Alice Carruth
You're listening to the Cyberwire network. Powered by N2K.
Dave Bittner
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 47day. Hackers disrupt a cyber campaign by Russia's Midnight Blizzard. The Salesloft Drift breach continues to ripple outward. WhatsApp patches a critical flaw in its iOS and Mac apps. A fake PDF editing tool delivers the TamperedChef infostealer. A hacker finds crash data Tesla claimed not to have. Spain cancels a 10 million euro contract with Huawei. A fraudster bilks Baltimore for over $1.5 million. We've got a breakdown of the latest business news. In our Threat Vector segment, Michael Sikorski and guest Thomas P. Bossert explore the path from policy and national security strategy to building operational cyber defense. And we preview our spicy new episode of Only Malware in the Building. It's Tuesday, September 2, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today.
It's great to have you with us. Researchers at Amazon have disrupted a cyber campaign by Midnight Blizzard, a Russian state-backed group tied to the SVR. The hackers compromised legitimate websites in a watering hole attack, redirecting about 10% of visitors to fake Cloudflare verification pages. From there, victims were funneled into a malicious Microsoft device code authentication flow, tricking them into authorizing attacker-controlled devices. Amazon's Threat Intelligence team uncovered the scheme, noting the attackers used randomization cookies and basic obfuscated JavaScript to avoid detection. Working with Microsoft and Cloudflare, Amazon cut off the group's domains and infrastructure. APT29 quickly tried to rebuild on new cloud services, highlighting its persistence. The campaign reflects a shift away from MFA bypass tactics towards stealthier credential theft. Users are urged to enforce MFA, monitor logins and review device authorization policies. Hackers have stolen authentication tokens from Salesloft's Drift chatbot, exposing not just Salesforce data but hundreds of other connected services, including Slack, Google Workspace, AWS, Azure and OpenAI. Google's Threat Intelligence Group warned the campaign, active from August 8th through the 18th, allowed attackers to siphon corporate Salesforce data, search for cloud credentials and even access some Google Workspace email accounts. The attackers, tracked as UNC6395, may overlap with extortion groups like ShinyHunters or Scattered Spider, though attribution remains unclear. Google advised companies to treat all Salesloft-linked integrations as compromised and invalidate tokens immediately. In response, Salesforce blocked Drift integrations. Salesloft has enlisted Mandiant to investigate the breach, which highlights the growing risk of authorization sprawl: attackers abusing legitimate tokens instead of malware.
The Salesloft Drift breach continues to ripple outward following Google's warning about stolen OAuth tokens being used to access Salesforce and other cloud services. Zscaler confirmed that attackers obtained limited access to its Salesforce data. The exposed details include employee contact information, product licensing data and some plain text support case content, but no sensitive files or infrastructure were affected. Zscaler revoked Drift access, rotated tokens and tightened customer authentication. The company urges vigilance against phishing attempts exploiting leaked contact details. WhatsApp has patched a critical flaw in its iOS and Mac apps, which was exploited in a zero-click spyware campaign used with a separate Apple vulnerability. The attack allowed hackers to compromise devices and steal data, including private messages, without user interaction. Amnesty International reports fewer than 200 WhatsApp users were targeted since late May. Meta confirmed the bugs were fixed weeks ago but offered no attribution, leaving the responsible spyware vendor or group unidentified. Researchers have uncovered a large-scale malware campaign distributing a fake PDF editing tool called AppSuite PDF Editor through Google Ads. The app, signed with fraudulent certificates from at least four companies, initially appeared legitimate but received a malicious update on August 21, activating the TamperedChef infostealer. The malware steals credentials, browser cookies and system data while checking for security tools. Over 50 domains hosted these deceptive apps, suggesting a coordinated effort. Some variants also attempted to enroll devices into residential proxy networks, further monetizing victims. Truesec and Expel found the campaign began in mid-2024 and includes related apps like OneStart and ManualFinder, which download each other and execute hidden commands. Though some certificates were revoked, users with active installations remain at risk.
A Miami jury has ordered Tesla to pay $243 million in damages over a 2019 crash in Florida after critical Autopilot data, initially missing, was uncovered by a hacker known as greentheonly. The hacker extracted a collision snapshot from the car's Autopilot unit, revealing what Tesla's system detected in the moments before the fatal crash. Tesla later admitted it had the data on its servers but failed to produce it. Jurors found Tesla 33% liable, concluding its technology and handling of crash data contributed to the tragedy. The verdict marks a major setback for Tesla's Autopilot defense strategy, raising questions about transparency in crash investigations, and has already fueled shareholder and wrongful death lawsuits nationwide. Tesla says it will appeal. Spain has canceled a 10 million euro contract that would have deployed Huawei equipment in its RedIRIS academic and research network, which links universities, research centers and parts of the Defense Ministry. The government cited digital strategy and strategic autonomy in reversing the deal awarded to Telefonica just a week earlier. The move follows growing concerns from NATO allies about Chinese technology in critical infrastructure. While Huawei faces restrictions across Europe, Spain has maintained a case-by-case approach, creating friction with allies over security risks. The city of Baltimore lost more than $1.5 million after a fraudster spoofed a vendor and tricked employees into changing bank account details, the city's inspector general reported. Using a fake supplier contact form in December 2024, the scammer gained access to the vendor's Workday account and submitted multiple account change requests, which were approved without verification. Payments of $800,000 and $721,000 followed. Only the latter was recovered. This marks Baltimore's third vendor scam since 2019, highlighting persistent weaknesses in financial controls despite prior promised reforms. We've got a new segment here for you today.
Each week we're going to surface the biggest stories from across the cybersecurity business landscape in our weekly Business Briefing newsletter. We bring you the highlights here on the Cyberwire Daily. In our business breakdown last week, we saw just over $500 million raised across three investments and three acquisitions. First, a look at investments and exits. California-headquartered SASE provider Netskope has filed for an IPO and will go public on the Nasdaq as NTSK. Netskope hasn't disclosed the price of its stock, but Reuters reports that the IPO is expected to raise more than $500 million, which could value the company at over $5 billion. While still not profitable, the company has increased its ARR by 33% year over year to just over $700 million. InnerWorks, a UK fraud prevention firm, raised $4 million in seed funding, which it plans to use to improve its defenses against AI cybercrime and expand its platform. Turning to acquisitions, one of the standouts was Canadian quantum-secure infrastructure firm Scope Technologies acquiring Indian SSO provider Cloud Codes from Pluraloc for $1.7 million Canadian. With this acquisition, Scope Technologies aims to deploy the world's first commercial quantum-resistant SSO platform. Also making headlines, Cryptic Vector, a US Government contractor, is acquiring the offensive cyber R&D firm Caesar Creek Software. The acquisition aims to improve Cryptic Vector's position as one of the largest offensive cyber solution providers and better support the DoD. And that wraps up this week's business breakdown. For deeper analysis on major business moves shaping the cybersecurity landscape, subscribe to N2K Pro and check out TheCyberWire.com every Wednesday for the latest business updates. Coming up after the break in our Threat Vector segment, Michael Sikorski and Thomas P. Bossert explore the path from policy and national security strategy to building operational cyber defense.
And we preview our spicy new episode of Only Malware in the Building. Stick around. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker. On today's Threat Vector segment, Michael Sikorski and guest Thomas P. Bossert explore the path from policy and national security strategy to building operational cyber defense.
David Moulton
Hi, I'm David Moulton, host of the Threat Vector Podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from a high-stakes conversation between Michael Sikorski, CTO of Unit 42, and Tom Bossert, President of Trinity Cyber and former US Homeland Security Advisor. This episode isn't about theory, it's a wake-up call. In this episode, Tom and Sicko pull the curtain back on the next evolution in cyber defense: proactive interference, not just blocking attacks, but disrupting them in real time. If you've ever wondered how to shift from reaction to resistance, from alert to action, this is it. Because if you're still relying on last-gen perimeter models, you're already behind, and the attackers know it.
Michael Sikorski
I'm Michael Sikorski, the CTO of Unit 42 at Palo Alto Networks, and I'm stepping in as guest host. Today I'm joined by my friend Tom Bossert, President at Trinity Cyber, distinguished fellow at the Atlantic Council, and former US Homeland Security Advisor. Tom's been a policy powerhouse and now leads one of the most innovative cybersecurity companies out there, focusing on proactive threat interference. Think of it like messing with the attackers mid-operation in a way that changes the game entirely. There's been a lot of talk lately about the concepts of more offensive security, more interference, more technologies that are kind of getting back at the attacker. I mean, you've heard a lot of rhetoric like that in the last few months even. Do you have any sort of, where do you think that's going, and what is going to be the impact of that, do you think, for the next four years, longer? Do you think there's going to be a lasting effect to that kind of talk? Is there going to be more action taken in the private space with that kind of thing?
Thomas P. Bossert
Yeah, I think you have a really technical listening base here to this podcast and so we'll just kind of jump into it. But one of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means. So what does offensive mean? What does defensive mean? You get into these debates, but yeah, listen, at this level it's easy to say. At one high level, people can't see me. I'm saying at the 30,000 foot level, I'm all for not just cyber induced, but any kind of policy lever inducing a change in the incentive structure. So listen, there are bad actors out there. Do things to them to punish them, to impose consequences, all for it. You don't have to limit yourself to just offensive cyber. I think one of the things that troubles the United States and Western countries on the offensive debate is we say, I'm mad. I want to get back at these guys for taking advantage of us. Check, check. Me too. And then, well, so let's start hacking them. Well, what do you mean? What do you want to hack? Do you want to just hack in general? You want to shut down?
Michael Sikorski
You kind of have to define what that is. Right?
Thomas P. Bossert
Once you get into that debate, this is what I used to do for you. Once you get into the debate of figuring out what's the target, how much is it going to cost? What effect are you going to achieve? Are you actually going to change the behavior of that country by hacking into more of its private businesses? Do they care about their private businesses? Is there a fundamental misunderstanding about how we can.
Michael Sikorski
It's harder to be tit for tat. Right. Because China's hacking every single business that we have. Everything we're doing. Like, would they even care if we.
Thomas P. Bossert
Did, if we did the same to them? And the late Ash Carter said, I'm soaked in gasoline and you want to get me into a match throwing contest. And I thought, that's pretty good, right? So there's a lot of parallels to the tariff debate that we're having right now. But, yeah, listen, in targeted, useful way, I don't shy away from offensive cyber operations if they have a meaning and a purpose. But you know, for me, tell me how to frame it better. But what I just described about what Trinity's doing is. It's here. I'll direct this to the current president. It's reciprocal. Okay, it's reciprocal. The idea here is that we're not going to do anything to impose any consequence on you unless you first start it. And for us, we're only interfering with that, which. It's like judo, where you take the energy of the attacker back on himself. To me, we have to get better at doing that. That's a starting point. Because offensive operations take a long time. They are executed in a different place with singular authorities. And often it would be much easier and more effective to use a different lever or a different type of national power to change the calculus of the adversary. You want to hack all the Chinese businesses to get China to behave differently? I don't know. I don't think that's the best way. It's anyway. But it's got to be in a mix of all the other ways that you've got going for you.
Dave Bittner
But.
Thomas P. Bossert
And the US Has a lot of power. We don't have to sit around and just hack people back. At some point, we reserve the right to use bigger force.
Michael Sikorski
Yeah, that's interesting. I'm wondering where. If things could get more privatized, at least I think of it as like, you got to go work for an agency or something like that to really do the offensive stuff. And that's what people have always talked about. I wonder if this would open the door for that not to be the case longer term.
Thomas P. Bossert
Well, you know, and then.
Michael Sikorski
And then where do you. Where do you draw the line? Who's. Who's watching the companies? Who would be doing that?
Thomas P. Bossert
Right. There's a thousand answers to that, but one of the simplest ones is, honestly, it's like the rule of artillery in the military. You know what you're allowed to do if somebody starts shooting at you? Shoot back. You don't shoot first, but you shoot back. And there's. There's a misnomer in the cyber world that shoot back is kind of a. Is kind of a pause thing where you get hacked and then you get together and you call a bunch of experts and you say, okay, now we're going to hack back to, like, kind of a pain type of application. We're going to. We're going to apply pain to them for doing that. Like, it's a. Like it's a spite thing. But that's not what I'm suggesting. What we're trying to do here is to create friction, the kind of pain, like I described earlier, that throws off their operations, that stops them from so unimpededly imposing costs on us. It's not about getting into a fight where I'm mad and I want to have my emotion vindicated. It's about trying to achieve a better operational outcome.
David Moulton
This conversation is a blueprint for what comes next in cyber defense. Don't miss it. The episode is called From Policy to Cyber Interference, and it's live now in your Threat Vector feed. Thanks for listening. Stay secure. Goodbye for now.
Dave Bittner
And be sure to check out the complete Threat Vector podcast wherever you get your favorite podcasts. Today we published a special, spicy new episode of our Only Malware in the Building podcast. Here's our podcast producer, Liz Stokes, speaking with N2K Director of Enterprise Content Strategy, Mayan Plot, about the show.
Liz Stokes
Hi, Liz.
Alice Carruth
Hi.
Liz Stokes
Hi.
Alice Carruth
Hi.
Liz Stokes
I am here to ask you lots of questions about only malware in the building, and in particular, the newest special edition that's coming out in September. Can you tell us a Little bit of background about what we're making and why it fits into the Only Malware universe.
Alice Carruth
Yeah, absolutely. First, thank you so much for having me. I'd love to tell you a little bit more about one of the shows that I work on, specifically called Only Malware in the Building, and especially the special edition that's going to be coming out in September. So Only Malware in the Building is kind of one of our little niches that we have on the show. It's this malware-infused podcast where we have Dave Bittner, Keith Mularski and Selena Larson all come on and talk about social engineering, different malware strains that are out there, all kinds of different stuff that's out there in the world right now. And they just kind of come on and vibe. But this idea really came from a show that we all like, which, wink wink, if anybody can guess what it is. And we kind of thought it would be fun that our hosts kind of took on the personas of those people on the show and shared malware through the eyes of the podcast, like the show. And so basically, I believe it was last year that we started doing this, and it kind of transformed into this fun, creative show every month that comes out, where we have a different cold open each episode, where I work on the script with my good colleague Trey Hester, the audio engineer of the show. We kind of just basically put Dave and Selena and Keith in all of these weird, crazy scenarios every month and they have to figure it out while also talking about malware. So it's this amazingly fun episode each month that we get to work on, and it's very creative, and it really just brings out the best of our creative flow here at N2K.
And specifically, the September episode that's coming out, we kind of took this idea of having all three hosts eat ridiculously hot sauces with wings and kind of answer some get-to-know-you questions about their past, like different questions that involve them coming up in cyber, them coming up in their careers, and just kind of getting to deep dive into their personalities and their careers a little bit. So I'm really excited about this show to come out. I'm really excited for this episode to come out. I'm so excited for the audience to see it. But it's mainly something that we've been working on for the past year now. And so it's going to be great when it comes out.
Liz Stokes
It really will. Without teasing too much, because we want to make sure that people see the whole episode when it comes out, can you talk a little bit about how we went about recording it? Like, who was involved? What were all of the pieces that went into this? Any sort of, like, exciting things that happened along the way?
Alice Carruth
Oh, yeah. So I think, as I said before, this episode has been probably a year in the making that we've been working towards this. And this has probably been one of the longest projects that I personally have worked on ever in my career. And the reason behind that is because so much went into making sure that the hosts had everything that they needed. So that when we sat down and actually shot this, everything was perfect. And I want to start by saying that our team has worked incredibly hard to make this something special for our audience to sit down and watch. I mean, this isn't going to be like something that we've ever done before. And I think that's the beauty of this episode, is that it's going to bring into ties of things that we have done, but also things that you're not going to want to miss when this episode comes out. There are certainly things that I want to share with the audience right now, but we are holding off on sharing all of the things because we want it to be such a big surprise. We want the audience to get that wow factor when it comes out. And so we are dropping little teasers and hints every once in a while on social media, trying to get people hyped up about it. And I think. I think for the majority of the part, everybody is getting hyped about this. And I think especially people in N2K are hyped about this. I mean, we have worked so hard on this project, and we just want to make sure that the audience sees how hard we've worked on this project.
Liz Stokes
Yeah. Well, without teasing too, too much, I think the biggest thing about this episode that's different than the others in the past is that it is very focused on a video product. There's obviously going to be an audio podcast, because that is a thing that we do here at N2K all the time. But I'm curious how things differ between an audio first or audio only to a video first production this time.
Alice Carruth
Yeah. You know, sitting down each month, Trey and I can bump out a script in like, a couple days, and then we can turn it into audio pretty much within a couple of weeks. This video project, like I said, it took a year in the making. And so starting from, okay, let's have this concept turn into a reality. It kind of turned into, well, what all goes into this video project. You know, like it's not just three hosts sitting down eating some very spicy sauces and wings. You know, it's, it's something bigger than that. It's what kinds of questions are going to get the audience the most involved? You know, what kind of teasers can we put out that'll really get everybody hyped up about this episode? What type of sauce are we going to choose that'll make Dave scream his head off, you know, like anything like that? And so while we were putting all of the little pieces together, trying to turn them into something bigger, it was really the team behind this project that led this into becoming what it is today. I don't want to give too much away, but this video project is something that I think all of us are incredibly proud of to put out onto our network and to share with our audience. Because we've worked so hard on this and every account that we've taken into consideration to make this thing. I think it's going to be a really beautiful thing once we put it out for our audience.
Dave Bittner
There is an audio version of Only Malware in the Building, but I highly recommend you view the episode on YouTube for added enjoyment. We'll have a link in the show notes. Abercrombie is an official fashion partner of the NFL, and I'm CeeDee Lamb, wide receiver for the Dallas Cowboys. You know, I'm here for Abercrombie's Cowboys gear. That's not a question, but I need a whole wardrobe to go with it. No shade to the guys, but I'm used to having the best tunnel fits. This season, Abercrombie has me covered. Shop NFL by Abercrombie in the app, online and in store.
Liz Stokes
Running a business comes with a lot of what-ifs, but luckily there's a simple answer: Shopify. It's the commerce platform behind millions of businesses, including Thrive Cosmetics and Momofuku, and it'll help you with everything you need. From website design and marketing to boosting sales and expanding operations, Shopify can get the job done and make your dream a reality. Turn those what-ifs into... Sign up for your $1 per month trial at shopify.com/specialoffer.
Dave Bittner
And finally, Taco Bell is discovering that teaching AI to handle late-night cravings isn't quite as simple as asking for extra hot sauce. Chief Digital and Technology Officer Dane Matthews admitted the company's voice AI has had its share of meltdowns, sometimes delightfully accurate, sometimes like a burrito that unravels in your lap. Customers have gleefully documented the chaos, including one viral exchange where the AI, when asked for a large Mountain Dew, simply kept asking what drink the man wanted. With that, another prankster managed to order 18,000 water cups. Still, Taco Bell says its AI has successfully handled 2 million orders across 500 restaurants. Apparently, progress, like tacos, is best served messy. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: September 2, 2025
Host: Dave Bittner, N2K Networks
This episode covers a wide swath of timely cybersecurity news, with lead stories on Amazon's disruption of a Russian state-backed cyber campaign (“Midnight Blizzard”), expanding fallout from the Salesloft/Drift breach, a WhatsApp zero-click spyware vulnerability, Trojanized PDF tools distributing infostealers, the role of hackers in Tesla crash investigations, Spain reneging on a Huawei contract, and a multi-million dollar fraud against Baltimore. The show also features a deep-dive Threat Vector segment on the evolution from policy to operational cyber defenses, and lively banter about upcoming creative podcast content.
“The campaign reflects a shift away from MFA bypass tactics towards stealthier credential theft. Users are urged to enforce MFA, monitor logins and review device authorization policies.” – Dave Bittner [04:15]
“The breach... highlights the growing risk of authorization sprawl—attackers abusing legitimate tokens instead of malware.” – Dave Bittner [07:00]
“The verdict marks a major setback for Tesla's Autopilot defense strategy, raising questions about transparency in crash investigations.” – Dave Bittner [11:19]
“What I just described about what Trinity's doing... It’s reciprocal. The idea here is that we’re not going to do anything to impose any consequence on you unless you first start it. And for us, we’re only interfering with that, which... It’s like judo, where you take the energy of the attacker back on himself.” – Thomas P. Bossert [18:26]
“What we're trying to do here is to create friction, the kind of pain... that throws off their operations, that stops them from so unimpededly imposing costs on us.” – Thomas P. Bossert [20:20]
On Policy vs. Operations:
“One of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means.” – Thomas P. Bossert [16:55]
On Creating Adversary Friction:
“It's about trying to achieve a better operational outcome.” – Thomas P. Bossert [21:20]
This episode dives into a packed day of cybersecurity news, highlighting the increasing sophistication and persistence of state-aligned attacks (notably Russian APT29/Midnight Blizzard), chain-reaction risks of SaaS integrations, spyware targeting, and complex questions at the policy–operations interface in modern cyber defense. In addition to practical reporting and analysis, it previews innovative and creative content, underscoring the industry’s mix of technical gravitas and community spirit.