CyberWire Daily - Signals, scams, and a Salesforce snatch.
Episode Date: March 10, 2026

Russian hackers target Signal and WhatsApp. Permit scammers impersonate local officials. Anthropic sues over a Pentagon blacklist. The White House moves to restore fraud victims. ShinyHunters target Salesforce data. Ericsson reports a breach. macOS users face ClickFix malware. AWS credentials are phished. And CISA warns of an exploited Ivanti flaw. Our guest is Brian Baskin, Threat Researcher at Sublime Security, discussing tax season employee impersonation scams. Who fact-checks the fact-checkers?

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Brian Baskin, Threat Researcher at Sublime Security, discussing how tax season employee impersonation scams are conducted and what to look out for as we prepare our returns.

Selected Reading
Russia targets Signal and WhatsApp accounts in cyber campaign (AIVD)
FBI warns of phishing attacks impersonating US city, county officials (Bleeping Computer)
Anthropic sues Trump administration over Pentagon blacklist (CNBC)
White House floats Victims Restoration Program for millions affected by cyber fraud (The Record)
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign (SecurityWeek)
Ericsson US discloses data breach after service provider hack (Bleeping Computer)
Fake CleanMyMac Site Uses ClickFix Trick to Install SHub Stealer on macOS (Hackread)
Behind the console: Active phishing campaign targeting AWS console credentials (Datadog Security Labs)
CISA: Recently patched Ivanti EPM flaw now actively exploited (Bleeping Computer)
AI fake-news detectors may look accurate but fail in real use, study finds (Tech Xplore)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
When cyber threats strike, minutes matter.
Booz Allen brings the same battle-tested expertise trusted to protect national security
to defend today's leading global organizations.
They safeguard their data, strengthen enterprise resilience,
and mobilize in minutes across energy, health care, financial services, and manufacturing.
Their teams don't just respond.
They anticipate, outthink, and stay ahead of evolving threats.
This is powerful protection for commercial leaders only from Booz Allen.
See how your organization can prepare today at boozallen.com slash commercial.
Russian hackers target Signal and WhatsApp.
Permit scammers impersonate local officials.
Anthropic sues over a Pentagon blacklist.
The White House moves to restore fraud victims.
ShinyHunters target Salesforce data.
Ericsson reports a breach.
macOS users face ClickFix malware.
AWS credentials are phished.
CISA warns of an exploited Ivanti flaw.
Our guest is Brian Baskin,
threat researcher at Sublime Security,
discussing tax season employee impersonation scams.
And who fact-checks the fact-checkers?
It's Tuesday, March 10th, 2026.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It's great as always to have you with us.
Russian state hackers are conducting a global cyber campaign
aimed at gaining access to Signal and WhatsApp accounts
belonging to government officials, military personnel, and other individuals of interest.
Dutch intelligence services MIVD and AIVD
confirmed that Dutch government employees are among the targets
and journalists may also be at risk.
The attackers rely on social engineering rather than technical vulnerability.
They often impersonate a Signal support chatbot to trick victims into revealing verification or PIN codes,
which allow the attackers to take over accounts.
In other cases, they exploit the app's legitimate linked devices feature to connect attacker-controlled devices to a victim's account.
Once compromised, attackers can read messages, including group chats and potentially access sensitive information.
Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable. They advise users to remain vigilant,
watch for suspicious group members or duplicate accounts, and to report suspected compromises to their
organization's security team. The FBI is warning about a phishing campaign in which criminals
impersonate U.S. city and county planning or zoning officials to target people and businesses
applying for land use permits.
Attackers use publicly available information about permit applications,
such as zoning numbers or property addresses,
to make fraudulent emails appear legitimate.
Victims receive unsolicited messages referencing their permit details
and are asked to pay related fees through wire transfers,
peer-to-peer payment apps, or cryptocurrency.
The FBI says warning signals include emails sent from non-government domains,
attachments that prompt recipients to request further details, and pressure
to pay quickly to avoid permit delays. The Bureau advises recipients to verify messages by checking
email domains and contacting local government offices directly. Suspected victims should report
incidents to the FBI's Internet Crime Complaint Center. Anthropic has filed a lawsuit
against the Trump administration after the Pentagon designated the AI company a supply chain risk,
a move that effectively blocks its technology from defense-related work.
The complaint filed in U.S. District Court in California argues the designation is unlawful
and causing significant financial and reputational harm.
Under the Pentagon's decision, defense contractors must certify that they are not using
Anthropic's AI models, known as Claude,
in work tied to the Department of Defense.
The company says federal contracts are already being canceled,
and private sector deals are now uncertain.
Anthropic estimates the decision could jeopardize hundreds of millions of dollars in the near term
and potentially reduce its 2026 revenue by billions.
Anthropic is asking the court to overturn the designation and pause the policy while the case proceeds.
The company has also requested a formal review in a federal appeals court.
The Trump administration issued an executive order directing federal agencies to strengthen the U.S.
response to cybercrime and the growing financial losses Americans face from online scams.
The order instructs multiple agencies to develop a coordinated action plan within 120 days
to prevent, investigate, and dismantle transnational criminal organizations that operate scam
centers and cyber fraud schemes. The order also requires the creation of a victim restoration program
within 90 days, designed to return funds seized from criminal networks to victims of cyber-enabled
fraud. A new operational unit within the National Coordination Center will coordinate efforts
among agencies, including the Department of State, Treasury, Defense, Homeland Security, and Justice.
officials say the effort will combine government intelligence, law enforcement operations, and private sector cybersecurity expertise to track and disrupt criminal infrastructure.
The administration also signaled potential sanctions and diplomatic pressure against companies that allow cybercrime groups to operate within their borders.
Salesforce is warning customers about an ongoing cyber campaign linked to the ShinyHunters group involving data
theft and extortion. Since mid-2025, the attackers have targeted organizations'
Salesforce environments using social engineering, phishing, and misconfigured settings rather than
platform vulnerabilities. The latest campaign exploits overly permissive Experience Cloud
guest user configurations, which can allow attackers to access more data than intended.
Threat actors are reportedly using a modified version of the open-source AuraInspector
tool to extract exposed data. ShinyHunters claims the operation has targeted hundreds of
companies and has threatened to leak stolen data if victims refuse extortion demands.
Ericsson Inc., the U.S. subsidiary of Swedish telecom Ericsson, says a breach at a third-party
service provider exposed personal data belonging to over 15,000 employees and customers. The provider
detected the intrusion on April 28th of last year and determined that unauthorized access to a limited
set of files likely occurred between April 17th and April 22nd. Exposed information may include
names, addresses, social security numbers, driver's license, or government ID numbers, financial
details, medical information, and dates of birth. Ericsson says there's currently no evidence the
stolen data has been misused. The company is
offering affected individuals free identity protection and credit monitoring services,
while the incident remains under investigation.
Researchers have identified a campaign targeting macOS users with a fake website impersonating
the popular CleanMyMac utility.
The site tricks visitors into installing SHub Stealer malware through a social engineering technique
known as the ClickFix attack.
Victims are instructed to run a terminal command that appears to install legitimate software, but instead downloads and executes a malicious
script, bypassing macOS security protections because the user runs the command themselves.
Once installed, the malware collects system information and attempts to steal credentials
by displaying a fake macOS authentication prompt.
If the password is entered, attackers can access the macOS keychain to harvest stored credentials
and sensitive data.
SHub Stealer also targets cryptocurrency wallets,
displaying fake prompts that capture recovery seed phrases
and enable attackers to steal funds.
Researchers say the malware maintains persistence
through a hidden background task disguised as a legitimate system updater.
Researchers at Datadog have identified an active adversary-in-the-middle phishing campaign targeting AWS
management console credentials. The operation uses typo-squatted domains that mimic AWS infrastructure
and hosts a high-fidelity clone of the AWS sign-in page. The phishing kit proxies authentication
requests to the real AWS login service in real time, allowing attackers to capture validated
credentials and likely intercept one-time password codes. The campaign uses multi-stage redirects,
and spoofed security alerts to lure victims.
Once credentials are submitted,
attackers can quickly access compromised accounts.
In one observed case, unauthorized console access
occurred within 20 minutes from a Mullvad VPN IP address.
Researchers emphasize the campaign does not exploit AWS vulnerabilities,
but relies on credential theft through phishing.
AWS has been notified and is working on disruption efforts, while defenders are urged to monitor authentication activity for suspicious logins.
CISA has added a high-severity Ivanti Endpoint Manager vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch within three weeks.
The flaw allows remote attackers to bypass authentication and steal credentials through a low-complexity
cross-site scripting attack requiring no user interaction. Ivanti patched the issue last month.
While Ivanti says it has not seen confirmed exploitation before disclosure, CISA warns the bug is
actively exploited and poses significant risks to federal networks.
Coming up after the break, my conversation with Brian Baskin from Sublime Security.
We're discussing tax season employee impersonations. And who fact-checks the fact-checkers? Stick around.
AI is changing how enterprises
operate and how they stay protected.
It's time to eliminate risk
and protect innovation. From March
23rd through the 26th,
join Trend AI for actionable
AI security insights.
Catch impactful sessions at
RSAC, then unwind
and grab a bite at their lounge in
Trapasue. Experience
industry-leading AI security
in person, engage with the
experts and get your chance to win $500,000.
San Francisco, let's AI fearlessly.
Learn more at trendmicro.com slash RSA.
If you're defending a network today, there's a simple question worth asking.
What do the attackers see when they look at your organization?
NordStellar helps answer that.
NordStellar is a threat exposure management platform that gives security teams visibility into external risks,
including leaked credentials, active session tokens, impersonation attempts, and exposed assets
across the surface web and the dark web.
It's built to help organizations detect the consequences of breaches early
before attackers turn access into action.
From monitoring for info-stealer malware logs to identifying cyber squatting and brand abuse,
NordStellar helps teams focus on the threats that actually matter.
Executives get clear, actionable insights,
tied to business risk. Security teams get real-time alerts and one of the largest deep and dark
web intelligence pools in the industry. Cybercriminals may already be looking for your weak spots.
Don't make it easy for them. Be the one that's prepared. Defend your business with NordStellar.
Use the code CyberWire10 to unlock your exclusive discount. Go to nordstellar.com
slash cyberwiredaily and learn more. Brian Baskin is a threat researcher
at Sublime Security.
I recently caught up with him to discuss
tax season employee impersonation scams.
Yeah, tax season and the beginning of the year,
where benefits, HR enrollments,
all these major tax activities occur.
It's a great time for actors to come in,
target people with some very targeted,
unique attacks related to tax forms,
tax procedures,
and really put a sense of urgency
that you need to perform an action now
and involves your money,
and it involves your career,
and involve some very important things about your life
in order to actually continue.
So it really preys upon people's fears and urgency.
Yeah, I mean, I guess that's a really solid point there
that most of us, when we get some kind of notice from the IRS,
here in the States anyway, it gets our attention.
And it's, honestly, the tax season is a great thing to adversaries.
They don't need to invent a reason for urgency;
it's given to them for free. The IRS has really put the fear out there to general people
that you have very important deadlines. You must get things done by this date. And generally, a lot of
people fear that if they don't, big, horrible things were going to happen, that the IRS would
tell them immediately, you made a mistake, you need to correct your mistake. And also,
what most people don't realize is that the IRS doesn't actually happen that fast.
They will let you know by actual physical mail six months later that you made a mistake.
Right.
You won't know right then.
Well, let's walk through some of the things that you and your colleagues at Sublime Security are tracking here.
I mean, what are some of the more common scams you'll see this time of year?
We get a lot of attacks impersonating the IRS, asking for personal information about the victim,
asking them to fill out a new form to log into the IRS website,
asking for updated W-2s,
the general tax forms and sessions that they would expect.
And realistically, they are hoping that the user will open an attachment,
look at a PDF, run some sort of malicious payload inside the PDF,
or go to a fake website and type in their credentials
to let the actor log in as them on the actual websites.
Is it fair to say that there are a couple of different groups here?
I mean, there's the folks who are after our credentials,
but then is there a separate group who are chasing after our potential refunds?
There is, and I think that's a very specific target audience they also go after.
So, yes, there's actually two different audiences that we see for phishing attacks.
One is going to be your more consumer-level person
who is looking for their quick refunds.
It's typically smaller amounts of money, you know, in a few thousand dollars.
They just want to get really quick access to that.
Versus your more enterprise level person who is typically in charge of accounts,
your HR, your financial workers who are in charge of tens of thousands of dollars,
that typically get the very much more complicated and sophisticated attacks against them.
And so if my responsibility is to help protect my organization here,
What sort of things should I be on the lookout for and what kind of defenses should I put in place?
So we'd like to say that AI has changed the field and it actually has in the tax season.
So AI has definitely changed what we look for inside of the emails that we receive.
Typically, we would tell people to look for bad grammar, look for bad spelling.
We would look for things that just look out of the norm.
However, now emails are coming in very professional, very correct.
They would be exactly what you would expect from the agency.
So the idea is that modern phishing is actually operationally mature.
We moved away from the sloppy attacks.
They're using legitimate services.
They're using legitimate emails.
So the real protection comes from the basics of knowing where that email is leading you to.
Is it trying to get you to scan a malicious QR code?
Is it trying to take you to a site that's not legitimate?
Is it trying to take you to a fake IRS site?
Is it actually trying to make you call back a number
that's not actually related to the IRS?
And a lot of that is just typical,
this is a bad place to try to take you that's not official
and really could be overcome by someone
just simply searching for that one item on the Internet,
the phone number, the email address, the website,
and seeing if that's legit or not.
So it sounds like there's a real educational component here of making your employees aware of these things.
Are there technical things folks can put in place as well to help tamp down on this?
There are multiple ways that you can protect an organization from attacks like these.
And some are on the actual email side.
And that's looking for, you know, the emails that look malicious or have some malicious component to them.
There's also the idea that you would have multi-factor on some of these websites that an employee would be connecting to.
And that's including your internal HR sites that collect forms, as well as the ultimate outcome of these emails.
If they're here to try to steal money from your company, they're really targeting your internal procedures.
So having actual strong procedures as far as if money is requested, what should you be doing to perform that action? Who should you raise for authorization? Who should you be raising for approval?
That's Brian Baskin from Sublime Security. No, it's not your imagination. Risk and regulation
really are ramping up and customers expect proof of security before they'll sign that deal.
That's where Vanta comes in. Vanta automates your compliance process and brings compliance,
risk and customer trust together on one AI powered platform.
Whether you're preparing for SOC 2 or managing an enterprise governance, risk, and compliance program,
Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and writers spend 82% less time on audits with Vanta.
That's not just faster compliance, that's more time for growth.
Take it from me.
If you're thinking about compliance, take the time to check out Vanta.
Get started at vanta.com slash cyber.
One plus one equals more of the greatest stories.
Hulu on Disney Plus.
Stories about survivors.
The most dangerous planet.
Family, retribution.
Murder.
Prophecy.
Beer and propane.
How are we doing it?
Blake Pantha.
The ultimate soldier.
Chicago, all right?
The best of the best stories now with even more from Hulu.
Amazing.
Have it all with three.
on Disney Plus.
And finally, a suspicious link arrives from a friend.
The headline is outrageous.
The video looks slightly off.
In the age of online misinformation, artificial intelligence promises to help sort
truth from nonsense.
Unfortunately, according to researcher Dorsoff Salami of the University of Montreal,
those promises are doing a bit of exaggerating themselves.
For her doctoral research, Salami examined AI systems designed to detect fake news and found they don't actually fact-check.
Instead, they calculate probabilities based on patterns in their training data.
In other words, they behave less like journalists and more like mirrors, reflecting whatever biases and gaps were present in the data they learned from.
That creates problems.
The definition of misinformation is often disputed.
The training labels are not always transparent, and the models can inherit biases,
sometimes even flagging content differently depending on gender or geography.
Salami proposes a more human-centered approach.
She's even created a browser extension that helps users verify claims by showing sources,
explanations, and fact checks, leaving the final judgment where it arguably belongs,
with the human reading the headline.
And that's the CyberWire. For links to all of today's stories,
Check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k dot com.
N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound
design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is
Jennifer Eiben. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders
tackling today's toughest challenges and shaping what comes next.
Register today at rsaconference.com slash cyberwire26.
I'll see you in San Francisco.
