SparTech Software CyberPulse – Your quick strike cyber update for August 7, 2025 5:02 AM

ShinyHunters Behind Major Salesforce Data Theft

In August 2025, cybersecurity researchers uncovered a significant data breach orchestrated by the threat actor group ShinyHunters, who successfully exfiltrated a substantial cache of user data from Salesforce. This incident demonstrates the evolving sophistication of threat actors in targeting high-profile SaaS platforms and the increasing pressure on cloud providers to enhance internal security measures while customers remain concerned about third-party risk.

Technical Details of the Attack

The ShinyHunters exploit is reported to have leveraged a combination of credential stuffing and OAuth abuse, taking advantage of enterprises with inadequate multi-factor authentication enforcement. Attackers targeted Salesforce user credentials gathered from recent data dumps and used automated tools to bypass IP restrictions. Once they established access, attackers utilized Salesforce’s rich administrative APIs to enumerate available objects, exfiltrate sensitive CRM records, and create unauthorized connected app integrations, sustaining persistent access even after initial credential resets.

Impact and Mitigation

The breached data includes customer contact information, sales histories, and in some cases, internal notes. Early estimates suggest the disclosure affects more than 80,000 business entities worldwide. In response, Salesforce has issued emergency guidance urging tenants to audit recent connected app authorizations, enable multi-factor authentication tenant-wide, and monitor for anomalous API usage patterns. Security teams are also advised to employ threat detection rules that flag suspicious admin activity, particularly from new IP ranges and unusual API clients.
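To make the last recommendation concrete, the following is an added example (not Salesforce's own tooling or anything from the original item) of the kind of rule a SOC could run over tenant login and API events: it flags administrator activity from IP ranges outside a known baseline, API calls from connected app client IDs that have not been reviewed, newly created connected apps, and unusually broad object enumeration. The event field names, the baseline ranges, the approved client IDs and the sample events are all constructed assumptions; a real deployment would map them to the tenant's actual event-log schema and allowlists.

```python
"""Flag suspicious Salesforce-style admin and API activity.

Added illustration for the CyberPulse item above; field names, baseline
IP ranges, approved client IDs and all events below are constructed
assumptions, not real Salesforce log data or Salesforce tooling.
"""
import ipaddress

# Constructed baseline: users with admin rights, the ranges admins normally
# log in from, the connected-app client IDs that have been reviewed, and a
# threshold above which one API session looks like object enumeration.
ADMIN_USERS = {"admin@example.com"}
KNOWN_ADMIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_CLIENTS = {"Browser", "app-crm-sync", "app-bi-export"}
ENUMERATION_THRESHOLD = 50  # distinct objects touched in one session (assumed)

# Constructed sample events modelled loosely on login/API audit records.
EVENTS = [
    {"user": "admin@example.com", "ip": "203.0.113.10", "event": "Login",
     "client": "Browser"},
    {"user": "admin@example.com", "ip": "192.0.2.77", "event": "Login",
     "client": "Browser"},
    {"user": "admin@example.com", "ip": "192.0.2.77", "event": "ApiQuery",
     "client": "app-unknown-42", "objects": 140},
    {"user": "sales@example.com", "ip": "203.0.113.55", "event": "ApiQuery",
     "client": "app-crm-sync", "objects": 3},
    {"user": "admin@example.com", "ip": "192.0.2.77",
     "event": "ConnectedAppCreated", "client": "app-unknown-42"},
]


def ip_in_known_ranges(ip, ranges=KNOWN_ADMIN_RANGES):
    """True if the address falls inside any baseline range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def check_event(event, admins=ADMIN_USERS, ranges=KNOWN_ADMIN_RANGES,
                approved=APPROVED_CLIENTS, threshold=ENUMERATION_THRESHOLD):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event["user"] in admins and not ip_in_known_ranges(event["ip"], ranges):
        reasons.append("admin activity from IP outside known ranges")
    if event["client"] not in approved:
        reasons.append("API client not in approved connected-app list")
    if event["event"] == "ConnectedAppCreated":
        # New integrations are how persistence survived credential resets,
        # so every creation is surfaced for review regardless of source IP.
        reasons.append("new connected app authorization (review required)")
    if event["event"] == "ApiQuery" and event.get("objects", 0) >= threshold:
        reasons.append("broad object enumeration in one session")
    return reasons


def find_suspicious(events):
    """Return [(event_index, reasons)] for every event with at least one hit."""
    findings = []
    for i, e in enumerate(events):
        reasons = check_event(e)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, why in find_suspicious(EVENTS):
        print(f"event {idx} ({EVENTS[idx]['event']}): {'; '.join(why)}")
```

In the constructed sample, the first admin login and the ordinary sales query pass, while the login from the unknown range, the 140-object query through an unreviewed client, and the connected-app creation are all surfaced, which is the shape of alert the guidance above is asking for.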

SafePay Ransomware Threatens Data Leak from Ingram Micro

The SafePay ransomware group has launched an extortion campaign targeting Ingram Micro, one of the world’s largest IT distributors, threatening to leak 35TB of exfiltrated data if ransom demands are not met. This represents one of the largest publicly reported datasets threatened by a ransomware group to date, increasing concern over the risk of mass data exposure in supply chain networks.

Attack Vector and Tactics

Initial compromise traces back to exploitation of a legacy VPN appliance lacking recent firmware updates. Once inside the Ingram Micro network, SafePay operators deployed a combination of living-off-the-land binaries (LOLBins) and custom ransomware payloads to move laterally and exfiltrate data prior to encryption. The group is leveraging new double extortion tactics, threatening to release confidential client contracts, supply chain vendor lists, and operational documentation on public leak sites.

Defensive Strategies

Incident responders emphasize immediately isolating impacted infrastructure, revoking all VPN credentials, and implementing network segmentation to contain further spread. Affected organizations should also prepare for regulatory inquiries concerning supply-chain data exposure and proactively engage with law enforcement and cyber insurance partners to manage the broader risks associated with large-scale data breaches.

Shade BIOS Attack Defeats Endpoint Security Measures

Researchers have analyzed a new wave of persistent malware dubbed the Shade BIOS attack, which circumvents traditional operating system–level defenses by persisting solely at the system firmware layer. This technique marks a concerning evolution in attacker capabilities, enabling the compromise of endpoint security products and defying conventional malware eradication approaches.

Technical Analysis

The Shade BIOS attack involves implanting a malicious module within the motherboard’s UEFI firmware, executed during system boot before the operating system and endpoint agents are active. This grants attackers a foothold that is resilient to disk formatting, OS reinstallation, and most current antivirus products. The malware features anti-debugging capabilities, updates itself from a remote C2 infrastructure, and can facilitate re-dropping of payloads after remediation attempts.

Detection and Remediation

Forensic analysis requires specialized tooling capable of extracting and verifying UEFI firmware images for known or anomalous code structures. Remediation often entails flashing motherboard firmware with trusted images, a process necessitating IT downtime and potential hardware replacement in critical cases.

Android August 2025 Update: Qualcomm Adreno GPU Vulnerability Patched

The August 2025 Android security patch addresses a critical Adreno GPU vulnerability exploited in the wild throughout June, underscoring a surge in attacks against mobile device hardware drivers. This update is essential for mitigating privilege escalation and remote code execution scenarios on affected Android devices.

Exploit Mechanics and Threat Profile

The vulnerability allowed malicious applications to gain unintended access to system resources by exploiting memory handling errors within the GPU driver stack. Attackers deployed exploit chains via malicious apps distributed outside the Google Play ecosystem, allowing privilege escalation and the loading of additional payloads including credential stealers and spyware modules.

Mitigation Guidance

Android users and enterprise device administrators are advised to install the August 2025 security update immediately. Additional defensive recommendations include restricting sideloading of applications, enabling Google Play Protect, and monitoring for abnormal device performance indicative of local privilege escalation.

Ransomware Spike Linked to Potential SonicWall Zero-Day Vulnerability

Security researchers have observed a significant increase in ransomware attacks attributed to exploitation of a suspected zero-day vulnerability in SonicWall security devices. The Akira ransomware group is believed to be using this flaw to gain a foothold in enterprise networks, raising concerns over widespread exposure among organizations reliant on SonicWall products for perimeter security.

Attack Details and Indicators

The suspected zero-day enables attackers to bypass authentication or escalate privileges within affected SonicWall appliances. Once compromised, threat actors deploy Akira ransomware to encrypt corporate data while also stealing sensitive files for further extortion. The attack chain often involves lateral movement post-compromise, targeting assets that lack comprehensive segmentation from perimeter devices.

Response Recommendations

Organizations are urged to monitor vendor advisories for updates or mitigations for impacted SonicWall models. Security teams should increase perimeter logging, enhance anomaly detection for external device access, and review segmentation in network topologies to reduce the blast radius of any breach involving hardware security appliances.

Ongoing Exploitation of Microsoft SharePoint: New Tactics and Malware Analysis

Active exploitation of multiple Microsoft SharePoint vulnerabilities continues to impact enterprises globally. Recent updates detail evolving threat actor tactics as well as the release of a CISA Malware Analysis Report, highlighting a persistent threat landscape centered on remote code execution and network spoofing vulnerabilities within SharePoint deployments.

Vulnerabilities and Exploitation Patterns

Confirmed active CVEs include CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution). Attackers are deploying new webshell variants enabling ongoing post-exploitation, ransomware deployment, and data theft operations. Techniques are evolving rapidly, with threat actors modifying attack chains, deploying custom malware, and conducting lateral movement after initial intrusion.

Updated Defensive Posture

The latest CISA guidance recommends urgent SharePoint patching, the implementation of advanced EDR solutions, and comprehensive audits of IIS server configurations. Security operation centers should look for indicators such as unauthorized webshell installation, anomalous process executions under IIS worker processes, and suspicious outbound network traffic.
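The three indicators named above translate directly into host-level rules. The block below is an added example, not CISA's or Microsoft's tooling, that runs such rules over a handful of constructed endpoint events: an IIS worker process (w3wp.exe) spawning a shell or LOLBin, a web-executable file written under the web root by the worker, and outbound connections from the worker to hosts outside an allowlist. The web root path, the allowlisted backend address and every event are constructed assumptions; the child-process list is a starting point a team would tune to its own environment (for instance, csc.exe under w3wp.exe is a normal ASP.NET compile and is deliberately left out).

```python
"""Host-level detections for SharePoint/IIS post-exploitation indicators.

Added illustration for the CyberPulse item above. The web root, the
allowlisted backend host and all events are constructed assumptions,
not data from the original report or from any vendor tooling.
"""
import ntpath

IIS_WORKER = "w3wp.exe"
# Children an IIS worker should not normally launch (tune per environment;
# csc.exe is omitted because ASP.NET compiles pages through it legitimately).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                  "certutil.exe", "bitsadmin.exe"}
# Extensions that IIS will execute server-side if dropped under the web root.
WEB_SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp"}
WEB_ROOTS = ["C:\\inetpub\\wwwroot\\"]          # assumed deployment path
ALLOWED_OUTBOUND = {"198.51.100.20"}           # assumed SQL/backend host

# Constructed sample events (process creation, file write, network connect).
EVENTS = [
    {"type": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": "w3wp.exe", "image": "csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths page.cs"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"type": "file", "writer": "w3wp.exe",
     "path": "C:\\inetpub\\wwwroot\\uploads\\uploaded_helper.aspx"},
    {"type": "file", "writer": "w3wp.exe",
     "path": "C:\\inetpub\\wwwroot\\images\\logo.png"},
    {"type": "network", "image": "w3wp.exe", "direction": "outbound",
     "dest": "192.0.2.200", "port": 4444},
    {"type": "network", "image": "w3wp.exe", "direction": "outbound",
     "dest": "198.51.100.20", "port": 1433},
]


def under_web_root(path, roots=WEB_ROOTS):
    """Case-insensitive prefix match against the configured web roots."""
    p = path.lower()
    return any(p.startswith(r.lower()) for r in roots)


def classify(event):
    """Return a reason string if the event matches a rule, else None."""
    kind = event["type"]
    if kind == "process":
        if (event["parent"].lower() == IIS_WORKER
                and event["image"].lower() in SHELL_CHILDREN):
            return "IIS worker spawned shell/LOLBin: " + event["cmdline"]
    elif kind == "file":
        ext = ntpath.splitext(event["path"])[1].lower()
        if (event["writer"].lower() == IIS_WORKER
                and ext in WEB_SCRIPT_EXT and under_web_root(event["path"])):
            return "web-executable file written by IIS worker (possible webshell): " + event["path"]
    elif kind == "network":
        if (event["image"].lower() == IIS_WORKER
                and event["direction"] == "outbound"
                and event["dest"] not in ALLOWED_OUTBOUND):
            return f"unexpected outbound connection from IIS worker to {event['dest']}:{event['port']}"
    return None


def detect(events):
    """Return [(event_index, reason)] for every event that trips a rule."""
    return [(i, r) for i, r in ((i, classify(e)) for i, e in enumerate(events)) if r]


if __name__ == "__main__":
    for idx, reason in detect(EVENTS):
        print(f"[{idx}] {reason}")
```

Run against the constructed events, only the cmd.exe child, the .aspx drop and the connection to the non-allowlisted host are reported; the csc.exe compile, the operator-launched PowerShell, the image write and the database connection are left alone, which keeps the rule set usable on a busy SharePoint farm.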
