Netizen: Monday Security Brief (9/15/2024)

Today’s Topics:

  • Hackers Leak 600 GB of Data on China’s Great Firewall
  • FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data
  • How can Netizen help?

Hackers Leak 600 GB of Data on China’s Great Firewall

On September 11, 2025, what is being described as the largest leak tied to the Great Firewall of China surfaced online. Nearly 600 GB of data, including source code, internal communications, work logs, and technical documentation, was published by the hacktivist group Enlace Hacktivista, the same collective linked to the Cellebrite data leak.

The leaked material is believed to come from Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering, two organizations central to developing and maintaining China’s censorship infrastructure. Geedge was founded in 2018 under Fang Binxing, widely known as the “Father of the Great Firewall,” and has worked closely with MESA researchers to advance censorship capabilities.

The data, distributed via BitTorrent and direct links, includes a massive 500 GB archive of an RPM packaging server, as well as compressed document sets from Geedge and MESA. These contain thousands of internal reports, project descriptions, and technical proposals. Analysts have already flagged filenames such as BRI.docx and CPEC.docx that suggest ties to Belt and Road Initiative projects and international collaborations.

Project management records, communication drafts, and even routine administrative files point to the scale and bureaucracy of the censorship effort. The repository of software packages shows that the Great Firewall operates much like any large enterprise software system, with packaging servers and code repositories supporting day-to-day operations.

According to the documents, the reach of these programs extends well beyond China. The leaked files suggest that censorship and surveillance technologies have been exported to governments in Myanmar, Pakistan, Ethiopia, Kazakhstan, and other countries connected to the Belt and Road Initiative.

The material also offers a timeline of how MESA grew after its 2012 founding through talent programs, research grants, and contracts. By 2016, it was handling projects worth tens of millions of yuan annually. When Geedge was launched in 2018, it quickly became a key partner to Chinese authorities and an exporter of surveillance solutions.

The scale of this breach is unusual. Unlike prior leaks that involved small sets of emails or whistleblower documents, this trove is an extensive collection of raw operational data that tracks years of development. Experts note it will take months to analyze the source code, but even the project records already confirm long-suspected details about how China’s censorship system is built, maintained, and expanded abroad.

Hacktivists caution that anyone examining the archives should do so in isolated environments due to the possibility of embedded malware or tracking mechanisms. For researchers and rights groups, though, the leak provides an unprecedented opportunity to study how the Great Firewall functions and how its influence extends internationally.

Analysts at Net4People and the GFW Report are continuing to examine the source code and documents. More findings are expected in the coming weeks. For now, this leak represents a rare, large-scale glimpse into one of the world’s most sophisticated censorship systems and its export to partners abroad.
FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data

The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal sensitive data and extort victims.

According to the advisory, both groups have recently used different techniques to infiltrate Salesforce platforms, enabling them to exfiltrate corporate information. The FBI shared indicators of compromise (IOCs), including suspicious user agent strings, IP addresses, and URLs, to help defenders identify malicious activity and strengthen security controls.

The first cluster, UNC6040, was originally disclosed by Mandiant in June 2025. Since late 2024, these actors have relied heavily on vishing and social engineering tactics, impersonating IT support staff to trick employees into connecting malicious Salesforce Data Loader OAuth apps to company accounts. One variant, branded “My Ticket Portal,” provided attackers with persistent access once authorized.

With OAuth permissions in place, the attackers were able to mass-exfiltrate Salesforce data, primarily the “Accounts” and “Contacts” tables that store customer information. The stolen data was later leveraged by the ShinyHunters extortion group, which attempted to pressure victims into ransom payments.
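As an added defender-side example (not code from the brief or from the FBI alert), the script below scans constructed Salesforce-style API event records for two of the patterns described above: bulk reads of the Account and Contact objects through a connected app that is not on an org allowlist, and requests whose user agent matches an indicator list. The record fields, app names, row threshold and indicator values are all assumptions for illustration; the real FLASH IOCs are not reproduced here.

```python
import json
from collections import defaultdict

# Placeholder indicator list: the FBI's real FLASH IOCs are not reproduced here.
IOC_USER_AGENTS = {"EXAMPLE-IOC-UA/1.0"}
# Connected apps the hypothetical org has vetted; any other app reading
# customer objects in bulk is treated as a possible rogue Data Loader.
APPROVED_CONNECTED_APPS = {"Corporate Data Loader"}
WATCHED_OBJECTS = {"Account", "Contact"}
BULK_ROW_THRESHOLD = 10_000  # rows per request; tune to the org's normal load

# Constructed sample events (newline-delimited JSON), not real telemetry.
SAMPLE_EVENTS = """
{"ts":"2025-08-10T02:14:00Z","user":"j.doe","app":"My Ticket Portal","object":"Account","rows":250000,"ua":"python-requests/2.31"}
{"ts":"2025-08-10T02:15:00Z","user":"j.doe","app":"My Ticket Portal","object":"Contact","rows":180000,"ua":"python-requests/2.31"}
{"ts":"2025-08-10T09:01:00Z","user":"a.lee","app":"Corporate Data Loader","object":"Account","rows":120000,"ua":"Salesforce Data Loader"}
{"ts":"2025-08-10T09:30:00Z","user":"b.kim","app":"Corporate Data Loader","object":"Case","rows":40,"ua":"EXAMPLE-IOC-UA/1.0"}
{"ts":"2025-08-10T10:00:00Z","user":"c.ng","app":"CRM Dashboard","object":"Opportunity","rows":300,"ua":"Mozilla/5.0"}
"""

def parse_events(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspicious(events):
    """Return (findings, totals): flagged records, plus rows pulled from
    watched objects per (user, app) not on the allowlist, so slow-and-low
    exports spread over many small requests can still be reviewed."""
    findings = []
    totals = defaultdict(int)
    for ev in events:
        if ev["ua"] in IOC_USER_AGENTS:
            findings.append({"reason": "ioc_user_agent", "event": ev})
        if ev["object"] in WATCHED_OBJECTS and ev["app"] not in APPROVED_CONNECTED_APPS:
            totals[(ev["user"], ev["app"])] += ev["rows"]
            if ev["rows"] >= BULK_ROW_THRESHOLD:
                findings.append({"reason": "bulk_export_unapproved_app", "event": ev})
    return findings, dict(totals)

if __name__ == "__main__":
    found, per_app = find_suspicious(parse_events(SAMPLE_EVENTS))
    for f in found:
        e = f["event"]
        print(f'{f["reason"]}: {e["ts"]} user={e["user"]} app={e["app"]!r} object={e["object"]} rows={e["rows"]}')
    for (user, app), rows in per_app.items():
        print(f"total rows from watched objects via unapproved app {app!r} by {user}: {rows}")
```

In a real deployment the allowlist would be fed from the org's connected-app inventory and the user-agent set from the published indicators, with the per-(user, app) totals reviewed over a sliding window rather than a single batch.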

High-profile companies including Google, Adidas, Cisco, Allianz Life, Qantas, Louis Vuitton, Dior, and Tiffany & Co. were among those impacted by these early campaigns.

A newer wave of activity, tracked as UNC6395, surfaced in August 2025. In these intrusions, attackers leveraged stolen Salesloft Drift OAuth and refresh tokens to access Salesforce instances and extract support case data. Investigators say this campaign likely ran between August 8 and 18.

Support cases often contained highly sensitive information such as AWS keys, Snowflake tokens, and customer passwords. By extracting this data, attackers could pivot into other cloud environments for deeper compromise.

Salesloft confirmed that its GitHub repositories were breached as far back as March, allowing attackers to steal Drift OAuth tokens. In response, Salesforce and Salesloft revoked all active Drift tokens and required customers to reauthenticate.

The campaign also involved misuse of Drift Email tokens, which allowed access to a small number of Google Workspace email accounts.

Well-known security and tech companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks, were among those reportedly affected.

While the FBI did not formally attribute the campaigns, members of ShinyHunters told BleepingComputer they were involved, along with actors identifying as “Scattered Lapsus$ Hunters.” These groups claim to have overlap with Lapsus$ and Scattered Spider, two cybercrime gangs known for aggressive extortion.

On Thursday, the hackers announced via a BreachForums-linked domain that they planned to “go dark” and stop publicizing operations on Telegram. However, in a final post, they claimed to have accessed the FBI’s E-Check background check system and Google’s Law Enforcement Request system, publishing screenshots as proof.

If authentic, this level of access could allow impersonation of law enforcement and unauthorized retrieval of sensitive records.
How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.