Latest news with #GoogleThreatIntelligenceGroup


Time of India
11 hours ago
- Business
- Time of India
Hackers abuse modified Salesforce app to steal data, extort companies, Google says
By AJ Vicens

Hackers are tricking employees at companies in Europe and the Americas into installing a modified version of a Salesforce-related app, allowing the hackers to steal reams of data, gain access to other corporate cloud services and extort those companies, Google said on Wednesday.

The hackers - tracked by the Google Threat Intelligence Group as UNC6040 - have "proven particularly effective at tricking employees" into installing a modified version of Salesforce's Data Loader, a proprietary tool used to bulk import data into Salesforce environments, the researchers said.

The hackers use voice calls to trick employees into visiting a purported Salesforce connected app setup page to approve the unauthorized, modified version of the app, created by the hackers to emulate Data Loader. If the employee installs the app, the hackers gain "significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments," the researchers said. The access also frequently gives the hackers the ability to move throughout a customer's network, enabling attacks on other cloud services and internal corporate networks.

Technical infrastructure tied to the campaign shares characteristics with suspected ties to the broader and loosely organized ecosystem known as "The Com," known for small, disparate groups engaging in cybercriminal and sometimes violent activity, the researchers said.

A Google spokesperson did not share additional details about how many companies have been targeted as part of the campaign, which has been observed over the past several months.

A Salesforce spokesperson told Reuters in an email that "there's no indication the issue described stems from any vulnerability inherent in our platform." The spokesperson said the voice calls used to trick employees "are targeted social engineering scams designed to exploit gaps in individual users' cybersecurity awareness and best practices."

The spokesperson declined to share the specific number of affected customers, but said that Salesforce was "aware of only a small subset of affected customers," and said it was "not a widespread issue." Salesforce warned customers of voice phishing, or "vishing," attacks and of hackers abusing malicious, modified versions of Data Loader in a March 2025 blog post.


Scoop
08-05-2025
- Business
- Scoop
Navigating The UNC3944 Threat: Strategic Imperatives For Business Resilience
The threat posed by UNC3944 and similar financially motivated actors demands a proactive, strategic, and business-centric approach to cybersecurity.

Mandiant Incident Response Analysis

The cyber threat landscape continues to evolve, demanding a proactive and strategic approach from businesses across all sectors. Among the persistent and adaptable threat actors is UNC3944, a financially motivated group with a history of targeting telecommunications for SIM swap fraud that has since expanded its operations to encompass ransomware and data theft extortion across a broader range of industries. Notably, recent targeting of financial services in late 2023 and food services in May 2024 signals a potential shift in focus, possibly driven by a desire for higher-profile victims.

While observations from Google Threat Intelligence Group (GTIG) suggest a possible temporary lull in UNC3944 activity following recent law enforcement interventions in 2024, businesses must not become complacent. Disruptions to threat actor operations are often temporary, and existing infrastructure and toolsets can be leveraged by other malicious actors within the cybercriminal ecosystem. Recent public reports linking tactics consistent with the Scattered Spider group to ransomware attacks on UK retail organizations, involving the DragonForce ransomware which reportedly gained control of the RansomHub RaaS affiliate program (a program UNC3944 was previously affiliated with), underscore the interconnectedness of the threat landscape. While direct attribution remains unconfirmed by GTIG, the historical links and tactical overlaps warrant serious consideration for businesses, particularly within the retail sector.

The increasing targeting of retail organizations for data theft and extortion is further evidenced by the rising percentage of retail victims listed on data leak sites (DLS). This figure has climbed steadily, reaching 11 percent in 2025, up from 8.5 percent in 2024 and 6 percent in the preceding two years. This trend highlights the growing financial incentive for cybercriminals to target the retail industry.

For business leaders, understanding the evolving threat posed by UNC3944 and similar actors is paramount. A reactive, compliance-driven approach to cybersecurity is no longer sufficient. Organizations must adopt a strategic, risk-based framework that prioritizes proactive defense and business continuity. The following strategic imperatives are crucial for building resilience against these threats:

1. Implement a Zero-Trust Security Model: Embrace a security philosophy that assumes no user or device is inherently trustworthy. Implement strict access controls, micro-segmentation, and continuous verification across the network to limit the impact of potential breaches.

2. Invest in Advanced Threat Detection and Response Capabilities: Deploy and actively manage sophisticated EDR and Network Detection and Response (NDR) solutions. These technologies provide real-time visibility into endpoint and network activity, enabling early detection of malicious behavior and facilitating rapid incident response.

3. Prioritize Data Protection and Governance: Implement robust data loss prevention (DLP) strategies and enforce strict data governance policies. Understand where sensitive data resides, implement appropriate access controls, and establish procedures to prevent unauthorized access and exfiltration.

4. Cultivate a Security-Aware Culture: Invest in comprehensive and ongoing security awareness training for all employees. Educate them on the risks of phishing, social engineering, and other common attack vectors. Empower employees to be the first line of defense by fostering a culture of vigilance and responsible security practices.

5. Develop and Test a Comprehensive Incident Response Plan: A well-defined and regularly tested incident response plan is critical for minimizing the impact of a successful cyberattack. This plan should outline clear roles and responsibilities, communication protocols, and procedures for containment, eradication, and recovery. Specific attention should be paid to scenarios involving ransomware and data extortion.

6. Conduct Regular Risk Assessments and Penetration Testing: Proactively identify vulnerabilities and weaknesses in the security infrastructure through regular risk assessments and penetration testing. These exercises provide valuable insights into potential attack vectors and inform necessary security enhancements.

7. Foster Collaboration and Information Sharing: Engage with industry peers, threat intelligence providers, and government agencies to stay informed about emerging threats and best practices. Sharing threat intelligence can enhance collective defense and improve overall cybersecurity posture.

8. Ensure Business Continuity and Disaster Recovery Planning: Develop and regularly update comprehensive business continuity and disaster recovery plans. These plans should outline procedures for maintaining critical business functions in the event of a cyber incident, including data recovery and system restoration.

9. Evaluate and Manage Third-Party Risks: Understand the security posture of third-party vendors and service providers. Implement contractual requirements and conduct due diligence to ensure that external partners adhere to appropriate security standards.

10. Align Cybersecurity Strategy with Business Objectives: Cybersecurity should not be viewed as a purely technical function but rather as a strategic imperative that is aligned with overall business goals. Security investments should be prioritized based on potential business impact and risk mitigation.

In conclusion, the threat posed by UNC3944 and similar financially motivated actors demands a proactive, strategic, and business-centric approach to cybersecurity. By prioritizing these strategic imperatives, organizations can build greater resilience, protect critical assets, and minimize the potential financial and reputational damage associated with sophisticated cyberattacks. Leadership must champion a culture of security and ensure that cybersecurity investments are viewed as essential for long-term business sustainability.


Indian Express
08-05-2025
- Indian Express
Google identifies new malware linked to Russia-based hacking group
The malware 'marks a new development in the toolset' of Cold River, Wesley Shields, a researcher with Google Threat Intelligence Group, said in a blog. Cold River, a name used to track hacking campaigns previously linked to Russia's Federal Security Service, is primarily known for stealing login credentials for high-profile targets, including those within NATO governments, non-governmental organizations and former intelligence and diplomatic officers, Shields said in the blog. The central goal was intelligence collection in support of Russian strategic interests.


Sky News
02-05-2025
- Business
- Sky News
North Korean hacker who tried to get a job at US tech company caught red-handed - here's how
A North Korean hacker who attempted to infiltrate the ranks of a US tech company has been caught red-handed.

He had applied for an engineering role at the Kraken cryptocurrency exchange, which knew he was a malicious actor from the very start. But instead of rejecting his CV, executives allowed him to advance through the recruitment process so they could gather intelligence about his tactics.

The first red flag emerged when the hacker joined a video call using a different name to the one on his resume, with his voice occasionally switching throughout the interview.

It was also discovered that the dodgy candidate's email address was linked to a large network of fake identities and aliases used by a hacking group. Forensic examination of his ID showed that it appeared to have been altered - and may have featured details from victims of identity theft.

Traps were also set in the final interview, when the hacker was asked to verify their location and recommend nice restaurants in the city they claimed to live in. Kraken said this caused the candidate to unravel - and they were unable to convincingly answer simple questions because they were flustered and caught off guard.

"By the end of the interview, the truth was clear: this was not a legitimate applicant, but an imposter attempting to infiltrate our systems," the company added.

Its chief security officer Nick Percoco has warned state-sponsored attacks are a "global threat" - and while some hackers break in, others try to walk through the front door. Although artificial intelligence is making it easier to deceive businesses, he doesn't believe this technology is foolproof, as real-time verification tests can often wrong-foot fraudsters.

Research from the Google Threat Intelligence Group suggests this is a growing problem - with North Korean IT workers gaining employment at major companies in the US and Europe. Their salaries help generate revenue for the secretive state - and in some cases, malicious actors also extort their employers by threatening to release commercially sensitive information.