FBI Issues Warning on Advanced Threat Groups Targeting Salesforce Platforms
In September 2025, the FBI issued an alert regarding two advanced persistent threat (APT) groups, UNC6040 and UNC6395, which have been actively targeting organizations using Salesforce platforms. This campaign constitutes one of the most significant data theft operations of the year, leveraging sophisticated attack vectors aimed at exfiltrating sensitive business and consumer data stored in cloud-based customer relationship management (CRM) solutions.
Technical Attack Vector and Initial Access
The observed attacks begin with targeted spear-phishing aimed at privileged Salesforce administrators. These emails, augmented by generative AI, are remarkably convincing and often include fabricated internal conversation threads to lure victims into revealing credentials or clicking malicious links. Once credentials are compromised, the attackers bypass multi-factor authentication using a combination of session hijacking, token theft, and manipulation of trusted device lists.
Data Exfiltration Tactics
Post-compromise, the APT groups utilize legitimate Salesforce APIs to enumerate large data sets, identifying and extracting customer contact information, proprietary business intelligence, and financial data. The attackers make use of “low and slow” data exfiltration techniques, operating during non-peak hours to evade anomaly-based detection. To further obfuscate their activity, the groups deploy scripts that mimic normal user behavior and rotate IP addresses through residential proxies.
Persistence and Defense Evasion
The adversaries establish persistence by creating hidden API clients and granting them privileges of their own, so that access survives credential resets or role changes on the compromised account. They modify audit logs using available administrative functionality, making incident response and forensic analysis particularly challenging. The attacks exploit the complexity of large Salesforce deployments, where overlapping user roles, legacy integrations, and extensive permissions complicate effective monitoring.
Mitigation and Industry Recommendations
The FBI and industry partners recommend immediate review of administrative privileges, enhanced anomaly detection focused on API usage patterns, and strict limitations on third-party application permissions in Salesforce environments. Regular audits of device and application whitelists, coupled with employee training on AI-driven phishing, are considered essential for reducing overall risk. Organizations are urged to deploy dedicated Data Loss Prevention (DLP) controls for cloud platforms and enforce periodic credential rotation for administrative accounts.
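As an added illustration of the API-usage anomaly detection recommended above (example code written for this digest, not FBI or Salesforce material), the following Python flags users who read large volumes outside business hours or whose requests arrive from several source addresses in one day, the two behaviours described in the exfiltration section. The event records, field names and thresholds are constructed assumptions; a real deployment would read the platform's own event logs and tune the thresholds to its baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Salesforce API activity, loosely modelled on an
# event-monitoring export. Field names and values are assumptions, not a
# real Salesforce schema.
SAMPLE_EVENTS = [
    {"user": "admin1", "ts": "2025-09-03T01:10:00", "op": "Query", "rows": 3000, "ip": "203.0.113.10"},
    {"user": "admin1", "ts": "2025-09-03T02:40:00", "op": "Query", "rows": 4500, "ip": "198.51.100.7"},
    {"user": "admin1", "ts": "2025-09-03T04:05:00", "op": "BulkExport", "rows": 5000, "ip": "192.0.2.33"},
    {"user": "analyst2", "ts": "2025-09-03T09:30:00", "op": "Query", "rows": 800, "ip": "10.0.0.5"},
    {"user": "analyst2", "ts": "2025-09-03T14:15:00", "op": "Query", "rows": 1200, "ip": "10.0.0.5"},
    {"user": "analyst2", "ts": "2025-09-03T23:10:00", "op": "Query", "rows": 200, "ip": "10.0.0.5"},
]

QUIET_START, QUIET_END = 22, 6   # assumed off-hours window, 22:00 to 06:00
ROW_BUDGET = 10_000              # rows a user may read off-hours per day before alerting
IP_LIMIT = 3                     # distinct source IPs per user per day before alerting


def is_off_hours(ts: str) -> bool:
    """True when the ISO-8601 timestamp falls inside the quiet window."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= QUIET_START or hour < QUIET_END


def find_anomalies(events, row_budget=ROW_BUDGET, ip_limit=IP_LIMIT):
    """Aggregate per (user, day); flag off-hours read volume and source-IP churn.

    Both heuristics target slow bulk reads outside business hours and
    source addresses rotating through proxies.
    """
    off_hours_rows = defaultdict(int)
    source_ips = defaultdict(set)
    for e in events:
        key = (e["user"], e["ts"][:10])          # day granularity
        source_ips[key].add(e["ip"])
        if is_off_hours(e["ts"]):
            off_hours_rows[key] += e["rows"]

    findings = []
    for key in sorted(source_ips):
        reasons = []
        if off_hours_rows[key] > row_budget:
            reasons.append(f"{off_hours_rows[key]} rows read off-hours")
        if len(source_ips[key]) >= ip_limit:
            reasons.append(f"{len(source_ips[key])} distinct source IPs")
        if reasons:
            findings.append({"user": key[0], "day": key[1], "reasons": reasons})
    return findings
```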
Jaguar Land Rover Suffers Production Disruption from Cyberattack
Jaguar Land Rover (JLR), one of the world’s leading automakers, has been forced to extend a multi-week shutdown of its production facilities following a cyberattack that disrupted key operational technologies and supply chain management systems. This incident highlights the growing vulnerability of manufacturing environments to targeted cyberthreats with significant economic and operational consequences.
Attack Details and Initial Exploitation
The attack began with the compromise of a networked supplier management portal, leveraging a previously unknown vulnerability in third-party middleware common to automotive industry software. Malicious actors gained lateral access to JLR’s internal operational technology (OT) infrastructure, quickly escalating privileges and deploying ransomware payloads designed to encrypt file stores and disrupt production line control systems.
Impact on Manufacturing and Supply Chain
As a result of the attack, JLR halted assembly operations at several plants. Integrated supply chain systems—responsible for just-in-time delivery of auto parts and inventory—were rendered inoperable, forcing the company to revert to manual logistics tracking. Delays in supplier communications and parts delivery cascaded downstream, impacting both domestic and international production schedules.
Technical Response and Recovery Efforts
JLR’s cybersecurity team initiated a coordinated incident response, isolating affected segments of the OT network and deploying forensic tools to identify lateral movement by attackers. Recovering encrypted data required restoring from secured backups, during which time external consultants were brought in to harden network segmentation and review third-party application security controls. The company is now assessing advanced intrusion detection systems and migrating critical portions of its OT stack onto a zero trust security model.
Lessons for Industrial Cybersecurity
This incident underscores the importance of continuous monitoring for vulnerabilities in embedded supply chain platforms, rigorous third-party risk management, and regular testing of backup and recovery procedures. Industrial firms are encouraged to conduct penetration testing specific to OT environments, and to segment production networks from business IT as a best practice to limit adversary movement during an incident.
FBI and CISA Alert: Velociraptor IR Tool Abuse in Targeted Attacks
Recent investigations by the FBI and CISA have revealed multiple threat actors abusing Velociraptor, a widely used incident response (IR) and endpoint monitoring tool, as part of targeted attacks against U.S. and European enterprises. This exploitation exemplifies the increasing trend of legitimate cybersecurity tools being repurposed for malicious goals, complicating efforts to differentiate authorized usage from nefarious activity.
Attack Chain and Abuse of Velociraptor
Threat actors gained initial access to victim networks through exposed remote desktop and VPN services, often exploiting weak configurations or brute-forcing credentials. They then deployed Velociraptor binaries, leveraging its powerful querying and remote execution functions to search for credentials, exfiltrate sensitive documents, and disable protective controls. In several cases, Velociraptor’s live response capability was used to drop additional payloads and create backdoors for ongoing persistence.
Detection and Challenges
Because Velociraptor is an open-source tool with legitimate uses in IT and security departments, detecting its malicious deployment is particularly difficult. Attackers obscure their activity by running Velociraptor under benign service names and using encrypted communications for command and control (C2). Security experts recommend tracking all endpoint agent deployment events, enforcing application whitelisting, and establishing strong baselines for legitimate tool usage.
Recommendations for Defenders
Organizations are urged to routinely audit endpoints for unauthorized software installation, monitor for anomalous remote queries, and enforce strong authentication on all remote access services. Incident response teams should consider deploying additional behavioral analytics that can help distinguish legitimate tool use from attack activity, and educate staff on emerging trends in the offensive use of defensive toolkits.
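To illustrate the baseline-and-allowlist approach recommended above, here is an added Python example (written for this digest; not from the FBI/CISA advisory or the Velociraptor project) that compares new service-installation events against an inventory of sanctioned agent binaries, so that a known tool appearing under an unexpected service name or path is surfaced alongside binaries that are not approved at all. Hosts, service names, paths and hash strings are constructed placeholders.

```python
# Constructed baseline of sanctioned endpoint agents: binary hash -> the
# service name and install path under which it is allowed to run.
# Hash strings are placeholders, not real digests.
SANCTIONED_AGENTS = {
    "sha256:PLACEHOLDER-VELOCIRAPTOR-CLIENT": {
        "service": "Velociraptor",
        "path": r"C:\Program Files\Velociraptor\Velociraptor.exe",
    },
    "sha256:PLACEHOLDER-EDR-SENSOR": {
        "service": "EdrSensor",
        "path": r"C:\Program Files\EDR\sensor.exe",
    },
}

# Constructed "new service installed" events as a log parser might emit
# them (field names are assumptions).
SAMPLE_SERVICE_EVENTS = [
    {"host": "ws01", "service": "Velociraptor", "path": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "hash": "sha256:PLACEHOLDER-VELOCIRAPTOR-CLIENT", "installer": "SYSTEM"},
    {"host": "ws02", "service": "WindowsUpdateHelper", "path": r"C:\Users\Public\svchelper.exe",
     "hash": "sha256:PLACEHOLDER-VELOCIRAPTOR-CLIENT", "installer": "ws02\\localadmin"},
    {"host": "ws03", "service": "EdrSensor", "path": r"C:\Program Files\EDR\sensor.exe",
     "hash": "sha256:PLACEHOLDER-EDR-SENSOR", "installer": "SYSTEM"},
    {"host": "ws04", "service": "PrintSpoolerEx", "path": r"C:\Temp\spool.exe",
     "hash": "sha256:PLACEHOLDER-UNKNOWN", "installer": "ws04\\localadmin"},
]


def classify_service_install(event, baseline=SANCTIONED_AGENTS) -> str:
    """Return 'sanctioned', 'known-agent-renamed' or 'unapproved-binary'."""
    known = baseline.get(event["hash"])
    if known is None:
        return "unapproved-binary"          # fails application allowlisting
    if event["service"] != known["service"] or event["path"].lower() != known["path"].lower():
        return "known-agent-renamed"        # legitimate tool, unexpected deployment
    return "sanctioned"


def triage(events, baseline=SANCTIONED_AGENTS):
    """List (host, service, verdict) for every install that is not sanctioned."""
    results = []
    for e in events:
        verdict = classify_service_install(e, baseline)
        if verdict != "sanctioned":
            results.append((e["host"], e["service"], verdict))
    return results
```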
NSA, CISA, and Partners Promote Software Bill of Materials (SBOM) for Supply Chain Security
Early September 2025 saw the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and allied organizations release a joint vision advocating for the wide integration of Software Bill of Materials (SBOM) processes within government and commercial software supply chains. This guidance represents a significant push by the public sector towards greater transparency and systemic risk reduction in complex software ecosystems.
SBOM: Definition and Strategic Importance
An SBOM is a machine-readable inventory that lists all components, libraries, and dependencies contained within a software product. By codifying what software is made of, organizations gain the ability to rapidly identify vulnerabilities, track open source risk, and verify software integrity in both development and operational contexts.
Integration and Adoption Challenges
The new guidance details standardized methods for generating, sharing, and analyzing SBOMs, emphasizing automation and integration into continuous integration and delivery (CI/CD) pipelines. Major challenges include harmonizing SBOM formats across the industry, ensuring supply chain partners provide accurate inventories, and developing automated tools for real-time analysis and vulnerability tracking.
Implications for Security Operations
Widespread adoption of SBOMs is expected to transform vulnerability management, making it feasible to link new threat intelligence rapidly to affected software assets. The guidance also highlights the need for secure SBOM storage, access control, and sharing protocols to prevent disclosure of sensitive application architecture details. Enterprises are encouraged to update procurement policies and DevSecOps practices to mandate SBOMs from all vendors and third-party software suppliers.
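As an added worked example of linking an SBOM to vulnerability intelligence (written for this digest; not part of the NSA/CISA guidance), the following Python parses a CycloneDX JSON document, normalises each component's package URL, and matches it against an advisory list that records the first fixed version. CycloneDX is a real SBOM format, but the document content, component versions and advisory identifiers here are constructed sample data, and the version comparison is a numeric simplification.

```python
import json

# Constructed CycloneDX-style SBOM. CycloneDX is a real format; the document,
# its components and their versions are sample data.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
    {"type": "library", "name": "log4j-core", "version": "2.17.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0?source=pypi"}
  ]
}"""

# Constructed advisory feed keyed by package URL without version, recording the
# first fixed version. Identifiers are placeholders, not real CVE/GHSA ids.
ADVISORIES = [
    {"id": "ADV-SAMPLE-0001", "purl_base": "pkg:npm/lodash", "fixed_in": "4.17.21"},
    {"id": "ADV-SAMPLE-0002", "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.17.1"},
]


def parse_version(v: str) -> tuple:
    """Numeric segment comparison; non-numeric segments sort as 0 (simplification)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def load_components(sbom_text: str) -> list:
    """Parse a CycloneDX JSON document into {purl_base, version} records."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for comp in doc.get("components", []):
        purl = comp.get("purl", "").split("?", 1)[0]     # drop purl qualifiers
        base, sep, version = purl.rpartition("@")
        if not sep:                                      # purl carries no version
            base, version = purl, comp.get("version", "")
        components.append({"purl_base": base, "version": version})
    return components


def match_advisories(components, advisories):
    """Return (advisory id, purl_base, version) for each component below its fix."""
    hits = []
    for comp in components:
        for adv in advisories:
            if comp["purl_base"] == adv["purl_base"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((adv["id"], comp["purl_base"], comp["version"]))
    return hits
```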
npm ‘Nx’ Supply-Chain Attack Leaks Sensitive Developer Files
Security researchers identified a major supply-chain attack involving the npm package ‘Nx’, resulting in the leakage of approximately 20,000 sensitive developer files. This attack is one of the largest source code and credential exposures linked to supply chain tampering on the npm registry to date, with wide repercussions for enterprise software maintainers and application developers.
Attack Vector and Initial Discovery
The attack exploited the dependency resolution behavior of the npm ecosystem. Malicious actors uploaded a trojanized version of the ‘Nx’ package, which, when installed, executed post-install scripts to enumerate developer file systems for configuration files, API keys, and SSH credentials. Stolen data was then exfiltrated via anonymized HTTP POST requests to attacker-controlled infrastructure.
Scope and Impact
The breach was uncovered after several organizations noticed unusual network traffic coinciding with developer builds. Analysis of the rogue package revealed a sophisticated design to evade traditional signature-based detection and ensure persistence across multiple installation attempts. Compromised data sets included internal configuration, environment files, and private code repositories, raising the risk for broader organizational compromise.
Supply Chain Security Recommendations
The incident has prompted renewed calls for strict supply-chain hygiene, including pinning dependencies to verified versions, deploying automated dependency auditing tools, and segmenting build environments from sensitive file stores. Developers are advised to review all installed npm packages for suspicious updates and employ code signing for proprietary packages wherever feasible.
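The install-time script behaviour described above is one reason to audit which installed packages can run code during installation. Below is an added Python example (not part of the research cited, and unrelated to the real Nx project's code) that walks a node_modules tree, reports packages declaring npm install-time lifecycle hooks, and skips packages already reviewed; the package tree it inspects is constructed in a temporary directory with made-up package names.

```python
import json
import os
import tempfile

# npm lifecycle hooks that execute code at install time
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def audit_node_modules(root: str, allowlist=frozenset()) -> list:
    """List packages under root whose package.json declares install-time hooks
    and whose name is not on the reviewed allowlist."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue                          # unreadable manifest: skip, do not crash
        scripts = manifest.get("scripts") or {}
        hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
        name = manifest.get("name", os.path.relpath(dirpath, root))
        if hooks and name not in allowlist:
            findings.append({"name": name, "version": manifest.get("version", "?"), "hooks": hooks})
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree() -> str:
    """Write a throwaway node_modules tree: one package with a postinstall hook,
    one without. Names and contents are constructed, not real packages."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    fixtures = {
        "tiny-util-sample": {"name": "tiny-util-sample", "version": "1.0.0",
                             "scripts": {"test": "node test.js"}},
        "build-helper-sample": {"name": "build-helper-sample", "version": "0.3.2",
                                "scripts": {"postinstall": "node setup.js", "test": "node test.js"}},
    }
    for folder, manifest in fixtures.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for f in audit_node_modules(build_sample_tree()):
        print(f"{f['name']}@{f['version']} runs install hooks: {f['hooks']}")
```

Setting `ignore-scripts=true` in .npmrc (or installing with `npm install --ignore-scripts`) stops such hooks from running at all, at the cost of breaking packages that legitimately need them.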