Black Hat NOC Detects Vulnerable Applications and Misconfigurations During 2025 Conference
Summary
During the Black Hat USA 2025 conference in Las Vegas, the Network Operations Center (NOC) team detected several security issues, including vulnerable applications and misconfigurations on attendees' devices. The NOC team, led by James Pope, used AI and machine learning to monitor and secure the network, a task complicated by the need to distinguish malicious-looking activity that is legitimate and accepted within the conference environment from genuine threats. The team also observed an increase in self-hosting and in the insecure transmission of personal information over the network. The NOC team identified three chat applications that sent messages unencrypted, exposing sensitive organizational data. Additionally, they found misconfigured security tools on attendees' devices that allowed unauthorized access to event logs and personal information. The team alerted the affected organizations so they could close these security gaps. The conference highlighted the challenge of securing a network where malicious-looking activity is expected, and the risks posed by rapid application development and self-hosting practices.
Timeline
- 11.08.2025 21:48 (1 article): Black Hat NOC Detects Vulnerable Applications and Misconfigurations During 2025 Conference
  Source: Black Hat NOC Expands AI Implementation Across Security Operations, www.darkreading.com, 11.08.2025 21:48
Information Snippets
All snippets below were first reported 11.08.2025 21:48 (1 source, 1 article): Black Hat NOC Expands AI Implementation Across Security Operations, www.darkreading.com, 11.08.2025 21:48.

- The Black Hat USA 2025 NOC team used AI and machine learning to monitor and secure the network.
- The NOC team identified three chat applications with unencrypted messages, exposing sensitive data.
- Misconfigured security tools on attendees' devices allowed unauthorized access to event logs and personal information.
- The NOC team observed an increase in self-hosting and insecure personal information transmission over the network.
- The team alerted affected organizations to address security gaps identified during the conference.
Similar Happenings
UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns
The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.
UNC6395 Exploits Salesloft OAuth Tokens to Exfiltrate Salesforce Data
UNC6395 exploited Salesloft OAuth tokens to exfiltrate data from Salesforce instances. The campaign, active from August 8 to 18, 2025, targeted over 700 organizations, exporting credentials and sensitive information. Zscaler, Palo Alto Networks, Cloudflare, Google, PagerDuty, Proofpoint, SpyCloud, Tanium, and Workiva were impacted by the breach, exposing customer information. Salesloft and Salesforce have taken remediation steps, and the threat actor demonstrated operational security awareness. The breach involved exporting large volumes of data from Salesforce instances, including AWS access keys, passwords, and Snowflake tokens. The actor deleted query jobs to cover tracks. Salesloft has revoked connections and advised customers to re-authenticate Salesforce integrations. The campaign may indicate a broader supply chain attack strategy. Salesloft has engaged Mandiant and Coalition for investigation and remediation. Drift customers are urged to update API keys for connected integrations. Salesforce removed the Drift application from the Salesforce AppExchange until further notice. Google has revealed that the campaign impacts all integrations, including Google Workspace email accounts, and has taken steps to mitigate the risk. Salesloft is temporarily taking Drift offline to review the application and build additional security measures. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications.
ShadowCaptcha Campaign Exploits WordPress Sites to Deliver Malware
A large-scale campaign, codenamed ShadowCaptcha, has been exploiting over 100 compromised WordPress sites to spread ransomware, information stealers, and cryptocurrency miners. The campaign uses fake CAPTCHA verification pages to trick users into executing malicious payloads. The attacks began in August 2025 and target various sectors, including technology, hospitality, legal/finance, healthcare, and real estate. The primary objectives are data theft, illicit cryptocurrency mining, and ransomware deployment. The campaign employs social engineering, living-off-the-land binaries (LOLBins), and multi-stage payload delivery to maintain persistence on targeted systems. The attacks start with malicious JavaScript code injected into compromised WordPress sites, redirecting users to fake CAPTCHA pages. From there, the attack chain forks into two paths: one using the Windows Run dialog and the other guiding victims to save and run an HTML Application (HTA) file. The compromised sites are primarily located in Australia, Brazil, Italy, Canada, Colombia, and Israel. The attackers likely gained access through known exploits in WordPress plugins and compromised credentials. The "Scattered Lapsus$ Hunters" group, linked to ShinyHunters, Scattered Spider, and Lapsus$, has been identified as behind widespread data theft attacks targeting Salesforce data and other high-profile companies. The group has claimed access to Google's Law Enforcement Request System (LERS) and the FBI's eCheck background check system, raising concerns about potential impersonation of law enforcement and unauthorized access to sensitive user data. Mitigation strategies include user training, network segmentation, and securing WordPress sites with multi-factor authentication (MFA).
UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks
UNC6384, a China-nexus threat actor, has been deploying PlugX malware to diplomats in Southeast Asia and other global entities. The campaign, detected in March 2025, uses captive portal hijacks, adversary-in-the-middle (AitM) attacks, and valid code signing certificates to evade detection. The PlugX variant, SOGU.SEC, is delivered via a digitally signed downloader called STATICPLUGIN. The malware supports commands for file exfiltration, keystroke logging, remote command shells, and file uploads and downloads. The attack chain involves redirecting web traffic through a captive portal to a threat actor-controlled website, where the malware is downloaded. The malware is disguised as an Adobe Plugin update, using a legitimate-looking HTTPS connection with a valid TLS certificate. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted approximately two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The malware used a blank landing page with a valid TLS/SSL certificate issued by Let's Encrypt to evade browser security warnings. The STATICPLUGIN downloader employed a valid code-signing certificate from Chengdu Nuoxin Times Technology Co. Ltd. The downloader dropped a launcher called CANONSTAGER, which used legitimate Windows features and API hashing to evade detection. The CANONSTAGER launcher introduced the SOGU.SEC variant of the PlugX backdoor.
Chinese APTs Murky Panda, Genesis Panda, and Glacial Panda escalate cloud and telecom espionage
Murky Panda (also known as Silk Typhoon), Genesis Panda, and Glacial Panda, three China-nexus cyber espionage groups, have escalated their activities targeting the cloud and telecom sectors. Murky Panda exploits trusted cloud relationships and zero-day vulnerabilities to breach enterprise networks. Genesis Panda targets cloud service providers to expand access and establish persistence. Glacial Panda targets telecommunications organizations to exfiltrate call detail records and related communications telemetry. The groups leverage various TTPs, including exploiting internet-facing appliances, known vulnerabilities, and living-off-the-land techniques. Their operations are driven by intelligence gathering and by maintaining stealth and persistence. Murky Panda has been observed exploiting the CVE-2025-0282 vulnerability in Ivanti Pulse Connect VPN, zero-day vulnerabilities in SaaS providers' cloud environments, and delegated administrative privileges (DAP) in Microsoft cloud solution providers to gain Global Administrator rights across all downstream tenants. The group uses compromised SOHO devices as proxy servers to blend malicious traffic with normal traffic and deploys web shells such as Neo-reGeorg and China Chopper to establish persistence.