A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

Microsoft releases emergency out-of-band Windows updates. Trump targets the NSA's leading AI and cyber expert in clearance revocations. A breach may have compromised the privacy of Ohio medical marijuana patients. Cybercriminals exploit an AI website builder to rapidly create phishing sites. Warlock ransomware operators target Microsoft SharePoint's ToolShell vulnerability. Google and Mozilla patch Chrome and Firefox. European officials report two cyber incidents targeting water infrastructure. A federal appeals court has upheld fines against T-Mobile and Sprint for illegally selling customer location data. Authorities dismantled DDoS powerhouse RapperBot. On our Industry Voices segment, we're joined by Matt Radolec, VP of Incident Response, Cloud Operations and Sales Engineering at Varonis, speaking about Shiny Hunters and the problems with securing Salesforce. And Microsoft Copilot gets creative with compliance.
August 20, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. Microsoft has released emergency out-of-band Windows updates to fix a bug that breaks reset and recovery tools after installing the August 2025 security patches. The issue affects Windows 10 and older versions of Windows 11, blocking users from resetting their PCs, reinstalling Windows while keeping files, or using the "Fix problems using Windows Update" tool. IT admins using the Remote Wipe CSP for remote resets are also impacted. These cumulative out-of-band updates replace the faulty ones and can be installed via Windows Update, Windows Update for Business, or the Microsoft Update Catalog. Microsoft advises applying the out-of-band updates instead of the August security patches. President Trump revoked security clearances for 37 current and former intelligence officials, including Vinh Nguyen, a senior data scientist at the National Security Agency. Nguyen, a highly regarded mathematician and expert in quantum computing, artificial intelligence and cyber issues, has been central to the NSA's cutting-edge technology products. His removal has alarmed current and former officials who warn that losing his expertise could significantly delay U.S. development in key emerging technologies. Nguyen was previously mentioned in reporting on the 2016 election intelligence assessments, drawing political attention. Despite his reputation for nonpartisan work, critics say targeting him and others reflects a politically motivated effort, led by DNI Tulsi Gabbard at Trump's direction, to discredit intelligence findings on Russian interference in 2016.
A major data exposure may have compromised the privacy of Ohio medical marijuana patients. Researcher Jeremiah Fowler discovered an unsecured 323-gigabyte database in July that contained nearly a million records, including Social Security numbers, medical histories, mental health evaluations and scans of IDs such as driver's licenses. Some files detailed qualifying conditions like cancer, HIV or anxiety, while others included offender release cards used for identification. Fowler traced the database to Ohio Medical Alliance LLC, known as Ohio Marijuana Card, and alerted the company on July 14. The database was secured the next day, though the firm did not directly respond to him. Company president Cassandra Brooks later said the incident was under investigation. Misconfigured databases like this remain a common cybersecurity risk. Cybercriminals are exploiting Lovable, an AI website builder, to rapidly create phishing sites, drain cryptocurrency wallets and spread malware, according to Proofpoint researchers. Originally designed to let users generate functional websites in minutes, Lovable is now being abused to mimic trusted brands like Microsoft and UPS. Proofpoint has detected hundreds of thousands of malicious URLs hosted on lovable.app each month since February. Campaigns include fake Microsoft logins powered by the Tycoon phishing-as-a-service kit, fraudulent HR benefit portals, credit card harvesting, UPS clones and crypto wallet drainers. Attackers have also distributed malware such as the zgRAT remote access trojan through fake invoice pages. Lovable says it's removed phishing clusters and added AI safeguards like real-time malicious prompt detection and daily project scans. Warlock ransomware operators are aggressively exploiting Microsoft SharePoint's ToolShell vulnerability, rapidly compromising unpatched systems worldwide, according to Trend Micro.
First emerging on the RAMP forum in June 2025, Warlock has quickly become a global threat, hitting organizations in North America, Europe, Asia and Africa. Affiliates exploit authentication and deserialization flaws to gain code execution, escalate privileges, move laterally and deploy ransomware at scale. Attacks include a July campaign linked to Chinese actor Storm-2603 and an August hit on UK telecom Colt Technology Services. Google and Mozilla have released new security patches for Chrome and Firefox addressing multiple high-severity flaws. Chrome 139 fixes an out-of-bounds write bug in the V8 engine that could be remotely exploited via crafted HTML pages. The flaw was discovered by Google's Big Sleep AI vulnerability hunting system. Mozilla patched nine Firefox issues, including a sandbox escape, a same-origin policy bypass and memory safety bugs that risk remote code execution. Updates also cover Thunderbird and Firefox ESR. Users are urged to update promptly. European officials last week reported two alarming cyber incidents targeting water infrastructure. In Norway, suspected Russian hackers opened a valve at the Bremanger dam in April, briefly increasing water flow but causing no damage. A Telegram video linked to the pro-Russian Z-Pentest Alliance shows the attack, though experts say the perpetrators seem inexperienced. In Poland, officials disclosed a foiled cyber attack that could have cut water to a major city, also attributed to Russian actors. Experts warn these incidents reflect Russia's long-standing strategy of poking and prodding critical systems as precursors to larger attacks. Security researchers stress that water utilities, often underfunded and poorly protected, must urgently improve defenses. Free resources such as the DEF CON Franklin Project and the Cyber Peace Initiative are also available to help safeguard this critical infrastructure.
A federal appeals court has upheld $92 million in FCC fines against T-Mobile and Sprint for illegally selling customer location data without consent. The court ruled the carriers knowingly shared real-time location information with aggregators like LocationSmart and Zumigo, even after abuses were exposed. Judges rejected claims that the FCC misapplied the law or violated the Seventh Amendment, noting the carriers waived jury trial rights by paying fines and seeking review. T-Mobile faces $80.1 million in penalties, Sprint $12.2 million, while AT&T and Verizon continue separate appeals. Authorities say they've dismantled RapperBot, one of the most powerful DDoS botnets ever recorded, following a US investigation. The takedown occurred after officials traced the operation to Ethan Foltz, age 22, of Eugene, Oregon, who allegedly ran the botnet since 2021. Foltz, charged with aiding and abetting computer intrusions, faces up to 10 years in prison. RapperBot, also known as Eleven Eleven Botnet and CowBot, infected up to 95,000 IoT devices, conducting more than 370,000 attacks against 18,000 victims worldwide. At its peak, it launched DDoS attacks exceeding 6 terabits per second. Investigators linked Foltz to RapperBot through PayPal and Gmail accounts, and he later admitted to being its administrator. Major tech firms assisted in the investigation, which officials say may have prevented millions of future attacks. Coming up after the break, my conversation with Matt Radolec from Varonis, speaking about Shiny Hunters and the problems with securing Salesforce. And Microsoft Copilot gets creative with compliance. Stay with us.

We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need.

CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, CyberArk helps modern enterprises secure their machine future. Visit cyberark.com/machines to see how.

Matt Radolec is VP of Incident Response, Cloud Operations and Sales Engineering at Varonis. And on today's sponsored Industry Voices segment, we chat about Shiny Hunters and the problems with securing Salesforce.
B
We're very blessed. A lot of organizations trust us to assess the security of their data and also to help them improve that, whether that be through using our software or even just meeting with us. And our whole go-to-market strategy is around doing what we call data risk assessments. And so as a result of that, we get to zoom out and see, well, what do we see everywhere? Whether it's at a big bank or a small retail shop, or at a law firm, or in fashion or in manufacturing or in defense, what is ubiquitous across all of those areas? And when it comes to security in the cloud, a lot of people make the same mistakes. And when we think about Salesforce, this is one of those areas where it's super common for organizations to even outsource their Salesforce to a third-party provider and have either no in-house Salesforce expertise or simply not even know what it is or what it's used for on the security team. And one of the things I always say back to that is, well, if there was an incident there, are you going to call the third party, or are they still coming to the SOC and IR team? Right.
A
I mean, it's a really interesting conundrum, I guess I could say. Correct me if I'm wrong here, but my understanding is that there can be a lot of frustration, mystery, black magic when it comes to Salesforce in general. It can be a black box for folks, and for non-technical people it can feel almost impenetrable. Am I off base there?
B
No. And Salesforce means different things to different people. They have different products and different companies that they've bought and integrated over time. So there is healthcare software that runs on Salesforce, there's order management software, there's ticket management software, there's, you know, deal management software inside of Salesforce. So when you say the bigger Salesforce, it can mean a lot of different things to different people. And then unwinding how things like permissions, entitlements or permission sets, permission set groups (that's the Salesforce terminology), or even API privileges work, most people don't even know how to figure that out, let alone what it's supposed to look like. So you're spot on.
A
Yeah, well, I mean, let's talk about some of the potential vulnerabilities here before we dig into your research, when you talked about the Shiny Hunters gang. Can we still stay at the broad level and talk about some of...
B
The potential things, the things that we found and we put out in our State of Security report, for instance?
A
Yeah, let's do it.
B
Yeah. So one thing that we'll see a lot is that a lot of people have the ability to view and export all information. And, you know, sometimes that's referred to as godlike privileges, right, or these super-admin-like privileges. And that exists in lots of different applications. It could be in Salesforce, it could be in Box. It's less common in, you know, IaaS like AWS or Google or even Azure cloud compute, because you just don't give out those kinds of privileges. But it's pretty common in SaaS that we'll see that someone can do that. Another one is some of the apps like, I'm sure you and a lot of your listeners use Microsoft 365, where you're able to create and share data via a link. A lot of people don't know this, but Salesforce allows you to do that too. And no one thinks about Salesforce the way that they think about Office 365, but the functionality of creating a link and sharing it to anyone on the Internet is there.
A
So there's a lot of power under the hood that people aren't aware of. They don't know what they don't know.
B
Yeah. And there's this bigger question about, like, posture management. So I think what ends up happening is people look at a SaaS application as being inherently secure. Salesforce is, what, a $20 billion revenue company? Like, they're a big company. Right. They have secure data centers. You can go and look at their website and see their trust information and how they take security seriously. But in this thing called the shared responsibility model, which is not peculiar to Salesforce, that's in any cloud provider that you do business with, you need to understand what's on you versus what's on them. And for Salesforce, they're going to secure their data centers, they're going to deliver you a secure connection to their website, but it's on you to configure your identities and your Salesforce records and attachments. Same as it would be, let's say, in Snowflake: the rows of your database and in your data lake, and whether or not things are masked. These are configuration settings that are on you. And that's what makes this Shiny Hunters thing so, so interesting.
A
And are these things specific to Salesforce or do they have their own peculiarities that present certain challenges that some of the other providers may not have? Or is this par for the course in this area?
B
I'd actually say, I mean, yes, Salesforce has a lot of uniqueness that makes permissions management very difficult. But let's zoom out from that and talk about cloud and SaaS posture management in general. What is the issue that Shiny Hunters is, quote unquote, exploiting? It's not actually a vulnerability per se. It's that people are allowed to make API queries or add and authorize applications at the user level to their Salesforce data. You can also do this in Microsoft 365. You can also do this in Box and Dropbox and Google Workspace, where you're allowed to add apps and connect different apps to what you do. So in this case, Shiny Hunters is, you know, targeting high-profile companies. They're posing as, you know, IT or security people. They're convincing people to authorize these applications into their tenants, which then harvest and exfiltrate data. So when we tear that apart, there's a few things that they're getting wrong. One, that user has the ability to add these apps. That's problem number one. Two, the permissions that that user had are probably too broad. We call that at Varonis a big blast radius. So that means not only did they add this app, but this bad app has the same privileges that they do. And maybe they have view all or export all, or maybe they have API access with an unlimited amount of API tokens. That could be in any application. Lots and lots of SaaS apps have all these features. It's just that with Salesforce, and just how many different ways there are to use it, people don't often know how to get to that least privilege or that small blast radius. And so things are generally open. Or, like I mentioned before, Salesforce's uniqueness is it is very often managed by a third party, and the third party is just trying to keep it running and keep your business running. They're not necessarily thinking about, am I keeping you from having bleed-over from one object type to another?
A
Yeah. What about Shiny Hunters themselves? I mean, for folks who may not be familiar with them, how do you describe that specific group?
B
Yeah, there's been a lot of talk associating Shiny Hunters as, like, a branch or a carve-out of Scattered Spider, which we all know has been targeting retailers and insurance companies. They've been, like, the hottest threat actor on the scene this summer. I even spoke about them in my RSA talk, for instance. And what's happening is they're using social engineering in order to impersonate IT people or help desk people. Now, the methods that they use are changing. For apps, what got Google was they got someone to authorize a malicious application, like a data loader, right, and then they exfiltrated data. But they're also doing things like getting into someone's Okta, or getting into someone's Office 365, or getting into their Snowflake, or getting into their ServiceNow. Like, there's other applications that get targeted, because ultimately, when you compromise an identity and you assume control over an identity, the way that authentication works on the Internet is you have a lot of single sign-on. I'm sure, like yourself and your listeners, when you click on a website, you don't log in every time. The credentials are cached. It auto-passes the token that you already have and you log into that website. Well, when an attacker compromises you, or they compromise your device, they get to do that same thing. They get to log in as you everywhere. And that's what makes, you know, Scattered Spider and Shiny Hunters so successful: they are simply targeting users and they are getting users to do things with a big blast radius that leads to a data breach. They are exploiting that user having too much access, or having misconfigured API credentials, or having the ability to authorize applications on their tenant. And so it's actually quite novel versus quite sophisticated. That's the success behind their campaign: what they're doing is novel and they're targeting large companies with lots of entry points.
A
Is there a sense that Shiny Hunters is specifically targeting organizations that are using Salesforce?
B
I mean, they've had a lot of success there, but a lot of the threat intelligence is tying them to kind of a branch out of Scattered Spider, who just seems to be shifting industries and shifting applications to target. So I think it's a target-rich environment, and when the Eye of Sauron moves, it's successful. Right. So they've shifted industries a few times, they've shifted regions. They started in the UK, for instance. I don't know if you remember all the grocery stores that were compromised in the UK earlier this summer, which I talked about on my podcast, State of Cybercrime. But there seem to be, like I said, the Eye of Sauron seems to be shifting to different places, and it looks like right now it's focused on Salesforce and very large companies. I mean, Google being a massive, massive company.
A
Yeah. What do you make of Shiny Hunters' success with social engineering, that being, in my mind, kind of the core of their success?
B
Yeah, it's 2025. Our users and, you know, identities being compromised: it's still the most likely way that we're going to have a data breach. And it's still one of the hardest things to defend against. Can we really blame them? You know, yes, security awareness can help, but I think anybody could be fooled. Even the security researcher can be fooled by a well-crafted ruse. And so I think this really highlights the need for what people would call zero trust, or a low blast radius. Having detective controls and responsive controls, being able to know what happened when a breach happens, being able to respond to it quickly, because the bigger the company you are, the bigger the number of entry points there are going to be for Shiny Hunters to find one weak link. As I always like to say, an attacker only has to find one weakness to get in, and you as a security practitioner have to do 100% right, 100% of the time. And as things get larger and more complex, that just makes the job harder. So we're in a time where the attackers have an upper hand.
A
Well, let's talk about protecting yourself against these sorts of things. Can we start with low-hanging fruit? I mean, are there common things that people can do to just, you know, make the other people in the neighborhood maybe a little more attractive than them?
B
Yeah. Disable or limit the ability to share stuff via a link on the Internet to anyone in the public. Turn it off. Turn off the ability for your users to add applications to their tenants. Like, what's the use case? Shouldn't that have to go through IT anyway? All the companies that allow this, we often find, have very rigorous change control processes and very rigorous application vetting processes. But yet when it comes to Salesforce, or it comes to their Google Workspace, they allow users to add apps. They wouldn't do that on your laptop. Why allow that same thing in a SaaS application? So I think it's about taking a lot of the security basics and extending them to your SaaS apps and to your cloud environments. It's these simple best practices. And then, of course, you know, give people access to just what they need to do their job and apply that principle everywhere. Take that little bit of extra time to do security the right way. And when these incidents happen, the damage will be very small, the liability will be capped. It won't be, you know, a big massive data breach that could be reputation-damaging or even cripple your company's business or ability to do operations.
A
What are some of the more sophisticated things that people can do to prevent these kinds of attacks?
B
Yeah, I think on the preventative side, you can restrict connected app permissions in Salesforce, maybe only read-only and maybe only to certain things. You can apply IP-based login controls. So, like, maybe people can only get to these apps if they're on your VPN, meaning they need to not only compromise an identity but also compromise a device. Right. So think about, like, multifactor authentication. Multifactor authentication is another good one. And also make sure that, for Salesforce, for instance, you're deploying Salesforce Shield and having some type of behavioral analytics run on top of that, that you're monitoring authentications and looking for compromised identities, like, you know, behavioral analytics, or, you know, taking a detection strategy, because you're not going to be able to prevent everything. But what you can't prevent, you can probably detect. And if you can't detect it, then you can at least limit the impact of what happens, or you can react quickly. And so if you have that mindset of, I'm going to prevent it; if I can't prevent it, I'm going to detect it; if I can't detect it, I'm going to respond to it judiciously, you're doing everything again. And so if you've got an enterprise app that your business runs on and you don't have a plan to do those three things, probably start there.
A
I'm curious about something you touched on, which is that organizations who are otherwise secure, you know, organizations who would not allow their users to just install apps on their laptop, for example, seem to have this blind spot when it comes to Salesforce. Where do you suppose that comes from? What would generate that kind of oversight?
B
Yeah, Salesforce is often not purchased by IT. Salesforce does a tremendous job, like, hats off to their sales team, at selling into the head of sales, the CEO, the CFO. And so as a result of that, it often bypasses a lot of the standard software onboarding. And when you do a move from, like, another CRM to Salesforce, it's a humongous project. And again, oftentimes run by a third party, and, you know, everyone's squeezing the budget or they want things to be done faster, and security is usually the first thing to get overlooked. Or it's simply not in the wheelhouse of the third-party provider that you hired to set up your Salesforce, because of that shared responsibility model.
A
Suppose I have a third-party provider. I mean, what kind of questions should I be asking them?
B
Can people in my Salesforce share data via links? Can users connect via API? Can users view and export all? How many super admins do I have? Can users add connected apps into their Salesforce? Is multifactor authentication set up? Are IP-based logon restrictions set up? What public sites do I have available? And if everything I'm saying sounds very overwhelming, you could go to varonis.com and ask for a free Salesforce data risk assessment. It takes us about 15 minutes to get connected to your Salesforce and answer all those questions for you, with no obligation to move forward. But there are a lot of ways that you could also assess it yourself, if that's, you know, above and beyond what your ability to influence things in your organization is.
A
That's Matt Radolec, VP of Incident Response, Cloud Operations and Sales Engineering at Varonis.

And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application control containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.

And finally, Microsoft's Copilot is supposed to make life easier. Summarize a file here, draft an email there. But it also came with a curious trick: it could fetch files without leaving any record in the audit log. For security teams and compliance officers, that's not a feature, that's a horror movie. Researcher Zack Korman found the flaw and responsibly reported it, only to discover that Microsoft's bug handling process was frustratingly opaque. The company quietly patched the issue, labeling it "important" rather than "critical," and decided no CVE or public disclosure was necessary. For organizations bound by HIPAA or other regulations, that could be a major problem. For everyone else, it's a reminder that Copilot may be clever, but Microsoft's communication strategy could use some debugging of its own. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting insights through the end of August. There's a link in the show notes. Please take a minute and check it out. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Date: August 20, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Matt Radolec, VP of Incident Response, Cloud Operations, and Sales Engineering at Varonis
This episode delivers a comprehensive rundown of current major cybersecurity news, including urgent Microsoft patches, significant breaches, government actions, and DDoS takedowns, followed by a deep-dive interview into SaaS vulnerabilities—particularly Salesforce—and the rise of "Shiny Hunters". Throughout, the discussion centers on real-world attack trends, challenges of securing complex cloud environments, and actionable security lessons for enterprises.
[02:33]
Quote:
"Microsoft advises applying the out-of-band updates instead of the August security patches." – Dave Bittner [02:33]
[02:55]
Quote:
“His removal has alarmed current and former officials who warn that losing his expertise could significantly delay U.S. development in key emerging technologies.” – Dave Bittner [02:55]
[03:30]
[04:12]
[04:45]
[05:19]
[06:00]
Quote:
“Experts warn these incidents reflect Russia's long standing strategy of poking and prodding critical systems as precursors to larger attacks.” – Dave Bittner [06:25]
[07:08]
[07:39]
Guest: Matt Radolec, Varonis [Begins ~14:36]
[14:36 – 16:09]
Quote:
"It can be a black box for folks... for non-technical people can feel almost impenetrable." – Dave Bittner [15:39]
"So you're spot on." – Matt Radolec [16:09]
[17:06 – 18:01]
Quote:
"Salesforce allows you to do that too. And no one thinks about Salesforce the way that they think about Office 365, but the functionality is there." – Matt Radolec [17:30]
[18:09 – 19:05]
[21:08 – 23:50]
Quote:
"They are simply targeting users and they are getting users to do things with a big blast radius that leads to a data breach." – Matt Radolec [22:28]
"What they're doing is novel and they're targeting large companies with lots of entry points." – Matt Radolec [22:52]
[24:02 – 25:05]
Quote:
"Even the security researcher can be fooled by a well-crafted ruse... We're in a time where the attackers have an upper hand." – Matt Radolec [24:15]
Low-Hanging Fruit ([25:20]):
Advanced Measures ([26:29]):
Quote:
“Give people access to just what they need to do their job and apply that principle everywhere... the liability will be capped.” – Matt Radolec [26:10]
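The low-hanging-fruit and advanced measures above reduce to a short checklist (public link sharing, user-level connected-app authorization, view/export-all and API privileges, super-admin count, MFA, IP-based logon restrictions, public sites). The following is an added example, not code from the podcast, Varonis or Salesforce: it evaluates a constructed tenant snapshot against that checklist and scores each identity's "blast radius" in the sense the guest uses, with a hardened variant of the same tenant beside the weak one. The `OrgConfig`/`UserPerms` schema and its field names are invented for illustration and are not Salesforce's configuration model or API; a real check would map the org's actual settings onto them.

```python
"""Posture check for the SaaS questions raised in the interview.

The OrgConfig/UserPerms schema below is constructed for this example and
is NOT Salesforce's real configuration or API; map real settings onto it.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class UserPerms:
    name: str
    view_all: bool = False                    # can read every record
    export_all: bool = False                  # can bulk-export every record
    api_enabled: bool = False                 # can issue API queries
    can_install_connected_apps: bool = False  # can self-authorize third-party apps
    super_admin: bool = False


@dataclass
class OrgConfig:
    public_link_sharing: bool   # anyone-on-the-Internet links allowed
    mfa_required: bool
    login_ip_ranges: List[str]  # empty => no IP-based logon restriction
    public_sites: List[str]     # externally reachable sites/portals
    users: List[UserPerms]


Finding = Tuple[str, str, str]  # (severity, subject, message)


def blast_radius(u: UserPerms) -> int:
    """Heuristic score: each broad privilege widens what a phished identity,
    or an app that identity authorizes, can read or pull out of the tenant."""
    return (3 * u.view_all + 3 * u.export_all + 2 * u.api_enabled
            + 2 * u.can_install_connected_apps + 4 * u.super_admin)


def assess(cfg: OrgConfig, max_super_admins: int = 2) -> List[Finding]:
    """Return findings for the checklist; an empty list means every check passed."""
    out: List[Finding] = []
    if cfg.public_link_sharing:
        out.append(("HIGH", "org", "public link sharing enabled; disable or restrict it"))
    if not cfg.mfa_required:
        out.append(("HIGH", "org", "MFA not enforced for all logins"))
    if not cfg.login_ip_ranges:
        out.append(("MEDIUM", "org", "no IP-based logon restriction; a stolen identity alone suffices"))
    if cfg.public_sites:
        out.append(("MEDIUM", "org", f"{len(cfg.public_sites)} public site(s): {', '.join(cfg.public_sites)}"))
    admins = [u.name for u in cfg.users if u.super_admin]
    if len(admins) > max_super_admins:
        out.append(("MEDIUM", "org", f"{len(admins)} super admins ({', '.join(admins)}); expected <= {max_super_admins}"))
    # User-level app authorization is the path the interview describes; route it through IT.
    for u in cfg.users:
        if u.can_install_connected_apps and not u.super_admin:
            out.append(("HIGH", u.name, "non-admin can authorize connected apps; require IT change control"))
    # Identities whose compromise would expose most of the tenant.
    for u in cfg.users:
        score = blast_radius(u)
        if score >= 5:
            sev = "HIGH" if score >= 8 else "MEDIUM"
            out.append((sev, u.name, f"blast radius {score}: trim view/export-all, API or app privileges"))
    return out


# Constructed sample tenant showing the misconfigurations discussed in the interview.
WEAK = OrgConfig(
    public_link_sharing=True, mfa_required=False, login_ip_ranges=[], public_sites=["support-portal"],
    users=[
        UserPerms("alice", view_all=True, export_all=True, api_enabled=True,
                  can_install_connected_apps=True, super_admin=True),
        UserPerms("bob", can_install_connected_apps=True),   # sales rep who can self-authorize apps
        UserPerms("carol", export_all=True, api_enabled=True),  # integration account with export-all
        UserPerms("dave"),
        UserPerms("erin", super_admin=True),
        UserPerms("frank", super_admin=True),
    ],
)

# The same tenant after applying the measures: no public links, MFA, IP ranges,
# no self-service apps, two admins, integration account limited to read-only API.
HARDENED = OrgConfig(
    public_link_sharing=False, mfa_required=True, login_ip_ranges=["203.0.113.0/24"], public_sites=[],
    users=[
        UserPerms("alice", super_admin=True),
        UserPerms("bob"),
        UserPerms("carol", api_enabled=True),
        UserPerms("dave"),
        UserPerms("erin", super_admin=True),
    ],
)

if __name__ == "__main__":
    for sev, who, msg in assess(WEAK):
        print(f"[{sev}] {who}: {msg}")
    print("hardened tenant findings:", assess(HARDENED))
```

Running it lists eight findings for the weak tenant (four HIGH, four MEDIUM) and none for the hardened one; the scoring weights are arbitrary and exist only to rank which identities to fix first.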
[28:34]
[30:20]
The tone is practical and accessible, emphasizing clarity and immediate real-world relevance—balancing high-level analysis with tactical, actionable advice.
For further details and links to the day’s covered stories, visit the daily briefing at thecyberwire.com.