UNC6395: The Breach That Keeps On Breaching!
- Patrick Duggan
- Sep 16, 2025
- 3 min read
Updated: Apr 25
Just when you thought the Salesloft/Salesforce/Drift OAuth token compromise might quietly fade into the background, it’s back — and it brought friends.
The latest victim? The Law Enforcement Request System (LERS).

No? What if I said Blues Brothers SCMODS? But on GCP and on the internet!
Yes, that LERS — the secure portal used by law enforcement to request user data from tech companies. Think subpoenas, emergency disclosures, and court orders. Now imagine that system compromised.
This isn’t just a data breach. It’s a trust breach. And it’s a signal: UNC6395 isn’t done.
What’s the Risk?
LERS is supposed to be the Fort Knox of legal data exchange. If attackers have access:
• They could impersonate law enforcement.
• They could extract sensitive user data.
• They could manipulate legal requests.
It was caught early by Mandiant and the fine folks at GCP, but consider the level of effort that went into securing it initially and the ease with which it was still compromised.
This is no longer about OAuth tokens floating in support case notes. This is about infrastructure-level compromise.
Rotate Your Secrets. Yes, Yours.
Even if you didn’t use Drift, you’re not off the hook.
Support agents — bless them — sometimes paste API keys into case notes. Those notes live in Salesforce. Salesforce talks to Salesloft. Salesloft got breached. You see where this is going.
If your secrets haven’t been rotated since August, they’re stale.
If you don’t know where your secrets are, I’ll help you find them.
If you think this will blow over, it won’t.
How to Hunt Down SaaS Secrets in AWS and Azure Before They Hunt You
Rotating secrets is great. Knowing where they are is better. Here’s how to track down stale or exposed SaaS credentials in AWS IAM and Azure AD, especially those tied to integrations like Drift, Salesforce, or other OAuth-happy platforms.
AWS: Finding IAM Roles That Need Rotation
AWS doesn’t hand you a “compromised secrets” dashboard, but you can get close:
1. Use IAM Access Advisor
• Go to the IAM console → Roles → Access Advisor tab.
• See which services a role has accessed and when.
• If a role hasn’t been used in months, it’s either stale or a sleeper cell.
2. Search for Access Keys
• In the IAM console, use the Search box to find access keys:
• Type the full access key ID.
• It’ll show you the user or role it belongs to [1].
3. CloudTrail Lookup
Use this CLI command to find who assumed a role and what they did:
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::<account>:role/<role-name> \
--query "Events[*].[CloudTrailEvent]" \
--output json
This helps you spot unexpected usage or over-permissioned roles [2].
4. Rotate Keys
• Go to the IAM user or role.
• Disable old keys.
• Create new ones.
• Store them in AWS Secrets Manager or Parameter Store.
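As an added example that is not from the original post, here is a Python script that does the triage from steps 1, 2 and 4 in one pass using the IAM credential report (retrieved with aws iam generate-credential-report / get-credential-report): it flags every active access key that has not been rotated since the August cutoff, has never been used, or has been dormant for 90 days. The cutoff date, the 90-day threshold, the account ID and the sample rows are assumptions constructed for the demo.

```python
"""Flag active IAM access keys that are stale or dormant, from the IAM credential report.
Real input: aws iam generate-credential-report; then
  aws iam get-credential-report --output text --query Content | base64 -d > report.csv
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ROTATION_CUTOFF = datetime(2025, 8, 1, tzinfo=timezone.utc)  # assumed: "not rotated since August"
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for sleeper keys
SAMPLE_NOW = datetime(2025, 9, 16, tzinfo=timezone.utc)

# Constructed sample rows in the credential-report CSV layout (subset of its columns).
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,false,N/A,N/A,false,N/A,N/A
drift-integration,arn:aws:iam::123456789012:user/drift-integration,true,2024-02-10T09:12:00+00:00,2025-09-15T08:00:00+00:00,false,N/A,N/A
support-bot,arn:aws:iam::123456789012:user/support-bot,true,2025-05-01T00:00:00+00:00,2025-05-20T00:00:00+00:00,true,2025-09-01T00:00:00+00:00,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,true,2025-09-02T00:00:00+00:00,2025-09-15T12:00:00+00:00,false,N/A,N/A
"""

def _parse(ts):
    """Report timestamps are ISO 8601 or a sentinel meaning 'no data'."""
    if ts in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)

def audit_credential_report(report_csv, now):
    """Return (user, key_slot, reasons) for every active key that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") != "true":
                continue  # inactive or absent keys are not a live risk
            rotated = _parse(row[f"{slot}_last_rotated"])
            last_used = _parse(row[f"{slot}_last_used_date"])
            reasons = []
            if rotated is None or rotated < ROTATION_CUTOFF:
                reasons.append("not rotated since cutoff")
            if last_used is None:
                reasons.append("never used")
            elif now - last_used > DORMANT_AFTER:
                reasons.append("dormant")
            if reasons:
                findings.append((row["user"], slot, reasons))
    return findings

def run_sample():
    """Audit the constructed sample as of SAMPLE_NOW."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)
```

Every key the script returns is a candidate for step 4: disable it, check CloudTrail for what used it, then reissue with tighter scopes.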
Azure: Auditing App Registrations and Rotating Secrets
Azure AD app registrations are the usual suspects for leaked secrets. Here’s how to audit and rotate them:
1. Audit Azure AD Roles and Secrets
• Go to Azure AD → Monitoring → Audit Logs.
• Look for changes to app registrations, role assignments, and sign-ins [3].
2. Use Azure Key Vault + Event Grid
• Set up Key Vault to fire alerts when secrets are about to expire.
• Use Azure Functions to auto-rotate secrets and update them in Key Vault [4].
3. Automate with Terraform or Bicep
• Use resources like azuread_application_password to rotate secrets.
• Store new secrets in Key Vault or Azure DevOps variable groups [5].
4. Multi-Tenant? Use Lighthouse
If you manage secrets across tenants, Azure Lighthouse helps centralize control and automate rotation [6].
Pro Tip: Don’t Just Rotate — Revoke
Rotation is good. Revocation is better. If you suspect a secret was exposed:
• Disable it immediately.
• Audit downstream systems for usage.
• Reissue with tighter scopes.
Tags:
#UNC6395 #CyberSecurity #SaaSSecurity #CloudSecurity #IncidentResponse #KeyRotation #LERS #SalesforceBreach