Summary of Risky Business Podcast Episode #795
Title: How The Com is Hacking Salesforce Tenants
Release Date: June 11, 2025
Host: Patrick Gray
Guests: Adam Boileau, Alex Tilley (Okta)
1. Introduction and Overview
In this episode of Risky Business, host Patrick Gray and guest Adam Boileau delve into a week filled with cybersecurity intrigue, vulnerabilities, and criminal activities. The episode also features an in-depth sponsor interview with Alex Tilley from Okta, discussing North Korean operations targeting Salesforce tenants.
2. Intrigue: Errors Leaks and Russian FSB Documents
Patrick Gray opens the discussion with the emergence of a group named Errors Leaks, who are allegedly selling stolen intelligence documents via Telegram.
“Their business is apparently offering stolen documents stolen from various intelligence services for sale over Telegram...”
[01:25] Patrick Gray
Adam Boileau concurs, highlighting the group's risky activities and potential repercussions.
“They claim to have gotten hold of some documents from the Russian FSB... this does feel like living a little bit dangerously.”
[01:52] Adam Boileau
The New York Times has reported on these documents, assessing their legitimacy and discussing Russia's suspicion of Chinese intelligence activities. However, the evidence around the WeChat data's acquisition remains inconclusive.
3. Ukraine's Military Intelligence and Tupolev Data Theft
The conversation shifts to Ukraine's military intelligence successfully stealing sensitive data from Tupolev, a major Russian aircraft manufacturer. Despite the extraction of 4.4 gigabytes of data, the significance of this breach is debated.
“These days that's not an impressive amount of data, but once upon a time that would have been quite a lot.”
[05:23] Adam Boileau
The host reflects on the ongoing drone attacks in Ukraine, emphasizing the resilience and dedication of journalists like Daryna Antoniuk.
4. iOS Security: iVerify’s Findings on iMessage Exploits
iVerify, an iOS-focused security firm, has identified potential exploitation of iMessage to compromise devices through avatar update processing bugs.
“They think someone has been exploiting a bug that Apple patched earlier this year...”
[08:22] Adam Boileau
Patrick raises concerns about Apple's lack of transparency regarding the exploit, stressing the importance of third-party oversight in the closed Apple ecosystem.
5. Spyware Manufacturer Paragon and Italy's Refusal to Cooperate
Paragon, a spyware company, has terminated its contract with Italy following suspicions of misuse against journalists. Italy's refusal to verify allegations further complicates the situation.
“Paragon say they had found a way that with Italy's cooperation, they could have verified that this journalist wasn't targeted.”
[11:39] Patrick Gray
Adam notes the complexities of private companies overseeing government actions, highlighting the challenges in accountability and compliance.
6. Mobile Security: Qualcomm Bugs and Corellium's Acquisition by Cellebrite
The episode covers Qualcomm's patching of critical bugs in its chipsets, aided by Google researchers. Additionally, Corellium's acquisition by Cellebrite for $200 million is discussed, emphasizing its significance in exploit development tools.
“These bugs all seem to be in graphics driver implementations... good work to Google finding some cool bugs.”
[15:40] Adam Boileau
“Corellium offers a virtualized iOS environment... it's pretty crazy to see that they managed to actually get through that unscathed.”
[17:03] Patrick Gray
7. Apple’s Push Notifications and Government Data Requests
Governments from the US, UK, Germany, and Israel are requesting access to push notification data from Apple, which can sometimes include unencrypted content. The discussion clarifies that this data is generally limited and not as intrusive as end-to-end encrypted messaging.
“It's about multifactor auth ultimately preventing credential theft... phishing for CodeExec is much harder than it used to be.”
[32:28] Adam Boileau
8. Info Stealer Botnets: Lumma Stealer and Acreed Infostealer
The takedown of the Lumma Stealer botnet is examined, with insights into the evolving landscape of Russian cybercrime. Acreed Infostealer is emerging as a significant threat, taking over market share from its predecessor.
“It's a dog eat dog world over there in Russian cybercrime. So it makes sense that there's someone waiting in the wings who are taking over.”
[24:31] Adam Boileau
Patrick emphasizes the importance of ongoing law enforcement actions to disrupt these operations continuously.
9. Ransomware Impacts: UK National Health System and United Natural Foods
Ransomware attacks have had tangible real-world consequences, such as blood shortages in the UK and disruptions in the US food distribution network.
“These include the national health system in the UK needing 1 million blood donors due to ransomware attacks...”
[26:09] Adam Boileau
“United Natural Foods, a massive distributor, is facing operational disruptions affecting customer orders and the broader food supply chain.”
[28:23] Adam Boileau
10. Salesforce Tenant Hacking via Social Engineering
Patrick and Adam delve into a sophisticated social engineering campaign targeting Salesforce tenants. Hackers trick users into authorizing malicious apps, thereby siphoning off sensitive data.
“This is about copying Salesforce's real apps... and then running them through the regular authorization flow to siphon data.”
[31:30] Adam Boileau
They discuss the challenges of mitigating such threats, emphasizing the need for better control and intelligence around OAuth events and app authorizations.
“We need something that can control the OAuth event... but we also need the intelligence to let you know when you should block it.”
[37:24] Patrick Gray
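The mitigation the hosts describe (controlling the OAuth authorization event and having intelligence about which apps to block) can be sketched as a small triage routine over connected-app authorization events. The following is an added example written for this summary; it is not code from the podcast, Okta, or Salesforce. The event records and the approved-app allowlist are constructed, the event field names (ts, user, app, scopes) are an assumed schema rather than Salesforce's own log format, and the homoglyph table and similarity threshold are illustrative choices. Only the scope names follow Salesforce's OAuth scope vocabulary.

```python
import difflib
import re

# Assumed allowlist of connected-app display names this tenant has approved (constructed).
KNOWN_APPS = ("Data Loader", "Salesforce CLI", "Slack")

# OAuth scopes that grant broad or long-lived access; worth flagging on an unapproved app.
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}

# Common look-alike substitutions used to make a copied app name pass a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(name: str) -> str:
    """Fold case, undo common homoglyph swaps, and drop anything non-alphanumeric."""
    return re.sub(r"[^a-z0-9]", "", name.lower().translate(HOMOGLYPHS))


def classify_app(name: str, known=KNOWN_APPS) -> str:
    """Return 'known' (exact allowlisted name), 'lookalike' (mimics one), or 'unknown'."""
    if name in known:
        return "known"
    norm = normalize(name)
    for approved in known:
        approved_norm = normalize(approved)
        same = norm == approved_norm
        close = difflib.SequenceMatcher(None, norm, approved_norm).ratio() >= 0.85
        if same or close:
            return "lookalike"
    return "unknown"


def triage(events, known=KNOWN_APPS, seen_apps=frozenset()):
    """Walk authorization events in order and emit an alert for each one that needs review.

    seen_apps carries app names already observed in earlier runs so that the
    'first authorization' reason fires only once per app, not on every grant.
    """
    alerts = []
    seen = set(seen_apps)
    for ev in events:
        verdict = classify_app(ev["app"], known)
        reasons = []
        if verdict == "lookalike":
            reasons.append("name mimics an approved app")
        if verdict != "known" and ev["app"] not in seen:
            reasons.append("first authorization of an unapproved app in this tenant")
        broad = sorted(set(ev["scopes"]) & BROAD_SCOPES)
        if verdict != "known" and broad:
            reasons.append("broad scopes granted: " + ", ".join(broad))
        seen.add(ev["app"])
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "app": ev["app"],
                           "verdict": verdict, "reasons": reasons})
    return alerts


# Constructed sample events in the assumed schema; not real tenant data.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:11Z", "user": "alice@example.com",
     "app": "Data Loader", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-06-10T14:17:45Z", "user": "bob@example.com",
     "app": "Data L0ader", "scopes": ["api", "refresh_token", "full"]},
    {"ts": "2025-06-11T08:40:02Z", "user": "carol@example.com",
     "app": "Acme Payroll Sync", "scopes": ["api"]},
    {"ts": "2025-06-11T08:41:30Z", "user": "dave@example.com",
     "app": "Acme Payroll Sync", "scopes": ["api"]},
    {"ts": "2025-06-11T10:05:19Z", "user": "erin@example.com",
     "app": "Slack", "scopes": ["api", "refresh_token"]},
]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['user']} authorized {alert['app']!r} ({alert['verdict']})")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the sample events, the routine stays quiet for the two approved apps, raises a three-reason alert for the "Data L0ader" grant, and alerts once (not twice) for the unapproved payroll app, which is the "intelligence" half of the problem: the decision to block still has to come from a policy or an analyst, but the event stream now carries enough context to make that decision.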
11. Sponsor Interview: Alex Tilley on North Korean Operations at Okta
The episode concludes with an insightful interview with Alex Tilley, a threat intelligence specialist at Okta and former Australian Federal Police investigator. Alex discusses his research on North Korean cyber operations targeting Salesforce through fake job applications aimed at deploying malware and conducting reconnaissance.
Key Insights from Alex Tilley:
- Recruitment Tactics: North Koreans are targeting remote full-stack developer positions, using fake job ads to attract legitimate applications.
  “They’re hosting fake job ads and generating these opportunities that don’t... exist to draw in legitimate applications.”
  [52:25] Alex Tilley
- Malware Deployment: After gaining access, malicious actors deploy RATs (Remote Access Trojans) to harvest sensitive information and maintain persistence.
  “They engage in deploying malware to harvest either... development systems... tooling.”
  [53:58] Alex Tilley
- Behavioral Patterns: Successful identification involves tracking login events and building profiles based on suspicious activities and service usage.
  “It’s about vetting up front, understanding—are there any red flags we’ve got to look for?”
  [63:05] Alex Tilley
Actionable Advice:
- Vetting and Monitoring: Organizations should rigorously vet remote hires and continuously monitor their activities to detect anomalies.
  “It's about being aware and having a pathway for team members to raise a red flag.”
  [64:50] Alex Tilley
- Collaboration Between Teams: Security teams need to work closely with HR to implement effective screening and monitoring processes.
  “Security people getting involved with the HR people as much as we can to understand what data sources are available.”
  [64:50] Alex Tilley
12. Closing Remarks and Final Stories
Patrick wraps up with lighter anecdotes, including an Australian Navy ship inadvertently disrupting wireless internet communications in New Zealand, highlighting the often humorous side of cybersecurity mishaps.
“It's funny because this perfectly encapsulates the Australia, New Zealand relationship...”
[48:16] Patrick Gray
The episode concludes with expressions of camaraderie and a commitment to continue delivering insightful security news and analysis.
Notable Quotes:
- “It's about multifactor auth ultimately preventing credential theft... phishing for CodeExec is much harder than it used to be.”
  [32:28] Adam Boileau
- “We need something that can control the OAuth event... but we also need the intelligence to let you know when you should block it.”
  [37:24] Patrick Gray
- “Security people getting involved with the HR people as much as we can to understand what data sources are available.”
  [64:50] Alex Tilley
This episode of Risky Business provides a comprehensive overview of contemporary cybersecurity threats, emphasizing the evolving tactics of state-sponsored actors and the critical need for robust defense mechanisms within organizations.
