The Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said. UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025. https://lnkd.in/e9W78jYW
Alex Medvediev’s Post
FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks https://lnkd.in/gfUAa6eT The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said. UNC6395 is a threat group that has been attributed a widespread data theft campaign targeting Salesforce instances in August 2025 by exploiting compromised OAuth tokens for the Salesloft Drift application. In an update issued this week, Salesloft said the attack was made possible due to the breach of its GitHub account from March through June 2025. As a result of the breach, Salesloft has isolated the Drift infrastructure and taken the artificial intelligence (AI) chatbot application offline. The company also said it's in the process of implementing new multi-factor authentication processes and GitHub hardening measures.
#cyberNEWS FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks. The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said. https://lnkd.in/drmNuCtH
Overpass-the-Hash (aka Pass-the-Key) lets adversaries use a stolen NTLM hash to request Kerberos tickets (TGT/TGS), effectively converting a captured hash into Kerberos-based access and moving laterally without needing plaintext credentials.

Vulnerabilities & Misconfigurations
🔴 Compromised endpoints that allow LSASS/credential dumping (e.g., Mimikatz)
🔴 Excessive local or domain admin rights that enable hash access
🔴 NTLM allowed and accepted across domains or trusts
🔴 Weak segmentation between workstations, servers, and Domain Controllers
🔴 Lack of Kerberos hardening (RC4/legacy ciphers permitted)

➡️ Business Impact
Once attackers convert a hash into Kerberos tickets, they authenticate like legitimate users across services—rapidly expanding access and enabling persistence, data theft, or ransomware at scale.

➡️ Recent Incident Example
Advanced intrusions repeatedly leverage hash-to-ticket techniques to bypass controls and escalate from a single compromised host to domain-level access, prolonging dwell time and complicating incident response.

How to Detect It
☑️ Alert on unusual Kerberos requests originating from non-typical hosts or low-privilege accounts.
☑️ Monitor for authentication chains showing NTLM-derived tickets or anomalous AS-REQ/TGS patterns.
☑️ Flag processes and hosts performing credential dumping (LSASS access, suspicious Mimikatz indicators).
☑️ Correlate sudden service ticket requests with prior local admin activity or new tool execution.
☑️ Baseline normal Kerberos behaviour and alert on deviations in ticket lifetime, issuer, or source host.

How to Fix & Prevent
✅ Protect secrets: enable LSA protection, Credential Guard, and restrict access to LSASS memory.
✅ Reduce hash exposure: remove unnecessary local/domain admin rights and use JIT/JEA for admin tasks.
✅ Minimize NTLM usage: disable or restrict NTLM where possible and enforce Kerberos (AES) only.
✅ Harden Kerberos: disallow RC4/weak ciphers, enforce strong key policies, and protect KRBTGT credentials.
✅ Segment networks and protect Domain Controllers—limit systems that can request or use high-privilege tickets.
✅ Implement continuous identity telemetry and rapid remediation workflows to isolate compromised hosts immediately.

Overpass-the-Hash turns stolen hashes into full-blown identity abuse. If you’re not monitoring Kerberos anomalies and protecting LSASS access, you’re leaving attackers a low-effort path to domain compromise.

#OverpassTheHash #PassTheKey #Kerberos #IdentitySecurity #LateralMovement #ThreatDetection #ActiveDirectory #MITREATTACK #DelaSecurity
Learn more: www.delasecurity.com
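An added detection example, not part of the post above or of Dela Security's material: it applies the post's "anomalous AS-REQ" and "baseline normal Kerberos behaviour" advice to Windows Security event 4768 (Kerberos TGT requested) records, flagging RC4 (type 0x17) ticket requests in a domain where AES is the norm, and requests for an account from a host it has never used. The event records, account names and IP addresses are constructed; the field names and encryption type codes follow the real 4768 schema.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # 4768 TicketEncryptionType for RC4-HMAC; the RC4 Kerberos key is the NT hash itself
AES256 = 0x12    # AES256-CTS-HMAC-SHA1-96, the expected type in a hardened domain

# Constructed sample 4768 events used as the historical baseline.
BASELINE_EVENTS = [
    {"TargetUserName": "alice", "IpAddress": "10.0.1.20", "TicketEncryptionType": AES256},
    {"TargetUserName": "alice", "IpAddress": "10.0.1.20", "TicketEncryptionType": AES256},
    {"TargetUserName": "bob", "IpAddress": "10.0.1.31", "TicketEncryptionType": AES256},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.2.5", "TicketEncryptionType": AES256},
]

# Constructed new events to evaluate: one normal, one matching the Overpass-the-Hash
# pattern (alice's key used from a host she never uses, with an RC4 ticket request).
NEW_EVENTS = [
    {"TargetUserName": "bob", "IpAddress": "10.0.1.31", "TicketEncryptionType": AES256},
    {"TargetUserName": "alice", "IpAddress": "10.0.9.77", "TicketEncryptionType": RC4_HMAC},
]

def build_baseline(events):
    """Map each account to the set of source hosts it has requested TGTs from."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["TargetUserName"]].add(e["IpAddress"])
    return hosts

def detect_overpass_the_hash(baseline, events):
    """Flag TGT requests that use RC4 (a hash-derived key) or that come from a host
    outside the account's baseline; both signals together are the strongest case."""
    alerts = []
    for e in events:
        user, ip, etype = e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"]
        reasons = []
        if etype == RC4_HMAC:
            reasons.append("RC4 TGT request where AES is the norm")
        if ip not in baseline.get(user, set()):
            reasons.append(f"TGT for {user} from unseen host {ip}")
        if reasons:
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append({"user": user, "ip": ip, "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_overpass_the_hash(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(a["severity"], a["user"], a["ip"], "; ".join(a["reasons"]))
```

A lone RC4 request can still be a legacy application, which is why the host baseline is combined with it rather than used alone.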
FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations' Salesforce environments to steal data and extort victims... https://lnkd.in/ejqZ-CiW
Chess[.]com has revealed they were the victim of a data breach
Timing: Incident occurred in June 2025
Impact: Personal info of over 4.5k users was stolen from a third-party platform
Remediation:
- Law enforcement has been notified
- External cybersecurity experts are engaged with the investigation
- 1-2 years of free identity theft and credit monitoring is being offered to those affected
#cybersecurity #databreach #chesscom https://lnkd.in/gaDJXgBt
Your network perimeter can no longer be protected by adding more firewalls, event monitoring, and pen testing. The digital identities that are used to access your business systems pose as hundreds and thousands of vulnerabilities in your network, that hackers take advantage of via identity fraud and theft. Read how a multi-layered identity verification and authentication approach is the first line of defense against cybercrime: https://lnkd.in/ga2Ev49G
The FBI is warning the public about malicious actors who are creating fake websites that mimic the official Internet Crime Complaint Center (IC3). The IC3, which launched in 2000, serves as a central hub for people to report various cybercrimes, including identity theft, hacking, and online scams. These fraudulent sites are designed to deceive unsuspecting individuals who are trying to file a report. The FBI explains that these spoofed websites are used to steal personal information and facilitate monetary fraud. The criminals behind these scams often use slight variations in spelling or different top-level domains, such as .com instead of the legitimate .gov, to trick users. This tactic is especially effective for people who are searching for the official IC3 site to submit a complaint. Once on the fake site, users may be prompted to enter sensitive data, which can then be stolen. According to the FBI, these threat actors create spoofed sites with the goal of harvesting personally identifiable information (PII). This can include everything from a user's name and address to their phone number, email address, and even banking information. The Bureau emphasizes that the IC3 will never ask for payment to recover lost funds or refer a user to a company that requires payment for such a service. This is a key indicator that a site is not legitimate. To avoid falling victim to these scams, the FBI recommends that users always type the official address, www.ic3.gov, directly into their browser's address bar. It's also crucial to avoid clicking on sponsored results that appear in search engines, as these can often lead to malicious sites. The FBI also advises users to verify that the website they are visiting ends in .gov, which signifies it is a legitimate government site. Finally, the FBI advises users to be wary of any URLs that look suspicious or differ from the official IC3 site. 
They should not click on links with unusual graphics or artifacts and should never share sensitive information unless they are absolutely certain the website is legitimate. The Bureau also reminds the public that the IC3 does not use social media and encourages anyone who encounters a suspicious site to report the incident. #cybersecurity #informationsecurity #IC3 #FBI #website #spoofing
Kidas is evolving. We’ve always protected vulnerable users, starting with children in online games. But the threat landscape has changed. Scams aren’t just targeting gamers or kids, they’re targeting everyone. So we’re expanding our mission. Kidas now delivers real-time scam detection for all individuals, helping our partners protect users across voice, text, and digital communication platforms. From identity theft to phishing texts, we catch threats before the damage is done. We’re excited to bring our detection tech to a broader set of B2B2C partners in cybersecurity, telecom, insurance, and more. The mission hasn’t changed. The reach has. Full press release: https://lnkd.in/gznRSj4i