Hello and welcome to the Monday, September 15th, 2025 edition of the SANS and Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Anyway, Didier this weekend published a brief post just confirming some of the scans that I've observed for archives and also filling in a couple of other archive types that are being searched for. Just a quick recap: this is all about our web honeypots. What we are seeing over the last few months is at least an increase in scans for .zip and similar archive files, often pointing to the attackers looking, for example, to retrieve backups of configuration files or such that the system administrators may have left in the document root. Well, in addition to zip files, Didier also saw .rar, .7z, .gz and .tar files being looked for. And the file names being, well, backup mostly. But we have also seen a couple of other file names, so backup.back, backup.sh, various files that basically point to the attacker hoping that careless administrators left these backup files behind. And of course, they often contain credentials and other goodies. So that's probably what they're ultimately after.

And on Friday, the FBI released another one of its flash alerts focusing on particular threat actors. There are actually two distinct threat actors that this latest flash alert does focus on, both Salesforce related. The first one is just sort of your classic Salesforce social engineering and phishing attack, where then the attacker also often attempts to get the victim to approve various applications via OAuth and then essentially steals the OAuth tokens. So that's the first threat actor. The second one is one that we already covered here, and that's in relationship to the Salesloft Drift compromise, where OAuth tokens were stolen and then were, again, being used against Salesforce and other applications. Either way, these are actively ongoing attacks. The first one, I think, is probably the broader and more real threat, in particular not just against Salesforce, but any kind of enterprise application like this. One thing I want to note, and it has been pointed out by a couple of people on X and other social media as well, is that this advisory includes lists of IP addresses and such. Never, ever just blindly, for example, block access to these IP addresses. There are Cloudflare, Microsoft, Zscaler IP addresses and such in that advisory that are definitely used by the threat actor here, but of course also have lots of non-evil uses. So for detection, yes, that can be useful, but certainly not sort of from a blocking or enforcement point of view. As I always put it, also when it comes to data that we publish in the Internet Storm Center, use it to color your logs, to better understand what a particular log entry is about. But using something like this as a block list can be dangerous.

And security company Koi Security did reveal some interesting insight into how some of the fake browser extension and editor extension campaigns are working. They call this particular campaign they unraveled here White Cobra, and they're basically going over the playbook of that particular threat actor. Well, a couple of interesting things here. First of all, that they're manufacturing credibility by artificially increasing the number of downloads for malicious extensions they're uploading. For example, for Visual Studio Code extensions or such, they usually suggest about 50,000 fake downloads before they then start advertising a particular extension on social media to trick developers into installing that extension. That also leads to another caveat here. We often measure the impact of these sort of, you know, fake Visual Studio Code extensions and such based on the number of downloads and have to realize that this number is likely inflated because of the fake downloads that the attacker added before they started advertising their particular extension. In this particular case with White Cobra, we do know that they got at least one high-value victim. There was one particular crypto influencer who stated that they lost something like $500,000 because, well, they installed one of these malicious extensions into their IDE and as a result, well, were compromised.

Well, of course, attacks against developers are sort of one of my favorite topics. I've spoken about this multiple times on this podcast. I have also spoken about it before at conferences. I will be speaking again about attacks against developers at B-Sides in Augusta. I know there are a couple of Augusta listeners on the podcast, so I hope to see some of them there. And that'll happen at the end of October. I'll add a link to the show notes. Well, that's it for today. So thanks again for listening and talk to you again tomorrow. Bye.
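Added example (not part of the podcast, and not Internet Storm Center or SANS code): a small Python detector that does two things the episode talks about. It flags web-server requests for leftover archives and backup files (backup.zip, .rar, .7z, .gz, .tar, backup.sh and similar names), and it uses an IP list the way the episode recommends, to color the log entries rather than to block anything. The log lines are constructed Apache "combined" format samples, and the IP set is a placeholder standing in for an advisory's list; none of these values are real indicators. The regexes and the field names are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format). Not real honeypot data;
# the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.10 - - [15/Sep/2025:06:01:12 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "python-requests/2.32"
203.0.113.10 - - [15/Sep/2025:06:01:13 +0000] "GET /www.tar.gz HTTP/1.1" 404 196 "-" "python-requests/2.32"
198.51.100.7 - - [15/Sep/2025:06:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2025:06:02:41 +0000] "GET /static/app.js HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Sep/2025:06:03:02 +0000] "GET /db/backup.sql.7z HTTP/1.1" 404 196 "-" "python-requests/2.32"
192.0.2.55 - - [15/Sep/2025:06:04:15 +0000] "GET /backup.sh HTTP/1.1" 200 1024 "-" "curl/8.5.0"
192.0.2.55 - - [15/Sep/2025:06:04:16 +0000] "GET /.env.bak HTTP/1.1" 404 196 "-" "curl/8.5.0"
"""

# Placeholder standing in for an advisory's IP list. Constructed, not real IoCs. Note that
# 198.51.100.7 is listed but only fetches normal pages in the sample: annotating keeps that
# distinction visible, blocking would have thrown it away.
ADVISORY_IPS = frozenset({"203.0.113.10", "198.51.100.7"})

# Apache/nginx "combined" log line; fields after the status code are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)
# Archive extensions seen in the scans, plus a few common compound forms.
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|gz|tgz|tar|bz2|xz)$", re.I)
# Name fragments that mark a file as a leftover backup rather than a normal site asset.
BACKUP_NAME = re.compile(r"backup|\.bak$|\.back$|\.old$|dump|\.sql", re.I)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode %-escapes so /backup%2Ezip is seen as /backup.zip.
    path = unquote(urlsplit(m.group("target")).path)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def classify_path(path):
    """Tag a request path that looks like a probe for a leftover backup or archive file."""
    name = path.rsplit("/", 1)[-1]
    tags = set()
    if ARCHIVE_EXT.search(name):
        tags.add("archive_ext")
    if BACKUP_NAME.search(name):
        tags.add("backup_name")
    return tags


def analyze(log_text, advisory_ips=frozenset()):
    """One finding per backup-probe request. The advisory list only annotates a finding;
    a listed IP that makes no probe produces nothing, so this is never a block decision."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_path(rec["path"])
        if not tags:
            continue
        rec["tags"] = sorted(tags)
        rec["listed_ip"] = rec["ip"] in advisory_ips
        # A 2xx means the server actually handed the file over: the case to look at first.
        rec["served"] = 200 <= rec["status"] < 300
        findings.append(rec)
    return findings


def summarize_by_ip(findings):
    """Per-source counts: probes made, probes that were served, and whether the IP was listed."""
    summary = defaultdict(lambda: {"probes": 0, "served": 0, "listed_ip": False})
    for f in findings:
        s = summary[f["ip"]]
        s["probes"] += 1
        s["served"] += int(f["served"])
        s["listed_ip"] = s["listed_ip"] or f["listed_ip"]
    return dict(summary)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, ADVISORY_IPS):
        print(f["ip"], f["status"], f["path"], f["tags"],
              "listed" if f["listed_ip"] else "-", "SERVED" if f["served"] else "")
    print(summarize_by_ip(analyze(SAMPLE_LOG, ADVISORY_IPS)))
```

The `served` flag is the one worth paging on: a 404 for backup.zip is just the background scanning the honeypots see, while a 200 means the file really was in the document root and has now left the building. The `listed_ip` flag only adds context to a line that already matched on its own merits, which is the "color your logs" use of an advisory list.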