Risky Bulletin: APTeens Go After Salesforce Data
Release Date: June 6, 2025 | Host: Claire Aird | Source: Risky.biz
Overview
In this episode of Risky Bulletin, host Claire Aird delves into a series of recent cybersecurity incidents, highlighting threats ranging from sophisticated hacking groups targeting enterprise data to nation-state cyber maneuvers. The episode provides a comprehensive update on the evolving cyber threat landscape, offering insights into the methods employed by malicious actors and the responses from authorities and affected organizations.
Tractors UNC040 Targets Salesforce Data
A prominent focus of the episode is the activities of the hacking group Tractors UNC040, which has orchestrated a significant breach of Salesforce data across more than 20 companies.
"A hacking group has used a fake Salesforce app to breach and extort more than 20 companies." (00:10)
Methodology:
- Social Engineering: The group impersonated IT departments, contacting employees at large corporations.
- Malware Deployment: Employees were deceived into installing a modified Salesforce Data Loader app, granting the hackers unauthorized access to Salesforce databases.
- Origins: According to Google's security team, Tractors UNC040 hails from the underground community associated with the notorious Scattered Spider group.
UK Tax Authority Hit by Massive Fraud
Another significant incident involves cybercriminals stealing 47 million pounds from the UK Tax Authority, Her Majesty's Revenue and Customs (HMRC).
"Hackers compromised around 100,000 taxpayers' accounts and claimed fraudulent refunds." (00:35)
Details:
- Attack Vector: Primarily through phishing campaigns that harvested employee credentials.
- Response: HMRC is actively notifying affected individuals and reinforcing security measures to prevent further breaches.
DHS Shuts Down CISA's Mobile App Vetting Program
The U.S. Department of Homeland Security has announced the termination of CISA's Mobile App Vetting Program, a critical tool established in 2023 to evaluate mobile applications used by federal employees.
"The program was essential for assessing mobile apps to assist government agencies with their risk management." (01:10)
Implications:
- Staff Reductions: Since President Donald Trump took office, CISA has seen a significant reduction in its workforce, now operating with 2,649 employees compared to 3,732 last year.
- Government Accountability: Members of the House Homeland Security subcommittee have called for discussions with DHS Secretary Kristi Noem regarding the shutdown and its impact on federal cybersecurity efforts.
Romanian Telcos Combat Fraudulent Calls
Romanian telecommunications companies have been directed to block inbound international calls that masquerade as domestic communications, responding to a surge in fraud attempts targeting government institutions.
"The block won't eliminate all fraud, but it will prevent obvious attempts." (01:40)
Outcome:
- Enhanced Security Measures: This initiative aims to reduce the prevalence of fraudulent calls, safeguarding both government entities and the public from deceptive practices.
Interlock Ransomware Attacks Kettering Health
The Interlock Ransomware group has claimed responsibility for a breach at the Kettering Health hospital chain in Ohio, disrupting operations and leading to data leaks.
"Interlock leaked some of the stolen data after Kettering allegedly refused to pay the ransom demand." (02:05)
Consequences:
- Operational Disruption: The attack has left Kettering Health in recovery mode, addressing both data security and system integrity.
- Ransom Implications: The refusal to comply with ransom demands has resulted in the public exposure of sensitive information.
Ukraine's Cyber Offensive Against Tupolev
Ukraine's military intelligence has successfully hacked the Russian aircraft manufacturer Tupolev, extracting 4.4 gigabytes of sensitive data.
"The data will be useful for future operations against Russia's military industrial complex." (02:30)
Strategic Impact:
- Intelligence Gain: The stolen files include internal communications and personnel details, providing Ukraine with valuable insights for ongoing conflict scenarios.
- Countermeasures: This breach underscores the escalating cyber tactics employed in geopolitical conflicts.
China's Reward for Taiwanese Military Hacker Information
In a move reflecting ongoing tensions, China is offering a 10,000 yuan ($1,400) reward for information on 20 Taiwanese military hackers accused of cyberattacks against Chinese institutions.
"China has accused Taiwan's Information Communications and Electronic Force Command of hacking companies and government organizations in 11 Chinese provinces." (03:00)
Context:
- Cyber Warfare: This bounty highlights the intersection of cybersecurity and international relations, where cyber espionage serves as a tool for statecraft.
- US Involvement: Meanwhile, the US State Department has set a $10 million reward for information leading to the arrest of Russian national Maxim Rudomitov, indicted for developing the Redline Infostealer.
FBI Takes Down Biden Cash Carding Forum
The FBI has successfully seized 145 domains linked to the Biden Cash carding forum, an online marketplace for stolen credit card information.
"The site dumped millions of credit cards for free as a marketing strategy when it launched." (03:25)
Background:
- Operational Tactics: The marketplace, believed to be operated by Russian speakers, employed aggressive marketing by initially offering free credit card dumps to attract users.
- Law Enforcement Success: The takedown marks a significant win in combating online fraud and illicit marketplaces.
Sentencing of Vile Hacking Group Members
Two members of the Vile hacking group have been sentenced to prison for their cybercrimes targeting law enforcement portals.
"Sagar Steven Singh, also known as Weep, was sentenced to 27 months, while Nicholas Chiaraolo, also known as Convict, received a 25-month sentence." (04:00)
Criminal Activities:
- Doxing and Harassment: The individuals were involved in stealing data to harass and publicly shame victims, showcasing the personal harm cybercriminals can inflict.
Malicious GitHub Repositories Identified
Google's security team has identified that 8% of Model Context Protocol (MCP) servers hosted on GitHub may be malicious, with approximately 1,400 out of 18,000 repositories exhibiting suspicious activities.
"Suspicious functionality includes harvesting credentials or trying to run remote code." (04:25)
Risks:
- AI Integration Vulnerabilities: MCP servers are integral for integrating AI tools, meaning malicious repositories can compromise broader systems through credential theft and unauthorized code execution.
Exposure of Solar Panel Management Interfaces
Over 35,000 solar panel management interfaces are currently exposed to the internet, with 75% located in Europe, particularly Germany and Greece.
"Three quarters of the exposed systems are located in Europe, primarily in Germany and Greece." (04:50)
Security Concerns:
- Potential Exploits: Exposed management interfaces can be leveraged by attackers to manipulate solar panel operations or harvest sensitive data.
- Vendor Vulnerabilities: A significant portion of these exposures involves systems from German vendor SMA Solar, highlighting the need for enhanced security protocols in IoT devices.
Russian Data Wiper Malware in Ukraine
Russian hackers have deployed a new data wiper malware strain, Pathwise, within the network of an unnamed Ukrainian critical infrastructure operator, marking their ninth such deployment since the onset of the war.
"Pathwise is the ninth wiper deployed in Ukraine by Russian hackers since the war began." (05:15)
Impact:
- Data Destruction: The malware is designed to irreparably damage data, disrupting essential services and undermining confidence in Ukraine's critical infrastructure security.
Exploitation of Roundcube Webmail Vulnerability
Attackers are actively exploiting a recently patched vulnerability in the Roundcube Webmail server, with attacks beginning just two days after the patch was released.
"The vulnerability impacts all versions of Roundcube released in the last decade." (05:40)
Threat Landscape:
- Rapid Exploitation: The swift action by threat actors underscores the persistent race between vulnerability patching and exploitation.
- Underground Market: The availability of the exploit on hacking forums facilitates widespread attacks despite official patches.
Critical Vulnerabilities in Infoblox and HPE Software
Recent assessments have unveiled multiple high-risk bugs in enterprise software solutions from Infoblox and Hewlett Packard Enterprise (HPE).
Infoblox NetMRI Vulnerabilities:
- Types of Flaws: A remote authentication bypass via hard-coded credentials, privilege escalation through cookie forgery, unauthenticated command injection, and SQL injection.
- Risk Level: These vulnerabilities allow attackers to gain unauthorized access and execute malicious commands within affected systems.
HPE StoreOnce Enterprise Backup Flaws:
- Nature of Vulnerabilities: An authentication bypass and several remote code execution (RCE) flaws.
- Mitigation: HPE has issued patches for the eight identified vulnerabilities; none are known to be exploited in active attacks.
"The vulnerabilities include an authentication bypass and several remote code execution flaws." (06:10)
Recommendations:
- Immediate Patch Application: Organizations using Infoblox NetMRI and HPE StoreOnce Enterprise Backup are urged to apply the latest security updates to safeguard against potential exploits.
Conclusion
This episode of Risky Bulletin provides a thorough examination of the latest cybersecurity threats and responses. From sophisticated hacking groups targeting enterprise data to nation-state cyber operations and critical software vulnerabilities, the episode underscores the dynamic and multifaceted nature of the cyber threat environment. Organizations and individuals alike are encouraged to stay vigilant, implement robust security measures, and remain informed about emerging threats to mitigate risks effectively.
Timestamp Reference:
- 00:10 - Tractors UNC040 Targets Salesforce Data
- 00:35 - UK Tax Authority Hit by Massive Fraud
- 01:10 - DHS Shuts Down CISA's Mobile App Vetting Program
- 01:40 - Romanian Telcos Combat Fraudulent Calls
- 02:05 - Interlock Ransomware Attacks Kettering Health
- 02:30 - Ukraine's Cyber Offensive Against Tupolev
- 03:00 - China's Reward for Taiwanese Military Hacker Information
- 03:25 - FBI Takes Down Biden Cash Carding Forum
- 04:00 - Sentencing of Vile Hacking Group Members
- 04:25 - Malicious GitHub Repositories Identified
- 04:50 - Exposure of Solar Panel Management Interfaces
- 05:15 - Russian Data Wiper Malware in Ukraine
- 05:40 - Exploitation of Roundcube Webmail Vulnerability
- 06:10 - Critical Vulnerabilities in Infoblox and HPE Software
