CCTR.36.SEP.25

Monday morning cyber coffee read CCTR.36.SEP.25.
Between 8-18 Aug 2025, a threat actor (UNC6395) conducted a data theft campaign against Salesforce customer instances by abusing compromised OAuth tokens from the Salesloft Drift app. Large volumes of Salesforce data were exfiltrated, with attackers actively searching for credentials including Amazon Web Services (AWS) keys, Snowflake tokens and passwords.
Only organisations with a Salesloft Drift integration into Salesforce were affected. There is no vulnerability in the core Salesforce platform.
A full list of recommendations is available in the advisory link below. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
When attackers abuse legitimate DFIR tooling as command & control (C2) to compromise their victim networks... I think this is pretty neat.
Earlier in August, evidence showed that the open source Velociraptor DFIR tool was deployed as an initial foothold, with activity likely acting as a precursor to ransomware deployment. The attacker leveraged Visual Studio Code tunneling for persistence and lateral access, demonstrating how legitimate RMM/IR tools can be abused to minimise the malware footprint and evade detection.
I’ve seen IR teams install Velociraptor during active IR in client environments but fail to remove it afterwards. If you find Velociraptor lurking in your environment, check with your SOC / IR teams to confirm whether it was a legitimate deployment or malicious activity.
Monitor for unauthorised DFIR/RMM tool use.
https://docs.velociraptor.app/knowledge_base/tips/velocirator_misuse/
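As an added example (not from the newsletter or the Velociraptor project), the check above as a small Python reconciliation: an endpoint inventory export is compared against the IR/IT register of approved deployments, and any DFIR/RMM tool with no record, or still present after its engagement closed, is listed for the SOC/IR team to confirm. The inventory rows, the register and the tool name patterns are constructed for the example.

```python
from datetime import date

# Tool families to reconcile. The name patterns are assumptions for this example and
# are matched case-insensitively against the service name and binary path.
WATCHED_TOOLS = {
    "velociraptor": ("velociraptor",),
    "screenconnect": ("screenconnect", "connectwise control"),
    "vscode-tunnel": ("code tunnel", "code-tunnel"),
}

def classify(service, path):
    """Return the watched tool family for an inventory row, or None."""
    needle = f"{service} {path}".lower()
    for tool, patterns in WATCHED_TOOLS.items():
        if any(p in needle for p in patterns):
            return tool
    return None

def reconcile(inventory, approvals, today):
    """inventory: (host, service, path) rows; approvals: {(host, tool): engagement_end}.
    Returns (host, tool, reason) for every install the SOC/IR team should confirm."""
    findings = []
    for host, service, path in inventory:
        tool = classify(service, path)
        if tool is None:
            continue                      # not a DFIR/RMM tool we track
        end = approvals.get((host, tool))
        if end is None:
            findings.append((host, tool, "no approved deployment on record"))
        elif today > end:
            findings.append((host, tool, f"engagement ended {end}, tool still present"))
    return findings

# Constructed sample data: one engagement that closed in April but whose agent was
# never removed, plus two installs with no record at all.
INVENTORY = [
    ("fs01", "Velociraptor", r"C:\Program Files\Velociraptor\velociraptor.exe"),
    ("ws17", "Velociraptor", r"C:\Program Files\Velociraptor\velociraptor.exe"),
    ("ws22", "ScreenConnect Client", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("db03", "MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\sqlservr.exe"),
]
APPROVALS = {("fs01", "velociraptor"): date(2025, 4, 30)}
TODAY = date(2025, 9, 1)

if __name__ == "__main__":
    for host, tool, reason in reconcile(INVENTORY, APPROVALS, TODAY):
        print(f"{host}: {tool}: {reason}")
```

Feed it the real inventory and register from your asset management and IR ticketing systems; the approval register is the piece most teams lack, and keeping it current is what makes the leftover-agent case detectable.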
Mimecast has identified an active credential harvesting campaign (MCTO3030) targeting ConnectWise ScreenConnect cloud administrators. The campaign has been running since 2022, using low-volume but persistent phishing to evade detection.
They’ve targeted senior IT staff with ScreenConnect super admin privileges, with stolen credentials enabling attackers to deploy malicious ScreenConnect clients across multiple endpoints for rapid ransomware distribution.
The campaign is linked to Qilin ransomware affiliates, indicating its role as an initial access vector for ransomware operations.
Train IT staff on ScreenConnect-themed phishing and on how AiTM (adversary-in-the-middle) phishing bypasses MFA.
Restrict ScreenConnect admin access to organisation-managed devices only.
https://www.mimecast.com/threat-intelligence-hub/screenconnect-super-admin-credential/
As you know, Citrix Netscaler is under fire (since the beginning of time).
In late June 2025, Citrix released a patch for the vulnerability CVE-2025-6543, describing it as a “memory overflow causing denial of service.” They failed to mention one small but important detail at the time.
In reality, the flaw enabled remote code execution (RCE) and was used in a widespread campaign compromising Netscaler remote access systems. Threat actors deployed webshells to maintain persistence even after patching.

As you can imagine, the threat actor didn’t stop there. They chained together multiple Citrix Netscaler zero-days (CVE-2025-6543 for RCE and webshells, CVE-2025-5777 for session hijacking, and possibly CVE-2025-7775) to gain access, stay persistent and expand control. It shows that Netscaler has become a favoured hunting ground for a skilled threat actor.
Netscaler customers face sustained, state-level threat actor exploitation. Patching after compromise is insufficient.
Internet-facing Netscaler instances have halved since late 2023, suggesting mass customer attrition. Maybe this is something to think about. https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-used-as-a-zero-day-since-may-2025-d76574e2dd2c