Tag: mandiant
-
China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware
China-backed UNC5221 targets US legal and tech firms by deploying BRICKSTORM malware on neglected VMware and Linux/BSD appliances, Google’s Mandiant reports. First seen on hackread.com Jump to article: hackread.com/china-hackers-hit-us-tech-firms-brickstorm-malware/
-
BRICKSTORM Backdoor Hits Tech and Legal Firms with Stealthy New Campaign
Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations. Tracked by Google Threat Intelligence Group (GTIG) and investigated by Mandiant Consulting, BRICKSTORM campaigns have maintained undetected access for an average of 393 days, targeting legal services firms, SaaS providers, BPOs, and technology companies to harvest…
-
BRICKSTORM Backdoor Hits Tech and Legal Firms with Stealthy New Campaign
Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations. Tracked by Google Threat Intelligence Group (GTIG) and investigated by Mandiant Consulting, BRICKSTORM campaigns have maintained undetected access for an average of 393 days, targeting legal services firms, SaaS providers, BPOs, and technology companies to harvest…
-
Scattered Spider’s ‘retirement’ announcement: genuine exit or elaborate smokescreen?
Tags: ai, breach, crowdstrike, cybersecurity, data, data-breach, disinformation, google, group, hacking, infrastructure, international, law, mandiant, password, ransomware, tactics, threatLaw enforcement pressure: real but limited impact: The letter explicitly acknowledged the mounting international pressure that supposedly drove their decision.”We want to share a thought for the eight people that have been raided or arrested in relations to these campaigns, Scattered Spider and/or ShinyHunters groups since beginning on April 2024 and thereafter 2025, and especially…
-
Scattered Spider’s ‘retirement’ announcement: genuine exit or elaborate smokescreen?
Tags: ai, breach, crowdstrike, cybersecurity, data, data-breach, disinformation, google, group, hacking, infrastructure, international, law, mandiant, password, ransomware, tactics, threatLaw enforcement pressure: real but limited impact: The letter explicitly acknowledged the mounting international pressure that supposedly drove their decision.”We want to share a thought for the eight people that have been raided or arrested in relations to these campaigns, Scattered Spider and/or ShinyHunters groups since beginning on April 2024 and thereafter 2025, and especially…
-
GitHub Breach Exposed 700+ Companies in Months-Long Attack
Cybersecurity investigators say a massive supply-chain attack affecting over 700 companies began with a seemingly minor GitHub breach earlier this year. Salesloft first disclosed a security issue in the Drift application on Aug. 21, then shared more details about malicious OAuth token abuse five days later. According to an investigation by Mandiant, which is aiding…
-
Salesloft platform integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft platform integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft platform integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft Drift integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft Drift integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by…
-
Salesloft Drift integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft Drift integration restored after probe reveals months-long GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft Drift integration restored after probe reveals months-long GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens
Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted. First seen on hackread.com Jump to article: hackread.com/salesloft-drift-breach-github-compromise-oauth-tokens/
-
CISA orders federal agencies to patch Sitecore zero-day following hacking reports
Tags: cisa, cybersecurity, exploit, hacking, infrastructure, mandiant, update, vulnerability, zero-dayAfter the notices from Sitecore and Mandiant on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its exploited bugs catalog, giving all federal civilian agencies three weeks to patch it. First seen on therecord.media Jump to article: therecord.media/cisa-orders-patch-for-sitecore-zero-day
-
Sitecore zero-day configuration flaw under active exploitation
__VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, stored in the application configuration file.If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker…
-
Attackers Exploit Sitecore Zero Day
Mandiant Reveals Critical Flaw Exposes Sitecore Products. Attackers exploited a now-patched zero-day vulnerability in a popular content management system that powers websites for companies including HSBC, L’Oréal, Toyota and United Airlines. Attackers used a cryptography key stored in some deployments to force the system into loading malware. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/attackers-exploit-sitecore-zero-day-a-29365
-
Researchers warn of zero-day vulnerability in SiteCore products
Mandiant said it was able to disarm a ViewState deserialization attack leveraging exposed ASP.NET keys. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/researchers-warn-zero-day-vulnerability-sitecore/759269/
-
CMS Provider Sitecore Patches Exploited Critical Zero Day
Google Cloud’s Mandiant successfully disrupted an active ViewState deserialization attack affecting Sitecore deployments First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/sitecore-patches-exploited/
-
Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data. First seen on hackread.com Jump to article: hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
-
Salesloft Drift breach hits all integrations
Google warns that Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised. Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used stolen OAuth tokens to access some…
-
UNC6395 targets Salesloft in Drift OAuth token theft campaign
Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395. Google Threat Intelligence Group and Mandiant researchers investigate a large-scale data theft campaign carried out to hack the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat…
-
Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach
A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed… First seen on hackread.com Jump to article: hackread.com/google-unc639s-oauth-token-theft-salesforce-breach/
-
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group and Mandiant, tracked as UNC6395.”Beginning as…
-
Attackers steal data from Salesforce instances via compromised AI live chat tool
What Salesloft Drift users should do next: The GTIG report and the Salesloft advisories include indicators of compromise such as IP addresses used by the attackers and User-Agent strings for the tools they used to access the data. Mandiant advises companies to also search logs for any activity from known Tor exit nodes in addition…
-
Scattered Spider Hacker Arrests Halt Attacks, But Copycat Threats Sustain Security Pressure
Google Cloud’s Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.”Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn’t observed…
-
Lazarus Subgroup ‘TraderTraitor’ Targets Cloud Platforms and Contaminates Supply Chains
Tags: cloud, cyber, cybersecurity, group, lazarus, mandiant, microsoft, north-korea, supply-chain, threatThe North Korean state-sponsored advanced persistent threat (APT) known as TraderTraitor, a subgroup of the notorious Lazarus Group, has emerged as a formidable actor specializing in digital asset heists. Tracked under aliases such as UNC4899, Jade Sleet, TA444, and Slow Pisces by various cybersecurity firms including Mandiant, Microsoft, Proofpoint, and Unit42, TraderTraitor operates under the…