CyberWire Daily: Amazon Disrupts Russian Hackers, Salesloft Breach Fallout, and AI in Business

Amazon Disrupts Midnight Blizzard Campaign

• 🛡️ Amazon's threat intelligence team successfully disrupted a cyber campaign by Russia's state-backed group Midnight Blizzard (APT29).
• 🎣 Attackers used a watering hole technique, redirecting users to fake CloudFlare verification pages to steal credentials via a malicious Microsoft authentication flow.
• 🚫 Amazon, working with Microsoft and Cloudflare, took down the group's domains and infrastructure, though APT29 is reportedly rebuilding.
• 🔑 The campaign signals a shift from MFA bypass to stealthier credential theft tactics.

Salesloft Breach Continues to Impact Services

• 🌐 The breach at Salesloft's Drift chatbot has had far-reaching consequences, exposing data from hundreds of connected services including Slack, Google Workspace, AWS, Azure, and OpenAI.
• 🚨 Google warned that attackers could siphon corporate data, search for cloud credentials, and access email accounts.
• 🔗 Companies are advised to treat all Salesloft integrations as compromised and invalidate tokens immediately.
• 🔒 Zscaler confirmed limited access to its Salesforce data, including employee contact information and product licensing, but no sensitive files were affected.

Critical Vulnerabilities and Malware Campaigns

• 📱 WhatsApp has patched a critical zero-click flaw in its iOS and Mac apps that allowed spyware to compromise devices without user interaction.
• 📄 A fake PDF editing tool, App Suite PDF Editor, distributed via Google Ads, was found to deliver the Tamper Chef infostealer, stealing credentials and system data.
• 🚗 A jury ordered Tesla to pay $243 million in damages after a hacker uncovered critical autopilot data that Tesla initially claimed not to have, impacting its defense strategy.
• 🇪🇸 Spain canceled a €10 million contract with Huawei for its academic and research network due to digital strategy and strategic autonomy concerns.
• 💸 The city of Baltimore lost over $1.5 million due to a fraudster spoofing a vendor and tricking employees into changing bank account details.

Threat Vector: Policy to Cyber Defense

• 🧠 Michael Sikorski and Thomas P. Bossert discussed the path from policy and national security strategy to building operational cyber defense.
• ⚔️ They explored the concept of proactive interference and disrupting attacks in real-time, rather than just reacting to them.
• ⚖️ The discussion highlighted the disconnect between policy makers' rhetoric on offensive cyber operations and the technical realities, emphasizing the need for clear definitions and achievable objectives.
• 🤝 Trinity Cyber's approach was described as reciprocal, interfering only when initiated by an adversary to create friction and achieve better operational outcomes.

Preview: Only Malware in the Building

• 🌶️ A special, video-focused episode of Only Malware in the Building is previewed, featuring hosts eating hot sauces while discussing their careers and cyber journeys.
• 🎬 The production involved a year-long effort to create a unique video experience, moving beyond traditional audio podcast formats.
• 💡 The episode aims to provide deeper insights into the hosts' personalities and careers within the cybersecurity field.