Author: Staff Writer

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Summary Points The threat actor, dubbed Noisy Bear, has been targeting Kazakhstan’s oil and gas sector since April 2025, primarily using spear-phishing with malicious documents mimicking official communications. The attacks involve compromised email accounts, urgent messages about salaries, and malicious shortcuts (.LNK files) designed to download additional payloads. Noisy Bear’s tactics include the use of PowerShell, open-source post-exploitation tools like Metasploit, and hosting malicious content on sanctioned web providers, with indicators suggesting a possible Russian origin. Cyberattacks on the oil and gas industry have surged significantly, with ransomware increases of over 935% year-over-year, driven by automation and persistent security vulnerabilities.…

Fast Facts Threat actors accessed Salesloft’s GitHub account from March to June 2025, enabling reconnaissance that led to a widespread data theft campaign exploiting compromised OAuth tokens. The attackers used these tokens to extract large volumes of data, including AWS keys and access tokens, primarily targeting Salesforce and Drift AI environments. The breach impacted over a dozen companies across cybersecurity and tech sectors, affecting customer support data and various cloud services, though the exact number of organizations affected remains unconfirmed. Salesforce responded by disabling the affected integrations and later restoring them, with investigations confirming that the breach resulted from the…

Quick Takeaways The data breach at Salesloft originated from the compromise of its GitHub account, which allowed a threat actor to access multiple repositories and establish workflows. The attacker, tracked as UNC6395, accessed Salesloft’s GitHub from March to June 2025, impacting 22 companies and leading to reconnaissance activities within Salesloft and Drift environments. The intruder gained access to Drift’s AWS environment, stole OAuth tokens, and used them to compromise customer data via Drift integrations. Salesloft temporarily shut down the Drift application, reset credentials, reinforced security controls, and Salesforce re-enabled most integrations except for Drift, which remains disabled for ongoing investigation.…

Fast Facts Restoration of Integration: Salesloft has restored integration between its Drift platform and Salesforce following an August supply chain attack linked to a compromised GitHub account. Credential Harvesting Campaign: The threat group UNC6395 exploited Salesloft Drift to launch a credential harvesting campaign targeting numerous Salesforce instances using compromised OAuth tokens. Timeline of Compromise: Investigations revealed that hackers accessed the Salesloft GitHub account between March and June 2025, conducting reconnaissance and obtaining sensitive OAuth tokens. Widespread Impact: Major security firms, including Palo Alto Networks and Cloudflare, confirmed their Salesforce instances were compromised due to the supply chain attack, suggesting potential…

Summary Points APT37, a North Korean-aligned threat actor since 2012, primarily targets individuals connected to North Korea or involved in South Korean political/diplomatic affairs, leveraging advanced malware and social engineering tactics. Recent campaigns involve a unified command-and-control server coordinating multi-stage malware, including a novel Rust-based backdoor ("Rustonotto"), PowerShell malware ("Chinotto"), and a comprehensive surveillance tool ("FadeStealer") for data exfiltration and monitoring. The attack chain typically starts with initial infection via malicious Windows shortcuts or CHM files, deploying payloads through sophisticated techniques like process doppelgänger via Windows TxF, enabling stealthy code injection and persistence. APT37 employs targeted malware to gather sensitive…

Quick Takeaways AI-powered ransomware, exemplified by NYU’s Ransomware 3.0 prototype, uses large language models (LLMs) to automate all attack phases, including reconnaissance, payload delivery, and extortion, without human input. Real-world AI-assisted cyberattacks, such as those leveraging Anthropic’s Claude Code, have successfully conducted complex operations like data exfiltration and malware creation, targeting sensitive sectors with ransom demands exceeding $500,000. These advances make it increasingly difficult to distinguish between legitimate AI tools and malicious packages, raising concerns over the potential for AI to generate malicious code, probe networks, and establish command-and-control connections dynamically. Experts warn that the ease, speed, and cost reduction…

Fast Facts A September 2025 data breach revealed extensive Kimsuky operations targeting South Korean and Taiwanese entities, exposing their PKI and government networks through credential theft and reconnaissance. The attack employed sophisticated techniques, including custom shellcode, active interception via TLS proxies, and a Linux rootkit (vmmisc.ko) to maintain stealth and persistence. Indicators include compromised cryptographic keys, administrative password rotations, and targeted reconnaissance of source repositories, highlighting a hybrid North Korea–China operational footprint. The infection chain combines low-level shellcode with open-source frameworks, emphasizing evolving, multi-stage, credential-centric tactics that organizations must now defend against. The Issue In September 2025, a cyber actor…

Top Highlights The Czech NÚKIB warns that critical infrastructure systems increasingly rely on technology from China, risking data transfer and remote management vulnerabilities. Chinese-linked threat groups like APT31 have conducted cyber espionage campaigns targeting Czech government and critical sectors, exploiting OT and ICS vulnerabilities. Due to legal and political controls in China enabling government access and interference, entities are urged to assess risks and implement security measures under the high threat level. Authorities recommend evaluating the cybersecurity risks of products and services sharing data with China, emphasizing global efforts like SBOM adoption to enhance supply chain security. Key Challenge The…

Top Highlights Wealthsimple experienced a data breach caused by a supply chain attack on a third-party software, affecting less than 1% of its customers. The compromised data includes personal details such as government IDs, Social Insurance Numbers, contact info, IP addresses, birth dates, and financial account numbers. The company contained the intrusion within hours, with no funds accessed or stolen, and no passwords were compromised. Affected individuals are being notified and offered free credit monitoring and identity theft protection services. Problem Explained On Friday, Canadian online investment company Wealthsimple announced that it had experienced a data breach affecting a small…

Fast Facts The Salesloft–Drift breach highlights the critical vulnerability of enterprise integrations, with attackers stealing OAuth tokens and accessing major tech company data, emphasizing the fragility of supply chain security. Several actively exploited CVEs, including Sitecore CVE-2025-53690 and Android vulnerabilities CVE-2025-38352 and CVE-2025-48543, demonstrate how unpatched weaknesses continue to be prime targets for threat actors. Advanced threat groups like APT28, GhostRedirector, and Iranian state-sponsored actors are deploying sophisticated malware, backdoors, and spear-phishing campaigns to target NATO countries, private sectors, and diplomatic entities. Emerging trends include the abuse of AI tools for exploitation (e.g., HexStrike AI), massive supply chain attacks like…