
Data Breach

Banking


1.5M Flagstar Bank customers hit by December cyberattack, only now disclosed

Flagstar Bank discloses a data breach affecting over 1.5 million customers following a cyberattack that occurred back in December…

21-Jun-2022
2 min read


Related Articles


ShinyHunters

Cisco confirms July 2025 voice phishing attack compromised third-party CRM syste...

Cisco Systems, one of the world's largest manufacturers of networking equipment, has become the latest victim in an escalating wave of voice phishing (vishing) attacks targeting enterprise CRM systems. The breach, discovered on July 24, 2025, compromised a third-party cloud-based Customer Relationship Management system through a social engineering attack that required no malware, no software vulnerability and no technical exploit: a convincing phone call was enough to trick a single employee.

The attack exposed basic profile information for approximately **137,000 Cisco.com users** (a figure from public reporting; Cisco itself has not disclosed the exact number), including names, organization details, email addresses, phone numbers and account metadata. Cybersecurity researchers estimate the breach could cost the company up to **$4.9 million** based on current data breach averages, highlighting how human psychology has become the most exploited vulnerability in modern cybersecurity.

This incident represents more than an isolated security lapse. It exemplifies a fundamental shift in cybercrime tactics, in which attackers have moved beyond exploiting technical vulnerabilities to weaponizing human trust and organizational processes.

## Anatomy of a Perfect Social Engineering Campaign

### Voice Phishing Methodology

The Cisco breach demonstrates the evolution of voice phishing from crude cold-calling schemes to precision-targeted social engineering campaigns. According to the company's official statement, the attack began when a cybercriminal contacted a Cisco representative by telephone, impersonating a trusted entity to manipulate the employee into granting unauthorized access to the third-party CRM system.

**Attack Timeline:**

- **July 24, 2025**: Cisco discovers the breach and identifies vishing as the attack vector
- **Immediate response**: Cisco terminates the attacker's access and launches an investigation
- **August 5, 2025**: Public disclosure confirms the scope of the incident

### Human Firewall Failure

The success of this attack underscores a critical reality: **technical defenses are sidestepped entirely when an attacker can simply call an employee and ask for access**. Voice phishing success rates have reached alarming levels, with research indicating:

- **37% success rate** for standalone vishing attacks
- **75% success rate** when vishing is combined with email phishing
- **442% increase** in vishing attacks between the first and second halves of 2024 (CrowdStrike's 2025 Global Threat Report)
- **30% annual increase** in vishing incidents globally, with financial losses exceeding $1.2 billion in 2023

### Third-Party Risk Amplification

The Cisco incident highlights how third-party CRM systems have become prime targets for criminals seeking high-value data under lighter security oversight. Unlike internal corporate systems, which typically receive intensive security attention, third-party platforms often operate with:

- **Reduced security monitoring** from client organizations
- **Simplified access controls** chosen for ease of use
- **Broader user permissions** granted for operational efficiency
- **Limited incident response integration** with client security teams

## ShinyHunters Connection: Industrial-Scale CRM Targeting

### Attribution and Campaign Analysis

While Cisco has not officially attributed the attack, security researchers have linked the breach to the **ShinyHunters extortion group** (activity Google tracks as UNC6040), which has run an unprecedented campaign against Salesforce and other CRM platforms throughout 2025. This attribution is based on:

- **Tactical similarities** to confirmed ShinyHunters operations
- **Target profile alignment** with the group's CRM-focused strategy
- **Attack timing** correlating with peak ShinyHunters activity
- **Social engineering methodology** matching established UNC6040 patterns

### Campaign Scale and Sophistication

The ShinyHunters campaign is one of the most systematic attacks on enterprise CRM systems ever documented, affecting major corporations across multiple industries.

**Confirmed Victims (2025):**

- **Allianz Life**: 1.4 million customer records exposed (July 2025)
- **Chanel**: US customer database compromised (July 2025)
- **LVMH brands**: Louis Vuitton, Dior and Tiffany & Co. systems breached
- **Adidas**: Customer information accessed via a CRM platform
- **Qantas**: Passenger data stolen from a Salesforce instance
- **Cisco**: approximately 137,000 user profiles compromised (July 2025)

### Economic Impact Assessment

The cumulative impact of the ShinyHunters CRM campaign has reached unprecedented levels:

- **Estimated 3+ million individuals** affected across all confirmed breaches
- **$30+ million in direct breach costs** based on industry averages
- **Immeasurable reputational damage** to affected global brands
- **Regulatory compliance costs** spanning multiple jurisdictions
- **Customer notification and credit monitoring expenses** exceeding $10 million collectively

## Voice Phishing Epidemic

### Statistical Landscape

Voice phishing has emerged as one of the fastest-growing cybercrime vectors, with 2025 marking a watershed year for the technique's mainstream adoption.

**Global Vishing Statistics:**

- **30% of organizations** report weekly or daily vishing attempts
- **59.4 million Americans** fell victim to phone scams in 2021 alone
- **168 million** phone-based scam attempts recorded in Thailand (2024)
- **1,530% increase** in deepfake-assisted vishing cases (2022-2023)
- **26.9% increase** in targeted voice attacks across the APAC region

### Corporate Vulnerability Factors

Modern organizations are unusually exposed to vishing because of structural and cultural changes.

**Organizational Risk Factors:**

- **Remote work normalization**, reducing opportunities for in-person verification
- **Outsourced IT support**, creating legitimate pretexts for unsolicited calls
- **Cloud service proliferation**, expanding the range of plausible impersonation scenarios
- **Digital transformation speed**, outpacing security awareness programs

### Executive Targeting Trends

Recent research finds that senior executives face disproportionate vishing risk, with **23% higher susceptibility** to AI-driven personalized attacks. This stems from:

- **Busy schedules** limiting time for verification
- **Authority trust patterns** making executives more likely to comply with urgent requests
- **High-value targets** offering greater financial incentive to attackers
- **Public information availability** enabling detailed social engineering research

## CRM Attack Vector

### Salesforce Ecosystem Vulnerabilities

The concentration of attacks on Salesforce-based systems reflects both the platform's market dominance and its susceptibility to social engineering. No flaw in the platform itself is exploited; the attackers abuse legitimate features.

**Platform Risk Factors:**

- **Connected app architecture** enabling OAuth token abuse
- **Data Loader functionality** providing a legitimate-looking pretext for a malicious app
- **Administrative delegation** allowing broad access permissions
- **Integration complexity** creating multiple attack pathways

### Attack Methodology Evolution

The ShinyHunters campaign has demonstrated remarkable tactical sophistication.

**Phase 1: Reconnaissance**

- Social media mining for organizational structure
- Identification of employee roles and contact information
- Research into IT support processes and documentation

**Phase 2: Initial Contact**

- Vishing calls impersonating IT personnel
- Creation of urgent, plausible scenarios requiring immediate action
- Exploitation of remote-work communication norms

**Phase 3: Technical Exploitation**

- Walking the victim to the Salesforce connected app setup page
- Approval of a malicious OAuth application disguised as a legitimate tool (in the documented cases, a modified copy of Salesforce's Data Loader under an innocuous name)
- Data exfiltration through the authorized API connection

**Phase 4: Persistence and Expansion**

- Long-term data access through OAuth token abuse
- Lateral movement to additional cloud platforms
- Credential harvesting for future operations

## Financial and Regulatory Impact

### Cost Analysis Framework

The financial impact of vishing-based CRM breaches extends far beyond initial response costs.

**Direct Costs:**

- **Incident response**: $280,000 average per breach
- **Legal and regulatory**: $1.2 million average compliance costs
- **Customer notification**: $150 per affected individual
- **Credit monitoring**: $50-100 per individual annually

**Indirect Costs:**

- **Reputational damage**: 5-15% customer churn rates
- **Business disruption**: $50,000 per day average downtime
- **Regulatory fines**: up to 4% of annual global revenue under GDPR
- **Competitive disadvantage**: long-term market position impacts

### Regulatory Landscape Evolution

The wave of CRM-targeted attacks has prompted increased regulatory attention.

**Emerging Requirements:**

- **Third-party risk management** mandatory disclosure requirements
- **Voice authentication controls** for sensitive system access
- **Social engineering resistance** incorporated into compliance frameworks
- **Incident response coordination** between vendors and clients

## Defensive Strategies and Mitigation Approaches

### Immediate Technical Controls

Organizations can implement several technical measures to reduce vishing exposure.

**Authentication Hardening:**

- **Multi-factor authentication** mandatory for all administrative functions
- **Hardware security keys** for high-privilege accounts
- **IP address restrictions** for CRM administrative access
- **Session monitoring** for unusual activity patterns

Note that MFA alone does not stop the connected-app pattern described above: the victim authenticates legitimately and then authorizes the attacker's app themselves, so restricting which users may approve new connected apps matters as much as hardening the login.

**Communication Security:**

- **Callback verification** required for all IT support requests
- **Digital channels** for sensitive administrative communications
- **Voice authentication** systems for phone-based verification
- **Call recording** and monitoring for security purposes

### Organizational Process Improvements

**Human-Centered Defenses:**

- **Regular vishing simulations** to test employee response
- **Authority verification** protocols for unusual requests
- **Escalation procedures** for suspicious communications
- **Cross-functional validation** for high-risk activities

**Vendor Management:**

- **Security requirements** incorporated into all third-party contracts
- **Incident response coordination** agreements with CRM providers
- **Access monitoring** and logging requirements
- **Regular security assessments** of vendor environments

### Advanced Countermeasures

**Behavioral Analytics:**

- **AI-powered detection** of unusual administrative activities
- **User behavior modeling** to identify compromised accounts
- **Anomaly detection** for data export patterns
- **Predictive threat intelligence** integration

**Communication Monitoring:**

- **Voice pattern analysis** to detect impersonation attempts
- **Call metadata analysis** for suspicious communication patterns
- **Social engineering attempt** documentation and sharing
- **Threat intelligence integration** for known vishing campaigns

## Industry Response and Future Outlook

### Vendor Security Enhancements

Major CRM providers have begun implementing enhanced security measures in response to the attack wave.

**Salesforce Initiatives:**

- Enhanced monitoring for unusual OAuth app installations
- Improved detection of bulk data export activities
- Strengthened user verification requirements
- Expanded security awareness resources

**Industry-Wide Changes:**

- **Zero-trust architecture** adoption across CRM platforms
- **Enhanced audit logging** for administrative activities
- **Real-time security alerts** for suspicious behavior
- **Improved incident response** coordination with customers

### Regulatory and Policy Responses

The scale of the ShinyHunters campaign has prompted regulatory action.

**Legislative Developments:**

- **Enhanced third-party liability** requirements under consideration
- **Mandatory vishing prevention** training in some jurisdictions
- **Stricter data handling** requirements for CRM platforms
- **Coordinated response** requirements for multi-victim attacks

### Technology Evolution Trends

The vishing threat is driving innovation in defensive technologies.

**Emerging Solutions:**

- **AI-powered voice authentication** to detect synthetic audio
- **Behavioral biometrics** for continuous user verification
- **Deepfake detection** systems for communication security
- **Automated social engineering detection** platforms

## Lessons Learned and Strategic Implications

### The Human Element Paradox

The Cisco breach exemplifies a paradox in modern cybersecurity: as technical defenses become more sophisticated, attackers increasingly target the humans those systems depend on. This trend suggests that:

- **Security investment** must balance technical and human-focused defenses
- **Employee training** must evolve continuously to address new social engineering tactics
- **Organizational culture** must encourage security skepticism without impeding operations
- **Verification processes** must be both robust and practical for daily use

### Supply Chain Security Imperatives

The concentration of attacks on third-party CRM systems highlights critical gaps in supply chain security:

- **Vendor due diligence** must include social engineering assessments
- **Shared responsibility models** require clear delineation of security obligations
- **Incident response coordination** between vendors and clients is essential
- **Continuous monitoring** of third-party environments is increasingly necessary

### Future Threat Evolution

The success of the ShinyHunters campaign points to several concerning trends:

- **Industrialization of social engineering** with professional-grade operations
- **AI enhancement** of vishing attacks using deepfake and voice synthesis technology
- **Cross-platform coordination** combining vishing with other attack vectors
- **Extended persistence**, with attacks continuing for months before detection
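The connected-app abuse described under "Attack Methodology Evolution" and the "anomaly detection for data export patterns" listed under Advanced Countermeasures leave a simple, detectable trace: a connected app nobody has approved is authorized by a user and, minutes later, the same app pulls a large volume of records through the API. The block below is an added example (not code from the original article, from Google or from Salesforce) that correlates those two signals. It runs over constructed audit records loosely modelled on Salesforce EventLogFile rows; the field names (`ts`, `user`, `event`, `app`, `rows`), the allowlist and every record are assumptions made for this illustration.

```python
"""Correlate 'unknown connected app authorized' with 'bulk export shortly after'.

Added example (not code from the original article, Google or Salesforce). The
records below are constructed and only loosely modelled on Salesforce
EventLogFile rows; the field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the org has reviewed and approved (constructed allowlist).
KNOWN_APPS = {"Salesforce Data Loader", "Marketing Sync"}

# Alert when an app outside the allowlist moves more than ROW_THRESHOLD rows
# within EXPORT_WINDOW of its first authorization by the same user.
ROW_THRESHOLD = 10_000
EXPORT_WINDOW = timedelta(minutes=30)

# Constructed sample log. alice uses an approved app; carol approves an app
# whose name imitates the real Data Loader; bob approves an innocuously named
# app during a "support call" and it immediately bulk-exports records.
SAMPLE_EVENTS = [
    {"ts": "2025-07-24T09:02:11Z", "user": "alice", "event": "OAUTH_GRANT", "app": "Marketing Sync", "rows": 0},
    {"ts": "2025-07-24T09:05:40Z", "user": "alice", "event": "API_QUERY", "app": "Marketing Sync", "rows": 1_200},
    {"ts": "2025-07-24T10:00:00Z", "user": "carol", "event": "OAUTH_GRANT", "app": "Salesforce Data Loader v2", "rows": 0},
    {"ts": "2025-07-24T10:10:00Z", "user": "carol", "event": "BULK_QUERY", "app": "Salesforce Data Loader v2", "rows": 25_000},
    {"ts": "2025-07-24T14:31:05Z", "user": "bob", "event": "OAUTH_GRANT", "app": "My Ticket Portal", "rows": 0},
    {"ts": "2025-07-24T14:33:18Z", "user": "bob", "event": "BULK_QUERY", "app": "My Ticket Portal", "rows": 50_000},
    {"ts": "2025-07-24T14:36:02Z", "user": "bob", "event": "BULK_QUERY", "app": "My Ticket Portal", "rows": 87_000},
    # Same app, but hours later: outside the window, so not counted toward the alert.
    {"ts": "2025-07-24T18:00:00Z", "user": "bob", "event": "BULK_QUERY", "app": "My Ticket Portal", "rows": 5_000},
]


def _norm(name):
    """Strip case and punctuation so 'Data-Loader' and 'data loader' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def impersonates_known_app(name, known_apps=KNOWN_APPS):
    """True if an unknown app's normalized name contains, or is contained in,
    an approved app's name (e.g. 'Salesforce Data Loader v2')."""
    n = _norm(name)
    return any(_norm(k) in n or n in _norm(k) for k in known_apps if _norm(k) != n)


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_rogue_exports(events, known_apps=KNOWN_APPS,
                         row_threshold=ROW_THRESHOLD, window=EXPORT_WINDOW):
    """Return one alert per (user, app) where an app outside the allowlist was
    authorized and then pulled more than row_threshold rows within window."""
    first_grant = {}                 # (user, app) -> time of first authorization
    exported = defaultdict(int)      # (user, app) -> rows pulled inside the window
    for e in sorted(events, key=lambda e: _parse_ts(e["ts"])):
        key = (e["user"], e["app"])
        t = _parse_ts(e["ts"])
        if e["event"] == "OAUTH_GRANT" and e["app"] not in known_apps:
            first_grant.setdefault(key, t)
        elif e["event"] in ("API_QUERY", "BULK_QUERY") and key in first_grant:
            if t - first_grant[key] <= window:
                exported[key] += e["rows"]
    alerts = []
    for (user, app), rows in exported.items():
        if rows > row_threshold:
            alerts.append({
                "user": user,
                "app": app,
                "grant_at": first_grant[(user, app)].isoformat(),
                "rows": rows,
                "impersonates": impersonates_known_app(app, known_apps),
            })
    alerts.sort(key=lambda a: a["grant_at"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_exports(SAMPLE_EVENTS):
        print(alert)
```

The grant-then-export correlation is what separates this from a plain volume threshold: a long-standing integration that exports nightly never trips it, while an app first seen during a "support call" that starts draining records within minutes does. Treating the allowlist as the baseline is also the control that matters most operationally; if ordinary users cannot authorize new connected apps at all, the first half of the pattern never occurs.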

06-Aug-2025
9 min read

Orange

Orange suffers major cyberattack, impacting French customers and public services...

On **Friday, July 25, 2025**, Orange Group detected a cyberattack targeting one of its internal information systems. Its response, led by **Orange Cyberdefense**, involved rapid isolation of potentially affected services to contain the threat and prevent lateral movement across the network. This containment step, while essential, inadvertently caused **service disruptions**, affecting specific corporate management platforms and select consumer-facing services, particularly in **France**.

## 🗓️ Timeline of Key Events

| Date | Event |
| --- | --- |
| July 25, 2025 | Cyberattack detected; immediate isolation begins. |
| July 25–28, 2025 | Disruptions reported across business and consumer services, mostly in France. |
| July 28, 2025 | Orange files a formal complaint and notifies authorities. |
| July 30, 2025 (Wednesday) | Target date for gradual restoration of key services. |

By **Wednesday morning, July 30**, service restoration was expected to reach most affected platforms, under heightened vigilance.

## 🧩 Impact Overview

* **Affected systems**: Internal information systems and platforms, especially management tools for **enterprise clients** and a handful of **consumer services**, concentrated in **France**.
* **Customers**: Business and public-sector customers experienced degraded or offline services; only a few consumer services were affected.
* **Scale**: Orange serves roughly **291–300 million customers** across **26 countries**, employs about 125,000–127,000 staff, and posted revenue of roughly €40.3 billion in 2024.

## 🛡️ Security Response & Data Integrity

* **Containment**: Rapid isolation of affected systems by Orange Cyberdefense helped avert further spread or escalation.
* **Data exfiltration**: At this stage, **no evidence has emerged that internal or customer data was stolen**. The company remains vigilant and forensic investigation continues.
* **Regulatory action**: A formal complaint was lodged on **July 28**, and the French authorities and data protection regulator have been notified as GDPR requires.

## 🎯 Attribution & Threat Actor Speculation

- Orange has not publicly identified a perpetrator or disclosed the attack vector.
- The incident bears some resemblance to earlier telecom compromises attributed to the China-linked **Salt Typhoon** group, known for stealthy persistence and for targeting operators worldwide, including U.S. carriers such as AT&T, Verizon, Lumen, Comcast and Viasat. The comparison rests on the target profile; no evidence tying the group to this intrusion has been published.
- Such state-sponsored groups often linger in networks to enable eavesdropping, disinformation or disruption should geopolitical tensions escalate (for example over Taiwan).

## Orange's Recent Cyberattack History

* **Previous breach in Romania (Feb 2025)**: A non-critical application was compromised by a threat actor allegedly tied to **HellCat / "Rey"**, who claimed to have stolen data including emails, contracts and source code (about 12,000 files and 380,000 email addresses). That incident is separate and unrelated to the current one, but it highlights Orange's recurring exposure.
* **ANSSI warnings**: France's national cybersecurity authority has repeatedly highlighted state-sponsored risks to telecom infrastructure, including mobile network cores and satellite communications, consistent with patterns tied to [Salt Typhoon](https://www.secureblink.com/cyber-security-news/china-linked-hackers-exploit-cisco-flaw-in-escalating-espionage-campaign).

## Ongoing Recovery & Precautionary Measures

1. Core disrupted services were due to be brought back online gradually **by July 30**, under controlled verification and heightened monitoring.
2. Orange teams engaged directly with affected enterprise and consumer users, offering assistance and status updates.
3. Orange Cyberdefense continues a deep-dive investigation to trace the intrusion's scope, assess lateral movement and identify the root cause.
4. Law enforcement and data protection authorities are kept informed and are cooperating through the official complaint process.

## Broader Implications

- Telecom operators are foundational to connectivity, public services and enterprise operations, which makes them high-value targets.
- The suspected Salt Typhoon linkage, if borne out, would indicate that intelligence-gathering and disruption capabilities remain active and persistent around European telecoms.
- Even in the absence of data loss, prolonged outages erode customer trust, breach enterprise SLAs and alarm investors.

## Incident Snapshot Table

| Topic | Detail |
| --- | --- |
| Date detected | July 25, 2025 |
| Response action | Isolation of affected systems by Orange Cyberdefense |
| Primary impact region | France (business and public sectors; select consumer platforms) |
| Data breach status | **No confirmed exfiltration**; investigation ongoing |
| Recovery timeline | Gradual service restoration by **Wednesday, July 30** |
| Threat actor speculated | Patterns align with **Salt Typhoon** telecom breaches |
| Regulatory response | Complaint filed July 28; GDPR authorities notified |
| Organizational scope | ~291–300 million customers, 26 countries, ~125,000–127,000 employees, ~€40 billion revenue |

## Expert Insights & Considerations

With no disclosure of the initial intrusion method (phishing, zero-day, VPN compromise), other security teams are left without indicators to hunt on, and undetected persistence remains a risk. While isolating systems curtailed the spread, it triggered significant downtime in critical management platforms, highlighting the careful balance between containment and continuity. Filing a formal complaint and GDPR notifications signals how seriously Orange treats the incident; any subsequent findings could result in penalties or compliance reviews. Past breaches (such as the one in Romania) and the evolving threat landscape underline the need for regular red teaming, network segmentation and stronger threat detection.

Orange's disclosure of a **suspected cyberattack on July 25, 2025**, and its swift isolation measures led to service disruptions across business and some consumer platforms, especially in France. While **no data loss** has been confirmed so far, the incident fits a worrying global pattern tied to sophisticated, state-linked actors such as Salt Typhoon. With a formal complaint lodged and recovery under way by July 30, the episode underscores the strategic vulnerability of telecom infrastructure and the criticality of advanced detection, incident response and regulatory compliance in a digital-first world.

04-Aug-2025
5 min read

Bybit

North Korean TraderTraitor group executed largest crypto theft in history throug...

The threat landscape witnessed an unprecedented breach in February 2025 when North Korea's TraderTraitor group orchestrated the largest cryptocurrency theft in history, stealing roughly $1.5 billion from the Bybit exchange through a supply chain compromise of Safe{Wallet}'s multisignature platform.

## **Attack Methodology and Timeline**

The operation began on February 4, 2025, when TraderTraitor operatives compromised a Safe{Wallet} developer's macOS workstation through a targeted social engineering campaign[3][4]. Posing as recruiters on LinkedIn, the attackers lured the developer into running a malicious Docker project named "MC-Based-Stock-Invest-Simulator-main", which communicated with the command-and-control domain getstockprice[.]com.

On February 5 the threat actors gained access to Safe{Wallet}'s Amazon Web Services environment by hijacking the developer's AWS session tokens. Because a stolen session token is already past the login step, this bypassed multi-factor authentication without the attackers ever holding the second factor. They then operated inside the environment for roughly two weeks, conducting reconnaissance and staging the final step.

The critical phase came on February 19, when the attackers injected malicious JavaScript into Safe{Wallet}'s web interface resources hosted in an AWS S3 bucket. The code was written to activate only for transactions from Bybit's cold-wallet Safe and remained dormant for every other user, which limited the chance of early detection.

## **Technical Execution**

On February 21, 2025, Bybit employees initiated what appeared to be a routine transfer of about $7 million from the cold wallet to a warm wallet. The injected JavaScript intercepted the transaction and altered the parameters submitted for signing. The interface continued to display the legitimate transfer to the three required signers, but the payload they actually signed was a delegatecall into an attacker-controlled contract, which replaced the Safe proxy's implementation and handed the attackers control of the wallet. They then drained roughly 401,000 ETH (approximately $1.5 billion) to wallets they controlled.

The malicious code was removed from Safe{Wallet}'s infrastructure about two minutes after the theft succeeded. That rapid cleanup complicated forensic investigation and points to operators experienced in covering their tracks.

## **Attribution & Strategic Context**

The Federal Bureau of Investigation formally attributed the attack to TraderTraitor, a financially motivated subgroup operating under North Korea's Lazarus Group umbrella. TraderTraitor, also tracked as Jade Sleet, UNC4899 and Slow Pisces, is one of several hacking units controlled by North Korea's Reconnaissance General Bureau (RGB).

The attack continues a pattern of escalating North Korean cryptocurrency theft: the regime stole an estimated $1.34 billion across 47 incidents in 2024 alone. Intelligence assessments indicate that up to 50% of North Korea's foreign currency income derives from malicious cyber activity, with the proceeds directly supporting the country's nuclear weapons and ballistic missile programs.

## **Broader Campaign Activities**

The Bybit heist is the culmination of TraderTraitor's evolving tactics, building on earlier operations including the $308 million DMM Bitcoin theft in May 2024. In that attack, operatives used similar social engineering, targeting a developer at the wallet provider Ginco through a fake LinkedIn recruitment scheme that delivered Python-based malware tracked as RN Loader and RN Stealer.

TraderTraitor's methodology consistently leverages supply chain weaknesses, as in the 2023 JumpCloud compromise, where the group infiltrated the cloud identity management provider to reach downstream cryptocurrency customers. The approach exploits the trust relationships built into modern software development and deployment pipelines.

## **Defensive Implications and Industry Response**

The attack exposed a critical weakness in multisignature wallet deployments: the signing flow depended on a web front end, so compromising the presentation layer was enough to deceive authorized signers even though the Safe smart contracts themselves were never broken. Hardware wallets that display only an opaque hash give the signer no independent way to notice that the fields being signed differ from those shown on screen.

Bybit maintained solvency through emergency bridge loans and launched a "Lazarus Bounty Program" offering rewards for the recovery of stolen assets. Blockchain intelligence firms nonetheless confirmed that over $300 million of the stolen cryptocurrency had already been laundered through mixing services and decentralized exchanges.

The incident prompted renewed scrutiny of supply chain security across the cryptocurrency industry, with particular focus on verifying software dependencies and enforcing code-signing checks on front-end assets. Organizations using multisignature solutions have begun reviewing their transaction signing processes and user interface integrity controls.

This breach underscores the capabilities of state-sponsored actors in exploiting complex software supply chains, and shows how traditional security boundaries fail against adversaries with strategic patience and significant resources.
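The lesson of the "Technical Execution" and "Defensive Implications" sections is that the signer must check the fields that will actually be hashed and signed against what the UI claims, using a source the web front end cannot tamper with (the hardware wallet's decoded display, or the pending transaction fetched through a separate channel). The block below is an added example of that signer-side check, not code from Bybit, Safe{Wallet} or the investigators. Field names follow Safe's `execTransaction` parameters (`to`, `value`, `data`, `operation`); the addresses, amounts, calldata and allowlist are constructed for the illustration.

```python
"""Signer-side 'verify what you sign' check for a Safe multisig transaction.

Added example, not code from Bybit, Safe{Wallet} or the investigators. It
compares the transaction the web UI rendered with the payload actually
presented for signing and applies a treasury policy. Field names follow
Safe's execTransaction parameters; every address, amount and calldata value
below is constructed.
"""
CALL, DELEGATECALL = 0, 1      # Safe's Enum.Operation values
WEI = 10**18

# Constructed allowlist: the only destinations this cold wallet may send to.
WARM_WALLET = "0xaBcDeF0123456789aBcDeF0123456789aBcDeF01"
ALLOWED_RECIPIENTS = {WARM_WALLET}


def _canon(v):
    """Lower-case hex strings so checksummed and plain addresses compare equal;
    leave integers and other values untouched."""
    return v.lower() if isinstance(v, str) else v


def check_safe_tx(displayed, payload, allowed=ALLOWED_RECIPIENTS):
    """Return a list of findings; an empty list means the payload matches what
    the UI showed and satisfies policy.
    displayed: the fields the web UI rendered for the signer.
    payload:   the fields that will actually be hashed and signed."""
    findings = []

    # 1. Every field the UI rendered must equal what is being signed. This is
    #    the check that catches a compromised front end, which shows one
    #    transaction and submits another.
    for field in ("to", "value", "data", "operation"):
        if _canon(displayed.get(field)) != _canon(payload.get(field)):
            findings.append(
                f"{field}: UI shows {displayed.get(field)!r}, payload has {payload.get(field)!r}")

    # 2. A treasury Safe should never sign a DELEGATECALL. It executes foreign
    #    code in the Safe's own storage context and can overwrite the proxy's
    #    implementation slot, handing the wallet to the callee.
    if payload.get("operation") != CALL:
        findings.append("operation is DELEGATECALL; treasury transfers must use CALL")

    # 3. A plain ETH transfer carries no calldata; anything else is a contract call.
    if _canon(payload.get("data", "0x")) != "0x":
        findings.append("non-empty calldata on what should be a plain transfer")

    # 4. Destination must be a pre-approved address.
    if _canon(payload.get("to")) not in {_canon(a) for a in allowed}:
        findings.append("destination is not in the recipient allowlist")

    return findings


def safe_to_sign(displayed, payload, allowed=ALLOWED_RECIPIENTS):
    return not check_safe_tx(displayed, payload, allowed)


# Constructed scenario modelled on the reported attack: the UI renders a routine
# cold-to-warm transfer, but the payload handed to the signers is a DELEGATECALL
# into an attacker contract with zero value and attacker-supplied calldata.
UI_VIEW = {"to": WARM_WALLET, "value": 2_500 * WEI, "data": "0x", "operation": CALL}
MALICIOUS_PAYLOAD = {
    "to": "0x2222222222222222222222222222222222222222",  # constructed attacker contract
    "value": 0,
    "data": "0xa9059cbb" + "00" * 64,                   # constructed calldata
    "operation": DELEGATECALL,
}

if __name__ == "__main__":
    print("honest payload:", check_safe_tx(UI_VIEW, UI_VIEW) or "OK to sign")
    for finding in check_safe_tx(UI_VIEW, MALICIOUS_PAYLOAD):
        print("REFUSE:", finding)
```

The point of the policy checks (2 to 4) is that they hold even when the UI and payload agree: had the front end lied consistently about all four fields, the allowlist and the DELEGATECALL ban would still have refused the transaction. In production the same routine would also recompute the Safe EIP-712 `safeTxHash` from the payload and compare it with the hash shown on the hardware wallet; that needs keccak256, which Python's standard library does not provide, so this example stays at the field level.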

01-Aug-2025
4 min read