Cyberside Chats: Cybersecurity Insights from the Experts

By: Chatcyberside

About this listen

Stay ahead of the latest cybersecurity trends with Cyberside Chats! Listen to our weekly podcast every Tuesday at 6:30 a.m. ET, and join us live once a month for breaking news, emerging threats, and actionable solutions. Whether you’re a cybersecurity professional or an executive looking to understand how to protect your organization, cybersecurity experts Sherri Davidoff and Matt Durrin will help you stay informed and proactively prepare for today’s top cybersecurity threats, AI-driven attack and defense strategies, and more!

Join us on August 27th for our next interactive Cyberside Chats: Live! on Betrayal, Backdoors and Payback: When Hackers Become The Hacked!

Copyright 2024 All rights reserved.
Episodes
  • Mass Salesforce Hacks: How Criminals Are Targeting the Cloud Supply Chain
    Aug 19 2025

    A wave of coordinated cyberattacks has hit Salesforce customers across industries and continents, compromising millions of records from some of the world’s most recognized brands — including Google, Allianz Life, Qantas, LVMH, and even government agencies.

    In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down how the attackers pulled off one of the most sweeping cloud compromise campaigns in recent memory — using no zero-day exploits, just convincing phone calls, malicious connected apps, and gaps in cloud supply chain security.

    We’ll explore the attack timeline, parallels to the Snowflake breaches, ties to the Scattered Spider crew, and the lessons security leaders need to act on right now.

    Key Takeaways

    1. Use phishing-resistant MFA — FIDO2 keys, passkeys.
    2. Train for vishing resistance — simulate phone-based social engineering.
    3. Monitor for abnormal data exports from SaaS platforms.
    4. Lock down your Salesforce platform — vet and limit connected apps.
    5. Rehearse rapid containment — revoke OAuth tokens, disable accounts fast.

    References

    • Google – The Cost of a Call: From Voice Phishing to Data Extortion
    • Salesforce – Protect Your Salesforce Environment from Social Engineering Threats
    • BleepingComputer – ShinyHunters behind Salesforce data theft at Qantas, Allianz Life, LVMH
    • TechRadar – Google says hackers stole some of its data following Salesforce breach
    • LMG Security Blog – Our Q3 2024 Top Control is Third Party Risk Management: Lessons from the CrowdStrike Outage
    14 mins
  • North Korea’s Deepfake Remote Workers: How They’re Getting Inside U.S. Companies
    Aug 12 2025

    On National Social Engineering Day, we’re pulling the lid off one of the most dangerous insider threat campaigns in the world — North Korea’s fake remote IT worker program.

    Using AI-generated résumés, real-time deepfake interviews, and U.S.-based “laptop farms,” DPRK operatives are gaining legitimate employment inside U.S. companies — funding nuclear weapons programs and potentially opening doors to cyber espionage.

    We’ll cover the recent U.S. sanctions, the Christina Chapman laptop farm case, and the latest intelligence from CrowdStrike on FAMOUS CHOLLIMA — plus, we’ll give you specific, actionable ways to harden your hiring process and catch these threats before they embed inside your network.

    Actionable Takeaways for Defenders

    1. Verify Beyond the Résumé: Pair government ID checks with independent work history and social profile verification. Use services to flag synthetic or stolen identities.
    2. Deepfake-Proof Interviews: Add unscripted, live identity challenges during video calls (lighting changes, head turns, holding ID on camera).
    3. Geolocation & Device Monitoring: Implement controls to detect impossible travel, VPN/geolocation masking, and multiple logins from the same endpoint for different accounts.
    4. Watch for Multi-Job Signals: Monitor productivity patterns and unusual scheduling; red flags include unexplained work delays, identical deliverables across projects, or heavy reliance on AI-generated output.
    5. Hold Your Vendors to the Same Standard: Ensure tech vendors and contractors use equivalent vetting, monitoring, and access control measures. Bake these requirements into contracts and third-party risk assessments.

    References

    • U.S. Treasury Press Release – Sanctions on DPRK IT Worker Scheme
    • CrowdStrike 2025 Threat Hunting Report – Profile of FAMOUS CHOLLIMA’s AI-powered infiltration methods
    • National Social Engineering Day – KnowBe4 Announcement Honoring Kevin Mitnick
    14 mins
  • The Amazon Q AI Hack: A Wake-Up Call for Developer Tool Security
    Aug 5 2025

    A silent compromise, nearly a million developers affected, and no one at Amazon knew for six days. In this episode of Cyberside Chats, we’re diving into the Amazon Q AI Hack, a shocking example of how vulnerable our software development tools have become.

    Join hosts Sherri Davidoff and Matt Durrin as they unpack how a misconfigured GitHub token allowed a hacker to inject destructive AI commands into a popular developer tool. We’ll walk through exactly what happened, how GitHub security missteps enabled the attack, and why this incident is a critical wake-up call for supply chain security and AI tool governance.

    We’ll also spotlight other supply chain breaches like the SolarWinds Orion backdoor and XZ Utils compromise, plus AI tool mishaps where “helpful” assistants caused real-world damage. If your organization uses AI developer tools—or works with third-party software vendors—this episode is a must-listen.

    Key Takeaways:

    ▪ Don’t Assume AI Tools Are Safe Just Because They’re Popular: Amazon Q had nearly a million installs—and it still shipped with malicious code. Before adopting any AI-based tools (like Copilot, Q, or Gemini), vet their permissions, access scope, and how updates are managed.

    ▪ Ask Your Software Vendors About Their Supply Chain Security: If you rely on third-party developers or vendors, request details on how they manage build pipelines, review code changes, and prevent unauthorized commits. A compromised vendor can put your entire environment at risk.

    ▪ Hold Vendors Accountable for Secure Development Practices: Ask whether your vendors enforce commit signing, use GitHub security features (like push protection and secret scanning), and apply multi-person code review processes. If they can't answer, that's a red flag.

    ▪ Be Wary of Giving AI Assistants Too Much Access: Whether it’s an AI chatbot that can write config files or a developer tool that interacts with production environments, limit access. Always sandbox and monitor AI-integrated tools, and avoid letting them make direct changes.

    ▪ Prepare to Hear About Breaches From the Outside: Just like Amazon only found out about the malicious code in Q after security researchers reported it, many organizations won’t catch third-party security issues internally. Make sure you have monitoring tools, vendor communication protocols, and incident response processes in place.

    ▪ If You Develop Code Internally, Lock Down Your Build Pipeline: The Amazon Q hack happened because of a misconfigured GitHub token in a CI workflow. If you’re building your own code, review permissions on GitHub tokens, enforce branch protections, and require signed commits to prevent unauthorized changes from slipping into production.

    #Cybersecurity #SupplyChainSecurity #AItools #DevSecOps #AmazonQHack #GitHubSecurity #Infosec #CybersideChats #LMGSecurity

    22 mins