Daily Brief
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-02 20:51:23 | theregister | DATA BREACH | Cloudflare Discloses Customer Data Breach via Salesloft Drift Compromise | Cloudflare revealed a data breach affecting its Salesforce databases, linked to the Salesloft Drift incident, impacting customer contact information and support case data. The breach allowed unauthorized access to Cloudflare's Salesforce instance, potentially exposing sensitive customer information, including access tokens and support interactions. Cloudflare attributed the breach to the threat group GRUB1, which shares characteristics with groups tracked by Google as UNC6395 and ShinyHunters. In response, Cloudflare rotated all security tokens as a precautionary measure and informed affected customers of the potential data exposure. The breach occurred between August 12 and August 17, with Cloudflare publishing a detailed timeline of the events leading to data exfiltration. Cloudflare plans to release an in-depth analysis of GRUB1's methods to aid the cybersecurity community in defending against similar threats. The incident is part of a broader pattern, with other companies such as Google and Palo Alto Networks also reporting breaches linked to the same compromise. Organizations are advised to rotate API keys regularly and monitor third-party integrations for unusual activity to mitigate future risks. | Details |
| 2025-09-02 20:27:04 | theregister | NATION STATE ACTIVITY | Surveillanceware Industry Thrives Amidst Regulatory Challenges and Abuses | Surveillanceware firms are experiencing significant growth, driven by increased demand from government agencies despite ongoing misuse against activists, journalists, and political figures. The cost of surveillanceware has surged, with prices rising from €1,100 per infection in 2011 to €6 million for comprehensive services by 2022. Surveillanceware vendors are leveraging zero-day vulnerabilities and stealthier command-and-control infrastructure, complicating detection and mitigation efforts. Despite international sanctions and regulatory calls, key players such as the NSO Group continue operations, often through corporate restructuring and resellers. Legal actions, such as Meta's $168 million judgment against the NSO Group, highlight the tech industry's resistance to unauthorized surveillance activities. Surveillanceware techniques are increasingly infiltrating the criminal malware market, evidenced by nation-state groups using these flaws for cyber espionage. The Pall Mall Process, signed by 27 countries, seeks better regulation, yet many signatories, including Italy, remain active users of such technologies. Surveillanceware companies adeptly evade oversight, raising concerns about the lack of effective political and regulatory safeguards to protect potential targets. | Details |
| 2025-09-02 19:55:58 | bleepingcomputer | DATA BREACH | Cloudflare Faces Data Breach in Salesloft Drift Supply Chain Attack | Cloudflare experienced a data breach linked to a Salesloft Drift supply chain attack, affecting its Salesforce instance used for customer support and case management. The breach led to unauthorized access to 104 Cloudflare API tokens, though no suspicious activity has been detected with these tokens so far. Cloudflare proactively rotated all compromised tokens and notified affected customers, advising them to update credentials shared through Salesforce support channels. The breach occurred between August 12 and August 17, with attackers exfiltrating text-based data from Salesforce case objects, including customer support tickets. ShinyHunters, an extortion group, is suspected of being behind the attack, leveraging social engineering tactics such as vishing to target Salesforce customers. The attack is part of a broader trend impacting hundreds of organizations, with potential for future targeted attacks using harvested credentials. Other companies, including Palo Alto Networks, also reported similar breaches, emphasizing the need for vigilant monitoring and robust security measures in supply chain systems. | Details |
| 2025-09-02 17:59:57 | theregister | DATA BREACH | Zscaler Discloses Salesforce Data Exposure in Salesloft Drift Attack | Zscaler reported a data breach involving Salesforce information, joining Google and Palo Alto Networks in a recent supply chain compromise linked to Salesloft Drift. The breach exposed customer data, including names, email addresses, job titles, and product licensing details, but excluded attachments and images. The incident occurred between August 8 and August 18, with attackers leveraging stolen OAuth tokens from Salesloft Drift's Salesforce integration. Palo Alto Networks' Unit 42 confirmed mass data exfiltration from Salesforce objects, indicating potential further attacks through credential scanning. Zscaler advised customers to revoke Salesloft Drift access and rotate API tokens, echoing similar guidance from Google and Palo Alto Networks. The breach underscores the risks associated with third-party integrations, emphasizing the need for vigilant credential management and access monitoring. No evidence of data misuse has been reported, but affected companies are urged to review login histories and API access logs for suspicious activity. | Details |
| 2025-09-02 16:44:00 | thehackernews | NATION STATE ACTIVITY | Lazarus Group Targets DeFi Sector with Advanced Malware Suite | The Lazarus Group, linked to North Korea, has launched a social engineering campaign targeting the DeFi sector, deploying multiple malware variants. The attack involved impersonating a trading company employee on Telegram to initiate contact with the victim, leveraging fake scheduling websites. Key malware tools used include PondRAT, ThemeForestRAT, and RemotePE, each serving a different stage of the attack with varying sophistication. The initial access vector remains uncertain, but evidence suggests a zero-day Chrome exploit may have been used. PondRAT acts as the initial payload, enabling file operations and process execution, while ThemeForestRAT offers enhanced capabilities for stealthy network infiltration. RemotePE, a more advanced RAT, is reserved for high-value targets, indicating a strategic approach to target prioritization. The campaign's technical complexity and strategic execution highlight the persistent threat posed by state-sponsored actors in critical financial sectors. | Details |
| 2025-09-02 15:56:40 | bleepingcomputer | DDOS | Cloudflare Mitigates Record-Breaking 11.5 Tbps DDoS Attack | Cloudflare successfully blocked the largest recorded DDoS attack, peaking at 11.5 terabits per second, showcasing its robust defense capabilities against volumetric threats. The attack was a UDP flood originating primarily from Google Cloud, lasting approximately 35 seconds, demonstrating the rapid execution and mitigation of such attacks. This incident follows a series of significant DDoS attacks, including a 7.3 Tbps attack in June, indicating a rising trend in attack scale and frequency. Cloudflare reported a 198% quarter-over-quarter increase in DDoS attacks in 2024, with a 358% year-over-year surge, highlighting escalating threats in the cybersecurity landscape. The company mitigated 21.3 million DDoS attacks targeting its customers and infrastructure last year, emphasizing the persistent threat environment. Network-layer DDoS attacks saw a 509% year-over-year increase, reflecting a significant spike in attack intensity and complexity. The continued evolution of DDoS strategies, including multi-vector campaigns, underscores the necessity for robust, adaptive defense mechanisms in protecting digital infrastructure. | Details |
| 2025-09-02 15:04:34 | theregister | DATA BREACH | Palo Alto Networks Data Exposed via Stolen OAuth Tokens Incident | Palo Alto Networks reported unauthorized access to its Salesforce environment due to OAuth tokens stolen in the Salesloft Drift platform breach, affecting customer data. The breach involved exfiltration of customer business contact information, but no technical support files or sensitive attachments were compromised. Palo Alto Networks swiftly disconnected the compromised third-party application from its Salesforce CRM to contain the breach. The incident was isolated to the Salesforce environment, ensuring that other Palo Alto Networks products and services remained secure and operational. The Unit 42 team is actively monitoring systems and the dark web for potential misuse of the exfiltrated data, while advising on enhanced security measures. Google has not confirmed a connection between this breach and other recent Salesforce data thefts attributed to ShinyHunters. Organizations are advised to review Salesforce and Salesloft integrations, revoke tokens, and scrutinize authentication activity for anything suspicious. The breach at Salesloft's Drift platform has led to supply chain attacks affecting numerous organizations, emphasizing the need for vigilant third-party risk management. | Details |
| 2025-09-02 15:04:33 | thehackernews | MALWARE | MystRodX Backdoor Uses DNS and ICMP for Stealth Operations | Cybersecurity researchers have identified MystRodX, a stealthy backdoor leveraging DNS and ICMP triggers for covert operations, capable of capturing sensitive data from compromised systems. MystRodX, also known as ChronosRAT, was linked to Liminal Panda, a China-nexus cyber espionage group, suggesting potential nation-state involvement. The backdoor is implemented in C++ and features file management, port forwarding, reverse shell, and socket management, offering significant flexibility and stealth. MystRodX employs encryption to obscure its source code and payloads, dynamically adjusting its functions based on configuration, including network communication protocols and encryption methods. The malware can operate in passive mode, activated by specially crafted DNS or ICMP packets, enhancing its ability to remain undetected. Delivered via a dropper, MystRodX uses debugger and virtual machine checks to avoid detection before decrypting and executing its payload. Organizations are advised to enhance monitoring of DNS and ICMP traffic and employ robust detection mechanisms to counter such sophisticated threats. | Details |
| 2025-09-02 14:30:57 | bleepingcomputer | CYBERCRIME | Cyberattack Disrupts Jaguar Land Rover Production and Retail Operations | Jaguar Land Rover (JLR) experienced a cyberattack that forced the shutdown of key systems, significantly impacting production and retail operations. The company assured that customer data remains secure, with no evidence of data theft, despite the operational disruptions. Immediate mitigation steps included proactively shutting down systems, affecting operations at the Solihull plant, where popular models are manufactured. JLR is working rapidly to restore global applications in a controlled manner, though no timeline for full recovery has been provided. The attack occurred over the weekend, a common time for cyber incidents due to reduced monitoring, but no group has claimed responsibility yet. The disruption was first reported by UK dealers who faced challenges in registering new cars and supplying parts. JLR, a subsidiary of Tata Motors India, produces over 400,000 vehicles annually with a workforce of 39,000, highlighting the scale of the impact. | Details |
| 2025-09-02 13:56:28 | bleepingcomputer | DATA BREACH | Palo Alto Networks Data Breach via Salesloft OAuth Token Compromise | Palo Alto Networks experienced a data breach affecting customer information and support cases due to compromised OAuth tokens from a Salesloft Drift breach. The breach was part of a larger supply-chain attack impacting hundreds of companies, exploiting stolen authentication tokens to access Salesforce data. Exfiltrated data included business contact details, account records, and basic case data, but not technical support files or attachments. Attackers used automated tools and custom Python scripts to exfiltrate data, deleting logs to evade detection and employing Tor for anonymity. The breach led to the revocation of tokens and credential rotation by Palo Alto Networks, with Drift integrations disabled during ongoing investigations. The attack is linked to broader trends of Salesforce data thefts, with previous incidents involving social engineering tactics by groups such as ShinyHunters. Organizations are advised to treat the incident with urgency, ensuring security measures are updated to prevent further exploitation. | Details |
| 2025-09-02 13:22:55 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts Pennsylvania Attorney General's Office Operations | The Pennsylvania Attorney General's Office experienced a two-week service outage due to a ransomware attack, impacting systems including the public website, email, and phone lines. Attorney General David W. Sunday Jr. confirmed no ransom payment was made, and an active investigation is underway with other agencies involved. Staff have adapted by using alternative communication methods, while courts have issued time extensions for ongoing criminal and civil cases. The office reassured that criminal prosecutions and investigations remain unaffected, although the full extent of data impact is still under investigation. No ransomware group has claimed responsibility for the attack, marking the third such incident targeting a Pennsylvania state entity in recent years. The possibility of data exfiltration remains unconfirmed; affected individuals will be notified if any data theft is discovered. | Details |
| 2025-09-02 12:02:12 | bleepingcomputer | DATA BREACH | Palo Alto Networks Data Breach via Compromised OAuth Tokens | Palo Alto Networks experienced a data breach affecting customer data and support cases due to compromised OAuth tokens from a Salesloft Drift breach. The breach, part of a larger supply-chain attack, targeted hundreds of companies, exploiting authentication tokens for unauthorized Salesforce access. Exposed data includes business contact details and internal sales information, but no products, systems, or services were impacted. Attackers focused on extracting sensitive data such as authentication tokens and passwords to potentially access other cloud services. Automated tools facilitated data theft, with threat actors deleting logs and using Tor for anonymity to evade detection. Palo Alto Networks responded by revoking tokens, rotating credentials, and disabling Drift integrations with Salesforce and Google. The incident is part of a series of attacks linked to the ShinyHunters group, known for using social engineering tactics such as vishing. The ongoing investigation seeks to determine the full extent and connections of the attack, which has impacted companies such as Zscaler and Google. | Details |
| 2025-09-02 11:32:45 | thehackernews | MISCELLANEOUS | Shadow AI Usage Poses Governance Challenges for Enterprises | A recent report reveals over 90% of employees use AI tools daily, often bypassing corporate controls, raising concerns about a "Shadow AI Economy." Research indicates 45.4% of sensitive AI interactions occur via personal email accounts, complicating enterprise oversight and governance. Traditional "block and wait" strategies fail as AI tools are embedded in many SaaS applications, making them difficult to restrict effectively. The EU AI Act mandates AI asset inventories, emphasizing the need for organizations to maintain visibility into both sanctioned and unsanctioned AI use. Different AI tools present varied risks, including potential exposure of proprietary data and sensitive information to jurisdictions with lax data protections. Harmonic Security offers solutions for continuous monitoring of Shadow AI, enabling organizations to apply policies based on data sensitivity and employee roles. Effective AI governance requires a proactive approach to discovery, ensuring regulatory compliance and safeguarding data while enhancing employee productivity. | Details |
| 2025-09-02 10:40:49 | thehackernews | CYBERCRIME | Ukrainian Network FDN3 Engages in Large-Scale Brute-Force Campaigns | Cybersecurity firm Intrinsec reports that Ukrainian network FDN3 launched extensive brute-force and password spraying attacks targeting SSL VPN and RDP devices in mid-2025. The attacks are linked to a network infrastructure involving two other Ukrainian networks and a Seychelles-based system, all associated with abusive activities since 2021. FDN3's IPv4 prefixes, previously used by Russian and U.S. networks, facilitated the attacks, reaching peak activity between July 6 and 8, 2025. These tactics are commonly employed by ransomware groups such as Black Basta and RansomHub to gain initial access to corporate networks. The network's operations are supported by bulletproof hosting services, often using shell companies to obscure ownership and avoid accountability. Investigations reveal connections to Russian company Alex Host LLC, known for hosting malicious infrastructure, further complicating attribution efforts. The case exemplifies how offshore ISPs, such as those in Seychelles, provide anonymity, enabling persistent cybercriminal activities without direct repercussions. Concurrently, Censys identified a proxy management system linked to the PolarEdge botnet, indicating sophisticated infrastructure management capabilities. | Details |
| 2025-09-02 10:06:30 | theregister | NATION STATE ACTIVITY | Huawei's UK Revenue Plummets Amid Western Bans and Restrictions | Huawei's UK revenue fell to £188.2 million in 2024, an 85% drop from 2019, due to Western bans and restrictions. The UK Telecommunications (Security) Act mandates removal of Huawei tech from 5G networks by 2027, impacting local telecom infrastructure. Huawei's UK operations have downsized significantly, now focusing on servicing existing network products and limited consumer tech sales. The company employed 176 people in the UK in 2024, a sharp decline from 885 in 2019, reflecting reduced market presence. Despite UK setbacks, Huawei's global business grew 22% in 2024, with strategic focus on Asia Pacific and non-Western regions. Political decisions to restrict Huawei have delayed 5G deployment and impacted network performance in the UK, affecting economic productivity. Huawei continues to deny allegations of espionage, maintaining its stance against claims of spying for the Chinese government. | Details |