Ransomware Group “Trinity of Chaos” Unveils Data Leak Website

A new data leak platform has emerged on the TOR network, operated by a group known as the “Trinity of Chaos.” This ransomware collective is reportedly connected to the infamous Lapsus$, Scattered Spider, and ShinyHunters groups. In a significant escalation of their cybercriminal activities, the site has listed 39 major global corporations whose data has allegedly been compromised.

The Trinity of Chaos has not announced any new attacks but has instead opted to release previously undisclosed data from earlier breaches. Companies named in the leaks include prominent names such as Toyota, FedEx, Disney, UPS, Marriott, and Google. Notably, the group has made threats against Salesforce, asserting that it possesses substantial amounts of corporate data obtained by exploiting vulnerabilities within Salesforce’s environment. Salesforce has refuted these claims, insisting that no new vulnerabilities have been identified, although it did acknowledge the possibility of data exposure from past breaches.

Brian Soby, Chief Technology Officer and co-founder of AppOmni, commented on the situation, stating that the assumed elimination of ShinyHunters was short-lived. Reports now indicate that the group is not only continuing its extortion tactics but is also attempting to leverage ongoing litigation against Salesforce regarding previous breaches. The group has warned that failure to engage with it could result in its approaching regulatory bodies, potentially leading to criminal negligence charges. This strategy mirrors tactics employed by other ransomware groups that use regulatory threats to pressure companies, particularly under EU General Data Protection Regulation (GDPR) rules.

As to the authenticity of the data, Resecurity has confirmed that the leaked information comprises significant personally identifiable information (PII), although few passwords were included. This suggests that the data may have been acquired through stolen OAuth tokens and social engineering techniques associated with Salesloft’s Drift AI integration. The FBI has issued a flash alert to assist organizations in identifying similar breaches. Soby pointed out that ShinyHunters utilized phishing tactics to obtain customer credentials, highlighting the importance of customer responsibility in monitoring and mitigating such threats.

The leak site also lists numerous recent victims, including Stellantis and Aeroméxico, the latter facing a data breach that affected 39 million records. Incidents also involve well-known airlines such as Air France, KLM, Qantas, and Vietnam Airlines, the last of which is said to have been compromised for nearly three years.

As the group asserts possession of over 1.5 billion records from 760 companies, the data leak encompasses a range of sensitive files from Google AdWords and Cisco, among others. The records attributed to Google appear to be connected to corporate Salesforce environments, which could significantly impact digital advertisers and media partners. For Cisco, the compromised files include sensitive information involving employees and customers from agencies such as the FBI, DHS, and NASA.

The unfolding situation raises serious concerns about the effectiveness of security practices among many SaaS customers in meeting their Shared Responsibility obligations. October 10 has been set as the deadline for negotiation, after which further data releases can be expected. Experts are sounding alarms, suggesting that if this data is made public, it could trigger large-scale phishing attempts, identity theft, and AI-driven data exploitation.

The techniques likely employed in these breaches can be analyzed through the lens of the MITRE ATT&CK framework. Initial access may have been gained through phishing and social engineering techniques, while persistence could have been maintained through methods like credential dumping and exploitation of vulnerabilities. The potential for privilege escalation is significant, especially given the sensitive nature of the compromised data, and this invites scrutiny of the defensive measures employed by the affected organizations.
