Shifting Ransomware Alliances, TPRM Remains Hard

9–15–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, September 15, 2025, and we have yet another update from the ransomware landscape, as well as new detail on the breach of Salesloft's Drift tool, which has impacted dozens of high-profile customers here in the US and abroad.

Shifting Ransomware Alliances, TPRM Remains Hard

We’ll start this week with a note from the LockBit ransomware group, indicating that the LockBit, Qilin, and DragonForce groups are all joining forces in what they call both a “coalition” and a “cartel.”

As a reminder, these groups have accounted for more than 3,000 ransomware victims in the past few years (Qilin: 752, LockBit: 2,016, DragonForce: 250), making for a potentially formidable group, or at least a knowledge-sharing organization.

As we’re fond of noting on this channel, we don’t base our defenses on the TTPs of attackers, but there’s no doubt that these threat actor groups are reshaping themselves in order to become more effective. We talked previously about the Scattered Lapsus$ Hunters pairing - and were somewhat surprised to see them announce on Friday that they’re shutting down.

Given their recent high profile attack on British automaker Jaguar Land Rover, color us skeptical.

We’re also skeptical because the fallout of another one of their attacks - this one on Salesloft’s Drift platform, whose integrations plug into Salesforce and other customer systems - seems to have been so successful.

For those who missed it, there’s a good technical write-up at Databreaches.net outlining just how this hack came to be. I also want to give the Salesloft / Drift team some credit for sharing the results of this investigation on their Trust Portal.

In short, the attack happened like this:

  • From March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows.

  • The threat actor then accessed Drift’s AWS environment and obtained OAuth tokens for Drift customers’ technology integrations.

  • The threat actor used the stolen OAuth tokens to access data via Drift integrations.

Third-party risk remains really difficult to defend against, but the part here that’s worth noting is the actual exfiltration path: the stolen OAuth tokens.

What this means is that access to the platforms, and the underlying data, would have looked “valid” - it came in with an active token, via API calls, and API integrations regularly move large volumes of data.

It’s also going to move data in and out of the tenant in a way that’s not necessarily visible to the data owner. If you’re using this platform, you’re not going to have access to the vendor’s underlying platform or API logs that could indicate anomalous or potentially malicious activity, and that’s true of most SaaS integrations, not just this one. In many cases, modern application platforms themselves don’t retain this data, or don’t give customers a way to review it regularly. What you do have is whatever the platform on the receiving end of the integration exposes: in Salesforce, for example, the Connected Apps OAuth Usage page in Setup lists which connected apps are in use and lets you block one, Login History records the logins made with those tokens, and API event logs are available if you license Event Monitoring.
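Because the stolen token is valid, authentication logs look clean; what stands out is behaviour that breaks the integration’s own pattern. As an added example (not from the original post, and not a real Salesforce or Drift log format), the Python below builds a per-client baseline from constructed API-access log lines and flags calls after a cutoff that touch objects the client never touched, come from source IPs it never used, or pull far more rows than it ever pulled before. Field names, client names and IPs are invented for the illustration.

```python
"""Flag anomalous use of an OAuth integration's credential in API access logs."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real Salesforce or Drift export): one JSON object
# per API call, with the calling connected app, source IP, operation and row count.
SAMPLE_LOG = """\
{"ts":"2025-08-04T10:00:00Z","client":"drift-connected-app","ip":"203.0.113.10","op":"query","object":"Lead","rows":14}
{"ts":"2025-08-04T10:05:00Z","client":"drift-connected-app","ip":"203.0.113.10","op":"update","object":"Lead","rows":1}
{"ts":"2025-08-05T09:58:00Z","client":"drift-connected-app","ip":"203.0.113.11","op":"query","object":"Contact","rows":22}
{"ts":"2025-08-06T11:20:00Z","client":"drift-connected-app","ip":"203.0.113.10","op":"query","object":"Lead","rows":9}
{"ts":"2025-08-07T14:02:00Z","client":"billing-sync","ip":"192.0.2.5","op":"query","object":"Account","rows":300}
{"ts":"2025-08-09T02:13:00Z","client":"drift-connected-app","ip":"198.51.100.77","op":"query","object":"Case","rows":48000}
{"ts":"2025-08-09T02:16:00Z","client":"drift-connected-app","ip":"198.51.100.77","op":"query","object":"Account","rows":21000}
{"ts":"2025-08-09T02:20:00Z","client":"drift-connected-app","ip":"198.51.100.77","op":"query","object":"Lead","rows":15}
{"ts":"2025-08-09T08:00:00Z","client":"billing-sync","ip":"192.0.2.5","op":"query","object":"Account","rows":310}
"""


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_log(text):
    """One event dict per non-empty line, with 'ts' converted to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = parse_ts(e["ts"])
        events.append(e)
    return events


def build_baseline(events, cutoff):
    """Per client: objects touched, source IPs seen, and largest single-call row count before cutoff."""
    base = defaultdict(lambda: {"objects": set(), "ips": set(), "max_rows": 0})
    for e in events:
        if e["ts"] < cutoff:
            b = base[e["client"]]
            b["objects"].add(e["object"])
            b["ips"].add(e["ip"])
            b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect(events, baseline, cutoff, volume_factor=10):
    """Alerts for calls at or after cutoff that break the calling client's own baseline."""
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        b = baseline.get(e["client"])
        reasons = []
        if b is None:
            reasons.append("unknown client")
        else:
            if e["object"] not in b["objects"]:
                reasons.append(f"new object {e['object']}")
            if e["ip"] not in b["ips"]:
                reasons.append(f"new source ip {e['ip']}")
            if e["rows"] > volume_factor * max(b["max_rows"], 1):
                reasons.append(f"rows {e['rows']} > {volume_factor}x baseline max {b['max_rows']}")
        if reasons:
            alerts.append({"ts": e["ts"].isoformat(), "client": e["client"], "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOG, cutoff="2025-08-08T00:00:00Z"):
    """Baseline on everything before cutoff, then detect over everything after it."""
    events = parse_log(text)
    cut = parse_ts(cutoff)
    return detect(events, build_baseline(events, cut), cut)


if __name__ == "__main__":
    for a in run():
        print(a["ts"], a["client"], "; ".join(a["reasons"]))
```

The last Drift call (familiar object, normal row count, new IP) fires on the IP signal alone, which is the low-confidence case; the two bulk pulls fire on all three signals at once. Tune volume_factor to the integration’s real variance, and feed this whatever export the receiving platform actually gives you rather than the constructed lines above.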

So, like we always do on this channel, let’s look at what we can do better to defend against this threat. A reminder that Salesloft had all the certifications you’d expect - ISO 27001, SOC 2 Type 2, etc. They likely would have looked very good on a third-party risk assessment questionnaire.

We know that you’re not going to be monitoring your vendor’s GitHub repos, their AWS infrastructure, or their API logs.

So what’s left for us to do to manage this risk? There are really only two things we can do:

  1. Develop and enforce strong contractual limitations, obligations, and SLAs. It’s reactive, it’s a fallback, it takes a long time to recoup losses, etc. I get that, but we really don’t have many moves left on the board in these sorts of situations.

  2. Strong key and secret management. Be willing to rotate keys at the slightest hint of an issue. It’s not convenient, it’s not easy - I get all that. But if your keys and secrets (like OAuth tokens) might have been compromised, you’re going to need to rotate them anyway, so why not rotate them as soon as possible? It’s a good muscle to start building, as is an understanding of the API integrations present across your environment. You can’t rotate what you don’t know about!

But really, those are the two best options we’ve got - even if they’re somewhat limited and entirely reactive. Sometimes, it just comes down to doing the best you can with what you’ve got.
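To make “you can’t rotate what you don’t know about” concrete, here is an added example in Python (not the post’s own code, built on a constructed, hypothetical inventory). Each credential records who holds it and what it unlocks, so a rotation plan for a suspect vendor pulls in both directions of the chain: the tokens that vendor holds for your other platforms, and the keys you hold for the vendor’s own API, since its backend is the thing that was compromised. The plan is then ordered by blast radius, with an age policy catching stale secrets nobody flagged. Vendor names, credential IDs and scopes are invented.

```python
"""Build a credential-rotation plan when a vendor in the integration chain is suspect."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    cred_id: str      # inventory identifier (hypothetical)
    kind: str         # e.g. "oauth_refresh_token" or "api_key"
    holder: str       # party that stores and presents the credential
    target: str       # system the credential grants access to
    scopes: tuple     # scopes or permissions granted
    issued: date      # when it was last issued or rotated


# Constructed inventory for the illustration; none of these are real identifiers.
INVENTORY = [
    Credential("tok-001", "oauth_refresh_token", "drift", "salesforce",
               ("api", "refresh_token"), date(2025, 1, 14)),
    Credential("tok-002", "oauth_refresh_token", "drift", "google-workspace",
               ("gmail.readonly",), date(2025, 2, 3)),
    Credential("tok-003", "api_key", "internal-crm-sync", "drift",
               ("conversations.read",), date(2024, 6, 1)),
    Credential("tok-004", "oauth_refresh_token", "billing-vendor", "salesforce",
               ("api",), date(2025, 5, 20)),
    Credential("tok-005", "api_key", "internal-etl", "snowflake",
               ("read",), date(2023, 11, 9)),
]

# Scopes that give an integration broad, long-lived access; rotate these first.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}


def rotation_plan(inventory, suspect_vendors, today, max_age_days=365):
    """Return the credentials to rotate, highest priority first, each with its reasons.

    Priority 0: held by a suspect vendor with broad scopes (widest blast radius).
    Priority 1: any other credential touching a suspect vendor, in either direction.
    Priority 2: not vendor-related, but past the maximum age policy.
    """
    plan = []
    for c in inventory:
        reasons = []
        held_by_suspect = c.holder in suspect_vendors
        unlocks_suspect = c.target in suspect_vendors
        if held_by_suspect:
            reasons.append(f"held by suspect vendor {c.holder}")
        if unlocks_suspect:
            reasons.append(f"grants access to suspect vendor {c.target}")
        if (today - c.issued).days > max_age_days:
            reasons.append(f"issued more than {max_age_days} days ago")
        if not reasons:
            continue
        if held_by_suspect and BROAD_SCOPES & set(c.scopes):
            priority = 0
        elif held_by_suspect or unlocks_suspect:
            priority = 1
        else:
            priority = 2
        plan.append({"cred_id": c.cred_id, "kind": c.kind, "holder": c.holder,
                     "target": c.target, "priority": priority,
                     "issued": c.issued, "reasons": reasons})
    # Within a priority band, the oldest credential goes first.
    plan.sort(key=lambda p: (p["priority"], p["issued"]))
    return plan


def example_plan():
    """The plan for the constructed inventory with 'drift' marked suspect on 2025-09-15."""
    return rotation_plan(INVENTORY, {"drift"}, date(2025, 9, 15))


if __name__ == "__main__":
    for step in example_plan():
        print(step["priority"], step["cred_id"], step["holder"], "->", step["target"],
              "; ".join(step["reasons"]))
```

Run against a real inventory export, the output is the order in which to revoke and reissue; the point of the holder and target fields is that a vendor compromise is a two-sided event, and a list keyed only on “which vendor do we use” misses half of it.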

Fundraising

From a fundraising perspective, we noted more than $23B in newly committed capital last week, led by Veritas Capital, which raised $14.4B for its ninth flagship fund focused on companies at the intersection of tech and government.

We’ll see if that trend continues this week, and we’ve got a few IPOs to keep our eyes on. We also see some rumblings from the Trump Administration about moving public companies from quarterly filings to filing every six months, which may make the IPO move more attractive (or at least seem less daunting and burdensome).

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.bankinfosecurity.com/scattered-lapsus-hunters-announces-closure-a-29439

https://www.bankinfosecurity.com/jaguar-land-rover-hackers-stole-data-a-29407

https://databreaches.net/2025/09/07/salesloftdrift-update-on-investigation-results/
