Massive Salesforce Data Theft Orchestrated by ShinyHunters
ShinyHunters, a well-known cybercriminal group, has been identified as the perpetrator behind a recent widespread data breach involving Salesforce infrastructures. This incident has exposed sensitive information and demonstrates escalating threats targeting SaaS platforms with supply chain compromise and advanced access techniques.
Incident Overview and Breach Attribution
Security researchers have traced the attack chain to sophisticated phishing and credential-harvesting tactics employed by ShinyHunters. The group managed to access privileged Salesforce environments, leveraging stolen admin credentials obtained through spearphishing campaigns and pre-existing infostealer logs. Compromised accounts were used to manipulate internal permissions, giving attackers broad access to customer records, internal sales documentation, and payment data.
Attack Methodology
The adversaries demonstrated proficiency in bypassing two-factor authentication by exploiting OAuth token misconfigurations and abusing trusted app integrations within Salesforce. Once inside, they deployed custom scripts to exfiltrate data in API-consumable formats, reducing their visibility in standard logging. Investigators have found evidence of the group’s efforts to remove their traces by altering audit logs and disabling security alerts.
Potential Impact and Risk Analysis
Preliminary assessment reveals exposure of customer personally identifiable information (PII), contract documents, and sales pipelines, significantly impacting enterprise customers relying on Salesforce. The breach may enable follow-on attacks, such as supply chain letter fraud, targeted phishing, and BEC against corporate contacts. ShinyHunters is known to sell large datasets on underground forums, raising the likelihood of significant secondary threats.
Mitigation Efforts and Recommendations
Salesforce administrators are urged to validate OAuth app permissions, apply least-privilege principles, and monitor for anomalous API activity post-compromise. Organizations should conduct a thorough incident review and enforce enhanced MFA policies, especially for high-privilege accounts. Regularly reviewing and disabling legacy integrations can reduce attack surface in similar SaaS platforms.
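The two checks recommended above (connected-app allowlisting and watching for anomalous API volume) can be run against an exported audit log. The following is an added example written for this digest; it is not Salesforce's code, and the event records, field names (TIMESTAMP, USER, CONNECTED_APP, CLIENT_IP, ROWS), app names and IP addresses are all constructed rather than taken from any real EventLogFile schema or from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of API events, as a defender might export them from a
# Salesforce-style audit log. Field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"TIMESTAMP": "2025-08-01T09:00:00", "USER": "alice", "CONNECTED_APP": "Approved Reporting", "CLIENT_IP": "203.0.113.10", "ROWS": 120},
    {"TIMESTAMP": "2025-08-01T09:30:00", "USER": "alice", "CONNECTED_APP": "Approved Reporting", "CLIENT_IP": "203.0.113.10", "ROWS": 80},
    {"TIMESTAMP": "2025-08-01T11:00:00", "USER": "alice", "CONNECTED_APP": "Marketing Sync", "CLIENT_IP": "203.0.113.10", "ROWS": 200},
    # A privileged service account pulling bulk data through an app nobody approved.
    {"TIMESTAMP": "2025-08-01T10:00:00", "USER": "svc-admin", "CONNECTED_APP": "DataPull Helper", "CLIENT_IP": "198.51.100.7", "ROWS": 50000},
    {"TIMESTAMP": "2025-08-01T10:10:00", "USER": "svc-admin", "CONNECTED_APP": "DataPull Helper", "CLIENT_IP": "198.51.100.7", "ROWS": 50000},
    {"TIMESTAMP": "2025-08-01T10:20:00", "USER": "svc-admin", "CONNECTED_APP": "DataPull Helper", "CLIENT_IP": "198.51.100.7", "ROWS": 50000},
    {"TIMESTAMP": "2025-08-01T10:25:00", "USER": "svc-admin", "CONNECTED_APP": "DataPull Helper", "CLIENT_IP": "198.51.100.7", "ROWS": 50000},
]

# Connected apps the organisation has reviewed and approved (constructed).
APPROVED_APPS = {"Approved Reporting", "Marketing Sync"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def unapproved_app_usage(events, approved):
    """Return sorted (user, app, client_ip) triples for API calls that went
    through a connected app outside the approved allowlist."""
    seen = set()
    for event in events:
        if event["CONNECTED_APP"] not in approved:
            seen.add((event["USER"], event["CONNECTED_APP"], event["CLIENT_IP"]))
    return sorted(seen)


def mass_export_users(events, row_threshold, window=timedelta(hours=1)):
    """Return {user: peak_rows} for users whose summed ROWS inside any sliding
    window of the given length exceed row_threshold."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["USER"]].append((parse_ts(event["TIMESTAMP"]), event["ROWS"]))

    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start, total = 0, 0
        for end, (ts, rows) in enumerate(items):
            total += rows
            # Slide the window forward until it spans at most `window`.
            while ts - items[start][0] > window:
                total -= items[start][1]
                start += 1
            if total > row_threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    for finding in unapproved_app_usage(SAMPLE_EVENTS, APPROVED_APPS):
        print("unapproved connected app:", finding)
    for user, rows in mass_export_users(SAMPLE_EVENTS, row_threshold=100_000).items():
        print(f"mass export: {user} pulled {rows} rows within one hour")
```

The row threshold and window are tuning knobs; in practice they should be set from each tenant's own baseline of legitimate integration traffic, and the allowlist should be regenerated from the connected-app review the recommendation calls for rather than maintained by hand.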
SafePay Ransomware Threatens Ingram Micro with 35TB Data Leak
A newly identified ransomware group, SafePay, claims to have exfiltrated 35 terabytes of sensitive data from global IT distributor Ingram Micro. This campaign underscores both the growing data exfiltration capacity of modern ransomware operations and the continued targeting of multinational enterprise supply chains.
Ransomware Operation Tactics
SafePay gained initial access via a vulnerable remote access software instance that had not received the latest patch. After establishing persistence, the group deployed living-off-the-land techniques using native administrative utilities to identify high-value file stores across distributed networks. Notably, the attackers intentionally delayed encryption to silently transfer massive data volumes—including contracts, customer financials, intellectual property, and internal communications—to offshore servers.
Threat to Data Confidentiality and Business Continuity
The threat actors have threatened to publicly leak the stolen data unless a multi-million-dollar ransom is paid, employing staged, time-delayed releases as additional leverage. Consequently, Ingram Micro faces both regulatory risk under data protection legislation and reputational damage should the breach become public record. The attackers appear to be using multilayered extortion strategies, indicative of a mature ransomware-as-a-service (RaaS) operation.
Defensive Recommendations
Enterprises should reassess remote access tool deployments, immediately remediate unpatched instances, monitor outbound data transfer patterns, and implement robust incident response guidelines for exfiltration-centric ransomware. Enhanced segmentation and frequent off-network backups are critical to limiting impact from similar attacks.
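Because the attackers deliberately delayed encryption while moving large volumes out, "monitor outbound data transfer patterns" means comparing each host's egress against its own history rather than against a fixed limit. The following is an added example, not Ingram Micro's or any vendor's code; the hostnames and daily byte counts are constructed, and the 3-sigma rule plus an absolute floor are design choices, not values reported for this incident.

```python
import statistics

# Constructed daily outbound byte counts per host over a 7-day baseline window,
# as a defender might aggregate them from NetFlow or proxy logs.
BASELINE_BYTES_OUT = {
    "fileserver-01": [2.1e9, 1.9e9, 2.4e9, 2.0e9, 2.2e9, 1.8e9, 2.3e9],
    "ws-finance-17": [3.0e8, 2.5e8, 2.8e8, 3.1e8, 2.7e8, 2.9e8, 3.0e8],
    "backup-02":     [5.0e10, 4.8e10, 5.2e10, 4.9e10, 5.1e10, 5.0e10, 4.7e10],
    "ws-hr-03":      [1.0e6, 1.2e6, 0.9e6, 1.1e6, 1.0e6, 1.3e6, 1.1e6],
}

# Constructed counts for the day under review. ws-finance-17 is moving ~96 GB,
# hundreds of times its normal volume; ws-hr-03 is up sharply but only to 50 MB.
TODAY_BYTES_OUT = {
    "fileserver-01": 2.2e9,
    "ws-finance-17": 9.6e10,
    "backup-02": 5.0e10,
    "ws-hr-03": 5.0e7,
}


def flag_outbound_spikes(baseline, today, sigma=3.0, floor_bytes=1e9):
    """Return {host: ratio_to_mean} for hosts whose egress today exceeds
    mean + sigma * stdev of their own baseline.

    The absolute floor stops near-idle hosts from alerting on trivial
    volumes that happen to be many standard deviations above a tiny mean.
    """
    flagged = {}
    for host, history in baseline.items():
        current = today.get(host)
        if current is None or len(history) < 2:
            continue  # no baseline to compare against
        mean = statistics.fmean(history)
        stdev = statistics.pstdev(history)
        threshold = max(mean + sigma * stdev, floor_bytes)
        if current > threshold:
            flagged[host] = current / mean
    return flagged


if __name__ == "__main__":
    for host, ratio in flag_outbound_spikes(BASELINE_BYTES_OUT, TODAY_BYTES_OUT).items():
        print(f"{host}: outbound volume is {ratio:.0f}x its 7-day mean")
```

A backup server that always pushes tens of gigabytes stays quiet under this rule, while a finance workstation suddenly sending a comparable amount does not; keying the aggregation on (host, destination) instead of host alone would additionally surface transfers to never-before-seen external addresses.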
Advances in BIOS-Level Malware: Shade Attack Evades Endpoint Security
Researchers have documented an advanced persistent threat wave using the Shade malware family, which now deploys attacks at the BIOS firmware level. The attack demonstrates that sophisticated actors are increasingly targeting system firmware to achieve persistence and evade conventional endpoint security controls.
Attack Discovery and Technical Mechanisms
The Shade BIOS implant is delivered through carefully crafted phishing emails containing malicious attachments that exploit vulnerabilities in legitimate IT management utilities. Once executed with system privileges, the malware flashes malicious code directly into the system’s BIOS firmware, thus persisting across reboots and operating system reinstalls.
Operational Risks
This technique poses a severe risk, as infected systems can reinfect themselves following any software-level remediation. Shade’s ability to mask its binary payload within legitimate OEM firmware update packages further evades detection by most antivirus and endpoint protection systems. Attackers are leveraging this capability primarily for credential theft, command-and-control, and staging further lateral movement inside enterprise networks.
Mitigation and Detection Strategies
Organizations are advised to update firmware exclusively from trusted sources, monitor for anomalous firmware update activity, and leverage EDR platforms that incorporate firmware integrity checks. Affected users should undertake a full forensic review of impacted systems and may need to perform out-of-band firmware reinstallation or physical replacement of compromised hardware.
Malicious Use of Google Firebase Platform by Spyware Operators
The Catwatchful spyware campaign has been exposed for leveraging Google Firebase as its backend infrastructure, allowing persistent exfiltration of sensitive data from victim Android devices. This case highlights how trusted cloud services can be subverted for coordinated spyware operations and illustrates critical failures in both technical and administrative oversight.
Discovery and Technical Details
Catwatchful masqueraded as a parental monitoring solution but was engineered to covertly access private content on victim devices. The app siphoned messages, photos, and geolocations to Firebase-hosted storage and web portals accessible to operators. A major flaw in Catwatchful’s backend, discovered by security researchers, resulted in a secondary breach—exposing tens of thousands of user credentials and sensitive victim data in plaintext, raising additional concerns about secondary exploitation.
Cloud Abuse and Security Implications
Google’s delayed takedown response has illuminated procedural gaps in preventing abuse of its platforms, especially as covert operators increasingly exploit SaaS infrastructure to evade detection and facilitate large-scale data exfiltration. Furthermore, poor security controls within these spyware ecosystems amplify the risk to both stalkerware users’ privacy and that of their targets. Operators behind such apps often lack basic incident notification protocols, further compounding user risk.
Recommended Countermeasures
Mobile users should scrutinize monitoring apps for hidden surveillance features and review device permissions regularly. Cloud vendors are urged to fortify their abuse detection and incident response automation, while enterprises should examine trusted SaaS integrations for potential misuse as covert attack channels.
Zero-Day Exploits and Ransomware Surge with Non-Traditional Targets
Recent research presented at Black Hat USA has revealed a sharp 46% year-over-year increase in zero-day exploit campaigns during the first half of 2025, with Microsoft and Google products most frequently targeted. Ransomware attacks have also escalated, with operational focus shifting toward unconventional device types, exposing new risks across corporate environments.
Vulnerability Trends Among Global Organizations
Zero-day attacks surged amid a landscape of increasingly sophisticated threat actors. Approximately 40% of tracked adversaries are state-affiliated, led by groups motivated by nation-state interests. Product vulnerabilities in widely adopted enterprise software have enabled successful campaigns, often outpacing patch cycles and traditional security solutions.
Emerging Target Profiles for Ransomware
Unconventional endpoints—such as IP cameras and BSD-based servers—are now routinely attacked, with adversaries exploiting weak network segmentation and lateral movement capabilities to maximize impact. This expansion in the threat surface allows ransomware groups to bypass traditional endpoint defenses, sometimes exploiting device firmware vulnerabilities or abusing core services like DNS to facilitate persistent access and exfiltration.
Strategic Mitigation Steps
Security teams are encouraged to prioritize comprehensive vulnerability management, adopt identity-aware segmentation, and enhance monitoring to include all connected assets, including OT and non-IT endpoints. Strong patch hygiene and continuous network behavior analytics are paramount to detect and contain emerging threats that exploit zero-day vulnerabilities and unconventional devices.
Chaos Ransomware Allegedly Operated by Former BlackSuit Members
The debut of “Chaos” ransomware-as-a-service (RaaS) has caught incident responders’ attention, as its core membership is believed to consist of ex-BlackSuit gang members. This development signals threat actor adaptation following law enforcement disruptions, and the group’s rapid operational growth highlights the commoditization and evolving methodologies of modern ransomware operations.
Campaign Characteristics and Technical Details
Chaos actors have adopted a tiered social engineering model—initial attacks feature mass spam campaigns, followed by targeted voice phishing to acquire credentials and deploy remote management tools stealthily. After achieving persistent access, attackers use legitimate file-sharing platforms to extract data, making tracing more elusive. The campaign’s focus includes Windows, Linux, NAS, and ESXi systems, reflecting a cross-platform capability shift.
Extortion Framework and Post-Incident Services
Victims are offered a so-called “penetration overview” that documents the main attack kill chain and proposes defensive recommendations in exchange for payment, blurring the lines between extortion and pseudo-consultative practices. Primary targets have been U.S.-based enterprises with both localized and networked resources compromised, indicating a broad targeting scope.
Posture Improvement Recommendations
Enterprises should enhance anti-phishing controls, restrict RMM tool usage, and closely monitor internal data movement to counter such multi-stage extortion models. User awareness campaigns and penetration testing may preempt some attack vectors common to this new breed of ransomware operators.
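Restricting RMM tool usage is most effective when paired with a detection that flags any remote management agent outside the organisation's approved set, and especially one launched from a user-writable directory, which is how a tool dropped during a voice-phishing call typically runs. The following is an added example written for this digest, not code from any vendor or from the Chaos investigation; the process-creation log lines, hostnames and users are constructed, and the executable basenames in the catalog are assumptions used for illustration rather than an authoritative list.

```python
import re
from pathlib import PureWindowsPath

# Executable basename (lowercase) -> RMM product family. Constructed catalog;
# a real deployment would maintain this from vendor documentation.
RMM_CATALOG = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "teamviewer.exe": "TeamViewer",
}

# The one family this (constructed) organisation has sanctioned.
APPROVED_FAMILIES = {"ScreenConnect"}

# Path fragments that indicate a per-user install rather than an admin-deployed one.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed process-creation events in a simple key="value" format.
SAMPLE_LINES = [
    r'ts=2025-08-03T14:02:11 host=ws-042 user=jdoe image="C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe" parent=services.exe',
    r'ts=2025-08-03T14:05:40 host=ws-017 user=mbrown image="C:\Users\mbrown\AppData\Roaming\AnyDesk\AnyDesk.exe" parent=explorer.exe',
    r'ts=2025-08-03T14:07:02 host=srv-fin-01 user=svc_backup image="C:\Program Files\TeamViewer\TeamViewer.exe" parent=services.exe',
    r'ts=2025-08-03T14:09:55 host=ws-099 user=asmith image="C:\Windows\System32\notepad.exe" parent=explorer.exe',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse key=value pairs; quoted values may contain spaces and parentheses."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def flag_rmm(lines, catalog=RMM_CATALOG, approved=APPROVED_FAMILIES):
    """Return (host, user, family, reasons) for each RMM launch that is either
    not an approved family or started from a user-writable location."""
    findings = []
    for line in lines:
        event = parse_event(line)
        image = event.get("image", "")
        family = catalog.get(PureWindowsPath(image).name.lower())
        if family is None:
            continue  # not a known RMM binary
        reasons = []
        if family not in approved:
            reasons.append("unapproved RMM family")
        if any(fragment in image.lower() for fragment in USER_WRITABLE):
            reasons.append("launched from user-writable path")
        if reasons:
            findings.append((event["host"], event["user"], family, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, user, family, reasons in flag_rmm(SAMPLE_LINES):
        print(f"{host} {user}: {family} ({reasons})")
```

The approved ScreenConnect agent running from Program Files produces nothing, while the AnyDesk copy under a user's AppData folder is flagged on both counts. Matching on basename alone is a deliberate simplification; production rules usually add binary signer or hash checks, since an attacker can rename an executable.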