APT28 Spies on Ukraine and the Salesforce Data Scramble [Prime Cyber Insights]

In this episode of Prime Cyber Insights, we analyze the sophisticated long-term surveillance campaign conducted by the Russian state-sponsored group APT28 against Ukrainian military personnel. Utilizing a diverse malware arsenal including BEARDSHELL, COVENANT, and the keylogger SLIMAGENT, the group leverages cloud storage services like Icedrive and Filen for command-and-control operations. We also examine a critical shift in the vulnerability landscape as reports from Intruder suggest time-to-exploit windows are shrinking to as little as 24 hours, highlighting the urgent need for proactive attack surface reduction over reactive patching. Finally, we cover a surge in threat actor activity targeting Salesforce Experience Cloud sites. A modified version of the open-source AuraInspector tool is being used to exploit permissive guest user configurations, with the group ShinyHunters claiming to have already breached hundreds of organizations. This briefing provides practitioners with the technical context needed to secure cloud instances and manage external exposure in a high-velocity threat environment.

Cybersecurity practitioners face a rapidly accelerating threat landscape as nation-state actors and opportunistic groups refine their automation. Today, we break down ESET's discovery of APT28’s dual-implant strategy in Ukraine, where the group is using highly modified versions of the COVENANT framework alongside custom malware to maintain years-long persistence. We shift focus to the logistical reality of zero-day defense, discussing why traditional scanning often misses high-risk exposures like internet-facing SharePoint servers. The episode concludes with a warning regarding Salesforce Experience Cloud; threat actors are now mass-scanning for guest user misconfigurations to harvest sensitive CRM data for follow-on vishing campaigns. We provide specific recommendations for hardening these environments and reducing the organizational attack surface before the next disclosure hits.
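The Salesforce Experience Cloud exposure described above comes down to what the site's guest user profile is allowed to touch. A concrete check a practitioner can run is to pull the guest profiles' `ObjectPermissions` rows and flag any object a public, unauthenticated visitor should not be able to read, write, or see across all records. The script below is an added example, not code from the podcast, the named tool, or Salesforce; the SOQL filter on `Parent.Profile.UserLicense.Name = 'Guest User License'` and the `SENSITIVE_OBJECTS` list are assumptions to tune to the org, and the JSON result is constructed sample data in the shape the REST query endpoint returns.

```python
"""Audit Salesforce guest-user object permissions for over-exposure.

Added example (not from the page or any vendor). Run GUEST_OBJECT_PERMS_SOQL
with the REST API or `sf data query --json`, then feed the parsed result to
audit_guest_object_permissions().
"""
import json

# Assumption: guest profiles for Experience Cloud sites carry the
# 'Guest User License'. ObjectPermissions only has rows for objects where at
# least one permission is granted, so every row returned is worth a look.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = TRUE "
    "AND Parent.Profile.UserLicense.Name = 'Guest User License'"
)

# Illustrative set of CRM objects an anonymous visitor should never read.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}

# Constructed sample in the shape of a REST query response (not real org data).
SAMPLE_RESULT = json.loads("""{
 "totalSize": 3, "done": true,
 "records": [
  {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
   "SobjectType": "Contact", "PermissionsRead": true, "PermissionsCreate": false,
   "PermissionsEdit": false, "PermissionsDelete": false, "PermissionsViewAllRecords": false},
  {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
   "SobjectType": "Case", "PermissionsRead": true, "PermissionsCreate": true,
   "PermissionsEdit": true, "PermissionsDelete": false, "PermissionsViewAllRecords": true},
  {"Parent": {"Profile": {"Name": "Customer Site Guest User"}},
   "SobjectType": "Knowledge__kav", "PermissionsRead": true, "PermissionsCreate": false,
   "PermissionsEdit": false, "PermissionsDelete": false, "PermissionsViewAllRecords": false}
 ]}""")


def audit_guest_object_permissions(result, sensitive=SENSITIVE_OBJECTS):
    """Return one finding per guest-profile object grant that needs review.

    Severity: 'critical' when ViewAllRecords is set (it bypasses sharing rules,
    so every record of that object is reachable through the site's Aura/API
    surface); 'high' for Read on a sensitive object or any write permission.
    """
    findings = []
    for rec in result["records"]:
        profile = rec["Parent"]["Profile"]["Name"]
        obj = rec["SobjectType"]
        reasons = []
        if rec.get("PermissionsViewAllRecords"):
            reasons.append("ViewAllRecords bypasses sharing rules")
        if obj in sensitive and rec.get("PermissionsRead"):
            reasons.append("Read on sensitive object")
        writes = [p for p in ("Create", "Edit", "Delete") if rec.get(f"Permissions{p}")]
        if writes:
            reasons.append("write access: " + ", ".join(writes))
        if reasons:
            severity = "critical" if rec.get("PermissionsViewAllRecords") else "high"
            findings.append({"profile": profile, "object": obj,
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_guest_object_permissions(SAMPLE_RESULT):
        print(f"[{f['severity']}] {f['profile']} -> {f['object']}: {'; '.join(f['reasons'])}")
```

Object permissions are only the first gate: with "Secure guest user record access" enabled, guest users also need a guest sharing rule before records become readable, so pair this audit with a review of the site's guest sharing rules and of any Apex or Lightning controllers exposed to the guest profile. Create on `Case` is often intentional (web-to-case), which is why the script reports it for review rather than silently accepting it.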

Topics Covered

  • ⚠️ APT28’s use of BEARDSHELL and COVENANT malware for Ukrainian military surveillance.
  • 🛡️ Strategies for proactive attack surface reduction to avoid the zero-day scramble.
  • 🔒 The exploitation of Salesforce Experience Cloud via modified AuraInspector tools.
  • 🌐 How shrinking time-to-exploit windows are forcing a shift in vulnerability management.
  • 📊 The rise of identity-based targeting and the risks of overly permissive cloud profiles.

The information provided in this podcast is for educational purposes only and does not constitute legal or professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:01) - Introduction
  • (00:25) - APT28’s Surveillance Arsenal
  • (01:25) - Conclusion