Tag: mandiant
-
Salesloft Drift Breach Traced to GitHub Compromise and Stolen OAuth Tokens
Salesloft Drift breach traced to GitHub compromise and stolen OAuth tokens, Mandiant confirms breach contained and Salesforce data targeted. First seen on hackread.com Jump to article: hackread.com/salesloft-drift-breach-github-compromise-oauth-tokens/
-
CISA orders federal agencies to patch Sitecore zero-day following hacking reports
Tags: cisa, cybersecurity, exploit, hacking, infrastructure, mandiant, update, vulnerability, zero-dayAfter the notices from Sitecore and Mandiant on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its exploited bugs catalog, giving all federal civilian agencies three weeks to patch it. First seen on therecord.media Jump to article: therecord.media/cisa-orders-patch-for-sitecore-zero-day
-
Sitecore zero-day configuration flaw under active exploitation
__VIEWSTATE and can be signed and encrypted with keys, called ValidationKey and DecryptionKey, stored in the application configuration file.If these keys are stolen or leaked, attackers can use them to craft malicious ViewState payloads inside POST requests that the server will then decrypt, validate, and execute by loading them into the memory of its worker…
-
Attackers Exploit Sitecore Zero Day
Mandiant Reveals Critical Flaw Exposes Sitecore Products. Attackers exploited a now-patched zero-day vulnerability in a popular content management system that powers websites for companies including HSBC, L’Oréal, Toyota and United Airlines. Attackers used a cryptography key stored in some deployments to force the system into loading malware. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/attackers-exploit-sitecore-zero-day-a-29365
-
Researchers warn of zero-day vulnerability in SiteCore products
Mandiant said it was able to disarm a ViewState deserialization attack leveraging exposed ASP.NET keys. First seen on cybersecuritydive.com Jump to article: www.cybersecuritydive.com/news/researchers-warn-zero-day-vulnerability-sitecore/759269/
-
CMS Provider Sitecore Patches Exploited Critical Zero Day
Google Cloud’s Mandiant successfully disrupted an active ViewState deserialization attack affecting Sitecore deployments First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/sitecore-patches-exploited/
-
Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data. First seen on hackread.com Jump to article: hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
-
Salesloft Drift breach hits all integrations
Google warns that Salesloft Drift OAuth breach affects all integrations, not just Salesforce. All tokens should be treated as compromised. Google disclosed that the Salesloft Drift OAuth breach is broader than Salesforce, affecting all integrations. GTIG and Mandiant advise all customers to treat connected tokens as compromised. Attackers used stolen OAuth tokens to access some…
-
UNC6395 targets Salesloft in Drift OAuth token theft campaign
Hackers breached Salesloft to steal OAuth/refresh tokens for Drift AI chat; GTIG and Mandiant link the campaign to threat actor UNC6395. Google Threat Intelligence Group and Mandiant researchers investigate a large-scale data theft campaign carried out to hack the sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat…
-
Google Reveals UNC6395’s OAuth Token Theft in Salesforce Breach
A new advisory from Google and Mandiant reveals a widespread data breach in Salesforce. Learn how UNC6395 bypassed… First seen on hackread.com Jump to article: hackread.com/google-unc639s-oauth-token-theft-salesforce-breach/
-
Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data
A widespread data theft campaign has allowed hackers to breach sales automation platform Salesloft to steal OAuth and refresh tokens associated with the Drift artificial intelligence (AI) chat agent.The activity, assessed to be opportunistic in nature, has been attributed to a threat actor tracked by Google Threat Intelligence Group and Mandiant, tracked as UNC6395.”Beginning as…
-
Attackers steal data from Salesforce instances via compromised AI live chat tool
What Salesloft Drift users should do next: The GTIG report and the Salesloft advisories include indicators of compromise such as IP addresses used by the attackers and User-Agent strings for the tools they used to access the data. Mandiant advises companies to also search logs for any activity from known Tor exit nodes in addition…
-
Scattered Spider Hacker Arrests Halt Attacks, But Copycat Threats Sustain Security Pressure
Google Cloud’s Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.”Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn’t observed…
-
Lazarus Subgroup ‘TraderTraitor’ Targets Cloud Platforms and Contaminates Supply Chains
Tags: cloud, cyber, cybersecurity, group, lazarus, mandiant, microsoft, north-korea, supply-chain, threatThe North Korean state-sponsored advanced persistent threat (APT) known as TraderTraitor, a subgroup of the notorious Lazarus Group, has emerged as a formidable actor specializing in digital asset heists. Tracked under aliases such as UNC4899, Jade Sleet, TA444, and Slow Pisces by various cybersecurity firms including Mandiant, Microsoft, Proofpoint, and Unit42, TraderTraitor operates under the…
-
UNC3886 Hackers Target Singapore’s Critical Infrastructure by Exploiting 0-Day Vulnerabilities
Tags: china, cyber, cyberattack, exploit, finance, government, group, hacker, infrastructure, mandiant, service, threat, vulnerability, zero-daySingapore’s critical infrastructure sectors, including energy, water, telecommunications, finance, and government services, are facing an active cyberattack from UNC3886, a sophisticated China-linked advanced persistent threat (APT) group renowned for leveraging zero-day exploits and custom malware. First identified by Mandiant in 2022, UNC3886 has been operational since at least 2021, with confirmed activities exploiting vulnerabilities in…
-
Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
Tags: attack, cybercrime, google, group, infrastructure, mandiant, phone, ransomware, software, tactics, vmwareThe notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks targeting retail, airline, and transportation sectors in North America.”The group’s core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk,” Google’s Mandiant team…
-
China-Based Threat Actor Involved In Microsoft SharePoint Attacks: Mandiant CTO
Among the attackers now actively exploiting vulnerable on-premises Microsoft SharePoint servers, at least one has shown indications of originating from China, according to the assessment of researchers at Google Cloud-owned Mandiant. First seen on crn.com Jump to article: www.crn.com/news/security/2025/china-based-threat-actor-involved-in-microsoft-sharepoint-attacks-mandiant-cto
-
Ransomware actors target patched SonicWall SMA devices with rootkit
Tags: access, attack, backdoor, control, credentials, exploit, flaw, incident response, malware, mandiant, network, password, ransomware, security-incident, startup, vpn, vulnerabilitytemp.db and persist.db, that store sensitive information, including user account credentials, session tokens, and OTP seed values.Although the flaw has been publicly documented and analyzed in detail by researchers as potentially leading to the exposure of admin credentials, GTIG and Mandiant don’t have evidence this is the flaw that was exploited. It is also possible…
-
Wiz Deal Highlights Google’s Multi-Cloud Security Strategy
COO Francis deSouza Explains Google Cloud’s Push for Unified Multi-Cloud Security. COO Francis deSouza shares insights into Google Cloud’s security priorities as it pursues the $32 billion acquisition of Wiz. He explains the need for seamless multi-cloud protection, the value of Mandiant’s threat intelligence, and how AI is changing threat detection and response at scale.…
-
iCounter Debuts With Mission to Defeat AI-Enabled Threats
Startup Raises $30M, Uses Risk Intelligence to Preempt Reconnaissance Attacks. Former FireEye and Mandiant leader John Watters unveils iCounter, a new cyber risk intelligence startup focused on targeted attacks and AI-enabled adversaries. Backed by Syn Ventures, the firm aims to transform threat detection with deeper visibility into attacker reconnaissance. First seen on govinfosecurity.com Jump to…
-
Vulnerable Protection Relays Put Power Grid at Risk
Google’s Mandiant Warns About Remote Attacks Disrupting Grid Stability. Vulnerabilities in networked devices programmed to instantaneously trip power grid substation circuit breakers could be the means hackers use to cause the next blackout, warn researchers. There are systemic patterns across substations, utilities and industrial sites worldwide, Mandiant warned. First seen on govinfosecurity.com Jump to article:…
-
Aviatrix Cloud Controller Flaw Enables Remote Code Execution via Authentication Bypass
Tags: attack, authentication, cloud, cyber, flaw, injection, mandiant, password, RedTeam, remote-code-execution, software, vulnerabilityA Mandiant Red Team engagement has uncovered two critical vulnerabilities in Aviatrix Controller”, cloud networking software used to manage multi-cloud environments. The flaws enable full system compromise through an authentication bypass (CVE-2025-2171) followed by authenticated command injection (CVE-2025-2172). Authentication Bypass (CVE-2025-2171) The attack chain begins with a weak password reset mechanism. Attackers can brute-force 6-digit…
-
Mandiant finds more than 30 fake AI websites spreading malware
First seen on scworld.com Jump to article: www.scworld.com/news/mandiant-finds-more-than-30-fake-ai-websites-spreading-malware
-
Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for… First seen on hackread.com Jump to article: hackread.com/fake-ai-video-tool-ads-facebook-linkedin-infostealers/
-
Threat Actors Weaponize Fake AI-Themed Websites to Deliver Python-based infostealers
Mandiant Threat Defense has uncovered a malicious campaign orchestrated by the threat group UNC6032, which capitalizes on the global fascination with artificial intelligence (AI). Since at least mid-2024, UNC6032 has been deploying fake AI video generator websites to distribute malware, specifically targeting users through deceptive social media ads on platforms like Facebook and LinkedIn. These…
-
Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
Hackers likely based in Vietnam advertised websites offering AI-powered video generation tools, according to Google’s Mandiant unit, and then used the sites to spread infostealers and other malware. First seen on therecord.media Jump to article: therecord.media/malvertising-vietnam-hackers-fake-ai-video-generators