
Singaporean Organizations Report Increased Cloud Cyberattacks

📰 1 unique source, 1 article

Summary


Nearly 20% of organizations in Singapore experienced more than 25 cyberattacks in 2024, averaging at least one attack every two weeks. The complexity of hybrid cloud environments and the sophistication of attackers are driving this trend. Organizations must shift from perimeter-based defense to data-centric security to protect against these escalating threats. Singapore's experience serves as a critical wake-up call for other regions, particularly the United States, to rethink their cloud security strategies. The rise of hybrid work models and SaaS sprawl has expanded the attack surface, making it essential to prioritize detection across various environments and focus on behavior-based detection. Ransomware groups are targeting data backups directly, necessitating resilient backup strategies. Insider threats, including rogue insiders and attackers using stolen credentials, also pose significant risks. Early detection of these threats relies on recognizing patterns and anomalies in user behavior.

Timeline

  1. 25.08.2025 17:00 📰 1 article · ⏱ 22d ago

    Singaporean Organizations Report Increased Cloud Cyberattacks in 2024

    Nearly 20% of organizations in Singapore experienced more than 25 cyberattacks in 2024, with an average of one attack every two weeks. The complexity of hybrid cloud environments and the sophistication of attackers are driving this trend. Organizations are urged to shift from perimeter-based defense to data-centric security to protect against these escalating threats. The rise of hybrid work models and SaaS sprawl has expanded the attack surface, making it essential to prioritize detection across various environments and focus on behavior-based detection. Ransomware groups are targeting data backups directly, necessitating resilient backup strategies. Insider threats, including rogue insiders and attackers using stolen credentials, also pose significant risks. Early detection of these threats relies on recognizing patterns and anomalies in user behavior.


Similar Happenings

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Akira Ransomware Group Exploits SonicWall SSL VPN Flaws

The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.

Increased browser targeting by threat actors

Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents such as the Snowflake breach, which exploited stolen credentials, highlight the risks associated with browser-based attacks, and experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. Because these attacks exploit the browser's role in accessing business applications and data, it is crucial for security teams to focus on browser security.

APT28 Exploits Microsoft Outlook with NotDoor Backdoor Malware

APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. NotDoor leverages Outlook as a covert communication, data exfiltration, and malware delivery channel. The malware is deployed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The backdoor is triggered by specific strings in incoming emails, allowing attackers to execute commands, exfiltrate data, and upload files. NotDoor illustrates APT28's continued evolution in bypassing established defense mechanisms. The malware has been observed targeting multiple companies from different sectors in NATO member countries. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives. The malware supports four different commands: cmd, cmdno, dwn, and upl. Files exfiltrated by the malware are saved in the folder, encoded using the malware's custom encryption, sent via email, and then deleted from the system. The attacks are notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms) as C2 domains for added stealth. Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads.

Sitecore Experience Platform Exploit Chain Enabling Remote Code Execution

An exploit chain has been identified in the Sitecore Experience Platform, combining cache poisoning and remote code execution vulnerabilities. The chain leverages four new flaws (CVE-2025-53693, CVE-2025-53691, CVE-2025-53694, CVE-2025-53690) to achieve unauthorized access and code execution. The exploit chain involves HTML cache poisoning through unsafe reflections and insecure deserialization, potentially leading to full compromise of Sitecore instances. The vulnerabilities were disclosed by watchTowr Labs and patches were released by Sitecore in June and July 2025. Additionally, a new zero-day vulnerability (CVE-2025-53690) was exploited by threat actors to deliver malware and perform extensive internal reconnaissance. The attackers targeted the '/sitecore/blocked.aspx' endpoint to achieve remote code execution and executed reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano. The vulnerability is a ViewState deserialization flaw under active exploitation in the wild, affecting several Sitecore products including Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud. The attack leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. CISA has ordered immediate patching of the vulnerability by September 25, 2025. The wider impact of the vulnerability has not yet surfaced, but it is expected to do so.