payment we publish and close chat.
Please convey this information to your executive and managers as soon as possible.
After a successful transaction and receipt of payment we promise
1) technical advice
2) We will never publish you data
3) Everything we download will be delete w/proof
4) Nothing will ever disclose
Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.
KR CL0P
Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.
The post Here is the email Clop attackers sent to Oracle customers appeared first on CyberScoop.
North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders.
Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.
Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said.
North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.
While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis.
Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.
Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries.
“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.
Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers.
CrowdStrike, in August, said it observed a 220% year-over-year increase in North Korean IT worker activity, amounting to 320 incident response cases in the past year. The Justice and Treasury Departments have seized cryptocurrency, issued indictments and sanctioned people and entities allegedly involved in the yearslong scheme.
Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles.
Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.
Okta cautioned that non-U.S.-based companies are likely less skilled and concerned with finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said.
“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”
The post North Korea IT worker scheme swells beyond US companies appeared first on CyberScoop.
An elusive, persistent, newly confirmed China espionage group has hit almost 10 victims of geopolitical importance in the Middle East, Africa and Asia using specific tactics and extreme stealth to avoid detection, according to Palo Alto Networks’ Unit 42.
Phantom Taurus uses tools and a distinct homegrown set of malware and backdoors that sets them apart from other China threat groups, said Assaf Dahan, who’s led an investigation into the group since 2022 as director of threat research at Palo Alto Networks’ Cortex unit.
The discovery of an undocumented threat group conducting long-term intelligence-gathering operations aligned with Beijing’s interests underscores the spread of China’s offensive espionage operations globally. Roughly 3 in 4 nation-state threats originate from or are operating on behalf of the Chinese government’s interests, Dahan told CyberScoop.
Unit 42 did not name Phantom Taurus’ victims but said the group has infiltrated networks operated by ministries of foreign affairs, embassies, diplomats and telecom networks to steal sensitive and timely data around major summits between government leaders or political and economic events.
Phantom Taurus seeks sustained access to highly targeted networks so it can periodically and opportunistically steal data they want at any time. Unit 42 researchers responded to one case involving access going back almost two years, Dahan said.
The threat group remains active and has expanded its scope over time by targeting more organizations. “The latest activity was just a couple of months ago when we saw them highly active in at least two regions of the world,” Dahan said.
Unit 42 expects more victims to be identified as a result of its report, which includes details about the group’s specialized malware, indicators of compromise and tactics, techniques and procedures.
Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors. These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads, and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments, according to Unit 42.
“These pieces of malware are designed for extreme stealth, allowing them to operate clandestinely, under the radar, and infiltrate into really sensitive organizations,” Dahan said. While Phantom Taurus uses some infrastructure and tools that are commonly shared among multiple Chinese espionage groups, Unit 42 isn’t aware of any other groups using the suite of specialized malware.
The group most often breaks into networks by locating internet-facing devices that can be exploited via known vulnerabilities, Dahan said. “The level of sophistication that we’ve seen from this group is really off the charts. But when it comes to how they actually put a foot in the door, it’s as basic as exploiting an unpatched server most of the time,” he added.
Phantom Taurus’ tools, capabilities, targets and other fingerprints left behind by its activities gives Unit 42 confidence the group is unique and does not overlap with a group previously identified by other research firms.
“Their entire playbook seems distinct and quite apart from other Chinese threat actors,” Dahan said. “It’s not something that you can mistake for another group.”
The post Palo Alto Networks spots new China espionage group showcasing advanced skills appeared first on CyberScoop.
Anthropic’s new coding-focused large language model, Claude Sonnet 4.5, is being touted as one of the most advanced models on the market when it comes to safety and security, with the company claiming the additional effort put into the model will make it more difficult for bad actors to exploit and easier to leverage for cybersecurity specific-tasks.
“Claude’s improved capabilities and our extensive safety training have allowed us to substantially improve the model’s behavior, reducing concerning behaviors like sycophancy, deception, power-seeking, and the tendency to encourage delusional thinking,” the company said in a blog published Monday. “For the model’s agentic and computer use capabilities, we’ve also made considerable progress on defending against prompt injection attacks, one of the most serious risks for users of these capabilities.”
The company says the goal is to make Sonnet a “helpful, honest and harmless assistant” for users. The model was trained at AI Safety Level 3, a designation that means Anthropic used “increased internal security measures that make it harder to steal model weights” and added safeguards to limit jailbreaking and refuse queries around certain topics, like how to develop or acquire chemical, biological and nuclear weapons.
Because of this heightened scrutiny, Sonnet 4.5’s safeguards “might sometimes inadvertently flag normal content.”
“We’ve made it easy for users to continue any interrupted conversations with Sonnet 4, a model that poses a lower … risk,” the blog stated. “We’ve already made significant progress in reducing these false positives, reducing them by a factor of ten since we originally described them, and a factor of two since Claude Opus 4 was released in May.”
Anthropic says Sonnet 4.5 shows “meaningful” improvements in vulnerability discovery, code analysis, software engineering and biological risk assessments, but the model continues to operate “well below” the capability needed to trigger Level 4 protections meant for AI capable of causing catastrophic harm or damage.
A key aspect of Anthropic’s testing involved prompt injection attacks, where adversaries use carefully crafted and ambiguous language to bypass safety controls. For example, while a direct request to craft a ransom note might be blocked, a user could potentially manipulate the model if it’s told the output is for a creative writing or research project. Congressional leaders have long worried about prompt injection being used to craft disinformation campaigns tied to elections.
Anthropic said it tested Sonnet 4.5’s responses to hundreds of different prompts and handed the data over to internal policy experts to assess how it handled “ambiguous situations.”
“In particular, Claude Sonnet 4.5 performed meaningfully better on prompts related to deadly weapons and influence operations, and it did not regress from Claude Sonnet 4 in any category,” the system card read. “For example, on influence operations, Claude Sonnet 4.5 reliably refused to generate potentially deceptive or manipulative scaled abuse techniques including the creation of sockpuppet personas or astroturfing, whereas Claude Sonnet 4 would sometimes comply.”
The company also examined a well-known weakness among LLMs: sycophancy, or the tendency of generative AI to echo and validate user beliefs, no matter how bizarre, antisocial or harmful they end up being. This has led to instances where AI models have endorsed blatant antisocial behaviors, like self-harm or eating disorders. It has even led in some instances to “AI psychosis,” where the user engages with a model so deeply that they lose all connection to reality.
Anthropic tested Sonnet 4.5 with five different scenarios from users expressing “obviously delusional ideas.” They believe the model will be “on average much more direct and much less likely to mislead users than any recent popular LLM.”
“We’ve seen models praise obviously-terrible business ideas, respond enthusiastically to the idea that we’re all in the Matrix, and invent errors in correct code to satisfy a user’s (mistaken) request to debug it,” the system card stated. “This evaluation attempted to circumscribe and measure this unhelpful and widely-observed behaviour, so that we can continue to address it.”
The research also showed that Sonnet 4.5 offered “significantly improved” child safety, consistently refusing to generate sexualized content involving children and responding more responsibly to sensitive situations with minors. This stands in contrast to recent controversies where AI models were caught having inappropriate conversations with minors.
Beyond making Sonnet 4.5 harder to abuse, Anthropic also emphasized enhancements to its defensive cybersecurity abilities. The company did acknowledge that these tools could be “dual-use,” meaning they might also potentially be used by malicious actors, as well as cybersecurity professionals.
“For Claude Sonnet 4.5, we specifically focused on tracking vulnerability discovery, patching, and basic penetration testing capabilities — which we think will benefit defenders, as opposed to dominantly offensive capabilities,” the company said.
Anthropic put Sonnet 4.5 through a series of Capture-the-Flag challenges, which has been used in other portions of the industry to boost LLMs’ ability to carry out more complex cybersecurity tasks. Anthropic says the challenges evaluated how well the model could find and exploit vulnerabilities in web applications, decode cryptographic protocols, detect insecure software, reverse engineer and perform network reconnaissance.
Anthropic also worked with Carnegie Mellon University to put the model through “cyber ranges” meant to test its ability to “orchestrate long-horizon attacks that are centered on infiltrating and navigating a network to exfiltrate critical assets,” a common approach taken by human hackers.
While the company said the tests showed that Claude Sonnet 4.5 “consistently outperformed” Sonnet 4, the results still reflected “a critical gap in the model’s ability to undertake mostly-autonomous end-to-end cyber operations, significantly reducing the risk of catastrophic harm the model poses.”
The company offered an important caveat to its testing results.
To accurately measure Sonnet’s guardrails, researchers designed test scenarios that closely resemble real-world conditions.
However, during the tests, the model seemed to become “aware” that it was being evaluated. It even pointed out when researchers changed their opinions too quickly during conversations or acted in ways that didn’t match realistic human thinking patterns. Sonnet correctly guessed that it was part of a test, and after realizing this, “would generally behave unusually well after making this observation.”
“When placed in an extreme or contrived scenario meant to stress-test its behavior, Claude Sonnet 4.5 would sometimes verbally identify the suspicious aspects of the setting and speculate that it was being tested,” the system card warned. “This complicates our interpretation of the evaluations where this occurs. It also raises questions about evaluations of previous models, which may have recognized the fictional nature of tests and merely ‘played along.’”
You can read the results of Anthropic’s safety testing on its website.
The post Anthropic touts safety, security improvements in Claude Sonnet 4.5 appeared first on CyberScoop.
Login