EvilBit Threat Digest - OAuth Tokens and Other People's Problems

We faced a sprawling mess of supply chain compromises, state-sponsored espionage campaigns, insider threats, mobile malware that bypasses end-to-end encryption, and router hijacking this week.

There are weeks when the threat landscape hands you a single, clean storyline--a zero-day that dominates the news cycle, a breach so spectacular it overshadows everything else. This was not one of those weeks. Instead, we got a sprawling mess of supply chain compromises, state-sponsored espionage campaigns targeting half the globe, insider threats at security vendors, mobile malware that casually bypasses end-to-end encryption, and enough router hijacking to stock a small botnet museum.

The headliner, though, is unquestionably the Gainsight breach--a supply chain compromise affecting Salesforce customers that demonstrates just how fragile OAuth trust really is. But we'll get to that. First, let's talk about what happens when the lawyers actually get it right for once.

After nearly two years of legal wrangling, the SEC has voluntarily dismissed its fraud case against SolarWinds and its CISO Timothy G. Brown. The lawsuit, filed in October 2023, alleged that the company misled investors about its cybersecurity posture before and after the 2020 SUNBURST supply chain attack. A federal judge had already thrown out most of the claims earlier this year, citing that the SEC was essentially prosecuting the company for not predicting a Russian intelligence operation.

The dismissal is significant. It vindicates SolarWinds' transparency approach following one of the most consequential supply chain attacks in modern history and clarifies the boundaries of SEC cyber disclosure enforcement. More importantly, it reduces the specter of personal CISO liability for breach disclosures--a fear that has haunted security leadership since the lawsuit was filed. As SolarWinds noted in its response, the company remains committed to its Secure by Design pledge and ongoing transparency. For defenders navigating post-incident reporting, this sets a useful precedent: honesty without hindsight bias is the standard.

The Gainsight Disaster: When Third-Party Apps Go Rogue

Now, about that OAuth problem. ShinyHunters claims to have stolen data from approximately 200 to 300 Salesforce customer organizations by abusing compromised OAuth tokens from Gainsight, a customer success platform widely integrated with Salesforce via the AppExchange marketplace. According to Google Threat Intelligence Group's analysis, the actors--tracked as Scattered Lapsus$ Hunters and overlapping with Scattered Spider and Lapsus$--pivoted from a previous breach of Salesloft to target Gainsight apps, using stolen OAuth refresh tokens to access Salesforce customer data including contacts, support cases, and licensing information.

Salesforce responded by revoking all access and refresh tokens for Gainsight-published apps and temporarily pulling them from the AppExchange. Gainsight has confirmed the incident and is working with Mandiant on forensics. While there's no evidence of a vulnerability in Salesforce or Gainsight themselves, the breach underscores the inherent risks of OAuth-based third-party integrations. Once an attacker has valid tokens, they can impersonate legitimate apps and walk right through the front door.

For defenders, the immediate takeaways are clear: audit your connected apps, revoke and rotate OAuth tokens for any third-party integrations, and monitor API logs for unusual IP addresses or access patterns. Salesforce customers using Gainsight should follow the vendor's FAQ for specific remediation steps. And for the love of all that is secure, stop granting broad permissions to every SaaS integration that asks nicely.

APT Espionage: A Global Targeting Buffet

State-sponsored groups had a busy week, and their targets ranged from Taiwan tech firms to Russian IT contractors to aerospace suppliers.

APT24's BadAudio Campaign: Google's Threat Intelligence Group published a comprehensive analysis of a three-year espionage campaign by China-linked APT24 targeting Taiwan. The group deployed a custom downloader called BadAudio via supply chain compromises affecting over 1,000 domains, watering hole attacks, and targeted phishing. BadAudio uses obfuscated JavaScript loaders, DLL side-loading, and FingerprintJS for victim profiling before delivering Cobalt Strike payloads. The campaign is ongoing, and Google has released YARA rules and IOCs for defenders.

APT31 Turns East: In a fascinating reversal, Positive Technologies reports that China's APT31 has been targeting Russian IT firms and government contractors since at least 2022. The campaign uses phishing to deploy custom backdoors--including AufTime, COFFProxy, and OneDriveDoor--that leverage cloud services like Yandex Cloud, OneDrive, and even VirusTotal comment sections for command and control. Operations are timed for holidays and weekends to evade detection, and the group has demonstrated sophisticated persistence via scheduled tasks that mimic legitimate applications.

ToddyCat's Email Obsession: Kaspersky's first installment of a new series on the ToddyCat APT details tools designed to steal corporate email without triggering alarms. TomBerBil is a PowerShell script that remotely collects browser credentials over SMB, while TCSectorCopy and XstReader directly read Outlook OST files at the sector level to bypass file locks. A third tool uses ProcDump to extract Microsoft 365 tokens from running processes. The entire suite is designed to exfiltrate email and credentials for long-term access. Defenders should monitor SMB access to browser profile and DPAPI directories (Event IDs 5145/4663) and watch for ProcDump activity targeting Office 365 processes.
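The three detection points above (SMB reads of browser profile and DPAPI directories via 5145, sector-level OST reads via 4663, and ProcDump against Office processes), as an added example that is not part of Kaspersky's report or the original digest: it triages constructed, flattened Windows events. The use of event 4688 (process creation) for the ProcDump check, the field layout, and the sample paths are assumptions; the OST check skips Outlook itself, which legitimately holds its OST open.

```python
import re

# Constructed sample events (not real telemetry), flattened to a few fields:
# Windows event id, acting account, process (where the event carries one), target.
SAMPLE_EVENTS = [
    {"id": 5145, "user": "CORP\\svc-backup", "proc": "",
     "target": "\\\\*\\C$\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"id": 5145, "user": "CORP\\svc-backup", "proc": "",
     "target": "\\\\*\\C$\\Users\\alice\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-1-2-3-1001\\guid"},
    {"id": 4663, "user": "CORP\\alice", "proc": "C:\\Temp\\reader.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@corp.example.ost"},
    {"id": 4663, "user": "CORP\\alice", "proc": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "target": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@corp.example.ost"},
    {"id": 4688, "user": "CORP\\svc-backup", "proc": "C:\\Temp\\procdump64.exe",
     "target": "procdump64.exe -ma OUTLOOK.EXE C:\\Temp\\o.dmp"},
    {"id": 4688, "user": "CORP\\alice", "proc": "C:\\Windows\\notepad.exe",
     "target": "notepad.exe C:\\docs\\todo.txt"},
    {"id": 5145, "user": "CORP\\alice", "proc": "", "target": "\\\\*\\Shared\\reports\\q3.xlsx"},
]

# Directories the collection tools go after: browser credential stores and DPAPI master keys.
BROWSER_OR_DPAPI = re.compile(
    r"\\(Google\\Chrome\\User Data|Microsoft\\Edge\\User Data|Mozilla\\Firefox\\Profiles"
    r"|AppData\\Roaming\\Microsoft\\Protect)\\", re.IGNORECASE)
OST_FILE = re.compile(r"\\Microsoft\\Outlook\\[^\\]+\.ost$", re.IGNORECASE)
PROCDUMP_OFFICE = re.compile(r"procdump(64)?(\.exe)?\b.*\b(outlook|winword|excel|teams)\.exe", re.IGNORECASE)
OUTLOOK = re.compile(r"\\outlook\.exe$", re.IGNORECASE)


def triage_events(events):
    """Return (account, reason) alerts for the three collection patterns described above."""
    alerts = []
    for ev in events:
        if ev["id"] == 5145 and BROWSER_OR_DPAPI.search(ev["target"]):
            alerts.append((ev["user"], "SMB read of browser profile or DPAPI directory"))
        elif ev["id"] == 4663 and OST_FILE.search(ev["target"]) and not OUTLOOK.search(ev["proc"]):
            # Outlook touches its own OST constantly; only other processes reading it are suspicious.
            alerts.append((ev["user"], "OST file opened by a non-Outlook process"))
        elif ev["id"] == 4688 and PROCDUMP_OFFICE.search(ev["target"]):
            alerts.append((ev["user"], "ProcDump run against an Office process"))
    return alerts
```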

Operation WrtHug: 50,000 ASUS Routers Conscripted for Espionage

SecurityScorecard's STRIKE team uncovered Operation WrtHug, a China-linked campaign that has compromised over 50,000 end-of-life ASUS WRT routers to build a global Operational Relay Box (ORB) network. The attackers exploited six known vulnerabilities--CVE-2023-41345, CVE-2023-41346, CVE-2023-41347, CVE-2023-41348, CVE-2024-12912, and CVE-2025-2492--primarily targeting devices in Taiwan, the United States, Russia, and Southeast Asia.

The campaign is notable for its use of a unique self-signed TLS certificate with an unusually long 100-year expiration, shared across all compromised routers and providing a useful fingerprint for detection. The routers are used to relay espionage traffic, masking the true origin of attacks and complicating attribution. If you're still running end-of-life ASUS routers, now would be an excellent time to replace them. For those stuck with them, disable the AiCloud service, change default credentials, and monitor for anomalous traffic patterns.

Mobile Malware Bypasses the Unbypassed

The mobile threat landscape took a turn this week with the emergence of Sturnus, a new Android banking trojan that ThreatFabric reports is capable of "bypassing" end-to-end encryption in messaging apps. The scare quotes are intentional--Sturnus doesn't crack encryption; it simply waits until messages are decrypted for display and then records them using Android's Accessibility Services.

The malware captures screen content, UI events, and keystrokes from WhatsApp, Telegram, and Signal, along with traditional banking trojan features like overlay attacks and remote device takeover via a custom VNC implementation. It's currently in a testing phase targeting Southern and Central European banking apps, but the technique is broadly applicable. For defenders, the key mitigation is restricting Accessibility Services permissions and denying Device Administrator rights to untrusted apps.

Meanwhile, multiple Brazilian campaigns continue to abuse WhatsApp for malware distribution. Sophos documented a particularly effective one that hijacks WhatsApp Web sessions using ChromeDriver and Python scripts to propagate malicious ZIP files across a victim's contact list, eventually delivering the Astaroth banking trojan. It's a worm, essentially, and it's hit over 250 organizations. The TTPs are mapped to T1566.001 (spearphishing attachment) and T1539 (session cookie theft); defenders should focus on blocking the campaign's C2 domains and educating users about the risks of opening archive attachments from messaging apps.

Vulnerabilities Exploited in the Wild

Several critical vulnerabilities saw confirmed exploitation this week:

FortiWeb Gets Hit Again: Following last week's CVE-2025-64446, Fortinet disclosed a second exploited FortiWeb zero-day: CVE-2025-58034, an authenticated OS command injection flaw. While this one requires valid credentials, it still enables full system compromise and has been added to CISA's Known Exploited Vulnerabilities catalog. Patches are available; if you're running FortiWeb, you know the drill by now.

Oracle Identity Manager Pre-Auth RCE: Perhaps more concerning is CVE-2025-61757, a critical unauthenticated RCE in Oracle Identity Manager's REST WebServices. Searchlight Cyber reports evidence of exploitation attempts dating back to September, before Oracle released patches in its October Critical Patch Update. CISA has added this to the KEV catalog as well. If you're running OIM, especially exposed to the internet, assume compromise and begin hunting immediately.

Chrome V8 Type Confusion: Google patched the seventh Chrome zero-day of 2025 with the release of version 142. CVE-2025-13223 is a type confusion bug in the V8 JavaScript engine, confirmed by Google's Threat Analysis Group to be exploited in the wild. Update all Chrome browsers immediately.

WSUS Turns Into a Weapon: The Windows Server Update Services RCE (CVE-2025-59287) that Microsoft patched in October is now being actively exploited. Huntress observed attackers deploying Velociraptor--a legitimate DFIR tool--via the vulnerability to establish persistence and conduct reconnaissance using PowerShell. AhnLab also documented a separate campaign delivering ShadowPad via the same exploit. WSUS should never be internet-facing; if yours is, fix that immediately.

Insider Threats and the ShinyHunters Connection

In a twist that highlights the human element of security, CrowdStrike terminated an employee for sharing internal screenshots with members of the Scattered Lapsus$ Hunters group. The insider reportedly attempted to sell access for $25,000 but was detected before any network compromise occurred. The screenshots, which included internal Okta SSO views, were leaked on Telegram. CrowdStrike has referred the matter to law enforcement.

This incident is notable not because of its success--it failed--but because it demonstrates how threat actors are actively recruiting insiders at security vendors. ShinyHunters and its affiliates have been on a tear lately, and this attempted breach fits a pattern of targeting third-party access and trusted relationships.

The Usual Suspects: Ransomware and Bulletproof Hosting

Ransomware activity remains elevated. Cyfirma's October report counted 738 victims, the highest of 2025 year-to-date, with Qilin claiming 181 of them. The Professional Services, Manufacturing, IT, and Healthcare sectors bore the brunt.

On the enforcement side, the United States, Australia, and the United Kingdom issued coordinated sanctions against Russian bulletproof hosting providers Media Land LLC and Aeza Group, which have provided infrastructure for LockBit, BlackSuit, and Play ransomware operations. CISA released accompanying guidance for ISPs on identifying and blocking malicious hosting activity.

Meanwhile, the UK's National Crime Agency disrupted a billion-dollar money laundering network that, among other creative accounting maneuvers, purchased Keremet Bank in Kyrgyzstan to facilitate the laundering of cybercrime proceeds into Russia's military funding channels. It's an extraordinary example of how far organized cybercrime will go when motivated by geopolitics.

Closing Thoughts: Trust, But Verify--Especially the OAuth Parts

This week's been a reminder that security is fractal. Every layer of abstraction you add--cloud backups, third-party OAuth apps, remote management tools--introduces new opportunities for failure. The fundamentals remain the same: patch your systems, audit your integrations, enforce least privilege, and assume that anything exposed to the internet is already being scanned by someone with bad intentions.

And if you're a Salesforce admin, spend some quality time with your Connected Apps page. You might be surprised what's lurking there.

Until the next breach notification--and there's always a next one--keep your logs close and your backups closer.

-- KryptoKat


Patch Notes & Vendor Updates

For those tracking vendor advisories, here's the week's patch roundup:

Microsoft:

Fortinet:

  • CVE-2025-64446 - FortiWeb path traversal RCE (exploited, CISA KEV)
  • CVE-2025-58034 - FortiWeb authenticated OS command injection (exploited, CISA KEV)

SonicWall:

Oracle:

  • CVE-2025-61757 - Identity Manager unauthenticated RCE (exploited before patch, CISA KEV)

VMware/Broadcom:

Google:

SolarWinds:

D-Link:

Grafana: