CyberWire Daily – "Undoing the undo bug"
Date: August 20, 2025
Host: Dave Bittner, N2K Networks
Featured Guest: Matt Radelec, VP of Incident Response, Cloud Operations, and Sales Engineering at Varonis
Overview
This episode delivers a comprehensive rundown of current major cybersecurity news, including urgent Microsoft patches, significant breaches, government actions, and DDoS takedowns, followed by a deep-dive interview into SaaS vulnerabilities—particularly Salesforce—and the rise of "Shiny Hunters". Throughout, the discussion centers on real-world attack trends, challenges of securing complex cloud environments, and actionable security lessons for enterprises.
Key News and Analysis
1. Microsoft’s Emergency Out-of-Band Windows Update
[02:33]
- Microsoft released an emergency update to fix a bug that broke reset and recovery tools following the August 2025 security patches.
- The issue affected Windows 10 and older Windows 11 versions, preventing users from resetting PCs, reinstalling Windows, or using certain recovery features.
- Advice: Admins are urged to install the new cumulative updates, which replace the faulty ones.
Quote:
"Microsoft advises applying the out-of-band updates instead of the August security patches." – Dave Bittner [02:33]
2. Security Clearance Revocations at NSA
[02:55]
- President Trump revoked security clearances for 37 intelligence officials, including Vinh Nguyen, NSA’s leading AI and cyber expert.
- Nguyen’s departure is widely seen as a blow to U.S. technology initiatives, with bipartisan concern over the move’s ramifications and its political undertones.
Quote:
“His removal has alarmed current and former officials who warn that losing his expertise could significantly delay U.S. development in key emerging technologies.” – Dave Bittner [02:55]
3. Massive Ohio Medical Marijuana Patient Data Exposure
[03:30]
- Researcher Jeremiah Fowler uncovered an unsecured 323GB database tied to Ohio Marijuana Card, containing almost a million sensitive records (SSNs, medical data, IDs).
- Although the database was secured within a day, the company’s follow-up was minimal, highlighting persistent risks from misconfigured databases.
4. AI Website Builder “Lovable” Abused for Phishing
[04:12]
- Attackers are exploiting the Lovable.app platform to create hundreds of thousands of phishing sites per month, including fake logins, crypto wallet drainers, and malware campaigns.
- The developer has implemented new AI safeguards in response but abuse continues at scale.
5. Warlock Ransomware Exploits SharePoint Vulnerability
[04:45]
- The Warlock group exploits authentication and deserialization flaws in Microsoft SharePoint (the “ToolShell” chain), rapidly compromising unpatched systems globally.
- Notable campaigns include links to alleged Chinese actors and hits on major UK telcos.
6. Chrome and Firefox Security Updates
[05:19]
- Google released Chrome 139, driven by Big Sleep AI, to patch high-severity V8 engine bugs. Mozilla patched nine significant vulnerabilities in Firefox (including a sandbox escape and memory safety bugs).
7. Russian Attacks on European Water Infrastructure
[06:00]
- Suspected Russian hackers targeted Norway’s Bremanger Dam, briefly opening a valve, and attempted to disrupt the water supply in a major Polish city.
- The incidents demonstrate the increasing threat to under-protected critical infrastructure in Europe.
Quote:
“Experts warn these incidents reflect Russia's long standing strategy of poking and prodding critical systems as precursors to larger attacks.” – Dave Bittner [06:25]
8. T-Mobile and Sprint Location Data Fines Upheld
[07:08]
- Federal appeals court sustains $92 million in FCC penalties for illegal customer location data sales.
- T-Mobile and Sprint share liability; AT&T and Verizon are still fighting related cases.
9. RapperBot DDoS Botnet Dismantled
[07:39]
- US authorities dismantled RapperBot (a.k.a. 1111 Botnet), which attacked 18K+ victims with DDoS peaking over 6 Tbps.
- 22-year-old operator charged after being traced through payment accounts and admitting administration.
Deep Dive: Cloud SaaS Security—Salesforce & Shiny Hunters
Guest: Matt Radelec, Varonis [Begins ~14:36]
Ubiquitous SaaS Security Issues
[14:36 – 16:09]
- Many organizations lack internal expertise and outsource critical cloud applications like Salesforce, leading to knowledge gaps and potential security oversights.
- Salesforce’s multiplicity (integrations across verticals: healthcare, sales, ticketing) makes privilege, entitlement, and API management complex and opaque.
Quote:
"It can be a black box for folks... for non-technical people can feel almost impenetrable." – Dave Bittner [15:39]
"So you're spot on." – Matt Radelec [16:09]
Common Vulnerabilities and Misconfigurations
[17:06 – 18:01]
- Over-permissive access—‘godlike’ rights to view/export all company data are common in cloud apps.
- Salesforce, like Office 365, lets users create and publicly share data links—a risk misunderstood and under-secured.
Quote:
"Salesforce allows you to do that too. And no one thinks about Salesforce the way that they think about Office 365, but the functionality is there." – Matt Radelec [17:30]
Shared Responsibility and Cloud Posture Gaps
[18:09 – 19:05]
- Providers secure the platform, but customers must configure identities, permissions, and data exposure.
- “Shiny Hunters” exemplifies the risk: attackers exploit overly broad API/app privileges, often enabled by default and misunderstood due to third-party management.
Shiny Hunters Tactics & Threat Model
[21:08 – 23:50]
- Shiny Hunters and Scattered Spider use sophisticated social engineering—not pure technical exploits—to trick users into authorizing malicious apps with broad data access.
- Attackers pivot across platforms (Salesforce, Office 365, Okta, Snowflake); breaches amplify due to “big blast radius” privileges.
- Their novelty: using legitimate user actions as a vector, exploiting SaaS complexity and misconfiguration.
Quote:
"They are simply targeting users and they are getting users to do things with a big blast radius that leads to a data breach." – Matt Radelec [22:28]
"What they're doing is novel and they're targeting large companies with lots of entry points." – Matt Radelec [22:52]
Social Engineering—Still the Weakest Link
[24:02 – 25:05]
- Credential theft and user manipulation remain the top breach vectors, regardless of technical security investments.
- Even savvy users occasionally fall for well-constructed phishing or authorization prompts.
Quote:
"Even the security researcher can be fooled by a well crafted ruse... We're in a time where the attackers have an upper hand." – Matt Radelec [24:15]
Actionable Recommendations for SaaS Security
Low-Hanging Fruit ([25:20]):
- Disable or strictly limit public link sharing.
- Prevent end users from authorizing/submitting new integrated applications.
- Rigorously apply the principle of least privilege access everywhere.
Advanced Measures ([26:29]):
- Restrict Salesforce app permissions (e.g., allow read-only, limit APIs).
- Implement IP-based access controls; combine with MFA.
- Employ behavioral analytics and monitoring to quickly detect and limit breaches.
- Understand the shared responsibility model—review all SaaS configurations, especially when using third-party consultants.
Quote:
“Give people access to just what they need to do their job and apply that principle everywhere... the liability will be capped.” – Matt Radelec [26:10]
Third-Party Providers—Critical Questions
[28:34]
- Key questions to ask your SaaS/cloud integrators:
  - Can data be shared publicly?
  - Can users connect APIs or new apps?
  - How many super admins exist?
  - Is MFA implemented?
  - Are IP logon restrictions enforced?
  - What public sites or interfaces are exposed?
- Varonis offers risk assessments to help uncover these blind spots.
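The recommendations above (block end-user app authorizations, IP-based access control, least privilege, behavioral monitoring) and the integrator checklist become concrete when written as detection rules run over audit events. The following Python is an added example for this summary, not code from Varonis, Salesforce or the podcast: the audit-event format (a flat list of dicts), the field names, the allow-listed IP ranges, the user names and the thresholds are all constructed assumptions and are not Salesforce's EventLogFile schema.

```python
"""Turning the SaaS hardening advice above into detection rules.

Added example for this summary, not code from Varonis, Salesforce or the
podcast. The audit-event format (a flat list of dicts), field names,
allow-listed IP ranges, user names and thresholds are constructed
assumptions; they are not Salesforce's EventLogFile schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (replace with your own).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),   # constructed corporate egress range
                    ipaddress.ip_network("198.51.100.0/24")]  # constructed VPN range
APP_ADMINS = {"alice.admin"}                       # only these users may authorize connected apps
BROAD_SCOPES = {"full", "api", "refresh_token"}    # scopes that give an app org-wide reach
GODLIKE_PERMS = {"ViewAllData", "ModifyAllData"}   # the "godlike" rights discussed above
EXPORT_THRESHOLD = 10_000                          # rows in one export before we alert


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def in_allowed_network(ip: str) -> bool:
    """IP-based access control check: is the source inside an approved range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def check_event(ev: dict) -> Optional[Finding]:
    """Apply one rule per event type; return a Finding or None."""
    kind, user = ev["event"], ev["user"]
    if kind == "login" and not in_allowed_network(ev["ip"]):
        return Finding("login_outside_allowed_ip", user, ev["ip"])
    if kind == "app_authorized":
        broad = sorted(set(ev["scopes"]) & BROAD_SCOPES)
        if user not in APP_ADMINS:  # end users should not be able to do this at all
            return Finding("app_authorized_by_end_user", user,
                           f"{ev['app']} scopes={ev['scopes']}")
        if broad:  # admins may authorize apps, but broad scopes deserve review
            return Finding("app_authorized_with_broad_scopes", user,
                           f"{ev['app']} broad={broad}")
    if kind == "report_export" and ev["rows"] > EXPORT_THRESHOLD:
        return Finding("bulk_export", user, f"{ev['report']} rows={ev['rows']}")
    if kind == "perm_assigned" and ev["permission"] in GODLIKE_PERMS:
        return Finding("godlike_permission_granted", user,
                       f"{ev['permission']} granted by {ev['by']}")
    return None


def analyze(events: list) -> list:
    """Run every event through the rules and keep the hits, in log order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


def blast_radius(findings: list) -> dict:
    """Findings per user: the account with several hits is the one to triage first."""
    counts: dict = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"event": "login", "user": "bob.sales", "ip": "203.0.113.10"},
    {"event": "login", "user": "bob.sales", "ip": "192.0.2.77"},
    {"event": "app_authorized", "user": "bob.sales", "app": "Data Loader Helper",
     "scopes": ["api", "refresh_token"]},
    {"event": "app_authorized", "user": "alice.admin", "app": "Calendar Sync",
     "scopes": ["openid"]},
    {"event": "report_export", "user": "bob.sales", "report": "All Accounts", "rows": 250_000},
    {"event": "report_export", "user": "carol.ops", "report": "My Open Cases", "rows": 42},
    {"event": "perm_assigned", "user": "dave.contractor", "permission": "ModifyAllData",
     "by": "alice.admin"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.user}: {f.detail}")
    print("per-user findings:", blast_radius(hits))
```

Each rule maps to one item on the lists above: the login rule is the IP logon restriction, the app rules enforce "no end-user authorizations" and flag broad scopes, the export rule is the behavioral signal for a "big blast radius" action, and the permission rule catches the "godlike" rights being handed out. The per-user tally is what an analyst would look at first, since the account with a foreign login, a new broad-scope app and a bulk export in one session is the pattern the interview describes.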
Notable Moments & Quotes
- "Salesforce is often not purchased by IT... it often bypasses a lot of the standard software onboarding." – Matt Radelec [27:55]
- "The Eye of Sauron seems to be shifting to different places and it looks like right now it's focused on Salesforce and very large companies." – Matt Radelec [23:37]
- "You as a security practitioner have to do 100% right, 100% of the time. The job just gets harder." – Matt Radelec [24:52]
- "Security is usually the first thing to get overlooked" (when migrating to Salesforce via third parties) – Matt Radelec [28:00]
Final Cyberwire Commentary
[30:20]
- Microsoft's Copilot AI tool allowed access to files with no audit trail—posing a compliance nightmare. Microsoft quietly labeled and patched the issue, declining public disclosure.
- Takeaway: Even advanced AI features need transparency and strong security oversight.
Useful Timestamps
- [02:33] – Microsoft emergency patch
- [03:30] – Ohio medical marijuana data breach
- [04:12] – Lovable AI phishing
- [04:45] – Warlock ransomware on SharePoint
- [06:00] – Water sector cyberattacks
- [07:39] – RapperBot DDoS takedown
- [14:36] – Salesforce & SaaS security interview: Matt Radelec (Varonis)
- [21:08] – Shiny Hunters threat profile
- [25:20] – Defensive recommendations
Tone
The tone is practical and accessible, emphasizing clarity and immediate real-world relevance—balancing high-level analysis with tactical, actionable advice.
For further details and links to the day’s covered stories, visit the daily briefing at thecyberwire.com.
