A
You're listening to the CyberWire Network, powered by N2K. When cyber threats strike, minutes matter. Booz Allen brings the same battle-tested expertise trusted to protect national security to defend today's leading global organizations. They safeguard their data, strengthen enterprise resilience and mobilize in minutes across energy, healthcare, financial services and medicine manufacturing. Their teams don't just respond, they anticipate, outthink and stay ahead of evolving threats. This is powerful protection for commercial leaders, only from Booz Allen. See how your organization can prepare today at boozallen.com/commercial. Russian hackers target Signal and WhatsApp. Permit scammers impersonate local officials. Anthropic sues over a Pentagon blacklist. The White House moves to restore fraud victims. Shiny Hunters target Salesforce data. Ericsson reports a breach. macOS users face ClickFix malware. AWS credentials are phished. CISA warns of an exploited Ivanti flaw. Our guest is Brian Baskin, threat researcher at Sublime Security, discussing tax season employee impersonation scams. And who fact checks the fact checkers? It's Tuesday, March 10, 2026. I'm Dave Bittner and this is your CyberWire intel brief. Thanks for joining us here today. It's great as always to have you with us. Russian state hackers are conducting a global cyber campaign aimed at gaining access to Signal and WhatsApp accounts belonging to government officials, military personnel, and other individuals of interest. Dutch intelligence services MIVD and AIVD confirmed that Dutch government employees are among the targets, and journalists may also be at risk. The attackers rely on social engineering rather than technical vulnerabilities. They often impersonate a Signal support chatbot to trick victims into revealing verification or PIN codes, which allow the attackers to take over accounts. 
In other cases, they exploit the app's legitimate linked devices feature to connect attacker-controlled devices to a victim's account. Once compromised, attackers can read messages, including group chats, and potentially access sensitive information. Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable. They advise users to remain vigilant, watch for suspicious group members or duplicate accounts, and to report suspected compromises to their organization's security team. The FBI is warning about a phishing campaign in which criminals impersonate U.S. city and county planning or zoning officials to target people and businesses applying for land use permits. Attackers use publicly available information about permit applications, such as zoning numbers or property addresses, to make fraudulent emails appear legitimate. Victims receive unsolicited messages referencing their permit details and are asked to pay related fees through wire transfers, peer-to-peer payment apps or cryptocurrency. The FBI says warning signals include emails sent from non-government domains, attachments that prompt recipients to request further details, and pressure to pay quickly to avoid permit delays. The bureau advises recipients to verify messages by checking email domains and contacting local government offices directly. Suspected victims should report incidents to the FBI's Internet Crime Complaint Center. Anthropic has filed a lawsuit against the Trump administration after the Pentagon designated the AI company a supply chain risk, a move that effectively blocks its technology from defense-related work. The complaint, filed in U.S. District Court in California, argues the designation is unlawful and causing significant financial and reputational harm. Under the Pentagon's decision, defense contractors must certify that they are not using Anthropic's AI models, known as Claude, in work tied to the Department of Defense. 
The company says federal contracts are already being canceled and private sector deals are now uncertain. Anthropic estimates the decision could jeopardize hundreds of millions of dollars in the near term and potentially reduce its 2026 revenue by billions. Anthropic is asking the court to overturn the designation and pause the policy while the case proceeds. The company has also requested a formal review in a federal appeals court. The Trump administration issued an executive order directing federal agencies to strengthen the U.S. response to cybercrime and the growing financial losses Americans face from online scams. The order instructs multiple agencies to develop a coordinated action plan within 120 days to prevent, investigate and dismantle transnational criminal organizations that operate scam centers and cyber fraud schemes. The order also requires the creation of a victim restoration program within 90 days, designed to return funds seized from criminal networks to victims of cyber-enabled fraud. A new operational unit within the National Coordination Center will coordinate efforts among agencies including the Departments of State, Treasury, Defense, Homeland Security and Justice. Officials say the effort will combine government intelligence, law enforcement operations and private sector cybersecurity expertise to track and disrupt criminal infrastructure. The administration also signaled potential sanctions and diplomatic pressure against countries that allow cybercrime groups to operate within their borders. Salesforce is warning customers about an ongoing cyber campaign linked to the Shiny Hunters group involving data theft and extortion. Since mid-2025, the attackers have targeted organizations' Salesforce environments using social engineering, phishing and misconfigured settings rather than platform vulnerabilities. 
The latest campaign exploits overly permissive Experience Cloud guest user configurations, which can allow attackers to access more data than intended. Threat actors are reportedly using a modified version of the open source Aura inspector tool to extract exposed data. Shiny Hunters claims the operation has targeted hundreds of companies and has threatened to leak stolen data if victims refuse extortion demands. Ericsson Inc., the U.S. subsidiary of Swedish telecom Ericsson, says a breach at a third-party service provider exposed personal data belonging to over 15,000 employees and customers. The provider detected the intrusion on April 28 of last year and determined that unauthorized access to a limited set of files likely occurred between April 17 and April 22. Exposed information may include names, addresses, Social Security numbers, driver's license or government ID numbers, financial details, medical information and dates of birth. Ericsson says there's currently no evidence the stolen data has been misused. The company is offering affected individuals free identity protection and credit monitoring services while the incident remains under investigation. Researchers have identified a campaign targeting macOS users with a fake website impersonating the popular CleanMyMac utility. The site tricks visitors into installing Shub Stealer malware through a social engineering technique known as the ClickFix attack. Victims are instructed to run a terminal command that appears to install legitimate software, but instead downloads and executes a malicious script, bypassing macOS security protections because the user runs the command themselves. Once installed, the malware collects system information and attempts to steal credentials by displaying a fake macOS authentication prompt. If the password is entered, attackers can access the macOS keychain to harvest stored credentials and sensitive data. 
Shub Stealer also targets cryptocurrency wallets, displaying fake prompts that capture recovery seed phrases and enable attackers to steal funds. Researchers say the malware maintains persistence through a hidden background task disguised as a legitimate system updater. Researchers at Datadog have identified an active adversary-in-the-middle phishing campaign targeting AWS Management Console credentials. The operation uses typosquatted domains that mimic AWS infrastructure and hosts a high-fidelity clone of the AWS sign-in page. The phishing kit proxies authentication requests to the real AWS login service in real time, allowing attackers to capture validated credentials and likely intercept one-time password codes. The campaign uses multistage redirects and spoofed security alerts to lure victims. Once credentials are submitted, attackers can quickly access compromised accounts. In one observed case, unauthorized console access occurred within 20 minutes from a Mullvad VPN IP address. Researchers emphasize the campaign does not exploit AWS vulnerabilities but relies on credential theft through phishing. AWS has been notified and is working on disruption efforts, while defenders are urged to monitor authentication activity for suspicious logins. CISA has added a high-severity Ivanti Endpoint Manager vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch within three weeks. The flaw allows remote attackers to bypass authentication and steal credentials through a low-complexity cross-site scripting attack requiring no user interaction. Ivanti patched the issue last month. While Ivanti says it has not seen confirmed exploitation before disclosure, CISA warns the bug is actively exploited and poses significant risks to federal networks. Coming up after the break, my conversation with Brian Baskin from Sublime Security. We're discussing tax season, employee impersonations and who fact checks the fact checkers. Stick around. 
How enterprises operate and how they stay protected. It's time to eliminate risk and protect innovation. From March 23rd through the 26th, join Trend AI for actionable AI security insights. Catch impactful sessions at RSAC, then unwind and grab a bite at their lounge in Trapezoeno. Experience industry-leading AI security in person. Engage with the experts and get your chance to win $500,000. San Francisco, let's AI fearlessly. Learn more at trendmicro.com/rsa. If you're defending a network today, there's a simple question worth asking. What does the attacker see when they look at your organization? NordStellar helps answer that. NordStellar is a threat exposure management platform that gives security teams visibility into external risks, including leaked credentials, active session tokens, impersonation attempts and exposed assets across the surface web and the dark web. It's built to help organizations detect the consequences of breaches early, before attackers turn access into action. From monitoring for infostealer malware logs to identifying cybersquatting and brand abuse, NordStellar helps teams focus on the threats that actually matter. Executives get clear, actionable insights tied to business risk. Security teams get real-time alerts and one of the largest deep and dark web intelligence pools in the industry. Cybercriminals may already be looking for your weak spots. Don't make it easy for them. Be the one that's prepared. Defend your business with NordStellar. Use the code CYBERWIRE10 to unlock your exclusive discount. Go to nordstellar.com/cyberwiredaily and learn more. Brian Baskin is a threat researcher at Sublime Security. I recently caught up with him to discuss tax season employee impersonation scams.
B
Yeah, tax season and the beginning of the year, where benefits, HR enrollments, all these major activities occur, is a great time for actors to come in, target people with some very targeted, unique attacks related to tax forms, tax procedures, and really put a sense of urgency that you need to perform an action now, and it involves your money and involves your career and involves some very important things about your life in order to actually continue. So it really preys upon people's fears and urgency.
A
Yeah, I mean, I guess that's a really solid point there that most of us, when we get some kind of notice from the IRS here in the States anyway, it gets our attention.
B
And honestly, the tax season is a great thing for adversaries. They don't need to invent a reason for urgency. It's given to them for free. The IRS has really put the fear out there to the general public that you have very important deadlines, you must get things done by this date. And generally a lot of people fear that if they don't, big, horrible things were going to happen, that the IRS would tell them immediately you made a mistake, you need to correct your mistake. And honestly, what most people don't realize is the IRS doesn't actually happen that fast. They will let you know by actual physical mail six months later that you made a mistake. You won't know right then.
A
Well, let's walk through some of the things that you and your colleagues at Sublime Security are tracking here. I mean, what are some of the more common scams you'll see this time of year?
B
We get a lot of attacks impersonating the IRS, asking for personal information about the victim, asking them to fill out a new form, to log into the IRS website, asking for updated W-2s, the general tax forms and sessions that they would expect. And realistically, they are hoping that the user will open an attachment, look at a PDF, run some sort of malicious payload inside the PDF, or go to a fake website and type in the credentials to let the actor log in as them on the actual websites.
A
Is it fair to say that there are a couple of different groups here? I mean, there's the folks who are after our credentials, but then is there a separate group who are chasing after our potential refunds?
B
There is, and I think that's a very specific target audience they also go after. So, yes, there's actually two different audiences that we see for phishing attacks. One is going to be your more consumer-level person who is looking for their quick refunds. It's typically smaller amounts of money, you know, a few thousand dollars. They just want to get really quick access to that, versus your more enterprise-level person who is typically in charge of accounts, your HR, your financial workers who are in charge of tens of thousands of dollars, that typically get the very much more complicated and sophisticated attacks against them.
A
And so if my responsibility is to help protect my organization here, what sort of things should I be on the lookout for and what kind of defenses should I put in place?
B
So we like to say that AI has changed the field, and it actually has, and we've seen it in the tax season. So AI has definitely changed what we look for inside of the emails that we receive. Typically, we would tell people to look for bad grammar, look for bad spelling. We would look for things that just look out of the norm. However, now emails are coming in very professional, very correct. They would be exactly what you would expect from the agency. So the idea is that modern phishing is actually operationally mature. We moved away from the sloppy attacks. They're using legitimate services, they're using legitimate emails. So the real protection comes from the basics of knowing where that email is leading you to. Is it trying to get you to scan a malicious QR code? Is it trying to take you to a site that's not legitimate? Is it trying to take you to a fake IRS site? Is it actually trying to make you call back a number that's not actually related to the IRS? And a lot of that is just typical. This is a bad place they're trying to take you. That's not official, and really could be overcome by someone just simply searching for that one item on the Internet, the phone number, the email address, the website, and seeing if that's legit or not.
A
So it sounds like there's a real educational component here of making your employees aware of these things. Are there technical things folks can put in place as well to help tamp down on this?
B
There are multiple ways that you can protect an organization from attacks like these, and some are on the actual email side, and that's looking for, you know, the emails that look malicious or have some malicious component to them. There's also the idea that you would have multi-factor on some of these websites that an employee would be connecting to, and that's including your internal HR sites that collect forms, as well as the ultimate outcome of these emails. If they're here to try to steal money from your company, they're really targeting your internal procedures. So having actual strong procedures as far as, if money is requested, what should you be doing to perform that action? Who should you raise it to for authorization? Who should you be raising it to for approval?
A
That's Brian Baskin from Sublime Security. No, it's not your imagination. Risk and regulation really are ramping up, and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance, take the time to check out Vanta. Get started at vanta.com/cyber.
C
Close your eyes, exhale, feel your body relax and let go of whatever you're carrying today. Well, I'm letting go of the worry that I wouldn't get my new contacts in time for this class. I got them delivered free from 1-800-contacts. Oh my gosh, they're so fast.
B
And breathe.
C
Oh sorry. I almost couldn't breathe when I saw the discount they gave me on my first order. Oh sorry. Namaste. Visit 1-800-contacts.com today to save on your first order.
A
1-800-contacts. And finally, a suspicious link arrives from a friend. The headline is outrageous. The video looks slightly off. In the age of online misinformation, artificial intelligence promises to help sort truth from nonsense. Unfortunately, according to researcher Dorsof Salemi of the University of Montreal, those promises are doing a bit of exaggerating themselves. For her doctoral research, Salemi examined AI systems designed to detect fake news and found they don't actually fact check. Instead, they calculate probabilities based on patterns in their training data. In other words, they behave less like journalists and more like mirrors, reflecting whatever biases and gaps were present in the data they learned from. That creates problems. The definition of misinformation is often disputed, the training labels are not always transparent, and the models can inherit biases, sometimes even flagging content differently depending on gender or geography. Salemi proposes a more human-centered approach. She's even created a browser extension that helps users verify claims by showing sources, explanations and fact checks, leaving the final judgment where it arguably belongs: with the human reading the headline. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. 
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
CyberWire Daily – “Signals, scams, and a Salesforce snatch.”
Date: March 10, 2026
Host: Dave Bittner (N2K Networks)
Guest: Brian Baskin (Sublime Security)
This episode delivers a rapid-fire roundup of the latest cybersecurity threats, defenses, and regulatory shifts affecting organizations and individuals. Major stories span Russian state hackers targeting messaging apps, phishing campaigns exploiting local government systems, lawsuits over Pentagon AI blacklists, techniques in Salesforce data theft, new malware targeting macOS, AWS credential phishing, and the latest in enterprise vulnerability management. The episode also features an in-depth interview with Brian Baskin, threat researcher at Sublime Security, focusing on tax-season scams and the evolution of phishing attacks using AI. It wraps up by examining the pitfalls of AI-powered “fact checkers.”
"Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable."
(Dave Bittner, 01:30)
“Tax season … is a great time for actors to come in, target people with … very targeted unique attacks. … It really preys upon people's fears and urgency.”
(Brian Baskin, 14:37)
“One is … your more consumer-level person … typically smaller amounts of money, … versus your more enterprise-level person … in charge of tens of thousands of dollars [and] get the much more complicated and sophisticated attacks.”
(Brian Baskin, 17:05)
“A real educational component here [is] making your employees aware of these things.”
(Dave Bittner, 19:12)
“Instead, they calculate probabilities … behave less like journalists and more like mirrors, reflecting … biases and gaps … in the data.”
(Dave Bittner, 21:59)
On tax phishing sophistication:
“Modern phishing is actually operationally mature. ... They're using legitimate services, legitimate emails. So the real protection comes from knowing where that email is leading you.”
(Brian Baskin, 18:38)
On urgency and human fallibility:
“The IRS has really put the fear out there ... a lot of people fear that if they don’t [file by the deadline], big, horrible things were going to happen ... but the IRS doesn’t actually happen that fast.”
(Brian Baskin, 15:21)
On AI fact-checkers:
“Those promises are doing a bit of exaggerating themselves. … [AI fact checkers] behave less like journalists and more like mirrors.”
(Dave Bittner, 21:54)
This episode underscores a crucial theme: attack sophistication is rising, driven by improved social engineering and AI, even as organizations race to defend themselves with both technology and policy. From government agencies to global enterprises and individual taxpayers, the threat landscape is increasingly relentless—and demands vigilance, layered defenses, and critical thinking, especially in the age of AI-fueled misinformation.
For more details, visit theCyberWire.com and check out the daily briefing for source links.