CyberWire Daily: "Blizzard Warning: Amazon Freezes Midnight Hack"
Date: September 2, 2025
Host: Dave Bittner, N2K Networks
Episode Overview
This episode covers a wide swath of timely cybersecurity news, with lead stories on Amazon's disruption of a Russian state-backed cyber campaign (“Midnight Blizzard”), expanding fallout from the SalesLoft/Drift breach, a WhatsApp zero-click spyware vulnerability, Trojanized PDF tools distributing infostealers, the role of hackers in Tesla crash investigations, Spain reneging on a Huawei contract, and a multi-million dollar fraud against Baltimore. The show also features a deep-dive Threat Vector segment on the evolution from policy to operational cyber defenses, and lively banter about upcoming creative podcast content.
Key News Highlights
1. Amazon and Partners Disrupt Russian "Midnight Blizzard" Hack ([03:06])
- Incident: Amazon threat intelligence researchers, working with Microsoft and Cloudflare, disrupted a campaign by APT29 (“Midnight Blizzard”), the group linked to Russia's SVR.
- Tactics: The group compromised legitimate websites for a watering-hole attack, redirecting roughly 10% of visitors to fake Cloudflare “verify you are human” pages that steered them into Microsoft's device code authentication flow; a victim who completed that flow authorized an attacker-controlled device against their own account.
- Technical Approach: Randomized victim selection, cookies so that a given visitor was redirected only once, and obfuscated JavaScript to avoid detection.
- Response: Amazon, Microsoft, and Cloudflare took down the attacker domains and infrastructure; APT29 quickly tried to rebuild on other cloud providers.
- Trend: Attackers shifting away from MFA bypass toward stealthier credential theft.
- Advice: Enforce MFA, monitor sign-ins (device-code authentications in particular), and review device authorization policies.
“The campaign reflects a shift away from MFA bypass tactics towards stealthier credential theft. Users are urged to enforce MFA, monitor logins and review device authorization policies.” – Dave Bittner [04:15]
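The “monitor logins” advice above is concrete enough to script. The following is an added example, not code from the episode or from Amazon, Microsoft or Cloudflare: it scans sign-in records shaped like the Microsoft Graph `signIn` resource (where `authenticationProtocol` is `deviceCode` for the device code flow), grades each device-code sign-in against an assumed per-user IP baseline, and marks addresses that completed the flow for several users, which is what a phishing page pushing many victims through the flow looks like. The log lines and `KNOWN_IPS` are constructed.

```python
"""Flag device-code sign-ins in Microsoft Entra ID sign-in logs.

Added example; not code from the episode, Amazon, Microsoft or Cloudflare.
The records below are constructed to resemble the Microsoft Graph `signIn`
resource (`authenticationProtocol` takes the value "deviceCode" for the
device code flow). KNOWN_IPS is an assumed per-user baseline that a real
deployment would build from its own sign-in history.
"""
import json
from collections import defaultdict

# Constructed sample: one ordinary OAuth2 sign-in and three device-code sign-ins.
SIGNIN_LOGS = """
{"createdDateTime": "2025-08-28T09:12:03Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-28T09:40:17Z", "userPrincipalName": "alice@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-28T10:02:45Z", "userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"createdDateTime": "2025-08-28T10:05:00Z", "userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Authentication Broker", "status": {"errorCode": 50199}}
"""

# Assumed baseline of addresses each user normally signs in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.22"},
    "carol@example.com": {"203.0.113.30"},
}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_device_code(records, known_ips):
    """Return one finding per device-code sign-in, graded by how suspicious it is.

    - high:   succeeded from an address the user has not signed in from before
    - medium: succeeded from a known address (still worth a look; ordinary
              users rarely need the device code flow)
    - low:    the attempt failed
    Each finding also carries shared_source=True when the same address shows up
    in device-code sign-ins for more than one user.
    """
    findings = []
    users_by_ip = defaultdict(set)
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        ip = rec["ipAddress"]
        users_by_ip[ip].add(user)
        if rec.get("status", {}).get("errorCode", 0) != 0:
            severity = "low"
        elif ip not in known_ips.get(user, set()):
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "time": rec["createdDateTime"],
            "user": user,
            "ip": ip,
            "app": rec.get("appDisplayName"),
            "severity": severity,
        })
    for f in findings:
        f["shared_source"] = len(users_by_ip[f["ip"]]) > 1
    return findings


if __name__ == "__main__":
    for f in flag_device_code(parse_signins(SIGNIN_LOGS), KNOWN_IPS):
        print(f["severity"].upper(), f["user"], f["ip"], f["app"],
              "(shared source)" if f["shared_source"] else "")
```

On the constructed sample this reports alice as high (device code completed from an address she has never used), bob as medium, and carol as low, with alice and carol both tagged as sharing a source address. Detection is the fallback; where the device code flow is not needed, Conditional Access can block it outright, which removes the lure's payoff.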
2. Expanding Impact: SalesLoft/Drift Breach ([05:25])
- Event: Attackers stole OAuth tokens issued to SalesLoft's Drift chatbot integrations and used them to pull data from hundreds of customers' connected services (Salesforce, Slack, Google Workspace, AWS, Azure, OpenAI).
- Actors: Tracked by Google as UNC6395; suggested links to ShinyHunters or Scattered Spider remain unconfirmed.
- Response: Google advised treating every authentication token stored in or connected to the Drift platform as compromised and revoking it; Salesforce disabled Drift integrations; Mandiant is investigating.
- Significance: Highlights the risk of authorization sprawl. The attackers abused legitimate tokens rather than malware, so their access looked like a sanctioned integration.
“The breach... highlights the growing risk of authorization sprawl—attackers abusing legitimate tokens instead of malware.” – Dave Bittner [07:00]
Outward Ripple Effects ([07:22])
- Zscaler: Attackers gained limited Salesforce data, but no sensitive files were impacted. The company urges vigilance for phishing exploiting leaked details.
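The “treat every Drift-linked token as compromised” guidance raises the practical question of what one stolen integration token actually reaches: the services it was granted to, and then whatever credentials customers pasted into data in those services (the attackers in this case searched stolen Salesforce records for keys and passwords). The following is an added example, not code from the episode or from Google or Mandiant, that triages that blast radius over a constructed grant inventory and constructed Salesforce-style records; the integration and service names are placeholders, and the key and token inside the records are fakes.

```python
"""Blast-radius triage for a stolen integration token.

Added example; not code from the episode or from Google/Mandiant's advisory.
GRANTS is a constructed inventory of which integration holds an OAuth grant
to which service, and RECORDS are constructed Salesforce-style case comments
and mail snippets. Integration and service names are placeholders.
"""
import re

# (integration holding the token, service it can read, scopes) -- constructed
GRANTS = [
    ("drift-chatbot", "salesforce", "api refresh_token"),
    ("drift-chatbot", "google-workspace", "gmail.readonly"),
    ("drift-chatbot", "slack", "chat:write"),
    ("hr-sync", "google-workspace", "admin.directory.user"),
    ("hr-sync", "okta", "okta.users.read"),
]

# Data reachable through those grants -- constructed; the key and token are fakes.
RECORDS = [
    {"id": "case-001", "service": "salesforce",
     "body": "Customer attached IAM key AKIAIOSFODNN7EXAMPLE to reproduce the S3 error."},
    {"id": "case-002", "service": "salesforce",
     "body": "Temp login for staging portal: password=Hunter2-2025"},
    {"id": "mail-9", "service": "google-workspace",
     "body": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c3ViamVjdA.c2lnbmF0dXJl'"},
    {"id": "log-3", "service": "okta",
     "body": "password=NotReachableFromDrift"},
]

# Patterns for credentials commonly pasted into tickets. The third field names the
# downstream service a hit implies ("aws" for an access key id); None if unknown.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "aws"),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-_.]{20,})"), None),
    ("password", re.compile(r"(?i)\bpassword\s*[:=]\s*(\S+)"), None),
]


def reachable_services(grants, integration):
    """Services the compromised integration's tokens can read directly."""
    return {service for holder, service, _ in grants if holder == integration}


def mask(value):
    """Keep enough of a secret to locate it in the record, not enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def find_exposed_secrets(records, services):
    """Scan only the records that live in reachable services for pasted credentials."""
    hits = []
    for rec in records:
        if rec["service"] not in services:
            continue
        for kind, pattern, downstream in SECRET_PATTERNS:
            for m in pattern.finditer(rec["body"]):
                value = m.group(1) if m.groups() else m.group(0)
                hits.append({"record": rec["id"], "service": rec["service"],
                             "kind": kind, "value": mask(value),
                             "downstream": downstream})
    return hits


def blast_radius(grants, integration, records):
    """Direct reach via grants, plus services whose credentials sit in that data."""
    direct = reachable_services(grants, integration)
    secrets = find_exposed_secrets(records, direct)
    downstream = {s["downstream"] for s in secrets if s["downstream"]}
    return {"direct": direct, "secrets": secrets, "downstream": downstream}


if __name__ == "__main__":
    result = blast_radius(GRANTS, "drift-chatbot", RECORDS)
    print("revoke grants to:", sorted(result["direct"]))
    print("rotate credentials for:", sorted(result["downstream"]))
    for s in result["secrets"]:
        print(f"  {s['record']} ({s['service']}): {s['kind']} {s['value']}")
```

For the constructed `drift-chatbot` token the output is a revocation list (Salesforce, Google Workspace, Slack), three records containing pasted credentials, and one downstream service (AWS) whose keys must be rotated even though no token was ever granted to it. The `okta` record is left alone because nothing reachable from the compromised token touches it; the same function run for `hr-sync` would pick it up instead.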
3. WhatsApp Zero-Click Spyware Flaw ([08:10])
- Issue: A vulnerability in WhatsApp's iOS and Mac clients (CVE-2025-55177, an incomplete authorization check on linked-device synchronization messages) was chained with an Apple ImageIO bug (CVE-2025-43300) to achieve zero-click compromise.
- Impact: Attackers could steal private messages and data without any user interaction.
- Response: Meta patched the flaw; fewer than 200 people were targeted since late May, per Amnesty International, which is investigating the campaign.
4. Trojanized PDF Editor Campaign ([09:00])
- Vector: A fake PDF tool (“AppSuite PDF Editor”) advertised through Google Ads; the installer was initially clean, then a later update delivered the “TamperedChef” infostealer.
- Impact: Theft of credentials, browser cookies, and system context data; over 50 domains involved.
- Research: Truesec and Expel trace the campaign's beginnings to mid-2024; similar malware has been seen in related apps.
- User Risk: Existing installations remain at risk even though the signing certificates have been revoked, since revocation does not remove software that is already installed.
5. Tesla Crash Data Drama Uncovered by Hacker ([10:10])
- Court Case: A Miami jury ordered Tesla to pay $243M over a 2019 crash after the hacker known as “green the only” extracted critical Autopilot data that Tesla had not previously produced.
- Significance: Exposed system data changed the course of the verdict, highlighting transparency issues.
- Tesla's Position: Will appeal the verdict.
“The verdict marks a major setback for Tesla's Autopilot defense strategy, raising questions about transparency in crash investigations.” – Dave Bittner [11:19]
6. Spain Cancels Huawei RedIRIS Contract ([12:00])
- Policy: Spain cancels a €10 million contract with Huawei to supply equipment for RedIRIS, the national academic and research network, citing national strategy and autonomy.
- Broader Context: Follows NATO allies’ concerns, though Spain has previously taken a case-by-case approach.
7. Baltimore Loses $1.5M to Vendor Fraud ([12:46])
- Attack: A fraudster impersonated a city vendor, submitted changed banking details, and got city employees to approve two payments (roughly $800K and $721K); only the second was recovered.
- Larger Issue: Third such vendor scam since 2019, indicating persistent financial control weaknesses.
8. Cybersecurity Business Briefing ([13:53])
- Notable Business Moves:
- Netskope files for IPO; could raise $500M.
- UK’s InnerWorks raises $4M for AI-focused fraud prevention.
- Canada’s Scope Technologies acquires Indian SSO firm CloudCodes to launch quantum-resistant SSO.
- Cryptic Vector (US) acquires Caesar Creek Software to boost offensive cyber capabilities.
Threat Vector Segment: From Cyber Policy to Interference ([14:53])
Setting the Scene ([14:53])
- Host: David Moulton introduces a “wake up call” conversation between Michael Sikorski (CTO, Unit 42, Palo Alto Networks) and Thomas P. Bossert (President, Trinity Cyber; ex-US Homeland Security Advisor).
- Theme: Moving beyond passive defenses to proactive, real-time interference with attackers.
Proactive Cyber Operations: Industry & Policy Perspectives ([15:51–21:24])
Defining “Offensive” Cyber Action ([16:55])
- Bossert: Emphasizes the gap between “rhetoric and reality,” and that policymakers often fail to grasp operational nuance.
- Argues for reciprocal, targeted interference rather than impulsive “hacking back.”
“What I just described about what Trinity's doing... It’s reciprocal. The idea here is that we’re not going to do anything to impose any consequence on you unless you first start it. And for us, we’re only interfering with that, which... It’s like judo, where you take the energy of the attacker back on himself.” – Thomas P. Bossert [18:26]
Private Sector Boundaries ([19:53])
- Sikorski: Asks whether this philosophy would effectively privatize “offensive” operations, removing the barrier between private actors and the state.
- Bossert: Draws an analogy to the “rule of artillery”: shoot only if shot at. Frames cyber responses as operational disruption rather than emotional “revenge.”
“What we're trying to do here is to create friction, the kind of pain... that throws off their operations, that stops them from so unimpededly imposing costs on us.” – Thomas P. Bossert [20:20]
Strategic Insight
- Bossert: Stresses that US has many tools; not all adversarial responses require cyber means.
Notable Quotes
- On Policy vs. Operations: “One of my biggest fears is the massive disconnect between those policymakers that say that and what you know to be the case and how the tech works and what it really means.” – Thomas P. Bossert [16:55]
- On Creating Adversary Friction: “It's about trying to achieve a better operational outcome.” – Thomas P. Bossert [21:20]
Preview: Only Malware in the Building – Special Edition ([22:17])
- Liz Stokes introduces Alice Carruth to discuss the upcoming video-focused episode.
- Show Format: Podcast regulars take on playful personas and discuss malware in creative scenarios, inspired by a familiar TV show.
- Special Feature: September’s episode puts hosts through a “ridiculously hot sauce” challenge while sharing their security journeys (“like getting to deep dive into their personalities and their careers a little bit.” – Alice Carruth [24:34]).
- Production Value: A year in the making, marking N2K’s transition to a video-first format for this special instalment.
Lighter Note: Taco Bell’s AI Turmoil ([30:15])
- Taco Bell’s order-taking AI struggles: from failing to identify drinks to allowing wild exploits (e.g., a prankster ordering 18,000 water cups), underscoring the messiness of fast-food AI deployment.
Episode Flow & Timestamps
- News Rapid Roundup – [03:06–13:53]
- Business Briefing – [13:53–14:53]
- Threat Vector Deep-Dive – [14:53–21:24]
- Only Malware in the Building Preview – [22:17–28:50]
- Taco Bell & Miscellaneous – [30:15–End]
Summary
This episode dives into a packed day of cybersecurity news, highlighting the increasing sophistication and persistence of state-aligned attacks (notably Russian APT29/Midnight Blizzard), chain-reaction risks of SaaS integrations, spyware targeting, and complex questions at the policy–operations interface in modern cyber defense. In addition to practical reporting and analysis, it previews innovative and creative content, underscoring the industry’s mix of technical gravitas and community spirit.
