CyberWire Daily - Blizzard warning: Amazon freezes midnight hack.
Episode Date: September 2, 2025

Researchers disrupt a cyber campaign by Russia's Midnight Blizzard. The Salesloft Drift breach continues to ripple outward. WhatsApp patches a critical flaw in its iOS and Mac apps. A fake PDF editing tool delivers the TamperedChef infostealer. A hacker finds crash data Tesla claimed not to have. Spain cancels a €10 million contract with Huawei. A fraudster bilks Baltimore for over $1.5 million. We've got a breakdown of the latest business news. In our Threat Vector segment, Michael Sikorski and guest Thomas P. Bossert explore the path from policy and national security strategy to building operational cyber defense. We preview our spicy new episode of Only Malware in the Building.

Threat Vector Segment
In our Threat Vector segment, host David Moulton hands the mic over to Michael Sikorski and guest Thomas P. Bossert, President of Trinity Cyber and former Homeland Security Advisor. They explore the path from policy and national security strategy to building operational cyber defense. Listen to the full conversation here and find new episodes of Threat Vector each Thursday on the N2K CyberWire network and in your favorite podcast app.

CyberWire Guest
Today, our podcast producer Liz Stokes speaks with N2K Director of Enterprise Content Strategy Ma'ayan Plaut about our spicy new episode of Only Malware in the Building. You can find the audio version of the Only Malware episode here, but we recommend you view the episode for added enjoyment!

Selected Reading
- Amazon disrupts Russian APT29 hackers targeting Microsoft 365 (Bleeping Computer)
- The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft (Krebs on Security)
- Zscaler swiftly mitigates a security incident impacting Salesloft Drift (Zscaler)
- WhatsApp fixes 'zero-click' bug used to hack Apple users with spyware (TechCrunch)
- TamperedChef infostealer delivered through fraudulent PDF Editor (Bleeping Computer)
- Heimdal Investigation: European Organizations Hit by PDF Editor Malware Campaign (Heimdal Security)
- Tesla said it didn't have critical data in a fatal crash. Then a hacker found it. (The Washington Post)
- Spanish government cancels €10m contract using Huawei equipment (The Record)
- Scammer steals $1.5 million from Baltimore by spoofing city vendor (The Record)
- N2K Pro Business Briefing update (N2K Networks)
- Taco Bell rethinks AI drive-through after man orders 18,000 waters (BBC)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV rising is the premier event for cyber leaders and innovators
to engage in meaningful discussions and celebrate the innovation happening in and around the Washington
D.C. area. Join us on Thursday, September 18th, to connect with the leading minds shaping
our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber
innovation. Visit DMV Rising.com to secure your spot.
certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal
volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk.
Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com slash 47-day.
That's cyberark.com slash the numbers 47-D-A-Y.
Researchers disrupt a cyber campaign by Russia's Midnight Blizzard.
The Salesloft Drift breach continues to ripple outward.
WhatsApp patches a critical flaw in its iOS and Mac apps.
A fake PDF editing tool delivers the TamperedChef infostealer.
A hacker finds crash data Tesla claimed not to have.
Spain cancels a 10 million euro contract with Huawei. A fraudster bilks Baltimore for over $1.5 million.
We got a breakdown of the latest business news.
In our Threat Vector segment, Michael Sikorski and guest Thomas P. Bossert explore the path
from policy and national security strategy to building operational cyber defense.
And we preview our spicy new episode of Only Malware in the Building.
It's Tuesday, September 2nd, 2025.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great to have you with us.
Researchers at Amazon have disrupted a cyber campaign by Midnight Blizzard, APT29, a Russian state-backed group tied to the SVR.
The hackers compromised legitimate websites in a watering hole attack, redirecting about 10% of visitors to fake Cloudflare verification pages.
From there, victims were funneled into a malicious Microsoft device code authentication flow,
tricking them into authorizing attacker-controlled devices.
Amazon's threat intelligence team uncovered the scheme,
noting the attackers used randomization, cookies,
and Base64-obfuscated JavaScript to avoid detection.
Working with Microsoft and Cloudflare,
Amazon cut off the group's domains and infrastructure.
APT29 quickly tried to rebuild on new cloud services,
highlighting its persistence.
The campaign reflects a shift away from MFA bypass tactics towards stealthier credential theft.
Users are urged to enforce MFA, monitor logins, and review device authorization policies.
Hackers have stolen authentication tokens from Salesloft's Drift chatbot,
exposing not just Salesforce data but hundreds of other connected services,
including Slack, Google Workspace, AWS,
Azure, and OpenAI.
Google's threat intelligence group warned the campaign, active from August 8th through the 18th,
allowed attackers to siphon corporate Salesforce data, search for cloud credentials,
and even access some Google workspace email accounts.
The attackers, tracked as UNC6395, may overlap with extortion groups like ShinyHunters
or Scattered Spider, though attribution remains unclear.
Google advised companies to treat all Salesloft linked integrations as compromised and invalidate tokens
immediately. In response, Salesforce blocked Drift integrations. Salesloft has enlisted Mandiant to investigate
the breach, which highlights the growing risk of authorization sprawl, attackers abusing legitimate
tokens instead of malware. The Salesloft Drift breach continues to ripple outward. Following Google's warning
about stolen OAuth tokens being used to access Salesforce and other cloud services, Zscaler confirmed
that attackers obtained limited access to its Salesforce data. The exposed details include
employee contact information, product licensing data, and some plain-text support case content,
but no sensitive files or infrastructure were affected. Zscaler revoked Drift access,
rotated tokens, and tightened customer authentication.
The company urges vigilance against phishing attempts exploiting leaked contact details.
WhatsApp has patched a critical flaw in its iOS and Mac apps, which was exploited in a zero-click spyware campaign.
Used with a separate Apple vulnerability, the attack allowed hackers to compromise devices and steal data,
including private messages without user interaction. Amnesty International reports fewer than 200
WhatsApp users were targeted since late May. Meta confirmed the bugs were fixed weeks ago,
but offered no attribution, leaving the responsible spyware vendor or group unidentified.
Researchers have uncovered a large-scale malware campaign distributing a fake PDF editing tool
called AppSuite PDF Editor through Google Ads. The app, signed with fraudulent certificates
from at least four companies, initially appeared legitimate,
but received a malicious update on August 21st,
activating the TamperedChef infostealer.
The malware steals credentials,
browser cookies, and system data
while checking for security tools.
Over 50 domains hosted these deceptive apps,
suggesting a coordinated effort.
Some variants also attempted to enroll devices
into residential proxy networks,
further monetizing victims.
Truesec and Expel found the campaign began
in mid-2024 and includes related apps like OneStart and ManualFinder, which download each other
and execute hidden commands. Though some certificates were revoked, users with active installations
remain at risk. A Miami jury has ordered Tesla to pay $243 million in damages over a 2019
crash in Florida, after critical Autopilot data, initially missing, was uncovered by a hacker known as GreenTheOnly.
The hacker extracted a collision snapshot from the car's autopilot unit,
revealing what Tesla's system detected in the moments before the fatal crash.
Tesla later admitted it had the data on its servers but failed to produce it.
Jurors found Tesla 33% liable, concluding its technology and handling of crash data contributed to the tragedy.
The verdict marks a major setback for Tesla's autopilot defense strategy,
raising questions about transparency in crash investigations,
and has already fueled shareholder and wrongful death lawsuits nationwide.
Tesla says it will appeal.
Spain has canceled a 10 million euro contract
that would have deployed Huawei equipment in its RedIRIS academic and research network,
which links universities, research centers, and partners of the Defense Ministry.
The government cited digital strategy and strategic autonomy in reversing
the deal, awarded to Telefonica just a week earlier. The move follows growing concerns from
NATO allies about Chinese technology and critical infrastructure. While Huawei faces restrictions
across Europe, Spain has maintained a case-by-case approach, creating friction with allies over security
risks.
The city of Baltimore lost more than $1.5 million after a fraudster spoofed a vendor and tricked
employees into changing bank account details, the city's inspector general reported.
Using a fake supplier contact form in December 2024, the scammer gained access to the vendor's
Workday account and submitted multiple account change requests, which were approved without
verification. Payments of $800,000 and $721,000 followed. Only the latter was recovered.
This marks Baltimore's third vendor scam since 2019, highlighting persistent weaknesses in financial
controls despite prior promised reforms. We've got a new segment here for you today.
Each week, we're going to surface the biggest stories from across the cybersecurity business landscape
in our weekly business briefing newsletter.
We bring you the highlights here on the CyberWire Daily in our business breakdown.
Last week, we saw just over $500 million raised across three investments and three acquisitions.
First, a look at investments and exits.
California-headquartered SASE provider Netskope has filed for an IPO
and will go public on the NASDAQ.
Netskope hasn't disclosed the price of its stock,
but Reuters reports that the IPO is expected to raise more than $500 million,
which could value the company at over $5 billion.
While still not profitable, the company has increased its ARR by 33% year over year
to just over $700 million.
InnerWorks, a UK fraud prevention firm raised $4 million in seed funding,
which it plans to use to improve its defenses against AI cybercrime
and expand its platform.
Turning to acquisitions,
one of the standouts
was Canadian Quantum Secure Infrastructure firm
Scope Technologies,
acquiring Indian SSO provider
CloudCodes from Plurilock
for $1.7 million Canadian.
With this acquisition,
Scope Technologies aims to deploy
the world's first commercial
quantum-resistant SSO platform.
Also making headlines,
Cryptic Vector,
a U.S. government contractor,
is acquiring the offensive cyber R&D firm Caesar Creek Software.
The acquisition aims to improve Cryptic Vector's position
as one of the largest offensive cyber solution providers
and better support the DOD.
And that wraps up this week's business breakdown.
For deeper analysis on major business moves
shaping the cybersecurity landscape,
subscribe to N2K Pro and check out thecyberwire.com every Wednesday
for the latest business updates.
Coming up after the break in our threat vector segment,
Michael Sikorski and Thomas P. Bossert explore the path from policy and national security strategy
to building operational cyber defense.
And we preview our spicy new episode of Only Malware in the Building.
Stick around.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks,
retailers and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
And now a word from our sponsor, ThreatLocker,
the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ring fencing is an application containment strategy, ensuring apps can only access the files,
registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
On today's Threat Vector segment, Michael Sikorski and guest Thomas P. Bossert
explore the path from policy and national security strategy to building operational cyber defense.
Hi, I'm David Moulton, host of the Threat Vector podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most.
What you're about to hear is a snapshot from a high-stakes conversation
between Michael Sikorski, CTO of Unit 42, and Tom Bossert, president of Trinity Cyber
and former U.S. Homeland Security Advisor.
This episode isn't about theory.
It's a wake-up call.
In this episode, Tom and Siko pull the curtain back on the next evolution in cyber defense,
proactive interference, not just blocking attacks, disrupting them in real time.
If you've ever wondered how to shift from reaction to resistance, from alert to action,
this is it.
because if you're still relying on last-gen perimeter models,
you're already behind and the attackers know it.
I'm Michael Sikorski, the CEO of Unit 42 of Palo Alto Networks,
and I'm stepping in as guest host today.
I'm joined by my friend Tom Bossert,
president at Trinity Cyber, Distinguished Fellow at Atlantic Council,
and former U.S. Homeland Security Advisor.
Tom's been a policy powerhouse
and now leads one of the most innovative
cybersecurity companies out there
focusing on proactive threat interference.
Think of it like messing with the attackers
mid-operation in a way that changes the game entirely.
There's been a lot of talk lately
about the concepts of more offensive security,
more interference, more technologies
that are kind of getting back at the attacker.
I mean, if you've heard a lot of rhetoric like that
in the last, you know, a few months even.
Yeah.
Do you have any sort of, you know, where do you think that's going?
And what is going to be the impact of that?
Do you think they're, you know, for the next four years, longer, like, do you think
there's going to be a lasting effect to that kind of talk?
Is there going to be more action taken in the private space with that kind of thing?
Yeah, you know, I think you have a really, like, technical listening base here to this podcast.
And so we'll just kind of jump into it.
But one of my biggest fears is a massive disconnect between those policymakers that say that
and what you know to be the case and how the tech works and what it really means.
So what does offensive mean?
What does defensive mean?
You get into these debates.
But, yeah, listen, at this level, it's easy to say, at one high level, people can't see me.
I'm saying at the 30,000 foot level, I'm all for not just cyber-induced,
but any kind of policy lever inducing a change in the incentive structure.
Listen, there are bad actors out there.
Do things to them to punish them to impose consequences off for it.
You don't have to limit yourself to just offensive cyber.
I think one of the things that troubles the United States and Western countries on the offensive debate
is we say, I'm mad.
I want to get back at these guys for taking advantage of us.
Check, check, me too.
And then, well, so let's start hacking them.
Well, what do you mean?
What do you want to hack?
Do you want to just hack in general?
You want to shut down a bit.
They kind of have to define what that is, right?
Once you get into that debate, this is what I used to do for doing.
Once you get into the debate of figuring out what's the target, how much is it going to cost, what effect are you going to achieve?
Are you actually going to change the behavior of that country by hacking into more of its private businesses?
Do they care about their private businesses?
Is there a fundamental misunderstanding about how we can...
It's harder to be tit for tat, right?
Because China's hacking every single business that we have, everything we're doing.
Like, would they even care if we did the same?
If we did the same to them.
And, you know, the late Ash Carter said, I'm soaked in gasoline.
and you want to get me into a match throwing contest.
And I thought that's pretty good, right?
So there's a lot of parallels to the tariff debate
that we're having right now.
But, yeah, listen, in targeted, a useful way,
I don't shy away from offensive cyber operations
if they have a meaning and a purpose.
But, you know, for me, tell me how to frame it better,
but what I just described about what Trinity's doing
is, here, I'll direct this to the current president.
It's reciprocal, okay?
it's reciprocal.
The idea here is that we're not going to do anything to impose any consequence on you unless
you first start it.
And for us, we're only interfering with that, which it's kind of judo, where you take
the energy of the attacker back on himself.
To me, we have to get better at doing that.
That's a starting point because offensive operations take a long time.
They are executed in a different place with singular authorities.
And often it would be much easier and more effective.
to use a different lever
or a different type of national power
to change the calculus of the adversary.
You want to hack all the Chinese
businesses to get China to behave differently?
I don't know. I don't think that's the best way.
It's a way. But it's got to be
a mix of all the other ways that you've got going
for you. The U.S. has a lot
of power. We don't have to sit around
and just hack people back. At some
point, we reserve the right to use bigger force.
Yeah, that's interesting.
I'm wondering, like, where
you know, if things
could get more privatized, right?
I mean, a lot of, at least I think of it
as like, you've got to go work for an agency
or something like that to really do
the offensive stuff, and that's what people have always
talked about. I wonder if this would
like open the door for that not to be the case
longer term.
And then where do you
draw the line? Who's watching
the companies who would be doing that, right?
There's a thousand answers to that, but one of the simplest
ones is honestly, it's like the rule of
artillery in the military. You know what you're allowed to do if somebody starts shooting at you?
Shoot back. You don't shoot first, but you shoot back. And there's a misnomer in the cyber world
that shoot back is kind of a pause thing where you get hacked and then you get together
and you call a bunch of experts and you say, okay, now we're going to hack back to like
kind of a pain type of application. We're going to apply pain to them for doing that.
Like it's a like it's a spite thing. But that's not what I'm suggesting. What we're trying
to do here is to create friction, the kind of pain like I described earlier that throws off
their operations that stops them from so unimpededly imposing costs on us. It's not about getting
into a fight where I'm mad and I want to have my emotion vindicated. It's about trying to achieve
a better operational outcome.
conversation is a blueprint for what comes next in cyber defense. Don't miss it. The episode is called
from policy to cyber interference, and it's live now in your threat vector feed. Thanks for
listening. Stay secure. Goodbye for now.
Today we published a special spicy new episode of our Only Malware in the Building podcast.
Here's our podcast producer Liz Stokes speaking with N2K Director of Enterprise Content Strategy,
Ma'ayan Plaut, about the show.
Hi, Liz.
Hi.
I am here to ask you lots of questions about Only Malware in the Building,
and in particular, the newest special edition that's coming out in September.
Can you tell us a little bit of background about what we're making and why it fits into the Only Malware Universe?
Yeah, absolutely. First, thank you so much for having me.
I'd love to tell you a little bit more about one of the shows that I work on specifically called Only Malware in the Building,
and especially the special edition that's going to be coming out in September.
So Only Malware in the Building is kind of one of our little niches that we have on the show.
It's this malware-infused podcast where we have Dave Bittner, Keith Mularski, and Selena Larson all come on and talk about social engineering, different malware strains that are out there, all kinds of different stuff that's out there in the world right now. And they just kind of come on and vibe. But this idea really came from a show that we all like, which, wink, wink, if anybody can guess what it is. And we kind of thought it would be fun
that our hosts kind of took on the personas of those people on the show and shared malware
through the eyes of the podcast, like the show. And so from basically, I believe it was last year
that we started doing this, it kind of transformed into this fun, creative show every month
that comes out, where we have a different cold open each episode, where I
work on the script with my good colleague Trey Hester, the audio engineer of the show. We kind of just
basically put Dave and Selena and Keith in all of these weird, crazy scenarios every month, and they have
to figure it out while also talking about malware. So it's this amazingly fun episode each
month that we get to work on, and it's very creative, and it really just brings out the best of our
creative flow here at N2K. And specifically, the September episode that's coming out,
we kind of took this idea of having all three hosts eat ridiculously hot sauces with wings and kind of
answer some get-to-know-you questions about their past, like different questions that involve
them coming up in cyber, them coming up in the careers, and just kind of like getting to deep dive
into their personalities and their careers a little bit. So I'm really excited about
this show to come out. I'm really excited for this episode to come out. I'm so excited for the audience
to see it, but it's just, it's mainly something that we've been working on for the past year now.
And so it's, it's, it's going to be great when it comes out. It really will. Without teasing
too much, because we want to make sure that people see the whole episode when it comes out,
can you talk a little bit about how we went about recording it? Like, who was involved? What were
all of the pieces that went into this? Any sort of like exciting things that
happened along the way? Oh, yeah. So I think, as I said before, this episode has been probably a year
in the making that we've been working towards this. And this has probably been one of the longest
projects that I personally have worked on ever in my career. And the reason behind that is because
so much went into making sure that the hosts had everything that they needed so that when we
sat down and actually shot this, everything was perfect. And I want to say, I want to
start by saying that our team has worked incredibly hard to make this something special for our
audience to sit down and watch. I mean, this isn't going to be like something that we've ever done
before. And I think that's the beauty of this episode is that it's going to bring into ties of
things that we have done, but also things that you're not going to want to miss when this
episode comes out. There are certainly things that I want to share with the audience right now,
But we are holding off on sharing all of the things because we want it to be such a big surprise.
We want the audience to get that wow factor when it comes out.
And so we are dropping little teasers and hints every once in a while on social media, trying to get people hyped up about it.
And I think for the majority of the part, everybody is getting hyped about this.
And I think especially people in N2K are hyped about this.
I mean, we have worked so hard on this project and we just want to make sure that the audience sees how hard we've worked on this.
project. Yeah. Well, without teasing too too much, I think the biggest thing about this episode
that's different than the others in the past is that it is very focused on a video product.
There's obviously been an audio podcast because that is a thing that we do here at N2K all the time,
but I'm curious how things differ between doing an audio first or audio only to a video
first production this time. Yeah, you know, sitting down each month, Trey and I can bump out a script
in like a couple of days and then we can turn it into audio pretty much within a couple of weeks.
This video project, like I said, it took a year in the making. And so starting from, okay,
let's have this concept turn into a reality. It kind of turned into, well, what all goes into
this video project? You know, like it's not just three hosts sitting down eating some very spicy
sauces and wings. You know, it's something bigger than that. It's what kinds of questions are
going to get the audience the most involved. You know, what kind of teasers can we put out that'll
really get everybody hyped up about this episode? What type of sauce are we going to choose
that'll make Dave scream his head off? You know, like anything like that. And so while we were
putting all of the little pieces together, trying to turn them into something bigger, it was
really the team behind this project that led this into becoming what it is today. I don't want to
give too much away, but this video project is something that I think all of us are incredibly
proud of to put out onto our network and to share with our audience because we've worked so hard
on this. And every account that we've taken into consideration to make this thing, I think
it's going to be a really beautiful thing once we put it out for our audience.
There is an audio version of Only Malware in the Building,
but I highly recommend you view the episode on YouTube for added enjoyment.
We'll have a link in the show notes.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside.
So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and varied by race.
Terms and conditions apply. Learn more at Amex.com.
You can get protein at home, or a protein latte at Tim's. No powders, no blenders, no shakers.
Starting at 17 grams per medium latte, Tim's new protein lattes, protein without all the work, at participating
restaurants in Canada.
And finally, Taco Bell is discovering that teaching AI to handle late-night cravings
isn't quite as simple as asking for extra hot sauce.
Chief Digital and Technology Officer Dane Matthews admitted the company's voice AI has had
its share of meltdowns, sometimes delightfully accurate, sometimes like a burrito that unravels
in your lap.
Customers have gleefully documented the chaos, including one viral exchange,
where the AI, when asked for a large Mountain Dew,
simply kept asking what drink the man wanted with that.
Another prankster managed to order 18,000 water cups.
Still, Taco Bell says its AI has successfully handled 2 million orders across 500 restaurants.
Apparently, progress, like tacos, is best served messy.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast
where I contribute to a regular segment
on Jason and Brian's show every week.
You can find Grumpy Old Geeks
where all the fine podcasts are listed.
We'd love to know what you'd
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
review in your favorite podcast app. Please also fill out the survey in the show notes or send an
email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz
Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is
Jennifer Eiben. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Thank you.