Tag: mandiant
-
Clop-linked crims shake down Oracle execs with data theft claims
Extortion emails name-drop Big Red’s E-Business Suite, though Google and Mandiant yet to find proof of any breach First seen on theregister.com Jump to article: www.theregister.com/2025/10/02/clop_oracle_extortion/
-
Google Mandiant Probes New Oracle Extortion Wave Possibly Linked to Cl0p Ransomware
Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as Cl0p. The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite. "This activity began…
-
Clop extortion emails claim theft of Oracle E-Business Suite data
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-theft-of-oracle-e-business-suite-data/
-
China-Linked Hackers Hit US Tech Firms with BRICKSTORM Malware
China-backed UNC5221 targets US legal and tech firms by deploying BRICKSTORM malware on neglected VMware and Linux/BSD appliances, Google’s Mandiant reports. First seen on hackread.com Jump to article: hackread.com/china-hackers-hit-us-tech-firms-brickstorm-malware/
-
BRICKSTORM Backdoor Hits Tech and Legal Firms with Stealthy New Campaign
Persistent, stealthy, and cross-platform, the BRICKSTORM backdoor has emerged as a significant threat to U.S. technology and legal organizations. Tracked by Google Threat Intelligence Group (GTIG) and investigated by Mandiant Consulting, BRICKSTORM campaigns have maintained undetected access for an average of 393 days, targeting legal services firms, SaaS providers, BPOs, and technology companies to harvest…
-
Scattered Spider’s ‘retirement’ announcement: genuine exit or elaborate smokescreen?
Tags: ai, breach, crowdstrike, cybersecurity, data, data-breach, disinformation, google, group, hacking, infrastructure, international, law, mandiant, password, ransomware, tactics, threat
Law enforcement pressure: real but limited impact. The letter explicitly acknowledged the mounting international pressure that supposedly drove their decision. "We want to share a thought for the eight people that have been raided or arrested in relation to these campaigns, Scattered Spider and/or ShinyHunters groups since beginning on April 2024 and thereafter 2025, and especially…
-
GitHub Breach Exposed 700+ Companies in Months-Long Attack
Cybersecurity investigators say a massive supply-chain attack affecting over 700 companies began with a seemingly minor GitHub breach earlier this year. Salesloft first disclosed a security issue in the Drift application on Aug. 21, then shared more details about malicious OAuth token abuse five days later. According to an investigation by Mandiant, which is aiding…
-
Salesloft platform integration restored after probe reveals monthslong GitHub account compromise
An investigation by Mandiant found the attack began months ago, leading to a major supply chain attack. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/salesloft-drift-restored-probe-github/759506/
-
GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by…
-
Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens
Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted. First seen on hackread.com Jump to article: hackread.com/salesloft-drift-breach-github-compromise-oauth-tokens/
-
CISA orders federal agencies to patch Sitecore zero-day following hacking reports
Tags: cisa, cybersecurity, exploit, hacking, infrastructure, mandiant, update, vulnerability, zero-day
After the notices from Sitecore and Mandiant on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its exploited bugs catalog, giving all federal civilian agencies three weeks to patch it. First seen on therecord.media Jump to article: therecord.media/cisa-orders-patch-for-sitecore-zero-day
-
Sitecore zero-day configuration flaw under active exploitation
__VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, stored in the application configuration file. If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker…
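The ViewState protection described above is only as strong as the secrecy of the machineKey, so the first check on an ASP.NET or Sitecore host is whether ValidationKey and DecryptionKey are hard-coded in web.config, and whether the MAC is still enforced. The audit script below is an added example written for this page, not code from Mandiant, Sitecore or any of the linked articles. Both web.config fragments are constructed, and the key strings in them are placeholders, not real keys from any deployment.

```python
"""Audit an ASP.NET web.config for machineKey settings that turn a leaked
ValidationKey/DecryptionKey into a ViewState deserialization primitive.

Added example for this page, not code from Mandiant, Sitecore or any linked
article. Both config fragments below are constructed; the key strings are
placeholders, not real keys from any deployment.
"""
import xml.etree.ElementTree as ET

# Constructed: a deployment shipping a static, copy-pasted machineKey and
# ViewState MAC validation switched off.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

# Constructed: keys generated per machine and per application, never written
# into the file, with HMAC-SHA256 for the ViewState MAC.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1", "3DES"}   # legacy hash or no HMAC at all
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(config_xml)
    findings: list[str] = []

    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                # A literal key in the file is exactly what leaks through
                # repositories, backups, documentation and support bundles.
                findings.append(f"{attr}: static key stored in web.config")
            elif "IsolateApps" not in value:
                findings.append(f"{attr}: AutoGenerate without IsolateApps, "
                                "key is shared by every app on the host")
        if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
            findings.append(f"validation={mk.get('validation')}: "
                            "weak ViewState MAC algorithm")
        if mk.get("decryption", "Auto").upper() in WEAK_DECRYPTION:
            findings.append(f"decryption={mk.get('decryption')}: legacy cipher")

    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not "
                        "integrity-checked at all")
    return findings


def static_key_present(config_xml: str) -> bool:
    """Yes/no form of the audit, suitable for a pre-commit or CI gate."""
    return any("static key" in f for f in audit_machine_key(config_xml))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_machine_key(cfg) or ["no findings"]:
            print("  -", finding)
```

Point it at a real file with `ET.parse(path).getroot()` in place of the inline strings. A static key is not automatically wrong in a web farm, where every node must share the same key for ViewState to round-trip; the check there is that the key was generated uniquely for that deployment rather than copied from a guide or template, is kept out of source control, and can be rotated. Rotating the key after a suspected leak invalidates any payloads an attacker has already signed with the old one.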
-
Attackers Exploit Sitecore Zero Day
Mandiant Reveals Critical Flaw Exposes Sitecore Products. Attackers exploited a now-patched zero-day vulnerability in a popular content management system that powers websites for companies including HSBC, L’Oréal, Toyota and United Airlines. Attackers used a cryptography key stored in some deployments to force the system into loading malware. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/attackers-exploit-sitecore-zero-day-a-29365
-
Researchers warn of zero-day vulnerability in SiteCore products
Mandiant said it was able to disarm a ViewState deserialization attack leveraging exposed ASP.NET keys. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/researchers-warn-zero-day-vulnerability-sitecore/759269/
-
CMS Provider Sitecore Patches Exploited Critical Zero Day
Google Cloud’s Mandiant successfully disrupted an active ViewState deserialization attack affecting Sitecore deployments First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/sitecore-patches-exploited/
-
Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data. First seen on hackread.com Jump to article: hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
-
Salesloft Drift breach hits all integrations
Google warns that Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised. Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used stolen OAuth tokens to access some…
-
UNC6395 targets Salesloft in Drift OAuth token theft campaign
Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395. Google Threat Intelligence Group and Mandiant researchers investigate a large-scale data theft campaign carried out to hack the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat…
-
Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach
A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed… First seen on hackread.com Jump to article: hackread.com/google-unc639s-oauth-token-theft-salesforce-breach/