• Mass Salesforce Hacks: How Criminals Are Targeting the Cloud Supply Chain
    Aug 19 2025

    A wave of coordinated cyberattacks has hit Salesforce customers across industries and continents, compromising millions of records from some of the world’s most recognized brands — including Google, Allianz Life, Qantas, LVMH, and even government agencies.

    In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down how the attackers pulled off one of the most sweeping cloud compromise campaigns in recent memory — using no zero-day exploits, just convincing phone calls, malicious connected apps, and gaps in cloud supply chain security.

    We’ll explore the attack timeline, parallels to the Snowflake breaches, ties to the Scattered Spider crew, and the lessons security leaders need to act on right now.

    Key Takeaways

    1. Use phishing-resistant MFA — FIDO2 keys, passkeys.
    2. Train for vishing resistance — simulate phone-based social engineering.
    3. Monitor for abnormal data exports from SaaS platforms.
    4. Lock down your Salesforce platform — vet and limit connected apps.
    5. Rehearse rapid containment — revoke OAuth tokens, disable accounts fast.

    References

    • Google - The Cost of a Call: From Voice Phishing to Data Extortion
    • Salesforce – Protect Your Salesforce Environment from Social Engineering Threats
    • BleepingComputer – ShinyHunters behind Salesforce data theft at Qantas, Allianz Life, LVMH
    • TechRadar – Google says hackers stole some of its data following Salesforce breach
    • LMG Security Blog – Our Q3 2024 Top Control is Third Party Risk Management: Lessons from the CrowdStrike Outage
    14 mins
  • North Korea’s Deepfake Remote Workers: How They’re Getting Inside U.S. Companies
    Aug 12 2025

    On National Social Engineering Day, we’re pulling the lid off one of the most dangerous insider threat campaigns in the world — North Korea’s fake remote IT worker program.

    Using AI-generated résumés, real-time deepfake interviews, and U.S.-based “laptop farms,” DPRK operatives are gaining legitimate employment inside U.S. companies — funding nuclear weapons programs and potentially opening doors to cyber espionage.

    We’ll cover the recent U.S. sanctions, the Christina Chapman laptop farm case, and the latest intelligence from CrowdStrike on FAMOUS CHOLLIMA — plus, we’ll give you specific, actionable ways to harden your hiring process and catch these threats before they embed inside your network.

    Actionable Takeaways for Defenders

    1. Verify Beyond the Résumé: Pair government ID checks with independent work history and social profile verification. Use services to flag synthetic or stolen identities.
    2. Deepfake-Proof Interviews: Add unscripted, live identity challenges during video calls (lighting changes, head turns, holding ID on camera).
    3. Geolocation & Device Monitoring: Implement controls to detect impossible travel, VPN/geolocation masking, and multiple logins from the same endpoint for different accounts.
    4. Watch for Multi-Job Signals: Monitor productivity patterns and unusual scheduling; red flags include unexplained work delays, identical deliverables across projects, or heavy reliance on AI-generated output.
    5. Hold Your Vendors to the Same Standard: Ensure tech vendors and contractors use equivalent vetting, monitoring, and access control measures. Bake these requirements into contracts and third-party risk assessments.

    References

    • U.S. Treasury Press Release – Sanctions on DPRK IT Worker Scheme
    • CrowdStrike 2025 Threat Hunting Report – Profile of FAMOUS CHOLLIMA’s AI-powered infiltration methods
    • National Social Engineering Day – KnowBe4 Announcement Honoring Kevin Mitnick
    14 mins
  • The Amazon Q AI Hack: A Wake-Up Call for Developer Tool Security
    Aug 5 2025

    A silent compromise, nearly a million developers affected, and no one at Amazon knew for six days. In this episode of Cyberside Chats, we’re diving into the Amazon Q AI Hack, a shocking example of how vulnerable our software development tools have become.

    Join hosts Sherri Davidoff and Matt Durrin as they unpack how a misconfigured GitHub token allowed a hacker to inject destructive AI commands into a popular developer tool. We’ll walk through exactly what happened, how GitHub security missteps enabled the attack, and why this incident is a critical wake-up call for supply chain security and AI tool governance.

    We’ll also spotlight other supply chain breaches like the SolarWinds Orion backdoor and XZ Utils compromise, plus AI tool mishaps where “helpful” assistants caused real-world damage. If your organization uses AI developer tools—or works with third-party software vendors—this episode is a must-listen.

    Key Takeaways:

    ▪ Don’t Assume AI Tools Are Safe Just Because They’re Popular: Amazon Q had nearly a million installs—and it still shipped with malicious code. Before adopting any AI-based tools (like Copilot, Q, or Gemini), vet their permissions, access scope, and how updates are managed.

    ▪ Ask Your Software Vendors About Their Supply Chain Security: If you rely on third-party developers or vendors, request details on how they manage build pipelines, review code changes, and prevent unauthorized commits. A compromised vendor can put your entire environment at risk.

    ▪ Hold Vendors Accountable for Secure Development Practices: Ask whether your vendors enforce commit signing, use GitHub security features (like push protection and secret scanning), and apply multi-person code review processes. If they can't answer, that's a red flag.

    ▪ Be Wary of Giving AI Assistants Too Much Access: Whether it’s an AI chatbot that can write config files or a developer tool that interacts with production environments, limit access. Always sandbox and monitor AI-integrated tools, and avoid letting them make direct changes.

    ▪ Prepare to Hear About Breaches From the Outside: Just like Amazon only found out about the malicious code in Q after security researchers reported it, many organizations won’t catch third-party security issues internally. Make sure you have monitoring tools, vendor communication protocols, and incident response processes in place.

    ▪ If You Develop Code Internally, Lock Down Your Build Pipeline: The Amazon Q hack happened because of a misconfigured GitHub token in a CI workflow. If you’re building your own code, review permissions on GitHub tokens, enforce branch protections, and require signed commits to prevent unauthorized changes from slipping into production.

    #Cybersecurity #SupplyChainSecurity #AItools #DevSecOps #AmazonQHack #GitHubSecurity #Infosec #CybersideChats #LMGSecurity

    22 mins
  • Iran’s Cyber Surge: Attacks Intensify in 2025
    Jul 29 2025

    Iranian cyber operations have sharply escalated in 2025, targeting critical infrastructure, defense sectors, and global businesses—especially those linked to Israel and the U.S. From destructive malware and coordinated DDoS attacks to sophisticated hack-and-leak campaigns leveraging generative AI, Iranian threat actors are rapidly evolving. Join us to explore their latest tactics, notable incidents, and essential strategies to defend your organization. Hosts Sherri Davidoff and Matt Durrin break down wiper malware trends, AI-powered phishing, the use of deepfakes for psychological operations, and the critical role of patching and MFA in protecting against collateral damage.

    Key Takeaways for Cybersecurity Leaders

    • Patch Internet-Facing Systems Promptly: Iranian attackers frequently exploit unpatched systems—especially VPNs, SharePoint, and other perimeter-facing tools. Microsoft’s July Patch Tuesday alone included 137 vulnerabilities, including actively exploited zero-days. Stay current to avoid being an easy target.
    • Implement Phishing-Resistant Multifactor Authentication (MFA): Groups like Charming Kitten are leveraging generative AI to craft convincing spear phishing emails. Use MFA methods such as FIDO2 security keys, biometrics, or passkeys. Avoid push fatigue, SMS codes, or email-based MFA which are easily phished or bypassed.
    • Segment and Secure Critical IT & OT Systems: Assume attackers will get in. Segment IT from OT networks (especially SCADA/ICS environments) and limit lateral movement. Iranian campaigns have crossed into OT, targeting backups and sabotaging ICS operations.
    • Maintain Robust, Tested Backup and Recovery Systems: Wiper malware and ransomware deployed by Iranian groups have destroyed both live data and backups. Use immutable or offline backups, and test full restores. Automate reimaging processes to ensure rapid recovery at scale.
    • Raise Awareness Against Sophisticated Social Engineering: Train staff to recognize AI-generated phishing and deepfake audio/video attacks. Iran has used deepfakes to spread disinformation and influence public perception. Show your team what deepfakes look and sound like so they can spot them in the wild.

    Resources & References

    CISA/FBI/NSA Joint Advisory: https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf

    Unit 42 Report: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/

    Deepwatch Threat Intel: https://www.deepwatch.com/labs/customer-advisory-elevated-iranian-cyber-activity-post-u-s-strikes/

    LMG Security – Defending Against Generative AI Attacks: https://lmgsecurity.com/defend-against-generative-ai-attacks/

    #cybersecurity #cybercrime #cyberattack #cyberaware #cyberthreats #ciso #itsecurity #infosec #infosecurity #riskmanagement

    28 mins
  • Leaked and Loaded: DOGE’s API Key Crisis
    Jul 22 2025

    On July 13, 2025, a developer at the Department of Government Efficiency—DOGE—accidentally pushed a private xAI API key to GitHub. That key unlocked access to 52 unreleased LLMs, including Grok‑4‑0709, and remained active long after discovery.

    In this episode of Cyberside Chats, we examine how a single leaked credential became a national-level risk—and how it mirrors broader API key exposures at BeyondTrust and across GitHub. LMG Security’s Director of Penetration Testing, Tom Pohl, shares red team insights on how embedded secrets give attackers a foothold—and what CISOs must do now to reduce their exposure.

    Key Takeaways:

    1. Treat leaked API keys like a full-blown incident—whether it’s your code or a vendor’s.

    Monitor for exposure and misuse. Include secrets in IR playbooks—even when it’s third-party code.

    2. Ask your vendors the hard questions about secrets management.

    Do they rotate keys? Use a secrets manager? How quickly can they revoke?

    3. Scan your environment for exposed secrets, even if you don’t develop software.

    Look for credentials in cloud configs, automation, scripts, SaaS tools.

    4. Make sure your penetration testing team searches for secrets as part of their processes.

    Secrets can show up in unexpected places—firmware, config files, build artifacts. Your red team or vendor should actively hunt for exposed keys, hardcoded credentials, and reused certs across applications, infrastructure, and third-party tools.

    5. Train your IT staff and developers to remove secrets from code and automate detection.

    Use GitGuardian, TruffleHog, and a secrets manager like AWS Secrets Manager or HashiCorp Vault.

    References:

    • Exposed Secrets, Broken Trust: What the DOGE API Key Leak Teaches Us About Software Security – LMG Security: https://www.LMGsecurity.com/exposed-secrets-broken-trust-what-the-doge-api-key-leak-teaches-us-about-software-security/
    • “Private Keys in Public Places” - DEFCON talk by Tom Pohl, LMG Security: https://www.youtube.com/watch?v=7t_ntuSXniw
    • DOGE employee leaks private xAI API key from sensitive database – TechRadar: https://www.techradar.com/pro/security/doge-employee-with-sensitive-database-access-leaks-private-xai-api-key

    #DOGEleak #cybersecurity #cybersecurityawareness #ciso #infosec #itsecurity

    15 mins
  • Holiday Horror Stories: Why Hackers Love Long Weekends
    Jul 15 2025

    Why do so many major cyberattacks happen over holiday weekends? In this episode, Sherri and Matt share their own 4th of July anxiety as security professionals—and walk through some of the most infamous attacks timed to exploit long weekends, including the Kaseya ransomware outbreak, the MOVEit breach, and the Bangladesh Bank heist. From retail breaches around Thanksgiving to a cyber hit on Krispy Kreme, they break down what makes holidays such a juicy target—and how to better defend your organization when most of your team is off the clock.

    Takeaways:

    1. Treat Holiday Weekends as Elevated Threat Windows: Plan and staff accordingly. Threat actors deliberately strike when visibility and response capacity are lowest—your incident response posture should reflect that heightened risk.
    2. Establish and Test Off-Hours Response Plans: Ensure escalation paths, contact protocols, and technical procedures are defined, reachable, and tested for weekends and holidays. On-call responsibilities should be clearly assigned with appropriate backups.
    3. Reduce Your Attack Surface and Harden Perimeter Before the Break: Conduct targeted patching, vulnerability scans, and privilege reviews in the days leading up to any holiday period. Temporarily disable or restrict non-essential access and remote administration rights.
    4. Practice Incident Response Tabletop Exercises With Holiday Timing in Mind: Simulate scenarios that unfold over weekends or during staff absences to uncover timing-based gaps in coverage, decision-making, or escalation. Make sure playbooks account for limited availability and stress-test your team’s ability to respond under real-world holiday constraints.
    5. Communicate Expectations Across the Organization and With 3rd Parties: Brief relevant teams (not just security) on the increased risk. Reinforce secure behaviors, clarify how to report suspicious activity, and keep business units informed about potential delays or escalation protocols. Talk with your MSP and other 3rd party vendors to ensure they have consistent monitoring and know who to contact if there is an incident (and vice versa).

    Resources:

    • MOVEit Data Breach Timeline – Rapid7
    • Kaseya Ransomware Attack Explained – Varonis
    • Bangladesh Bank Heist – Darknet Diaries Episode 72
    • Tabletop Exercises & Incident Response Planning – LMG Security

    #cybersecurity #dfir #incidentresponse #ciso #cybersidechats #cybersecurityleadership #infosec #itsecurity #cyberaware

    22 mins
  • Federal Cybersecurity Rollbacks: What Got Cut—And What Still Stands
    Jul 8 2025

    In June 2025, the White House issued an executive order that quietly eliminated several key federal cybersecurity requirements. In this episode of Cyberside Chats, Sherri and Matt break down exactly what changed—from the removal of secure software attestations to the rollback of authentication requirements—and what remains in place, including post-quantum encryption support and the FTC’s Cyber Trust Mark. We’ll talk about the practical impact for security leaders, why this mirrors past challenges like PCI compliance, and what your organization should do next.

    Key Takeaways (for CISOs and Security Leaders)

    1. Don’t Drop SBOMs or Attestations — Build Them Into Contracts Anyway: Even without a federal requirement, insist on SBOMs and secure development attestations in vendor agreements. Transparency reduces your risk.
    2. Re-Evaluate Third-Party Software Risk Practices Now: With no centralized validation, it's up to you to verify vendors' claims. Strengthen your third-party risk management processes accordingly.
    3. Watch for Gaps in MFA, Encryption, and Identity Standards: Don’t assume basic protections are baked in. Federal rollback may signal declining baseline expectations—so enforce your own.
    4. Prepare for Industry-Led Enforcement — From Insurers, Buyers, and Info-Sharing Groups: Expect cyber insurers, large enterprises, ISACs/ISAOs, and professional groups to lead on software transparency. Get ahead by aligning now.

    Resources:

    1. Full Text of the June 6, 2025 Executive Order: https://www.whitehouse.gov/presidential-actions/2025/06/sustaining-select-efforts-to-strengthen-the-nations-cybersecurity-and-amending-executive-order-13694-and-executive-order-14144
    2. LMG Security: Software Supply Chain Security – Understanding and Mitigating Major Risks: https://www.lmgsecurity.com/software-supply-chain-security-understanding-and-mitigating-major-risks/
    3. The Record’s Breakdown: Trump Order Rolls Back Key Federal Cybersecurity Rules: https://therecord.media/trump-cybersecurity-executive-order-june-2025
    20 mins
  • No Lock, Just Leak
    Jul 1 2025

    Forget everything you thought you knew about ransomware. Today’s threat actors aren’t locking your files—they’re stealing your data and threatening to leak it unless you pay up.

    In this episode, we dive into the rise of data-only extortion campaigns and explore why encryption is becoming optional for cybercriminals. From real-world trends like the rebrand of Hunters International to “World Leaks,” to the strategic impact on insurance, PR, and compliance—this is a wake-up call for security teams everywhere.

    If your playbook still ends with “just restore from backup,” you’re not ready.

    Takeaways for Security Teams:

    • Rethink detection: Focus on exfiltration, not just malware.
    • Update tabletop exercises: Include public leaks, media scrutiny, and regulatory responses.
    • Review insurance policies: Ensure data-only extortion is covered, not just encryption events.
    • Prepare execs and PR: Modern extortion targets reputation and compliance pressure points.

    Resources & Mentions:

    • https://www.coveware.com/ransomware-quarterly-reports
    • Security Boulevard: Hunters International Rebrands as World Leaks:
    • https://attack.mitre.org/resources/
    • LMG Security
    15 mins