Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K. When cyber threats strike, minutes matter. Booz Allen brings the same battle-tested expertise trusted to protect national security to defend today's leading global organizations. They safeguard their data, strengthen enterprise resilience and mobilize in minutes across energy, healthcare, financial services and medicine manufacturing. Their teams don't just respond, they anticipate, outthink and stay ahead of evolving threats. This is powerful protection for commercial leaders, only from Booz Allen. See how your organization can prepare today at boozallen.com/commercial.

Russian hackers target Signal and WhatsApp. Permit scammers impersonate local officials. Anthropic sues over a Pentagon blacklist. The White House moves to restore fraud victims. ShinyHunters target Salesforce data. Ericsson reports a breach. macOS users face ClickFix malware. AWS credentials are phished. CISA warns of an exploited Ivanti flaw. Our guest is Brian Baskin, threat researcher at Sublime Security, discussing tax season employee impersonation scams. And who fact checks the fact checkers? It's Tuesday, March 10, 2026. I'm Dave Bittner and this is your CyberWire Intel Brief.

Thanks for joining us here today. It's great, as always, to have you with us.

Russian state hackers are conducting a global cyber campaign aimed at gaining access to Signal and WhatsApp accounts belonging to government officials, military personnel, and other individuals of interest. Dutch intelligence services MIVD and AIVD confirmed that Dutch government employees are among the targets, and journalists may also be at risk. The attackers rely on social engineering rather than technical vulnerabilities. They often impersonate a Signal support chatbot to trick victims into revealing verification or PIN codes, which allow the attackers to take over accounts. In other cases, they exploit the app's legitimate linked devices feature to connect attacker-controlled devices to a victim's account. Once compromised, attackers can read messages, including group chats, and potentially access sensitive information. Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable. They advise users to remain vigilant, watch for suspicious group members or duplicate accounts, and report suspected compromises to their organization's security team.

The FBI is warning about a phishing campaign in which criminals impersonate U.S. city and county planning or zoning officials to target people and businesses applying for land use permits. Attackers use publicly available information about permit applications, such as zoning numbers or property addresses, to make fraudulent emails appear legitimate. Victims receive unsolicited messages referencing their permit details and are asked to pay related fees through wire transfers, peer-to-peer payment apps or cryptocurrency. The FBI says warning signals include emails sent from non-government domains, attachments that prompt recipients to request further details, and pressure to pay quickly to avoid permit delays. The bureau advises recipients to verify messages by checking email domains and contacting local government offices directly. Suspected victims should report incidents to the FBI's Internet Crime Complaint Center.

Anthropic has filed a lawsuit against the Trump administration after the Pentagon designated the AI company a supply chain risk, a move that effectively blocks its technology from defense-related work. The complaint, filed in U.S. District Court in California, argues the designation is unlawful and causing significant financial and reputational harm. Under the Pentagon's decision, defense contractors must certify that they are not using Anthropic's AI models, known as Claude, in work tied to the Department of Defense. The company says federal contracts are already being canceled and private sector deals are now uncertain. Anthropic estimates the decision could jeopardize hundreds of millions of dollars in the near term and potentially reduce its 2026 revenue by billions. Anthropic is asking the court to overturn the designation and pause the policy while the case proceeds. The company has also requested a formal review in a federal appeals court.

The Trump administration issued an executive order directing federal agencies to strengthen the U.S. response to cybercrime and the growing financial losses Americans face from online scams. The order instructs multiple agencies to develop a coordinated action plan within 120 days to prevent, investigate and dismantle transnational criminal organizations that operate scam centers and cyber fraud schemes. The order also requires the creation of a victim restoration program within 90 days, designed to return funds seized from criminal networks to victims of cyber-enabled fraud. A new operational unit within the National Coordination Center will coordinate efforts among agencies including the Departments of State, Treasury, Defense, Homeland Security and Justice. Officials say the effort will combine government intelligence, law enforcement operations and private sector cybersecurity expertise to track and disrupt criminal infrastructure. The administration also signaled potential sanctions and diplomatic pressure against countries that allow cybercrime groups to operate within their borders.

Salesforce is warning customers about an ongoing cyber campaign linked to the ShinyHunters group involving data theft and extortion. Since mid-2025, the attackers have targeted organizations' Salesforce environments using social engineering, phishing and misconfigured settings rather than platform vulnerabilities. The latest campaign exploits overly permissive Experience Cloud guest user configurations, which can allow attackers to access more data than intended. Threat actors are reportedly using a modified version of the open source Aura Inspector tool to extract exposed data. ShinyHunters claims the operation has targeted hundreds of companies and has threatened to leak stolen data if victims refuse extortion demands.

Ericsson Inc., the U.S. subsidiary of Swedish telecom Ericsson, says a breach at a third-party service provider exposed personal data belonging to over 15,000 employees and customers. The provider detected the intrusion on April 28 of last year and determined that unauthorized access to a limited set of files likely occurred between April 17 and April 22. Exposed information may include names, addresses, Social Security numbers, driver's license or government ID numbers, financial details, medical information and dates of birth. Ericsson says there's currently no evidence the stolen data has been misused. The company is offering affected individuals free identity protection and credit monitoring services while the incident remains under investigation.

Researchers have identified a campaign targeting macOS users with a fake website impersonating the popular CleanMyMac utility. The site tricks visitors into installing SHub Stealer malware through a social engineering technique known as the ClickFix attack. Victims are instructed to run a terminal command that appears to install legitimate software, but instead downloads and executes a malicious script, bypassing macOS security protections because the user runs the command themselves. Once installed, the malware collects system information and attempts to steal credentials by displaying a fake macOS authentication prompt. If the password is entered, attackers can access the macOS keychain to harvest stored credentials and sensitive data. SHub Stealer also targets cryptocurrency wallets, displaying fake prompts that capture recovery seed phrases and enable attackers to steal funds. Researchers say the malware maintains persistence through a hidden background task disguised as a legitimate system updater.

Researchers at Datadog have identified an active adversary-in-the-middle phishing campaign targeting AWS Management Console credentials. The operation uses typosquatted domains that mimic AWS infrastructure and hosts a high-fidelity clone of the AWS sign-in page. The phishing kit proxies authentication requests to the real AWS login service in real time, allowing attackers to capture validated credentials and likely intercept one-time password codes. The campaign uses multistage redirects and spoofed security alerts to lure victims. Once credentials are submitted, attackers can quickly access compromised accounts. In one observed case, unauthorized console access occurred within 20 minutes from a Mullvad VPN IP address. Researchers emphasize the campaign does not exploit AWS vulnerabilities but relies on credential theft through phishing. AWS has been notified and is working on disruption efforts, while defenders are urged to monitor authentication activity for suspicious logins.

CISA has added a high-severity Ivanti Endpoint Manager vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch within three weeks. The flaw allows remote attackers to bypass authentication and steal credentials through a low-complexity cross-site scripting attack requiring no user interaction. Ivanti patched the issue last month. While Ivanti says it has not seen confirmed exploitation before disclosure, CISA warns the bug is actively exploited and poses significant risks to federal networks.

Coming up after the break, my conversation with Brian Baskin from Sublime Security. We're discussing tax season, employee impersonations and who fact checks the fact checkers. Stick around.

How enterprises operate and how they stay protected. It's time to eliminate risk and protect innovation. From March 23rd through the 26th, join Trend AI for actionable AI security insights. Catch impactful sessions at RSAC, then unwind and grab a bite at their lounge in Trapezoeno. Experience industry-leading AI security in person. Engage with the experts and get your chance to win $500,000. San Francisco, let's AI fearlessly. Learn more at trendmicro.com/RSA.

If you're defending a network today, there's a simple question worth asking: what does the attacker see when they look at your organization? NordStellar helps answer that. NordStellar is a threat exposure management platform that gives security teams visibility into external risks, including leaked credentials, active session tokens, impersonation attempts and exposed assets across the surface web and the dark web. It's built to help organizations detect the consequences of breaches early, before attackers turn access into action. From monitoring for infostealer malware logs to identifying cybersquatting and brand abuse, NordStellar helps teams focus on the threats that actually matter. Executives get clear, actionable insights tied to business risk; security teams get real-time alerts and one of the largest deep and dark web intelligence pools in the industry. Cybercriminals may already be looking for your weak spots. Don't make it easy for them. Be the one that's prepared. Defend your business with NordStellar. Use the code CYBERWIRE10 to unlock your exclusive discount. Go to nordstellar.com cyberwire daily and learn more.

Brian Baskin is a threat researcher at Sublime Security. I recently caught up with him to discuss tax season employee impersonation scams.
