
FBI Warns of Hackers Exploiting Salesforce to Steal Corporate Data

 



The Federal Bureau of Investigation (FBI) has issued a pressing security alert regarding two cybercriminal groups that are breaking into corporate Salesforce systems to steal information and demand ransoms. The groups, tracked as UNC6040 and UNC6395, have been carrying out separate but related operations, each using different methods to compromise accounts.

In its official advisory, the FBI explained that attackers are exploiting weaknesses in how companies connect third-party tools to Salesforce. To help organizations defend themselves, the agency released a list of warning signs, including suspicious internet addresses, user activity patterns, and malicious websites linked to the breaches.


How the Attacks Took Place

The first campaign, attributed to UNC6040, came to light in mid-2024. According to threat intelligence researchers, the attackers relied on social engineering, particularly through fraudulent phone calls to employees. In these calls, criminals pretended to be IT support staff and convinced workers to link fake Salesforce apps to company accounts. One such application was disguised under the name “My Ticket Portal.” Once connected, the attackers gained access to sensitive databases and downloaded large amounts of customer-related records, especially tables containing account and contact details. The stolen data was later used in extortion schemes by criminal groups.

A newer wave of incidents, tied to UNC6395, was detected a few months later. This group relied on stolen digital tokens from tools such as Salesloft Drift, which normally allow companies to integrate external platforms with Salesforce. With these tokens, the hackers were able to enter Salesforce systems and search through customer support case files. These cases often contained confidential information, including cloud service credentials, passwords, and access keys. Possessing such details gave the attackers the ability to break into additional company systems and steal more data.

Investigations revealed that the compromise of these tokens originated months earlier, when attackers infiltrated the software provider’s code repositories. From there, they stole authentication tokens and expanded their reach, showing how one breach in the supply chain can spread to many organizations.


The Scale of the Campaign

The campaigns have had far-reaching consequences, affecting a wide range of businesses across different industries. In response, the software vendors involved worked with Salesforce to disable the stolen tokens and forced customers to reauthenticate. Despite these steps, the stolen data and credentials may still pose long-term risks if reused elsewhere.

According to industry reports, the campaigns are believed to have impacted a number of well-known organizations across sectors, including technology firms such as Cloudflare, Zscaler, Tenable, and Palo Alto Networks, as well as companies in finance, retail, and enterprise software. Although the FBI has not officially attributed the intrusions, external researchers have linked the activity to criminal collectives with ties to groups known as ShinyHunters, Lapsus$, and Scattered Spider.


FBI Recommendations

The FBI is urging organizations to take immediate action by reviewing connected third-party applications, monitoring login activity, and rotating any keys or tokens that may have been exposed. Security teams are encouraged to rely on the technical indicators shared in the advisory to detect and block malicious activity.
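To make those recommendations concrete, here is an added example (not code from the advisory, Salesforce, or any vendor) that triages constructed connected-app and login records: it lists unapproved third-party apps, flags logins from an indicator list and bulk reads of customer or support-case tables, and names the users whose tokens should be rotated. The record shape, IP addresses and thresholds are assumptions.

```python
"""Triage of connected-app and login records along the lines of the
advisory's guidance: review third-party apps, monitor login activity,
and spot bulk pulls of Account/Contact data and support Cases.
All records are CONSTRUCTED sample data in a simplified shape, not
real Salesforce API output; the IPs are documentation-range placeholders
standing in for an indicator list, not the advisory's actual IoCs."""

# Constructed: third-party apps currently authorized in the org.
CONNECTED_APPS = [
    {"name": "Salesloft Drift", "approved": True},
    {"name": "My Ticket Portal", "approved": False},  # app name used by UNC6040
]

# Constructed query/login events: user, source IP, object read, row count.
EVENTS = [
    {"user": "alice", "ip": "198.51.100.7", "object": "Account", "rows": 120},
    {"user": "svc-drift", "ip": "203.0.113.44", "object": "Case", "rows": 50_000},
    {"user": "bob", "ip": "192.0.2.9", "object": "Contact", "rows": 250_000},
]

# Constructed placeholder for the advisory's indicator IPs (not real IoCs).
INDICATOR_IPS = {"203.0.113.44"}

# Objects the campaigns went after: customer tables and credential-laden Cases.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case"}


def unapproved_apps(apps):
    """Connected apps that nobody in IT or security signed off on."""
    return [a["name"] for a in apps if not a["approved"]]


def flag_events(events, indicator_ips, bulk_threshold=100_000):
    """(user, reason) pairs for logins from indicator IPs and bulk reads."""
    flags = []
    for e in events:
        if e["ip"] in indicator_ips:
            flags.append((e["user"], f"login from indicator IP {e['ip']}"))
        if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= bulk_threshold:
            flags.append((e["user"], f"bulk read of {e['rows']} {e['object']} rows"))
    return flags


def tokens_to_rotate(flags):
    """Users or integrations whose keys and tokens should be rotated now."""
    return {user for user, _ in flags}
```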

Although the identity of the hackers remains uncertain, the scale of the attacks highlights how valuable cloud-based platforms like Salesforce have become for criminals. The FBI has not confirmed the groups’ claims about further breaches and has declined to comment on ongoing investigations.

For businesses, the message is clear: protecting cloud environments requires not only technical defenses but also vigilance against social engineering tactics that exploit human trust.



How Generative AI Is Accelerating the Rise of Shadow IT and Cybersecurity Gaps

 

The emergence of generative AI tools in the workplace has reignited concerns about shadow IT—technology solutions adopted by employees without the knowledge or approval of the IT department. While shadow IT has always posed security challenges, the rapid proliferation of AI tools is intensifying the issue, creating new cybersecurity risks for organizations already struggling with visibility and control. 

Employees now have access to a range of AI-powered tools that can streamline daily tasks, from summarizing text to generating code. However, many of these applications operate outside approved systems and can send sensitive corporate data to third-party cloud environments. This introduces serious privacy concerns and increases the risk of data leakage. Unlike legacy software, generative AI solutions can be downloaded and used with minimal friction, making them harder for IT teams to detect and manage. 

The 2025 State of Cybersecurity Report by Ivanti reveals a critical gap between awareness and preparedness. More than half of IT and security leaders acknowledge the threat posed by software and API vulnerabilities. Yet only about one-third feel fully equipped to deal with these risks. The disparity highlights the disconnect between theory and practice, especially as data visibility becomes increasingly fragmented. 

A significant portion of this problem stems from the lack of integrated data systems. Nearly half of organizations admit they do not have enough insight into the software operating on their networks, hindering informed decision-making. When IT and security departments work in isolation—something 55% of organizations still report—it opens the door for unmonitored tools to slip through unnoticed. 

Generative AI has only added to the complexity. Because these tools operate quickly and independently, they can infiltrate enterprise environments before any formal review process occurs. The result is a patchwork of unverified software that can compromise an organization’s overall security posture. 

Rather than attempting to ban shadow IT altogether—a move unlikely to succeed—companies should focus on improving data visibility and fostering collaboration between departments. Unified platforms that connect IT and security functions are essential. With a shared understanding of tools in use, teams can assess risks and apply controls without stifling innovation. 

Creating a culture of transparency is equally important. Employees should feel comfortable voicing their tech needs instead of finding workarounds. Training programs can help users understand the risks of generative AI and encourage safer choices. 

Ultimately, AI is not the root of the problem—lack of oversight is. As the workplace becomes more AI-driven, addressing shadow IT with strategic visibility and collaboration will be critical to building a strong, future-ready defense.

Securing Corporate Data: The Crucial Role of Third-Party Access Audits

 


An organization's data and systems can be compromised through seemingly benign entities: third-party contractors, vendors, and outsourced service providers. These external entities need access to sensitive data and systems to do their work, but when those access rights are poorly managed the result is often a data breach or another security incident.

According to a SecurityScorecard study (via Security magazine) published in February 2024, third parties pose a continuing security risk to organizations. The report found that 98% of companies have had a third party compromised, and that 29% of all breaches were attributed to third-party attacks. Organizations should therefore implement efficient and effective third-party risk management strategies to safeguard their assets from external threats.

Auditing the access rights of external vendors and contractors serves an organization's security, compliance, and operational concerns at once. Beyond protecting data confidentiality, integrity, and availability, it performs several other important functions. Stronger security posture: audits ensure that only authorized third parties can reach sensitive systems, and monitoring their activity for abnormal behaviour lets security incidents be caught before they spread. Compliance: control over data access is a requirement of several compliance standards across regulated industries.

By conducting regular third-party access audits, companies can demonstrate compliance with regulations such as GDPR, HIPAA, and SOX, document who has access to what, and avoid legal and financial repercussions. Operational continuity: organizations need to enforce access controls that match the roles of third parties, preventing unauthorized changes or disruptions that could hurt operations and the integrity of critical systems.

Financial protection: third-party access auditing reduces the risk of security breaches and privacy incidents, which can bring significant remediation costs, legal fees, and fines. By proactively managing and auditing third-party access, organizations protect not only their data but also their financial health. Reputation and trust: regular audits demonstrate a commitment to data security, strengthen stakeholder trust, and help prevent the breaches that would erode customer trust and damage the organization's reputation, fostering long-term customer relationships.

Because third-party access carries risk, organizations need to manage and audit these permissions continuously. The following five steps describe how to audit third-party access effectively. Step 1, identify and catalogue third-party accounts: vendor accounts may live in the enterprise resource planning (ERP) system, while contractor accounts may live in project management tools. List every such account, describe its access level, and record which data or systems it can interact with.

Step 2, verify that the scope of access is necessary: review the third party's roles and responsibilities against the access it holds. Third parties should be granted no more access than they need to fulfil their contractual obligations, following the principle of least privilege. Step 3, understand how third-party entities manage their own employee lifecycles: ask them specifically how they create, modify, and terminate access rights. An audit trail is imperative, because a failure to deactivate an ex-employee's access could result in unauthorized access and a security breach.

Step 4, establish regular audits: implement a system that audits third-party access on a schedule, such as an identity governance and administration platform. This means logging all access events and reviewing those logs for unauthorized or abnormal patterns. Set the audit frequency according to the sensitivity of the information being accessed and the third party's history. Step 5, integrate the third-party access policy into the organization's overall security policy.

For a firm's security policy to function effectively, third-party access controls and auditing need to be a standard part of it, so that any access granted to third parties is subject to the same security measures and scrutiny as access granted to internal users. Red flags in third-party access: organizations must watch for warning signs that third-party access rights are being misused or mismanaged. Shared or generic logins: third parties should not use generic email accounts or shared log-ins.

A generic address or shared login lets several people act under one account, making it hard to attribute actions to specific users. Unusual activity: data access at unusual hours, unexpected data access, or too many login attempts can all indicate that a third party's account has been compromised. Missing offboarding processes: make sure processes exist not only for granting new third-party access but also for removing it effectively when the contract expires or changes.
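As an added example (not part of the original article), the audit steps and red flags above applied to a constructed account catalogue and access log: it checks each account's scope against its role, catches accounts that outlived their contract, and surfaces shared logins, off-hours access and failed-login bursts. The roles, account ids, scopes, business hours and thresholds are all assumptions.

```python
"""Third-party access audit over a constructed account catalogue and
access log: catalogue accounts, check scope against role (least
privilege), verify offboarding, and watch for the red flags.
All roles, accounts and log entries are CONSTRUCTED sample data."""
from collections import Counter
from datetime import date, datetime

# Constructed: the scopes each third-party role legitimately needs.
ROLE_SCOPES = {
    "erp-vendor-support": {"erp:read"},
    "pm-contractor": {"projects:read", "projects:write"},
}

# Constructed catalogue of third-party accounts (step 1 of the audit).
ACCOUNTS = [
    {"id": "vendor-erp-01", "role": "erp-vendor-support", "shared": False,
     "scopes": {"erp:read", "erp:admin"}, "contract_end": date(2025, 12, 31)},
    {"id": "support@contractor.example", "role": "pm-contractor", "shared": True,
     "scopes": {"projects:read"}, "contract_end": date(2024, 6, 30)},
]

# Constructed access log: (account id, timestamp, login succeeded).
ACCESS_LOG = [
    ("vendor-erp-01", datetime(2025, 3, 3, 2, 15), True),
    ("vendor-erp-01", datetime(2025, 3, 3, 10, 0), True),
] + [("support@contractor.example", datetime(2025, 3, 4, 9, 0), False)] * 6


def audit_accounts(accounts, today):
    """Per-account findings: excess scope, expired contract, shared login."""
    findings = []
    for a in accounts:
        extra = a["scopes"] - ROLE_SCOPES[a["role"]]  # beyond least privilege
        if extra:
            findings.append((a["id"], f"scope beyond role: {sorted(extra)}"))
        if a["contract_end"] < today:  # offboarding never happened
            findings.append((a["id"], "contract ended but account still active"))
        if a["shared"]:
            findings.append((a["id"], "shared login, actions not attributable"))
    return findings


def audit_log(log, business_hours=(8, 18), failed_threshold=5):
    """Red flags from access events: off-hours logins and failed-login bursts."""
    findings = []
    for acct, ts, ok in log:
        if ok and not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append((acct, f"access at {ts:%H:%M}, outside business hours"))
    for acct, n in Counter(a for a, _, ok in log if not ok).items():
        if n >= failed_threshold:
            findings.append((acct, f"{n} failed logins"))
    return findings
```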

Third-party access poses a significant risk that is often overlooked until it leads to a breach. Robust auditing practices let organizations manage that risk properly. This is not just about protecting sensitive data: it is also about maintaining the integrity of the IT environment and the trust of customers and stakeholders. Managing third-party access is imperative for businesses today, as both a security measure and a business requirement.