Google Uncovers a New Scam—And Becomes Its Victim

Google’s Salesforce Instance Compromised: A Closer Look at Recent Cybersecurity Breach

In a significant cybersecurity breach, Google has confirmed that its Salesforce instance was among those affected by unauthorized access. The intrusion took place in June, but the company only disclosed the incident recently, suggesting that it took some time to fully understand the extent of the breach.

According to Google, their analysis indicated that data was accessed by the threat actor during a brief window prior to the termination of access. While the data retrieved included business-related information such as names and contact details, Google stated that this information is predominantly public.

Initial investigations attributed the attacks to a group known as UNC6040. However, it has come to light that an additional group, UNC6042—operating under the name ShinyHunters—has been involved in extortion efforts, which sometimes occur months after the initial breaches attributed to UNC6040.

Google’s statement highlighted potential future threats, indicating that ShinyHunters may be gearing up to escalate their extortion strategies through the launch of a data leak site. This development could impose increased pressure on victims, especially those impacted by the recent Salesforce-related breaches.

The implications of this breach are significant, extending beyond Google. The litany of companies falling victim to similar scams raises concerns about undisclosed instances that may still be ongoing. It is imperative for all Salesforce customers to conduct thorough audits of their systems and assess which external entities have access. Implementing multifactor authentication and training personnel to recognize scam attempts are essential steps to mitigate risk.

Given the tactics employed in this breach, it is important to consider how MITRE ATT&CK adversary tactics such as initial access and privilege escalation may have been applied. The initial access could have involved social engineering techniques, potentially allowing attackers to gain entry followed by escalation to achieve deeper network infiltration.

As businesses navigate this evolving threat landscape, a proactive approach to cybersecurity is critical. The recent breach serves as a poignant reminder of the vulnerabilities that exist and the necessity for constant vigilance in securing sensitive information against sophisticated cyber threats.

Source

Related Posts

Advanced DownEx Malware Campaign Targets Central Asian Governments

May 10, 2023
Malware / Cyber Attack

Central Asian government entities are under threat from a sophisticated espionage operation utilizing a previously unidentified strain of malware known as DownEx. In a report shared with The Hacker News, cybersecurity firm Bitdefender indicated that the malicious activities are ongoing, with indications pointing towards involvement from Russia-based threat actors. The malware was first detected in a highly targeted assault on foreign government institutions in Kazakhstan in late 2022, followed by an attack in Afghanistan. The use of a diplomat-themed lure document and the campaign’s emphasis on data exfiltration imply the actions of a state-sponsored group, although the exact identity of the hacking organization remains unclear. The campaign’s initial breach method appears to involve spear-phishing emails containing a malicious payload disguised as a Microsoft Word file.

Researchers Discover Advanced Backdoor and Custom Implant in Year-Long Cyber Operation

May 15, 2023
Cyber Threat / Malware

A fresh cyber threat has emerged, targeting government, aviation, education, and telecom sectors across South and Southeast Asia. This campaign, linked to a newly identified hacking group, began in mid-2022 and extended into early 2023. Symantec, a division of Broadcom Software, has dubbed this activity “Lancefly,” identifying a sophisticated backdoor known as Merdoor. Investigation reveals that this custom implant may have been in use as early as 2018. The campaign’s objectives appear to focus on intelligence gathering, given the tools employed and the specific targets chosen. According to Symantec’s analysis shared with The Hacker News, “The backdoor is deployed very selectively, impacting only a limited number of networks and devices over the years, indicating a highly targeted approach.” Additionally, the attackers appear to possess an updated version of the ZXShell rootkit.

Mustang Panda Hackers from China Target TP-Link Routers for Ongoing Attacks

May 16, 2023
Network Security / Threat Intelligence

The Chinese state-sponsored group known as Mustang Panda has been connected to a series of sophisticated, targeted attacks aimed at European foreign affairs entities since January 2023. According to researchers Itay Cohen and Radoslaw Madej from Check Point, these intrusions involve a custom firmware implant specifically designed for TP-Link routers. This implant includes several malicious components, featuring a custom backdoor dubbed “Horse Shell” that allows attackers to maintain persistent access, establish anonymous infrastructure, and facilitate lateral movement within compromised networks. Furthermore, the implant’s firmware-agnostic design enables its components to be integrated into various firmware from different vendors. The Israeli cybersecurity firm is monitoring this threat group, also known as Camaro Dragon, along with other aliases such as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.