⏱️ ≈ 8-minute read
Editor’s Note: This week’s lineup has a little bit of everything: medtech disruption, cloud misconfigurations, state-backed messaging compromises, and AI continuing its side hustle as the intern from hell. The throughline is not subtle: exposed access, weak controls, and overly trusting workflows are still doing half the attackers’ jobs for them.

📬 This Week’s Clickables
📌 Big News
Stryker’s breach hits operations, while Salesforce customers get another lesson in why public-facing permissions are never a set-it-and-forget-it job.
🚨 Can’t Miss
A massive TELUS breach claim, Kremlin-linked messaging hijacks, emergency Chrome patches, and Michelin’s Oracle EBS fallout.
🤖 AI in Cyber
AI-built malware, AI-assisted attack workflows, criminal adoption of CyberStrikeAI, and agentic browsers showing exactly how trust can go sideways.
🧪 Strange Cyber Story
One Zoom setting, one bad click, and up to $200,000 gone. Convenience strikes again.
🚨 Big News
🏥 Stryker’s cyberattack turns into an operations problem fast
Intro:
Stryker’s incident went from “we’re investigating” to “this is now affecting the business” in about a day. That is usually when a cyber event stops being an IT problem and starts showing up in board-level language.
What Happened:
Reuters reported that Stryker said the cyberattack disrupting its Microsoft environment is affecting its ability to process orders, manufacture products, and ship them to customers. The company said patient-related services and connected medical products were not impacted, which is the good news in a story that otherwise keeps getting worse. An Iranian-linked group called Handala claimed responsibility, though the broader impact and financial fallout are still being assessed. For a global medtech company, even a short disruption to ordering and fulfillment can ripple across hospitals and supply chains fast.
Why It’s Important:
This is a reminder that the real damage from enterprise intrusions is often operational, not just reputational. When core business systems go sideways, security incidents start hitting revenue, logistics, and customer trust all at once. Healthcare-adjacent manufacturers are especially exposed because they sit in the uncomfortable middle ground between enterprise IT and critical service delivery. If orders stall and production slips, the downstream consequences can stack up in a hurry.
The Other Side:
Stryker says patient-related services and connected products remain unaffected, which suggests segmentation or response controls may have prevented a worse scenario. It is also still early, and public disclosures at this stage are usually incomplete by definition. There is still room for the final story to be either more contained or much uglier.
👉 Takeaway:
The headline is disruption, but the lesson is access control. When core management layers and device administration are too broadly trusted, overprivileged MDM and similar admin pathways can turn one compromise into a business-wide mess a lot faster than anyone wants to admit.
TL;DR
The breach did not appear to hit patient services, but it did hit the machinery of business operations. In medtech, that is more than enough to become a serious problem.
Further Reading: Reuters
What do these names have in common?
Arnold Schwarzenegger
Codie Sanchez
Scott Galloway
Colin & Samir
Shaan Puri
Jay Shetty
They all run their businesses on beehiiv. Newsletters, websites, digital products, and more. beehiiv is the only platform you need to take your content business to the next level.
🚨Limited time offer: Get 30% off your first 3 months on beehiiv. Just use code JOIN30 at checkout.
☁️ Salesforce customers get another cloud security warning they really did not need
Intro:
Nothing says “mature cloud risk” like a third customer attack spree in six months. At this point, “misconfiguration” is less a technical issue and more a recurring genre.
What Happened:
CyberScoop reported that Salesforce issued a new alert tied to attacks targeting public-facing Experience Cloud sites. According to the report, attackers are scanning for overly permissive guest user configurations and using a modified version of Mandiant’s AuraInspector to identify exposed instances and steal data. Researchers linked the activity to a threat actor associated with ShinyHunters, and the campaign is described as the third broad attack spree affecting Salesforce customers in roughly six months. The exact victim count is unverified, but the pattern is becoming impossible to ignore.
Why It’s Important:
This is not just a Salesforce story - it is an identity and configuration governance story. Public-facing portals with loose guest access are the kind of weakness that looks harmless right up until attackers industrialize discovery and turn it into a repeatable playbook. The bigger issue is that many organizations still treat SaaS exposure as someone else’s problem because the platform is hosted by a major vendor. It is not. Shared responsibility does not disappear just because the logo is expensive.
The Other Side:
Salesforce is at least being direct about the issue and working with Mandiant to provide detection guidance and risk reduction advice. The underlying weakness also appears to center on customer-side configuration choices, not a platform-wide break of Salesforce itself. That distinction matters, even if it offers very little comfort to customers now doing emergency guest-user audits.
👉 Takeaway:
If your customer portal is public and your guest permissions are broad, you may already be participating in an attacker’s inventory spreadsheet. SaaS security still lives or dies on configuration discipline.
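A way to turn that takeaway into a check, added here as an example (not Salesforce’s or Mandiant’s code, and not AuraInspector): pull the object permissions granted to guest-user profiles with a SOQL query, save the records as JSON, and run this audit over them. The query filter on Parent.Profile.UserLicense.Name, the list of objects treated as sensitive, and the sample records are all assumptions for the example; adjust them to your org.

```python
"""Audit Salesforce guest-user object permissions exported via SOQL.

Added example, not Salesforce's own tooling. Assumes you have already run a
query like the one below (Salesforce CLI or REST; no network needed here)
and saved the returned records as JSON:

  SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
         PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords, Parent.Profile.Name
  FROM ObjectPermissions
  WHERE Parent.Profile.UserLicense.Name = 'Guest User License'

The WHERE filter and SENSITIVE_OBJECTS are assumptions for this example.
"""
import json
import sys

# Objects an unauthenticated guest should essentially never be able to read.
# Assumption: extend with your own custom objects that hold customer data.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
ALL_RECORD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")
SEVERITY_ORDER = {"critical": 0, "high": 1}


def audit_guest_permissions(records):
    """Return (severity, profile, object, reason) tuples, worst first."""
    findings = []
    for rec in records:
        obj = rec["SobjectType"]
        parent = rec.get("Parent") or {}
        profile = (parent.get("Profile") or {}).get("Name", "?")
        # View All / Modify All bypasses sharing rules entirely: a guest
        # with this can enumerate every record of the object.
        if any(rec.get(f) for f in ALL_RECORD_FLAGS):
            findings.append((
                "critical", profile, obj, "View All/Modify All on guest profile"))
        # Guests creating or editing records is a data-tampering and
        # spam/abuse vector as well as a data-exposure one.
        if any(rec.get(f) for f in WRITE_FLAGS):
            findings.append(("high", profile, obj, "guest can create/edit/delete"))
        # Plain read on customer data is exactly what scanning tools look for.
        if rec.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append(("high", profile, obj, "guest read on sensitive object"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


# Constructed sample, shaped like a REST query response's "records" entries.
SAMPLE_RECORDS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsCreate": False, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Profile"}}},
    {"SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsCreate": False, "PermissionsEdit": True,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Profile"}}},
    {"SobjectType": "Case", "PermissionsRead": False,
     "PermissionsCreate": True, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsViewAllRecords": True,
     "PermissionsModifyAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Profile"}}},
]


if __name__ == "__main__":
    # Usage: python guest_audit.py export.json   (or no arg to use the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
        records = data.get("records", data)
    else:
        records = SAMPLE_RECORDS
    for sev, profile, obj, reason in audit_guest_permissions(records):
        print(f"[{sev.upper()}] {profile}: {obj} - {reason}")
```

Object permissions are only half the picture: the org-wide "Secure guest user record access" sharing setting and any guest sharing rules decide which records a permitted object read actually returns, so review those alongside this output.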
TL;DR
Another round of Salesforce customer attacks is here, and once again the path in looks suspiciously like permissions that should have been tighter months ago.
Further Reading: CyberScoop
The first webcam was built at the University of Cambridge to monitor a coffee pot, proving two timeless truths: engineers hate wasted trips, and convenience always expands the attack surface. (Source: University of Cambridge)
🔥 Can’t Miss
🗂️ TELUS Digital confirms breach after hacker claims 1 petabyte data theft
TELUS Digital confirmed a security incident after threat actors claimed they stole nearly 1 petabyte of data in a multi-month breach. The company said a limited number of systems were accessed without authorization and that operations remain fully functional, but the claim puts serious attention on its role as a BPO provider handling data and workflows for multiple clients. One breach in that kind of environment can become a multiplier fast.
👉 Key takeaway: BPO providers are not just vendors - they are aggregation points, which makes them high-value targets and high-consequence weak spots.
📱 Kremlin hackers attempting to compromise Signal and WhatsApp accounts globally
Dutch intelligence agencies warned that Russian-backed hackers are running a global campaign against Signal and WhatsApp accounts used by officials, military personnel, and journalists. The playbook is simple and effective: trick targets into handing over verification or PIN codes, then step into the account and the conversation history. Signal said its encryption was not compromised, which matters, but that does not help when the attacker logs in as the user.
👉 Key takeaway: Secure messaging apps are only as secure as the account recovery and device-linking decisions around them.
🌐 Chrome 146 update patches two exploited zero-days
Google pushed an emergency Chrome 146 update to fix two high-severity zero-days already being exploited in the wild. One is in the Skia graphics library and the other in the V8 JavaScript engine, which means simply rendering a malicious page can be enough to trigger them. Every day a browser update waits in the queue is another day an exploit that is already in use keeps working.
👉 Key takeaway: Browser updates are not housekeeping - they are frontline defense, especially when active exploitation is already confirmed.
🛞 Michelin confirms data breach linked to Oracle EBS attack
Michelin confirmed it was hit in the broader Oracle E-Business Suite campaign, with attackers allegedly stealing and leaking more than 300GB of files. The incident reinforces a familiar problem: legacy enterprise platforms remain excellent targets when they sit on high-value business data. Old plumbing with premium data attached is still a criminal favorite.
👉 Key takeaway: If critical business systems are difficult to modernize, they become even more important to harden, monitor, and isolate.
Hiring in 8 countries shouldn't require 8 different processes
This guide from Deel breaks down how to build one global hiring system. You’ll learn about assessment frameworks that scale, how to do headcount planning across regions, and even intake processes that work everywhere. As HR pros know, hiring in one country is hard enough. So let this free global hiring guide give you the tools you need to avoid global hiring headaches.
🤖 AI in Cyber
🧬 AI-generated Slopoly malware used in Interlock ransomware attack
IBM X-Force found strong signs that a malware strain called Slopoly was likely generated with a large language model and used during an Interlock ransomware intrusion. The notable part is not that AI made the malware brilliant - it made it usable for persistence and data theft. That lowers the skill floor without lowering the damage ceiling.
👉 Key takeaway: AI does not need to produce masterpiece malware to be dangerous - it just needs to produce usable malware faster.
🧠 Microsoft says hackers are abusing AI at every stage of cyberattacks
Microsoft says attackers are increasingly using AI across the full attack chain, from reconnaissance and phishing to scripting and post-compromise work. This is not the cinematic version of AI hacking - it is the practical one, where malicious workflows get faster, cheaper, and easier to scale. That is bad enough on its own.
👉 Key takeaway: The biggest near-term AI risk in cyber is not autonomy - it is attacker efficiency at scale.
🛠️ CyberStrikeAI tool adopted by hackers for AI-powered attacks
Researchers say a new open-source platform called CyberStrikeAI was observed in infrastructure tied to a campaign that compromised hundreds of Fortinet FortiGate firewalls. Open-source AI security tooling was always going to be dual-use. Criminals just skipped the ethics panel and got straight to implementation.
👉 Key takeaway: Security tooling powered by AI will not stay on the defender side for long, so detection strategies need to assume adversarial reuse by default.
🧭 Researchers discover suite of agentic AI browser vulnerabilities
Researchers at Zenity Labs found vulnerabilities in agentic AI browsers, including Perplexity’s Comet, that could allow attackers to hijack behavior through prompt injection delivered via seemingly legitimate content like calendar invites. The issue is not just one bug - it is a trust model problem in systems built to infer intent and act on it. Prompt injection remains deeply annoying and very effective.
👉 Key takeaway: Agentic convenience creates new trust-boundary problems, and prompt injection is still very much undefeated.
Global HR shouldn't require five tools per country
Your company going global shouldn’t mean endless headaches. Deel’s free guide shows you how to unify payroll, onboarding, and compliance across every country you operate in. No more juggling separate systems for the US, Europe, and APAC. No more Slack messages filling gaps. Just one consolidated approach that scales.
🧟♂️ Strange Cyber
🎥 The $200,000 Zoom call
Intro:
Some cyber stories involve sophisticated tradecraft. Others involve one default feature, one moment of trust, and a financial crater where your afternoon used to be. This might be an oldie, but it’s a goodie.
What Happened:
The Record detailed how crypto entrepreneur Jake Gallen lost between $150,000 and $200,000 after a Zoom call that turned into a remote-access scam. Investigators traced the activity to a group called ELUSIVE COMET, described as Western operators mimicking North Korean tactics. The attack reportedly hinged on a Zoom remote control request, giving the attackers access to the victim’s machine, files, and wallets. No dazzling zero-day. No elite wizardry. Just a feature that should have made everyone more uncomfortable years ago.
Why It’s Important:
This story is a perfect example of why legitimate feature abuse keeps winning. Collaboration tools ship with enough built-in trust to wreck a user in one click, and remote access inside normal workflows feels routine enough to slip past suspicion. That is exactly why attackers keep reaching for it.
The Other Side:
The defense here is not mysterious. Disable remote control where it is unnecessary, tighten meeting settings, and train users to treat access prompts like password prompts. The scam is effective precisely because it looks mundane, which means awareness and hardening can go a long way.
👉 Takeaway:
Sometimes the most expensive breach in the room is hiding behind a convenience feature everyone forgot to turn off. Default settings still deserve a threat model.
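What "turn the feature off" looks like in practice, as an added example (not Zoom's code, and not anything the victim or The Record published): an audit of a user's Zoom settings for remote control and remote support, the hardened settings body, and the API call to apply it. It assumes the user-settings shape returned by GET /users/{userId}/settings, where in_meeting.remote_control and in_meeting.remote_support are booleans; those field names are taken from Zoom's API documentation as an assumption, so verify them against your account before relying on the script.

```python
"""Audit and disable Zoom remote-control features via the Zoom REST API.

Added example, not Zoom's own tooling. Assumptions: the settings JSON has the
shape returned by GET /users/{userId}/settings, the in_meeting.remote_control
and in_meeting.remote_support booleans exist under that name, and a bearer
token with user:write:admin scope is available. The audit logic is kept
separate from the network call so it can run offline on exported JSON.
"""
import json
import urllib.request

ZOOM_API = "https://api.zoom.us/v2"

# Setting name -> why a security team cares. A guest who is granted remote
# control drives the host's desktop, which is the whole ELUSIVE COMET trick.
RISKY_KEYS = {
    "remote_control": "participants can be given remote control of a shared screen",
    "remote_support": "remote support session can take over the desktop",
}


def remote_control_findings(settings: dict) -> list:
    """Return (key, reason) for each risky in_meeting setting that is on."""
    in_meeting = settings.get("in_meeting") or {}
    return [(k, why) for k, why in RISKY_KEYS.items() if in_meeting.get(k) is True]


def hardening_patch() -> dict:
    """Body for PATCH /users/{userId}/settings that turns both features off."""
    return {"in_meeting": {k: False for k in RISKY_KEYS}}


def apply_hardening(user_id: str, token: str) -> None:
    """Apply the hardened settings to one user. Zoom answers 204 on success."""
    req = urllib.request.Request(
        f"{ZOOM_API}/users/{user_id}/settings",
        data=json.dumps(hardening_patch()).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        if resp.status != 204:
            raise RuntimeError(f"unexpected status {resp.status} for {user_id}")


# Constructed sample: what a default-ish user looks like before hardening.
SAMPLE_SETTINGS = {
    "in_meeting": {
        "remote_control": True,
        "remote_support": False,
        "screen_sharing": True,
    }
}


if __name__ == "__main__":
    for key, why in remote_control_findings(SAMPLE_SETTINGS):
        print(f"[WARN] in_meeting.{key} is enabled: {why}")
    print("patch body:", json.dumps(hardening_patch()))
    # apply_hardening("user@example.com", token)  # run with a real token
```

Per-user changes are only durable if the account-level setting is also turned off and locked, otherwise a user who finds remote control convenient can switch it back on; this example stops at the user level and leaves the account lock to your admin console.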
TL;DR
A Zoom call became a remote-access scam and cost the victim up to $200,000. Fancy tools were not the star. Trust was.
Further Reading: The Record
Enjoying Exzec Cyber? Forward this to one person who cares about staying ahead of attacks
Hate everything you see or have other feedback? Reply back to this email!