AI in Cybersecurity 02 Sep 2025

Weekly Cybersecurity Intelligence Report Cyber Threats & Breaches 26 Aug – 01 Sep, 2025

Priyanka Aash Co-Founder, FireCompass

Summarize and analyze this article with:

The past week has witnessed a sophisticated escalation in nation-state and organized crime group activities, with over 5 million individuals affected across six major cybersecurity incidents. The reporting period is dominated by supply chain attacks targeting OAuth integrations, advanced ransomware campaigns against critical infrastructure, and coordinated credential harvesting operations orchestrated by the Chinese-linked threat actor UNC6395.

Key developments include the emergence of cross-platform ransomware targeting design studios, the weaponization of trusted OAuth tokens for mass Salesforce data theft, and delayed breach disclosures spanning nearly a year of dwell time. The UNC6395 campaign alone compromised over 700 organizations through Salesloft Drift integrations, while the Qilin ransomware group demonstrated advanced capabilities by targeting automotive intellectual property with 4TB of proprietary design data. Combined financial impact exceeds $200 million, with downstream supply chain implications affecting thousands of downstream organizations.

>>Outpace Attackers With AI-Based Automated Penetration Testing

1. Nissan Design Studio Breach – Qilin’s Automotive IP Theft

Date of Attack: August 16, 2025
Affected Users: Internal intellectual property (4TB data)

Overview

Japanese automotive giant Nissan confirmed a devastating cyberattack on its wholly-owned design subsidiary, Creative Box Inc. (CBI), following claims by the Qilin ransomware group that they stole nearly 4 terabytes of proprietary design data including 3D vehicle models, virtual reality workflows, financial records, and confidential internal reports. The attack specifically targeted Nissan’s “design think tank” responsible for experimental and concept vehicle development.

Explanation

The Qilin ransomware group (also known as Agenda) executed a sophisticated attack against Creative Box Inc.’s data servers, exploiting the design studio’s creative-focused security posture that prioritized accessibility over stringent cybersecurity controls. The attack leveraged multiple initial access vectors including compromised Remote Desktop Protocol (RDP) credentials and exploitation of publicly-facing applications vulnerable to known CVEs including CVE-2024-21762 and CVE-2024-55591 in Fortinet infrastructure.

Multi-Stage Attack Analysis:

Initial Compromise: RDP credential compromise or vulnerability exploitation
Privilege Escalation: Domain account abuse and scheduled task creation
Defense Evasion: Safe mode boot to disable security tools
Data Discovery: Systematic enumeration of design databases and file shares
Data Exfiltration: 4TB+ theft via encrypted channels
Ransomware Deployment: File encryption with .qilin extension
Extortion: Dark web publication with competitive intelligence threats

Impact

The breach exposed 4 terabytes of Nissan’s most sensitive intellectual property including 3D vehicle design models, VR design workflows, financial documents, internal reports, manufacturing blueprints, and future product roadmaps. Qilin published 16 proof-of-concept images on their dark web extortion portal, threatening to provide competitors with detailed insights into Nissan’s experimental vehicle designs and proprietary manufacturing processes. The intellectual property theft creates competitive disadvantage risks, trade secret exposure, and potential supply chain disruption across Nissan’s global manufacturing network.

Details

MITRE ATT&CK Mapping:

Initial Access: T1190 (Exploit Public-Facing Application), T1078.002 (Domain Accounts)
Execution: T1055 (Process Injection)
Persistence: T1547.001 (Registry Run Keys/Startup Folder)
Privilege Escalation: T1068 (Exploitation for Privilege Escalation), T1053.005 (Scheduled Task)
Defense Evasion: T1027 (Obfuscated Files), T1562.009 (Safe Mode Boot), T1070.001 (Clear Windows Event Logs)
Discovery: T1082 (System Information Discovery), T1018 (Remote System Discovery)
Lateral Movement: T1021.001 (Remote Desktop Protocol), T1570 (Lateral Tool Transfer)
Collection: T1005 (Data from Local System)
Exfiltration: T1011.001 (Exfiltration Over Bluetooth), T1041 (Exfiltration Over C2 Channel)
Impact: T1486 (Data Encrypted for Impact), T1489 (Service Stop), T1490 (Inhibit System Recovery), T1529 (System Shutdown/Reboot)

Technical IOCs:

text

File Extensions: .qilin, .agenda

Ransom Note: README_FOR_DECRYPT.txt

Registry Persistence: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Process Injection: rundll32.exe, svchost.exe process hollowing

Network Communication: TOR-based C2 infrastructure

Encryption: ChaCha20, AES, RSA-4096 hybrid encryption

Threat Hunting Signatures:

Safe mode boot logs followed by mass file encryption
Unusual RDP sessions from external IP ranges during off-hours
Registry modifications creating persistence mechanisms
Large outbound data transfers to TOR exit nodes
Event log clearing activities post-compromise

Remediation:

Immediate isolation of all design studio networks
Comprehensive forensic imaging of affected systems
RDP access restriction and multi-factor authentication enforcement
Network segmentation between design and production environments
Enhanced monitoring of intellectual property access patterns

Takeaway for CISOs

The Nissan attack demonstrates the critical vulnerability of creative environments that balance innovation requirements with security controls. CISOs must implement intellectual property protection strategies including data classification, network microsegmentation, and behavioral analytics to detect anomalous access to design assets. The 4TB data theft underscores the importance of data loss prevention (DLP) technologies and egress filtering to prevent massive intellectual property exfiltration.

2. Salesloft Salesforce OAuth Token Breach – UNC6395 Supply Chain Campaign

Date of Attack: August 8-18, 2025
Date of Discovery: August 19, 2025
Affected Users: 700+ organizations

Overview

Chinese-linked threat actor UNC6395 orchestrated a massive supply chain attack targeting the Salesloft Drift integration with Salesforce, compromising OAuth tokens to gain unauthorized access to customer Salesforce instances across more than 700 organizations. The campaign represents one of the most significant SaaS supply chain attacks observed, with systematic credential harvesting targeting AWS access keys, Snowflake tokens, and sensitive corporate data.

Explanation

UNC6395 exploited vulnerabilities in the Salesloft Drift AI chat agent integration to harvest OAuth and refresh tokens, enabling persistent unauthorized access to victim Salesforce environments. The attack demonstrated sophisticated operational security awareness by systematically running SOQL (Salesforce Object Query Language) queries against critical Salesforce objects including Users, Accounts, Cases, and Opportunities while attempting to delete query jobs to obscure forensic evidence.

Advanced Attack Methodology:

Initial Compromise: Salesloft Drift OAuth token theft via unknown vector
Token Validation: Systematic reconnaissance to identify active tokens
Salesforce Access: Authentication bypass using compromised OAuth tokens
Data Reconnaissance: SOQL queries to measure record volumes across targets
Selective Exfiltration: Targeted theft of credentials and sensitive data
Operational Security: Query job deletion attempts to evade detection
Credential Monetization: AWS keys and Snowflake tokens for downstream attacks

Impact

The breach compromised 700+ organizations with exfiltrated data including Amazon Web Services (AWS) access keys (AKIA format), Snowflake-related access tokens, passwords, and comprehensive Salesforce customer records. The systematic credential harvesting enables downstream supply chain attacks, cloud infrastructure compromise, and data warehouse infiltration across the entire victim ecosystem. Google Workspace accounts configured with Drift integrations also suffered limited email access, expanding the attack surface beyond Salesforce environments.

Details

MITRE ATT&CK Mapping:

Initial Access: T1199 (Trusted Relationship)
Persistence: T1550.001 (Application Access Token), T1078.004 (Cloud Accounts)
Credential Access: T1552.007 (Container API)
Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
Exfiltration: T1567.002 (Exfiltration to Cloud Storage), T1041 (Exfiltration Over C2 Channel)
Defense Evasion: T1070.008 (Clear Mailbox Data)

UNC6395 Technical Profile:

text

Attribution: Chinese-linked threat actor (assessed by Google GTIG)

Infrastructure: Tor exit nodes, VPS providers for data staging

User-Agent Patterns: Suspicious automation strings in HTTP requests

Query Patterns: Systematic SOQL reconnaissance across victim tenants

Operational Security: Query job deletion, log evasion attempts

Indicators of Compromise (IOCs):

OAuth tokens with anomalous usage patterns outside business hours
SOQL queries targeting credential fields: SELECT * FROM User WHERE API_Key__c != null
Bulk data export activities exceeding normal baselines
Suspicious User-Agent strings in Salesforce audit logs
Network traffic to Tor exit nodes from Salesforce integrations

Advanced IOCs from Astrix Research:

text

AWS Account ID: [REDACTED] – Systematic S3 bucket reconnaissance

IP Ranges: 183+ previously undisclosed Tor exit nodes

Google Workspace: Drift Email OAuth compromise for email exfiltration

Timeline: August 8-18, 2025 active campaign window

Remediation:

Immediate OAuth token revocation for all Drift integrations
Comprehensive Salesforce Event Monitoring log analysis
AWS CloudTrail review for suspicious S3 access attempts
Google Workspace audit for Drift Email application access
Implementation of OAuth application allowlisting policies

Takeaway for CISOs

The UNC6395 campaign highlights systemic weaknesses in OAuth trust models and third-party integration security. CISOs must implement zero-trust OAuth governance, continuous integration monitoring, and behavioral analytics for SaaS applications. The 700+ organization impact demonstrates the amplification effect of supply chain attacks requiring enhanced vendor risk management and shared responsibility security frameworks.

3. Healthcare Services Group Delayed Disclosure – 10-Month Dwell Time

Date of Attack: September 27 – October 3, 2024
Date of Discovery: October 7, 2024
Date of Disclosure: August 25, 2025
Affected Users: 624,496 individuals

Overview

Healthcare Services Group (HSGI), a $1.7 billion publicly traded company providing critical support services to healthcare facilities across the United States, disclosed a massive data breach affecting over 624,000 individuals nearly 10 months after the initial discovery. The unprecedented delay in breach notification raises serious questions about compliance with state and federal disclosure requirements while exposing comprehensive personal and financial data.

Explanation

The breach occurred through network intrusion with threat actors maintaining persistent access for six days (September 27 – October 3, 2024) before detection on October 7, 2024. The extensive 10-month investigation period before public disclosure on August 25, 2025, suggests sophisticated adversary tactics designed to evade detection and comprehensive data exfiltration across multiple systems. The delayed timeline indicates either complex forensic analysis requirements or potential regulatory negotiation regarding disclosure obligations.

Impact

The breach exposed comprehensive personal data including full names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and full access credentials for 624,496 individuals. The 10-month disclosure delay significantly amplified identity theft risks, as stolen credentials may have been actively monetized on criminal markets throughout 2025. HSGI’s role as a strategic healthcare support provider creates cascading risk across thousands of healthcare facilities and their patient populations.

Details

MITRE ATT&CK Mapping:

Initial Access: T1190 (Exploit Public-Facing Application)
Persistence: T1078 (Valid Accounts)
Discovery: T1083 (File and Directory Discovery)
Collection: T1005 (Data from Local System)
Credential Access: T1552 (Unsecured Credentials)
Exfiltration: T1041 (Exfiltration Over C2 Channel)

Regulatory Compliance Analysis:

HIPAA Breach Notification Rule: 60-day disclosure requirement potentially violated
State Breach Laws: Multiple state 30-90 day notification requirements exceeded
Potential Penalties: Multi-million dollar regulatory fines under various state laws

Timeline Anomalies:

text

September 27-October 3, 2024: Active breach period (6 days)

October 7, 2024: Breach discovery

October 2024 – August 2025: Investigation period (10 months)

August 25, 2025: First public notifications sent

Takeaway for CISOs

The HSGI incident demonstrates critical failures in breach response timelines and regulatory compliance management. CISOs must implement automated breach detection, predetermined disclosure workflows, and legal compliance tracking to meet statutory notification requirements. The 10-month delay represents a compliance failure that may result in regulatory enforcement action and class action litigation.

4. MathWorks Ransomware Attack – MATLAB Platform Disruption

Date of Attack: April 17 – May 18, 2025
Date of Discovery: May 18, 2025
Affected Users: 10,476 individuals

Overview

MathWorks, the $1.5 billion developer of MATLAB and Simulink platforms used by over 5 million customers globally, suffered a sophisticated ransomware attack that disrupted critical services for nearly a week while exposing personal data of 10,476 individuals. The attack targeted the company’s core infrastructure supporting mathematical simulation and computing software relied upon by over 100,000 organizations worldwide.

Explanation

The ransomware attack began with an undetected 31-day dwell time from April 17 through discovery on May 18, 2025. Threat actors conducted extensive reconnaissance and lateral movement across MathWorks’ network infrastructure before deploying ransomware payloads that encrypted critical systems supporting multi-factor authentication (MFA), single sign-on (SSO), cloud computing platforms, licensing services, and online store operations.

Service Impact Analysis:

MATLAB Online: Primary computation platform offline for 5+ days
Licensing Center: Software activation systems disrupted
Cloud Services: MathWorks Cloud Center inaccessible
Authentication Systems: MFA and SSO services compromised
Customer Portal: File exchange and download services offline

Impact

The attack exposed personal data including names, addresses, dates of birth, Social Security numbers, and non-U.S. national identification numbers for 10,476 individuals. Service disruptions affected 5 million global users and 100,000+ organizations dependent on MATLAB and Simulink for critical mathematical computing, data analysis, and simulation workflows. Academic institutions, research organizations, and engineering companies experienced significant operational disruption during the multi-day outage.

Details

MITRE ATT&CK Mapping:

Initial Access: T1566.001 (Spearphishing Attachment)
Execution: T1204.002 (Malicious File)
Persistence: T1055 (Process Injection)
Privilege Escalation: T1078 (Valid Accounts)
Discovery: T1083 (File and Directory Discovery)
Collection: T1005 (Data from Local System)
Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

Service Restoration Timeline:

text

May 18, 2025: Attack discovery and initial service disruption

May 19-22, 2025: Gradual service restoration with cybersecurity experts

May 23, 2025: MATLAB Online and MATLAB Mobile restored

May 24-27, 2025: Additional services brought online

Ongoing: Some services remain in degraded operational state

Threat Intelligence Assessment:

No ransomware group has claimed public responsibility
Suggests either ransom payment or ongoing negotiations
Unknown threat actor indicates sophisticated operational security
31-day dwell time demonstrates advanced persistent threat capabilities

Takeaway for CISOs

The MathWorks attack highlights critical infrastructure vulnerability in software platforms supporting global research and engineering communities. CISOs must implement business continuity planning for software-as-a-service dependencies and supply chain resilience strategies. The 31-day dwell time emphasizes the importance of continuous threat hunting and behavioral analytics to detect advanced persistent threats before encryption deployment.

5. TransUnion Salesforce Data Breach – Credit Bureau Compromise

Date of Attack: July 28, 2025
Date of Discovery: July 30, 2025
Affected Users: 4.4 million Americans

Overview

Consumer credit reporting giant TransUnion, one of the three major U.S. credit bureaus maintaining credit information on over 200 million Americans, suffered a massive data breach affecting 4.4 million individuals through compromise of a third-party Salesforce application. The incident represents the largest credit bureau breach of 2025 and has been directly linked to the ongoing ShinyHunters campaign targeting Salesforce CRM platforms across major corporations.

Explanation

The breach occurred through exploitation of a third-party Salesforce application supporting TransUnion’s U.S. consumer support operations. Threat actors gained unauthorized access using compromised OAuth tokens or social engineering techniques consistent with the ShinyHunters methodology that has successfully targeted multiple major corporations throughout 2025. The attack was contained within hours of detection but not before substantial customer data exfiltration.

ShinyHunters Campaign Integration:

Confirmed Attribution: ShinyHunters claimed responsibility for the attack
Data Volume: Over 13 million records stolen (4.4M U.S. residents)
Attack Pattern: Consistent with Salesforce-targeting campaign methodology
Data Evidence: Sample stolen data shared with cybersecurity researchers

Impact

The breach exposed highly sensitive personal information including names, billing addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security numbers for 4.4 million U.S. consumers. Additionally, customer support tickets and transaction reasons (such as free credit report requests) were compromised, providing threat actors with comprehensive consumer financial profiles. The breach creates severe identity theft risks and potential financial fraud targeting victims across all 50 states.

Details

MITRE ATT&CK Mapping:

Initial Access: T1566.002 (Spearphishing Link)
Execution: T1204.002 (Malicious File)
Persistence: T1078.004 (Cloud Accounts)
Defense Evasion: T1550.001 (Application Access Token)
Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
Exfiltration: T1567.002 (Exfiltration to Cloud Storage)

Compromised Data Categories:

text

Personal Identifiers: Full names, dates of birth

Contact Information: Email addresses, phone numbers, billing addresses

Financial Data: Unredacted Social Security numbers

Behavioral Data: Customer support interactions, transaction histories

Geographic Data: State residency information for regulatory notification

Regulatory Impact:

State Notifications: Filed with Maine (17,000 residents), Texas, and other states
Federal Oversight: Subject to Consumer Financial Protection Bureau jurisdiction
Class Action Risk: Multiple law firms investigating potential litigation
Credit Monitoring: 24 months free service provided to affected individuals

Remediation:

Third-party application access immediately revoked
Comprehensive forensic investigation with external cybersecurity experts
Enhanced monitoring of customer support systems
Strengthened authentication requirements for Salesforce integrations

Takeaway for CISOs

The TransUnion breach demonstrates systemic risks in the credit reporting ecosystem where compromise of a single organization affects millions of consumers nationwide. CISOs must implement enhanced third-party risk management, zero-trust access controls for customer support systems, and comprehensive data governance to protect sensitive financial information. The ShinyHunters attribution confirms the persistent threat to Salesforce-hosted data across major enterprises.

6. Zscaler Supply Chain Impact – Salesloft Drift Cascade

Date of Attack: August 8-18, 2025
Date of Discovery: August 31, 2025
Affected Users: Unknown (Customer contact data)

Overview

Cybersecurity firm Zscaler disclosed it became the latest victim of the UNC6395 supply chain campaign, with threat actors gaining unauthorized access to its Salesforce environment through compromised Salesloft Drift credentials. The breach exposes the cascading impact of supply chain attacks where even cybersecurity vendors become victims, potentially compromising their customer relationships and support data.

Explanation

The Zscaler breach stems directly from the broader UNC6395 campaign targeting Salesloft Drift OAuth integrations. Threat actors leveraged stolen OAuth and refresh tokens to authenticate against Zscaler’s Salesforce instance, accessing customer support cases and business contact information. The incident demonstrates how trusted third-party integrations create transitive trust relationships that enable adversaries to pivot between organizations within the same supply chain.

Supply Chain Attack Progression:

Initial Compromise: Salesloft Drift OAuth infrastructure breach
Token Harvesting: Mass collection of customer OAuth credentials
Target Identification: Systematic enumeration of high-value victims
Lateral Access: Zscaler Salesforce environment compromise
Data Exfiltration: Customer support cases and contact data theft
Operational Security: Coordinated timing with broader campaign

Impact

The breach compromised business contact details and Salesforce-related content including names, business email addresses, job titles, phone numbers, regional/location details, Zscaler product licensing information, commercial data, and plain text content from support cases (excluding attachments and files). While Zscaler’s core security services remained uncompromised, the incident creates phishing and social engineering risks for affected customers and partners.

Details

MITRE ATT&CK Mapping:

Initial Access: T1199 (Trusted Relationship)
Persistence: T1550.001 (Application Access Token), T1078.004 (Cloud Accounts)
Collection: T1213.002 (SharePoint), T1005 (Data from Local System)
Exfiltration: T1041 (Exfiltration Over C2 Channel)

Zscaler Response Actions:

Immediate revocation of Salesloft Drift access to Salesforce data
Proactive rotation of API access tokens across all integrations
Implementation of additional safeguards and strengthened protocols
Enhanced monitoring for potential misuse of exposed data

Supply Chain Risk Amplification:

Vendor-to-Customer Impact: Cybersecurity provider compromised
Trust Relationship Abuse: Legitimate integrations weaponized
Cascading Disclosure: Multiple organizations affected by single compromise
Operational Continuity: Core services unaffected, reputation risks elevated

Customer Protection Measures:

Heightened vigilance recommendations for phishing attempts
Social engineering awareness using exposed contact details
Enhanced verification procedures for Zscaler communications
Continuous monitoring for anomalous account activities

Takeaway for CISOs

The Zscaler incident exemplifies the amplification effects of modern supply chain attacks where cybersecurity vendors themselves become attack vectors. CISOs must implement continuous vendor risk assessment, zero-trust integration policies, and supply chain monitoring to detect and respond to transitive compromises. The incident reinforces the critical importance of OAuth security governance and third-party access controls across all SaaS integrations.