SANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta
5 snips Sep 15, 2025
Archive files are becoming prime targets as attackers search for vulnerabilities. The FBI warns of social engineering threats aimed at Salesforce, with no new vulnerabilities but significant risks. A new campaign named 'White Cobra' showcases malicious Cursor extensions that threaten users. The episode dives into the financial consequences of these cyber threats and emphasizes the importance of securing misconfigured backups.
Remove Backups From Web Roots
- Remove or securely store backup archives from web document roots and restrict direct access to them.
- Assume backups may contain credentials and treat them as sensitive data when configuring web servers.
Archives Are Primary Targets
- Attackers increasingly scan web roots for archive backups like .zip, .rar, .7z, and .tar files named backup.*.
- These backup archives often contain credentials and configuration files that provide easy access if left exposed.
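A defender-side check for both points above (backups left in the web root, and attackers scanning for them), written as an added example that is not from the podcast or from SANS: it walks a document root for backup.* archives with the extensions named in the notes and flags matching requests in Combined Log Format access logs. The log lines and the throwaway document root are constructed for the demonstration; the compressed-tar extensions (.tar.gz, .tgz) and the "filename starts with backup" heuristic are assumptions beyond what the notes state.

```python
"""Audit a web document root for exposed backup archives and spot probes
for them in web server access logs. Added example; sample data below is
constructed, not taken from any real system."""
import os
import re
import tempfile
from collections import Counter

# Extensions named in the episode notes, plus compressed-tar variants (assumed).
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")


def is_backup_archive(filename: str) -> bool:
    """True when a file name looks like backup.* with an archive extension.
    Assumed heuristic: name starts with 'backup' (backup.zip, backup-2025.tar)."""
    name = filename.lower()
    return name.startswith("backup") and name.endswith(ARCHIVE_EXTS)


def find_exposed_archives(docroot: str) -> list[str]:
    """Walk docroot and return sorted, docroot-relative paths of backup archives.
    Anything returned here is reachable by a plain GET unless the server
    configuration denies it, so treat hits as credential exposure."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            if is_backup_archive(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


# Combined Log Format (Apache/nginx default); only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def detect_archive_probes(lines):
    """Return (probes, per_ip) where each probe is a request whose URL path
    names a backup archive, whatever the response status. A 404 still tells
    you someone is hunting; a 200 tells you the archive was served."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not Combined Log Format
        path = m.group("path").split("?", 1)[0]
        if is_backup_archive(path.rsplit("/", 1)[-1]):
            probes.append({"ip": m.group("ip"), "path": path,
                           "status": int(m.group("status"))})
    per_ip = Counter(p["ip"] for p in probes)
    return probes, per_ip


def served_archives(probes) -> list[str]:
    """Paths of backup archives that were actually delivered (HTTP 200)."""
    return sorted({p["path"] for p in probes if p["status"] == 200})


# Constructed access log: one client sweeping backup names, one normal client.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Sep/2025:08:01:02 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Sep/2025:08:01:03 +0000] "GET /backup.rar HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Sep/2025:08:01:04 +0000] "GET /backup.tar.gz HTTP/1.1" 200 5120000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Sep/2025:08:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Sep/2025:08:02:11 +0000] "GET /assets/backup-icon.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def build_demo_docroot() -> str:
    """Create a throwaway document root with constructed files for the demo."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.html": "<h1>hello</h1>",
        "backup.zip": "PK\x03\x04",          # constructed: exposed archive
        "old/backup-2025-09-01.tar": "",     # constructed: nested exposed archive
        "assets/backup-icon.png": "",        # not an archive; must not be flagged
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_demo_docroot()
    print("Exposed archives under", root, "->", find_exposed_archives(root))
    probes, per_ip = detect_archive_probes(SAMPLE_LOG)
    print("Probing clients:", dict(per_ip))
    print("Archives actually served:", served_archives(probes))
```

Run the filesystem audit against the real document root on a schedule, and feed the log parser from the access log; any client with several hits in a short window is scanning, and any 200 on a backup archive means the contents (and any credentials inside) should be treated as compromised and rotated.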
Two Salesforce Threat Patterns
- The FBI flash highlights two active Salesforce-focused threat actors using social engineering and stolen OAuth tokens.
- One actor uses phishing/OAuth approval tricks and the other leverages tokens from the Salesloft Drift compromise.