- Yet another supply chain compromise targeting Salesforce OAuth tokens
- A law enforcement disruption of one of the longest-running web-inject frameworks targeting users with malicious drive-by downloads
- Threat actors frustrated by AI slop and hallucinations – just like us
Plus, in case you missed it, we also link to our deep dives on:
- Device code phishing, a new type of AitM technique that leverages the OAuth 2.0 device authorization grant login flow intended for smart devices to steal victims’ access and refresh tokens
- FortiBleed, an aggressive brute-forcing campaign that captured credentials for 73,932 internet-facing FortiGate firewalls
Let’s get into it!
Icarus ransomware group compromises Klue and their customers
On June 17, Salesforce published an advisory stating that, due to a recent security incident, they proactively disabled all connections between customer Salesforce instances and the Klue Battlecards app, a third-party sales tool that can integrate with Salesforce. On June 18, details of the incident started to become clearer; Klue stated that attackers had gained access to Klue’s integrations infrastructure and used that access to exfiltrate customer data.
The next day, a relatively new ransomware group called Icarus named Klue as a victim on their data leak site (DLS), promising to leak the data if Klue did not pay them a ransom. They also advised “the companies who want to protect their data to contact us via Session” – appealing to Klue’s impacted customers directly. Icarus also posted data from some of the impacted organizations including the cybersecurity company Huntress, to their DLS on June 22.
Initial shame post from June 19 naming Klue as a victim on the Icarus data leak site.
Then on June 23 and into June 24, Klue told their customers that they had reached an agreement with Icarus to delete the data. At this point, it seems that there was some disagreement among the involved threat actors. According to Klue, Icarus told them that a second group of hackers affiliated with Icarus (who had access to at least some of the exfiltrated data) had gone rogue and were attempting to now extort Klue’s customers directly. This was despite the fact that Klue already had an agreement with the threat actor who had told them they were “taking steps to delete the data.”
At the time of writing, the Icarus DLS remains offline. Unpredictability of criminal threat actors, as in this scenario, is why many cybersecurity experts discourage victims of data-theft extortion attacks from paying a ransom.
This is yet another instance of a supply chain compromise aimed at stealing customer cloud service tokens (OAuth access and refresh tokens for Salesforce) and exfiltrating their data. As Reliaquest pointed out in their write-up on the incident, this compromise follows the same attack chain as the Salesloft Drift incident from last August and the Gainsight incident in November. In all three incidents, the attackers compromised environments of third-party applications commonly integrated with Salesforce, the world’s largest customer relationship management (CRM) cloud service provider. They then abused the trust relationship between the applications to access data that customers using the compromised third-party integrations had stored in Salesforce. Non-human identities – digital identities for a machine, application, service, or automated process such as service accounts, API keys, OAuth tokens, certificates, and SSH keys – are an important and increasingly targeted attack surface.
In a follow-on statement about the incident, Huntress noted that the exfiltrated data itself was less significant than initially feared, mostly system information and service logs.
Operation Endgame disrupts SocGholish, Amadey, and StealC malware
On June 24, EUROPOL announced enforcement actions against three malware families:
- SocGholish and Amadey, both loader malware used to gain initial access to computers, usually to drop other malware like infostealers and cryptominers
- StealC, a popular infostealer malware; it’s currently the fifth most prevalent commodity infostealer malware in our dataset in terms of observed infections over the last 30 days.
The most unique aspect of this disruption was the operation’s method of cleaning up SocGholish’s distribution infrastructure. SocGholish’s operators compromised legitimate WordPress-based websites, and used them to show visitors fake browser update prompts. When a victim clicked the prompt, they would download a malicious JScript payload instead. SocGholish infections have been documented as the initial access mechanism in a variety of ransomware incidents, including by the LockBit and Hades ransomware groups.
As part of the disruption action, the law enforcement agencies involved in Operation Endgame actually actively cleaned 14.9K infected WordPress sites that were distributing the malware. They also notified these website owners, encouraging them to patch their sites and strengthen their login credentials. It’s rare for law enforcement actions to actually remediate computer compromises in victim environments, but this action is an encouraging sign that law enforcement agencies are willing to take more aggressive steps to disrupt key cybercrime enablement services.
Keep an eye out for SpyCloud’s upcoming analysis of the StealC takedown and how it impacted the infostealer market.
AI slop annoys cybercriminals, too
Large language models (LLMs) have undoubtedly made certain aspects of cybercrime faster and easier, including assisting actors in more efficiently socially engineering victims and speeding up malware coding development.
However, e-crime actors are also plagued by the rise in AI slop, which can make it more difficult and time-consuming for threat actors to find and analyze quality stolen data. In June, we observed two interesting examples of this phenomenon:
01
SLSH issues a retraction about hallucinated exfil data:
SLSH – a data-theft extortion group linked to the Com – apparently acted on an AI hallucination (a slang term for when a LLM output contains nonfactual information) earlier this month. After using an LLM to summarize the 3.1TB of data that they had exfiltrated from the National Association of Insurance Commissioners (naic.org). The practice of using LLMs to quickly summarize large volumes of breached data is becoming more popular with threat actors in general. For example, the Titan Ransomware group has adopted a unique practice of posting a clearly AI-generated analysis of each of their breached datasets that highlights the most sensitive files in each of their breaches which they post directly to their data leak site alongside the data download links. SLSH seems to have realized and rectified the LLM’s error, updating their post and writing “the previous statement was overstated due to an analytical error and an AI-generated misinterpretation of the underlying data.”
Statement on the SLSH DLS in which the group retracted their previous analysis of the National Association of Insurance Commissioners breach.
02
Criminal complains about buying bogus data breaches
Other research insights from SpyCloud Labs
SpyCloud Labs analyzed the media-dubbed “FortiBleed” leak and found that initial reports left some key information out. See what we found after parsing and analyzing the data to understand the full impact.
Attackers are finding new ways to make MFA irrelevant, and device code phishing is their latest weapon. This adversary-in-the-middle (AiTM) technique exploits the legitimate OAuth 2.0 Device Authorization Grant flow, tricking users into entering an attacker-generated code that issues active session tokens directly to the attacker’s device. Here’s what you need to know.