Cyber Security Weekly Briefing, 4-10 October

October 10, 2025

Massive extortion after Salesforce instance breaches

An extortion group calling itself "Scattered Lapsus$ Hunters," a collective that brings together ShinyHunters, Scattered Spider and Lapsus$, has launched a new leak site to pressure dozens of companies affected by a wave of Salesforce instance breaches, posting samples of stolen data and demanding payment by Oct. 10.

The list includes major brands and organizations that, according to the attackers, have already been contacted and have downloaded the samples, although many chose not to respond. The intrusions reportedly began with vishing campaigns that tricked employees into authorizing malicious OAuth-connected applications in their Salesforce environments, giving the attackers the access needed to extract databases, tokens and credentials.

The operators further claim to have used the stolen tokens to reach third-party integrations and amplify the impact, and are also demanding a ransom from Salesforce itself to prevent the mass release of around one billion records.

Salesforce states that there are no indications of platform compromise or vulnerabilities in its technology and that it is investigating the incidents with customers and authorities.


Cybercriminals and state actors step up attacks on Microsoft Teams using social engineering and malware

Microsoft Threat Intelligence warned that Microsoft Teams has become a priority target for cybercriminals and state actors, who abuse its messaging, calling and videoconferencing functions along the attack chain.

Among the techniques observed are the impersonation of technical support, the use of deepfakes, and the delivery of malware such as DarkGate or ReedBed through chats or video calls. Groups such as Storm-1811, Octo Tempest and Midnight Blizzard use Teams to steal credentials, bypass multifactor authentication and run ransomware or data exfiltration campaigns. Abuse of Teams APIs and of tools such as AADInternals or TeamFiltration for reconnaissance, persistence and lateral movement was also observed.

Microsoft recommends identity hardening, endpoint protection, end-to-end encryption, control over external access, and advanced detection with Microsoft Defender XDR and Defender for Cloud Apps, reinforcing security policies within the framework of its Secure Future Initiative (SFI).


CSS abuse in emails: "hidden text salting" technique defies detection filters

Cisco Talos has detected an increase in the malicious use of cascading style sheets (CSS) to insert text that is invisible to the recipient, a technique known as hidden text salting, used to evade email detection systems.

Attackers insert hidden content in the preheader, header, body or attachments of emails using CSS properties such as font-size, opacity, display or visibility, which render the added text invisible. Talos identifies three types of "salt": characters (including zero-width characters such as ZWSP, the zero-width space, and ZWNJ, the zero-width non-joiner), irrelevant paragraphs, and HTML comments, all used to confuse spam filters or static analysis.

These techniques are far more common in spam than in legitimate email, and can even mislead AI-based or LLM-based classifiers by distorting their reading of the message's intent or sentiment. To mitigate this, Talos proposes detecting hidden content and sanitizing the HTML before classification, in addition to the use of intelligent filters and machine learning-based defenses.
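The detection and sanitization Talos proposes can be illustrated with a short scanner. The following is an added example written for this briefing, not Talos code, and both sample emails are constructed. It flags the inline hiding properties named above (display, visibility, opacity, font-size), counts zero-width characters and HTML comments, and returns the reader-visible text with the salt stripped, which is what a content classifier should be given rather than the raw HTML:

```python
import re
from html.parser import HTMLParser

# Zero-width code points commonly used as "character salt": ZWSP, ZWNJ, ZWJ,
# word joiner and the zero-width no-break space (BOM).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Inline CSS declarations that render an element's text invisible.
HIDING_RULES = {
    "display": re.compile(r"^none$", re.I),
    "visibility": re.compile(r"^hidden$", re.I),
    "opacity": re.compile(r"^0(\.0+)?$"),
    "font-size": re.compile(r"^0(\.0+)?(px|pt|em|rem|%)?$", re.I),
}

NON_VISIBLE_TAGS = {"style", "script", "head", "title"}   # never shown to the reader
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}
BLOCK_TAGS = {"p", "div", "br", "li", "tr", "td", "th", "table",
              "h1", "h2", "h3", "h4", "h5", "h6"}


def is_hiding_style(style: str) -> bool:
    """True if an inline style attribute hides the element's text."""
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        rule = HIDING_RULES.get(prop.strip().lower())
        if rule and rule.match(value.strip()):
            return True
    return False


class SaltingScanner(HTMLParser):
    """Split an HTML email into reader-visible and hidden text and count the
    salting indicators. Assumes reasonably balanced markup (constructed here)."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self.comments = 0
        self.zero_width = 0
        self._stack = []          # one bool per open element: does it hide text?
        self._hide_depth = 0

    def _sink(self):
        return self.hidden if self._hide_depth else self.visible

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self._sink().append(" ")        # keep words of adjacent blocks apart
        if tag in VOID_TAGS:
            return                          # no matching end tag to pop
        style = dict(attrs).get("style") or ""
        hiding = tag in NON_VISIBLE_TAGS or is_hiding_style(style)
        self._stack.append(hiding)
        if hiding:
            self._hide_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag in BLOCK_TAGS:
            self._sink().append(" ")
        if self._stack and self._stack.pop():
            self._hide_depth -= 1

    def handle_comment(self, data):
        self.comments += 1

    def handle_data(self, data):
        self.zero_width += sum(1 for ch in data if ch in ZERO_WIDTH)
        # Strip zero-width salt so that "pass\u200bword" reads as "password".
        self._sink().append("".join(ch for ch in data if ch not in ZERO_WIDTH))


def scan_email_html(html: str, hidden_ratio_threshold: float = 0.3) -> dict:
    """Return sanitized visible text, salting indicators and a verdict.

    A short display:none preheader is normal in marketing mail, so hidden text
    only counts when it dominates the message; any zero-width salt counts."""
    scanner = SaltingScanner()
    scanner.feed(html)
    scanner.close()
    visible = " ".join("".join(scanner.visible).split())
    hidden = " ".join("".join(scanner.hidden).split())
    total = len(visible) + len(hidden)
    ratio = len(hidden) / total if total else 0.0
    return {
        "visible_text": visible,
        "hidden_text": hidden,
        "zero_width_chars": scanner.zero_width,
        "html_comments": scanner.comments,
        "hidden_ratio": round(ratio, 2),
        "suspicious": scanner.zero_width > 0 or ratio > hidden_ratio_threshold,
    }


# Constructed samples: one salted phishing-style message, one clean message
# that still carries Outlook conditional comments.
SALTED_EMAIL = (
    "<html><body>"
    '<div style="display:none; max-height:0px">Meeting notes attached regarding '
    "the quarterly budget review.</div>"
    "<p>Your pass\u200bword expi\u200cres today. "
    '<span style="font-size:0px">lorem ipsum</span>'
    'Click <a href="http://example.invalid">here</a></p>'
    "<!-- random salt 1 --><!-- random salt 2 -->"
    "</body></html>"
)
CLEAN_EMAIL = (
    "<html><body><!--[if mso]><table><tr><td><![endif]-->"
    "<p>Hi team, the deck for Thursday is attached.</p>"
    "<!--[if mso]></td></tr></table><![endif]--></body></html>"
)

if __name__ == "__main__":
    for name, mail in (("salted", SALTED_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, scan_email_html(mail))
```

Two caveats apply. A short display:none preheader is a legitimate and common practice, so the verdict relies on a hidden-to-visible ratio and treats zero-width characters as the stronger signal; Outlook conditional comments are likewise common in clean mail, so comments are reported but do not trigger the verdict by themselves. The scanner also reads only inline style attributes; a class defined in a style block or a linked stylesheet that sets font-size:0 would need a CSS parser to catch.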


Clop had been exploiting the Oracle E-Business Suite 0-day since August

Clop and other actors have been actively exploiting the critical vulnerability CVE-2025-61882 (CVSS v3.1 score 9.8 per Oracle) in Oracle E-Business Suite, located in the BI Publisher integration component, to achieve unauthenticated remote code execution through low-complexity HTTP requests.

CrowdStrike dates the earliest known exploitation to early August and describes mass data-theft campaigns targeting sensitive documents. Oracle released a patch on Oct. 4 and urged customers to apply it immediately. Researchers who reviewed a PoC leaked in October concluded that the flaw is actually a chain of vulnerabilities that yields RCE with a single request, and warn that the release of the PoC will likely encourage more groups to build exploits against internet-exposed EBS instances.

In addition to technical intrusions, Clop has sent extortion emails to executives demanding payments in exchange for not publishing the stolen data.
