Security Community

August 21st, 2025 🔍 What: • On Friday August 15th, Human Resources giant Workday disclosed a data breach targeting their third-party Customer Relationship Management (CRM) platform. • Attackers gained access using social engineering techniques, most prominently impersonation via. vishing and smishing. Most likely, attackers impersonated HR or IT and tricked users into linking a malicious OAuth application to their CRM instance. • Workday is just the latest company to have their CRM platform breached in an on-going campaign targeting companies that utilize Salesforce as their CRM platform. The group behind the attack, ShinyHunters, has conducted several successful attacks targeting major companies like Adidas, Qantas, Allianz Life, and Louis Vuitton, to name a few. ⚠️ Impact: • Data Breach: Workday did not disclose the amount of data that was exfiltrated, and asserts that no customer tenants were impacted and stolen data was mostly commonly available business contact information, such as names, phone numbers, email addresses, etc. However, it goes without saying that some of the customer data involved in the breach could be leveraged for subsequent attacks. • Third-Party Risk Factor: This breach emphasizes the need for organizations to remain diligent in vetting their third-party (and fourth-party) vendors. Since vendors providing third-party services can be seen as an attack vector to accessing the organizations they provide services to, these types of attacks are becoming increasingly more common. • Credibility & Trust: Despite Workday asserting that no sensitive data was compromised or exfiltrated, data containing customer and contact information was exfiltrated. This data can be harvested and used for future targeted attacks. Any compromise of systems and/or data, regardless of the classification of data involved, can be detrimental to reputation, and be a catalyst for the erosion of trust. 💡 Recommendations: 1. Strengthen Employee Awareness & Phishing Defense • Provide training on phishing and social engineering tactics, Include emphasis that your organization will never request passwords or secure credentials via unsolicited calls or texts. • Encourage employees to verify requests through official, trusted channels. 2. Enforce Robust Access Controls (MFA & PLP) • Apply stringent permission models, implement multi-factor authentication (MFA) wherever possible, and ensure granular access rights are in place across both primary and third-party systems. 3. Assess Third-Party Providers • Conduct regular assessments and audits of third-party service providers, ensuring their adherence to security best-practices. • Adopt a Third-Party Risk Management (TPRM) platform to streamline the management process and increase visibility on organizational attack surface. 4. Incident Preparedness • Document and standardize response procedures for attacks involving the compromise of systems and data. • Regularly review and update your organizations Incident Response Plan (IRP), and conduct tabletops and simulated attacks to cultivate a proactive security approach. Read the full article HERE

August 15th, 2025 ❓What: • The city of Saint Paul confirmed the cyber attack they experienced in late July to be a ransomware attack carried out by ransomware gang Interlock. Threat intel company PRODAFT reports that the actors were able to access the city's systems via custom SystemBC Remote Access Trojan (RAT) malware. • After the incident exceeded city response capacity, the state of Minnesota activated the National Guard's Cyber Protection Unit to work jointly with the city and the FBI in a recovery effort the Mayor has named Operation Secure St. Paul. • Interlock claims it stole ~66,000 files / 43 GB and has begun leaking data. The mayor said residents’ personal/financial info was "not impacted". • After the city made it clear that they would not pay the ransom, Interlock leaked over 42 GB of data stolen from the attack to their dark web portal. According to independent investigators, of the stolen files and documents, at least 280 files contain PII such as email archives, passport scans, and drivers licenses. ⚠️Impact: • Service disruption & revenue impact: Payment portals and some city services (e.g., libraries/recreation centers) were disrupted, delaying routine operations and billing. • Data exposure pressure: Despite the city claiming no confirmed exposure of residents’ financial data, Interlock’s leak claims increase extortion pressure and reputational risk. • Trend escalation: CISA/FBI warned days earlier of rising Interlock activity and double-extortion tactics—this incident reflects that risk to U.S. critical services. • Double extortion model: Interlock has been found to utilize an extortion model that not only encrypts data, but also threatens to upload stolen data to their dark web portal if the ransom is not paid. 💡Recommendations:  • Contain & restore with rigor: Keep impacted segments isolated; rotate credentials & keys; validate offline backups; rebuild from known-good images; maintain clear public status updates on service availability. • Target likely TTPs: Enforce MFA everywhere, patch rapidly (OS, apps, edge), tighten egress/DNS filtering, and hunt for RAT/beacon artifacts associated with Interlock campaigns (e.g., SystemBC/NodeSnake). • Data-handling & third-party checks: Assess least privilege controls, disable stale accounts, verify vendor access and logging, and enable DLP/anomalous transfer alerts—especially around HR/finance repositories highlighted in the leak claims. • Readiness & comms: Perform tabletop exercises on ransomware + public leak scenarios; pre-stage legal/PR and resident-notification templates; prepare credit monitoring guidance if exposure is confirmed. Engage in information sharing with industry partners, such as MS-ISAC's or relevant industry ISAC's. Read the full article HERE

July 31, 2025 ❓What: • On July 16, 2025, a threat actor used a social engineering technique to compromise a third-party, cloud-based CRM (Salesforce) platform used by Allianz Life Insurance of North America. • The breach exposed personally identifiable information of the majority of Allianz Life’s ~1.4 million U.S. customers, as well as financial professionals and select employees. • Allianz discovered the intrusion on July 17, responded promptly, and notified the FBI and regulators including Maine’s Attorney General. • There is no evidence that Allianz Life’s internal network, policy administration system, or other Allianz SE systems were compromised. • This attack is the latest among a months long campaign linked to the cyber-crime collective Scattered Spider (UNC3944), who have utilized voice phishing (vishing) to target various industries, including insurance providers. ⚠️ Impact: • Massive data exposure: Data includes names, Social Security numbers, contact details, policy numbers, and dates of birth—ripe for identity theft, phishing, wire fraud, or future ransomware attacks. • Regulatory and reputational fallout: Allianz must comply with disclosure mandates and faces increased scrutiny from regulators and the public. • Insurance sector at risk: This breach follows similar incidents at Aflac, Erie, and Philadelphia Indemnity, signaling a growing trend of social engineering campaigns targeting insurers. • Erosion of trust: The industry’s longevity is built on customer trust—exposing millions of policy holders undermines confidence and brand integrity. 💡Recommendations: • Strengthen third-party oversight: Implement a robust Third-Party Risk Management (TPRM) program—include rigorous due diligence, continuous monitoring, and enforceable security standards (e.g., ISO 27001, NIST) within vendor contracts, especially for critical cloud services like CRM platforms. • Adopt Zero Trust frameworks: Enforce granular access control, multi-factor authentication (with phishing-resistant factors), and least-privilege access—even for external vendors. Track and verify access continuously. • Plan for supply-chain breaches: Expand incident response playbooks to include vendor compromise scenarios. Conduct regular tabletop exercises simulating supply-chain attacks to test response coordination across internal and external teams. • Encrypt sensitive data end-to-end: Ensure encryption for data at rest and in transit within vendor eco-systems. Audit key management practices and mandate encryption compliance in vendor agreements. • Train employees and vendor staff relentlessly: Deploy security training to include frequent, realistic phishing resistance training and social engineering simulations for both internal teams and third-party personnel. Clarify data handling protocols and incident-reporting channels. Read the full article HERE