The past week has witnessed a sophisticated escalation in nation-state and organized crime group activities, with over 5 million individuals affected across six major cybersecurity incidents. The reporting period is dominated by supply chain attacks targeting OAuth integrations, advanced ransomware campaigns against critical infrastructure, and coordinated credential harvesting operations orchestrated by the Chinese-linked threat actor UNC6395.
Key developments include the emergence of cross-platform ransomware targeting design studios, the weaponization of trusted OAuth tokens for mass Salesforce data theft, and delayed breach disclosures spanning nearly a year of dwell time. The UNC6395 campaign alone compromised over 700 organizations through Salesloft Drift integrations, while the Qilin ransomware group demonstrated advanced capabilities by targeting automotive intellectual property with 4TB of proprietary design data. Combined financial impact exceeds $200 million, with supply chain implications affecting thousands of downstream organizations.
1. Nissan Design Studio Breach – Qilin’s Automotive IP Theft
Date of Attack: August 16, 2025
Affected Users: Internal intellectual property (4TB data)
Overview
Japanese automotive giant Nissan confirmed a devastating cyberattack on its wholly-owned design subsidiary, Creative Box Inc. (CBI), following claims by the Qilin ransomware group that they stole nearly 4 terabytes of proprietary design data including 3D vehicle models, virtual reality workflows, financial records, and confidential internal reports. The attack specifically targeted Nissan’s “design think tank” responsible for experimental and concept vehicle development.
Explanation
The Qilin ransomware group (also known as Agenda) executed a sophisticated attack against Creative Box Inc.’s data servers, exploiting the design studio’s creative-focused security posture that prioritized accessibility over stringent cybersecurity controls. The attack leveraged multiple initial access vectors including compromised Remote Desktop Protocol (RDP) credentials and exploitation of publicly-facing applications vulnerable to known CVEs including CVE-2024-21762 and CVE-2024-55591 in Fortinet infrastructure.
Multi-Stage Attack Analysis:
- Initial Compromise: RDP credential compromise or vulnerability exploitation
- Privilege Escalation: Domain account abuse and scheduled task creation
- Defense Evasion: Safe mode boot to disable security tools
- Data Discovery: Systematic enumeration of design databases and file shares
- Data Exfiltration: 4TB+ theft via encrypted channels
- Ransomware Deployment: File encryption with .qilin extension
- Extortion: Dark web publication with competitive intelligence threats
Impact
The breach exposed 4 terabytes of Nissan’s most sensitive intellectual property including 3D vehicle design models, VR design workflows, financial documents, internal reports, manufacturing blueprints, and future product roadmaps. Qilin published 16 proof-of-concept images on their dark web extortion portal, threatening to provide competitors with detailed insights into Nissan’s experimental vehicle designs and proprietary manufacturing processes. The intellectual property theft creates competitive disadvantage risks, trade secret exposure, and potential supply chain disruption across Nissan’s global manufacturing network.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1190 (Exploit Public-Facing Application), T1078.002 (Domain Accounts)
- Execution: T1055 (Process Injection)
- Persistence: T1547.001 (Registry Run Keys/Startup Folder)
- Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1053.005 (Scheduled Task)
- Defense Evasion: T1027 (Obfuscated Files), T1562.009 (Safe Mode Boot), T1070.001 (Clear Windows Event Logs)
- Discovery: T1082 (System Information Discovery), T1018 (Remote System Discovery)
- Lateral Movement: T1021.001 (Remote Desktop Protocol), T1570 (Lateral Tool Transfer)
- Collection: T1005 (Data from Local System)
- Exfiltration: T1011.001 (Exfiltration Over Bluetooth), T1041 (Exfiltration Over C2 Channel)
- Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1529 (System Shutdown/Reboot)
Technical IOCs:
File Extensions: .qilin, .agenda
Ransom Note: README_FOR_DECRYPT.txt
Registry Persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Process Injection: rundll32.exe, svchost.exe process hollowing
Network Communication: TOR-based C2 infrastructure
Encryption: ChaCha20, AES, RSA-4096 hybrid encryption
Threat Hunting Signatures:
- Safe mode boot logs followed by mass file encryption
- Unusual RDP sessions from external IP ranges during off-hours
- Registry modifications creating persistence mechanisms
- Large outbound data transfers to TOR exit nodes
- Event log clearing activities post-compromise
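The hunting signatures above, turned into a runnable check as an added example that is not part of the original report. It runs over constructed, normalized Windows telemetry whose field names (ts, host, event_id, logon_type, src_ip, cmdline, path) are this example's own schema, an assumption rather than the raw event XML; the IP addresses are documentation ranges.

```python
"""Added threat-hunting example (not from the original report): apply the
Qilin hunting signatures listed above to constructed, normalized Windows
telemetry. Field names are this example's own schema (an assumption)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample records (not real Nissan/CBI telemetry); IPs are documentation ranges.
EVENTS = [
    {"ts": "2025-08-16T02:14:00", "host": "ws01", "event_id": 4624,
     "logon_type": 10, "src_ip": "198.51.100.23", "user": "designer7"},
    {"ts": "2025-08-16T02:20:00", "host": "ws01", "event_id": 4688,
     "cmdline": "bcdedit /set {default} safeboot network", "user": "designer7"},
    {"ts": "2025-08-16T03:05:00", "host": "ws01", "event_id": 1102,
     "user": "designer7"},
    {"ts": "2025-08-16T09:30:00", "host": "ws02", "event_id": 4624,
     "logon_type": 10, "src_ip": "10.20.30.40", "user": "admin"},
]
# Constructed file-write telemetry: 250 files renamed with .qilin on ws01, one stray on ws02.
FILE_WRITES = [{"ts": "2025-08-16T03:10:00", "host": "ws01",
                "path": "D:\\designs\\model_%03d.fbx.qilin" % i} for i in range(250)]
FILE_WRITES.append({"ts": "2025-08-16T10:00:00", "host": "ws02", "path": "C:\\tmp\\a.qilin"})

RANSOM_EXTS = (".qilin", ".agenda")            # extensions named in the report
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)                   # 07:00-19:59 local; tuning assumption
MASS_RENAME_THRESHOLD = 100                     # files per host; tuning assumption


def is_external(ip: str) -> bool:
    """True when the source address is outside the RFC 1918 corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events=EVENTS, file_writes=FILE_WRITES):
    """Return (rule, host, detail) findings for each hunting signature that fires."""
    findings = []
    safeboot_hosts = set()
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        eid = e["event_id"]
        # Unusual RDP session: logon type 10 from an external address outside business hours
        if (eid == 4624 and e.get("logon_type") == 10
                and is_external(e["src_ip"]) and hour not in BUSINESS_HOURS):
            findings.append(("rdp_external_offhours", e["host"], e["src_ip"]))
        # Safe mode boot configured via bcdedit (T1562.009)
        if eid == 4688 and "safeboot" in e.get("cmdline", "").lower():
            safeboot_hosts.add(e["host"])
            findings.append(("safe_mode_boot", e["host"], e["cmdline"]))
        # Security event log cleared (T1070.001)
        if eid == 1102:
            findings.append(("event_log_cleared", e["host"], e["user"]))
    # Mass creation of files with ransomware extensions, per host
    per_host = Counter(w["host"] for w in file_writes
                       if w["path"].lower().endswith(RANSOM_EXTS))
    for host, n in per_host.items():
        if n >= MASS_RENAME_THRESHOLD:
            # Safe mode boot followed by mass encryption is the report's chained signature
            rule = ("safe_mode_then_mass_encrypt" if host in safeboot_hosts
                    else "mass_encrypt")
            findings.append((rule, host, f"{n} files"))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt():
        print(f"{rule:28} {host:6} {detail}")
```

The single lunchtime RDP logon from an internal address and the one stray .qilin file on ws02 stay below the thresholds, which is the point of pairing each signature with a baseline rather than alerting on any one event.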
Remediation:
- Immediate isolation of all design studio networks
- Comprehensive forensic imaging of affected systems
- RDP access restriction and multi-factor authentication enforcement
- Network segmentation between design and production environments
- Enhanced monitoring of intellectual property access patterns
Takeaway for CISOs
The Nissan attack demonstrates the critical vulnerability of creative environments that balance innovation requirements with security controls. CISOs must implement intellectual property protection strategies including data classification, network microsegmentation, and behavioral analytics to detect anomalous access to design assets. The 4TB data theft underscores the importance of data loss prevention (DLP) technologies and egress filtering to prevent massive intellectual property exfiltration.
2. Salesloft Salesforce OAuth Token Breach – UNC6395 Supply Chain Campaign
Date of Attack: August 8-18, 2025
Date of Discovery: August 19, 2025
Affected Users: 700+ organizations
Overview
Chinese-linked threat actor UNC6395 orchestrated a massive supply chain attack targeting the Salesloft Drift integration with Salesforce, compromising OAuth tokens to gain unauthorized access to customer Salesforce instances across more than 700 organizations. The campaign represents one of the most significant SaaS supply chain attacks observed, with systematic credential harvesting targeting AWS access keys, Snowflake tokens, and sensitive corporate data.
Explanation
UNC6395 exploited vulnerabilities in the Salesloft Drift AI chat agent integration to harvest OAuth and refresh tokens, enabling persistent unauthorized access to victim Salesforce environments. The attack demonstrated sophisticated operational security awareness by systematically running SOQL (Salesforce Object Query Language) queries against critical Salesforce objects including Users, Accounts, Cases, and Opportunities while attempting to delete query jobs to obscure forensic evidence.
Advanced Attack Methodology:
- Initial Compromise: Salesloft Drift OAuth token theft via unknown vector
- Token Validation: Systematic reconnaissance to identify active tokens
- Salesforce Access: Authentication bypass using compromised OAuth tokens
- Data Reconnaissance: SOQL queries to measure record volumes across targets
- Selective Exfiltration: Targeted theft of credentials and sensitive data
- Operational Security: Query job deletion attempts to evade detection
- Credential Monetization: AWS keys and Snowflake tokens for downstream attacks
Impact
The breach compromised 700+ organizations with exfiltrated data including Amazon Web Services (AWS) access keys (AKIA format), Snowflake-related access tokens, passwords, and comprehensive Salesforce customer records. The systematic credential harvesting enables downstream supply chain attacks, cloud infrastructure compromise, and data warehouse infiltration across the entire victim ecosystem. Google Workspace accounts configured with Drift integrations also suffered limited email access, expanding the attack surface beyond Salesforce environments.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1199 (Trusted Relationship)
- Persistence: T1550.001 (Application Access Token), T1078.004 (Cloud Accounts)
- Credential Access: T1552.007 (Container API)
- Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
- Exfiltration: T1567.002 (Exfiltration to Cloud Storage), T1041 (Exfiltration Over C2 Channel)
- Defense Evasion: T1070.008 (Clear Mailbox Data)
UNC6395 Technical Profile:
Attribution: Chinese-linked threat actor (assessed by Google GTIG)
Infrastructure: Tor exit nodes, VPS providers for data staging
User-Agent Patterns: Suspicious automation strings in HTTP requests
Query Patterns: Systematic SOQL reconnaissance across victim tenants
Operational Security: Query job deletion, log evasion attempts
Indicators of Compromise (IOCs):
- OAuth tokens with anomalous usage patterns outside business hours
- SOQL queries targeting credential fields, e.g. SELECT Id, Username, API_Key__c FROM User WHERE API_Key__c != null (SOQL has no SELECT *; API_Key__c stands for any custom field holding a secret)
- Bulk data export activities exceeding normal baselines
- Suspicious User-Agent strings in Salesforce audit logs
- Network traffic to Tor exit nodes from Salesforce integrations
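The indicators above expressed as scoring logic, as an added example that is not part of the original report. The activity records are constructed and use this example's own normalized field names (ts, app, user_agent, op, soql, rows), an assumption rather than the raw Salesforce Event Monitoring schema; the baseline, business hours and user-agent list are tuning assumptions.

```python
"""Added detection example (not from the original report): score connected-app
API activity against the UNC6395 indicators listed above, and scan exported
record text for stored AWS keys. Records are constructed and use this
example's own normalized field names (an assumption), not the raw Salesforce
Event Monitoring schema."""
import re
from datetime import datetime

# Constructed normalized API activity for one tenant; "Drift" is the connected app name.
RECORDS = [
    {"ts": "2025-08-12T03:12:00", "app": "Drift", "user_agent": "python-requests/2.31",
     "op": "query", "soql": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-12T03:13:00", "app": "Drift", "user_agent": "python-requests/2.31",
     "op": "bulk_query", "soql": "SELECT Id, Subject, Description FROM Case",
     "rows": 480000},
    {"ts": "2025-08-12T03:20:00", "app": "Drift", "user_agent": "python-requests/2.31",
     "op": "query", "soql": "SELECT Id, Username, API_Key__c FROM User WHERE API_Key__c != null",
     "rows": 1200},
    {"ts": "2025-08-12T03:40:00", "app": "Drift", "user_agent": "python-requests/2.31",
     "op": "bulk_job_delete", "soql": "", "rows": 0},
    {"ts": "2025-08-12T11:05:00", "app": "Drift", "user_agent": "Drift/1.0",
     "op": "query", "soql": "SELECT Id, Name FROM Contact WHERE Email = 'a@b.test'",
     "rows": 1},
]
# Constructed per-app daily row baseline (assumption); derive it from history in practice.
BASELINE_ROWS = {"Drift": 2000}
BASELINE_MULTIPLIER = 10
BUSINESS_HOURS = range(7, 20)                   # tuning assumption
SUSPECT_UA = re.compile(r"python-requests|curl/|go-http-client", re.I)
CREDENTIAL_FIELDS = re.compile(r"api_key|secret|token|password", re.I)
AWS_KEY = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")   # AKIA format cited in the report


def score_records(records=RECORDS, baseline=BASELINE_ROWS):
    """Return {app: [(indicator, detail), ...]} for every indicator that fires."""
    hits, rows_by_app = {}, {}
    for r in records:
        app = r["app"]
        h = hits.setdefault(app, [])
        hour = datetime.fromisoformat(r["ts"]).hour
        # Token used outside business hours
        if hour not in BUSINESS_HOURS:
            h.append(("off_hours_token_use", r["ts"]))
        # Automation user agent where the integration normally sends its own
        if SUSPECT_UA.search(r["user_agent"]):
            h.append(("suspicious_user_agent", r["user_agent"]))
        # SOQL touching credential-shaped fields
        if CREDENTIAL_FIELDS.search(r["soql"]):
            h.append(("credential_field_query", r["soql"]))
        # Query job deletion: the anti-forensics step described in the report
        if r["op"] == "bulk_job_delete":
            h.append(("bulk_job_deletion", r["ts"]))
        rows_by_app[app] = rows_by_app.get(app, 0) + r["rows"]
    # Bulk export far above the app's historical baseline
    for app, rows in rows_by_app.items():
        if rows > BASELINE_MULTIPLIER * baseline.get(app, 0):
            hits[app].append(("bulk_export_over_baseline", f"{rows} rows"))
    return {app: v for app, v in hits.items() if v}


def find_stored_secrets(texts):
    """List AWS access key IDs embedded in exported record text, so owners can rotate them."""
    return [m.group(0) for t in texts for m in AWS_KEY.finditer(t)]


if __name__ == "__main__":
    for app, indicators in score_records().items():
        for name, detail in indicators:
            print(f"{app}: {name} ({detail})")
    # Constructed sample of exported case text containing a fake key
    print(find_stored_secrets(["note: deploy key AKIAEXAMPLE000000001 in env"]))
```

Running find_stored_secrets over your own Case and Contact exports tells you which keys were reachable through the integration and therefore need rotating, which is the review step the remediation list below calls for.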
Advanced IOCs from Astrix Research:
AWS Account ID: [REDACTED] – Systematic S3 bucket reconnaissance
IP Ranges: 183+ previously undisclosed Tor exit nodes
Google Workspace: Drift Email OAuth compromise for email exfiltration
Timeline: August 8-18, 2025 active campaign window
Remediation:
- Immediate OAuth token revocation for all Drift integrations
- Comprehensive Salesforce Event Monitoring log analysis
- AWS CloudTrail review for suspicious S3 access attempts
- Google Workspace audit for Drift Email application access
- Implementation of OAuth application allowlisting policies
Takeaway for CISOs
The UNC6395 campaign highlights systemic weaknesses in OAuth trust models and third-party integration security. CISOs must implement zero-trust OAuth governance, continuous integration monitoring, and behavioral analytics for SaaS applications. The 700+ organization impact demonstrates the amplification effect of supply chain attacks requiring enhanced vendor risk management and shared responsibility security frameworks.
3. Healthcare Services Group Delayed Disclosure – 10-Month Dwell Time
Date of Attack: September 27 – October 3, 2024
Date of Discovery: October 7, 2024
Date of Disclosure: August 25, 2025
Affected Users: 624,496 individuals
Overview
Healthcare Services Group (HSGI), a $1.7 billion publicly traded company providing critical support services to healthcare facilities across the United States, disclosed a massive data breach affecting over 624,000 individuals nearly 10 months after the initial discovery. The unprecedented delay in breach notification raises serious questions about compliance with state and federal disclosure requirements while exposing comprehensive personal and financial data.
Explanation
The breach occurred through network intrusion with threat actors maintaining persistent access for six days (September 27 – October 3, 2024) before detection on October 7, 2024. The 10-month investigation period before public disclosure on August 25, 2025, suggests both adversary tactics designed to evade detection and extensive data exfiltration across multiple systems. The delayed timeline indicates either complex forensic analysis requirements or potential regulatory negotiation regarding disclosure obligations.
Impact
The breach exposed comprehensive personal data including full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and full access credentials for 624,496 individuals. The 10-month disclosure delay significantly amplified identity theft risks, as stolen credentials may have been actively monetized on criminal markets throughout 2025. HSGI’s role as a strategic healthcare support provider creates cascading risk across thousands of healthcare facilities and their patient populations.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1190 (Exploit Public-Facing Application)
- Persistence: T1078 (Valid Accounts)
- Discovery: T1083 (File and Directory Discovery)
- Collection: T1005 (Data from Local System)
- Credential Access: T1552 (Unsecured Credentials)
- Exfiltration: T1041 (Exfiltration Over C2 Channel)
Regulatory Compliance Analysis:
- HIPAA Breach Notification Rule: 60-day disclosure requirement potentially violated
- State Breach Laws: Multiple state 30-90 day notification requirements exceeded
- Potential Penalties: Multi-million dollar regulatory fines under various state laws
Timeline Anomalies:
September 27-October 3, 2024: Active breach period (6 days)
October 7, 2024: Breach discovery
October 2024 – August 2025: Investigation period (10 months)
August 25, 2025: First public notifications sent
Takeaway for CISOs
The HSGI incident demonstrates critical failures in breach response timelines and regulatory compliance management. CISOs must implement automated breach detection, predetermined disclosure workflows, and legal compliance tracking to meet statutory notification requirements. The 10-month delay represents a compliance failure that may result in regulatory enforcement action and class action litigation.
4. MathWorks Ransomware Attack – MATLAB Platform Disruption
Date of Attack: April 17 – May 18, 2025
Date of Discovery: May 18, 2025
Affected Users: 10,476 individuals
Overview
MathWorks, the $1.5 billion developer of MATLAB and Simulink platforms used by over 5 million customers globally, suffered a sophisticated ransomware attack that disrupted critical services for nearly a week while exposing personal data of 10,476 individuals. The attack targeted the company’s core infrastructure supporting mathematical simulation and computing software relied upon by over 100,000 organizations worldwide.
Explanation
The ransomware attack began with an undetected 31-day dwell time from April 17 through discovery on May 18, 2025. Threat actors conducted extensive reconnaissance and lateral movement across MathWorks’ network infrastructure before deploying ransomware payloads that encrypted critical systems supporting multi-factor authentication (MFA), single sign-on (SSO), cloud computing platforms, licensing services, and online store operations.
Service Impact Analysis:
- MATLAB Online: Primary computation platform offline for 5+ days
- Licensing Center: Software activation systems disrupted
- Cloud Services: MathWorks Cloud Center inaccessible
- Authentication Systems: MFA and SSO services compromised
- Customer Portal: File exchange and download services offline
Impact
The attack exposed personal data including names, addresses, dates of birth, Social Security numbers, and non-U.S. national identification numbers for 10,476 individuals. Service disruptions affected 5 million global users and 100,000+ organizations dependent on MATLAB and Simulink for critical mathematical computing, data analysis, and simulation workflows. Academic institutions, research organizations, and engineering companies experienced significant operational disruption during the multi-day outage.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1566.001 (Spearphishing Attachment)
- Execution: T1204.002 (Malicious File)
- Persistence: T1055 (Process Injection)
- Privilege Escalation: T1078 (Valid Accounts)
- Discovery: T1083 (File and Directory Discovery)
- Collection: T1005 (Data from Local System)
- Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)
Service Restoration Timeline:
May 18, 2025: Attack discovery and initial service disruption
May 19-22, 2025: Gradual service restoration with cybersecurity experts
May 23, 2025: MATLAB Online and MATLAB Mobile restored
May 24-27, 2025: Additional services brought online
Ongoing: Some services remain in degraded operational state
Threat Intelligence Assessment:
- No ransomware group has claimed public responsibility
- Suggests either ransom payment or ongoing negotiations
- Unknown threat actor indicates sophisticated operational security
- 31-day dwell time demonstrates advanced persistent threat capabilities
Takeaway for CISOs
The MathWorks attack highlights critical infrastructure vulnerability in software platforms supporting global research and engineering communities. CISOs must implement business continuity planning for software-as-a-service dependencies and supply chain resilience strategies. The 31-day dwell time emphasizes the importance of continuous threat hunting and behavioral analytics to detect advanced persistent threats before encryption deployment.
5. TransUnion Salesforce Data Breach – Credit Bureau Compromise
Date of Attack: July 28, 2025
Date of Discovery: July 30, 2025
Affected Users: 4.4 million Americans
Overview
Consumer credit reporting giant TransUnion, one of the three major U.S. credit bureaus maintaining credit information on over 200 million Americans, suffered a massive data breach affecting 4.4 million individuals through compromise of a third-party Salesforce application. The incident represents the largest credit bureau breach of 2025 and has been directly linked to the ongoing ShinyHunters campaign targeting Salesforce CRM platforms across major corporations.
Explanation
The breach occurred through exploitation of a third-party Salesforce application supporting TransUnion’s U.S. consumer support operations. Threat actors gained unauthorized access using compromised OAuth tokens or social engineering techniques consistent with the ShinyHunters methodology that has successfully targeted multiple major corporations throughout 2025. The attack was contained within hours of detection but not before substantial customer data exfiltration.
ShinyHunters Campaign Integration:
- Confirmed Attribution: ShinyHunters claimed responsibility for the attack
- Data Volume: Over 13 million records stolen (4.4M U.S. residents)
- Attack Pattern: Consistent with Salesforce-targeting campaign methodology
- Data Evidence: Sample stolen data shared with cybersecurity researchers
Impact
The breach exposed highly sensitive personal information including names, billing addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security numbers for 4.4 million U.S. consumers. Additionally, customer support tickets and transaction reasons (such as free credit report requests) were compromised, providing threat actors with comprehensive consumer financial profiles. The breach creates severe identity theft risks and potential financial fraud targeting victims across all 50 states.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1566.002 (Spearphishing Link)
- Execution: T1204.002 (Malicious File)
- Persistence: T1078.004 (Cloud Accounts)
- Defense Evasion: T1550.001 (Application Access Token)
- Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
- Exfiltration: T1567.002 (Exfiltration to Cloud Storage)
Compromised Data Categories:
Personal Identifiers: Full names, dates of birth
Contact Information: Email addresses, phone numbers, billing addresses
Financial Data: Unredacted Social Security numbers
Behavioral Data: Customer support interactions, transaction histories
Geographic Data: State residency information for regulatory notification
Regulatory Impact:
- State Notifications: Filed with Maine (17,000 residents), Texas, and other states
- Federal Oversight: Subject to Consumer Financial Protection Bureau jurisdiction
- Class Action Risk: Multiple law firms investigating potential litigation
- Credit Monitoring: 24 months free service provided to affected individuals
Remediation:
- Third-party application access immediately revoked
- Comprehensive forensic investigation with external cybersecurity experts
- Enhanced monitoring of customer support systems
- Strengthened authentication requirements for Salesforce integrations
Takeaway for CISOs
The TransUnion breach demonstrates systemic risks in the credit reporting ecosystem where compromise of a single organization affects millions of consumers nationwide. CISOs must implement enhanced third-party risk management, zero-trust access controls for customer support systems, and comprehensive data governance to protect sensitive financial information. The ShinyHunters attribution confirms the persistent threat to Salesforce-hosted data across major enterprises.
6. Zscaler Supply Chain Impact – Salesloft Drift Cascade
Date of Attack: August 8-18, 2025
Date of Discovery: August 31, 2025
Affected Users: Unknown (Customer contact data)
Overview
Cybersecurity firm Zscaler disclosed it became the latest victim of the UNC6395 supply chain campaign, with threat actors gaining unauthorized access to its Salesforce environment through compromised Salesloft Drift credentials. The breach exposes the cascading impact of supply chain attacks where even cybersecurity vendors become victims, potentially compromising their customer relationships and support data.
Explanation
The Zscaler breach stems directly from the broader UNC6395 campaign targeting Salesloft Drift OAuth integrations. Threat actors leveraged stolen OAuth and refresh tokens to authenticate against Zscaler’s Salesforce instance, accessing customer support cases and business contact information. The incident demonstrates how trusted third-party integrations create transitive trust relationships that enable adversaries to pivot between organizations within the same supply chain.
Supply Chain Attack Progression:
- Initial Compromise: Salesloft Drift OAuth infrastructure breach
- Token Harvesting: Mass collection of customer OAuth credentials
- Target Identification: Systematic enumeration of high-value victims
- Lateral Access: Zscaler Salesforce environment compromise
- Data Exfiltration: Customer support cases and contact data theft
- Operational Security: Coordinated timing with broader campaign
Impact
The breach compromised business contact details and Salesforce-related content including names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing information, commercial data, and plain text content from support cases (excluding attachments and files). While Zscaler’s core security services remained uncompromised, the incident creates phishing and social engineering risks for affected customers and partners.
Details
MITRE ATT&CK Mapping:
- Initial Access: T1199 (Trusted Relationship)
- Persistence: T1550.001 (Application Access Token), T1078.004 (Cloud Accounts)
- Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
- Exfiltration: T1041 (Exfiltration Over C2 Channel)
Zscaler Response Actions:
- Immediate revocation of Salesloft Drift access to Salesforce data
- Proactive rotation of API access tokens across all integrations
- Implementation of additional safeguards and strengthened protocols
- Enhanced monitoring for potential misuse of exposed data
Supply Chain Risk Amplification:
- Vendor-to-Customer Impact: Cybersecurity provider compromised
- Trust Relationship Abuse: Legitimate integrations weaponized
- Cascading Disclosure: Multiple organizations affected by single compromise
- Operational Continuity: Core services unaffected, reputation risks elevated
Customer Protection Measures:
- Heightened vigilance recommendations for phishing attempts
- Social engineering awareness using exposed contact details
- Enhanced verification procedures for Zscaler communications
- Continuous monitoring for anomalous account activities
Takeaway for CISOs
The Zscaler incident exemplifies the amplification effects of modern supply chain attacks where cybersecurity vendors themselves become attack vectors. CISOs must implement continuous vendor risk assessment, zero-trust integration policies, and supply chain monitoring to detect and respond to transitive compromises. The incident reinforces the critical importance of OAuth security governance and third-party access controls across all SaaS integrations.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management