- Exzec Cyber Newsletter
Remote Worker or Rogue Nation?
Salesforce phishing, voice-cloning fraud, and one North Korean plot straight out of Black Mirror.
⏱️ ≈ 6‑minute read
Editor’s Note: If your inbox feels like a movie script lately, you're not alone. This week’s threats—from Salesforce phishing extortion to fake court orders and nation-backed remote workers—blur the line between cybercrime and cyber theater.

📬 This Week’s Clickables
📌 Big News – Salesforce phishing sparks multi-org extortion; SafePay gang threatens 3.5TB leak
🚨 Can’t Miss – Bouygues breach, DaVita patient leak, Huawei router exploit, Ukrainian court phishing, Meta verdict
🤖 AI in Cyber – Copilot prompt injection, voice deepfake warning, AI malware in panda pics, and California’s watered-down AI rules
🧪 Strange Cyber Story – The woman who helped North Korean agents apply for jobs in U.S. tech
📌 Big Stories
😵💫 Salesforce Phishing Attacks Spiral into ShinyHunters Extortion Scheme
Intro: Dozens of major firms—including Cisco, Chanel, and Qantas—are being extorted after cybercriminals phished employee credentials tied to Salesforce accounts.
What Happened: Starting in March, attackers used phone calls and phishing to talk employees into authorizing a malicious OAuth connected app against their Salesforce org, or simply into handing over their logins. Salesforce says its platform itself was not breached, but Google's threat intelligence team counts at least 20 victim organizations, Google itself among them. Now a group calling itself ShinyHunters is threatening to leak the stolen customer data unless victims pay in Bitcoin.
Why It’s Important: This is a real-time case study in why OAuth attacks and vishing are rising: attackers bypass software controls and hijack trust. Big names with secure systems still fell to low-tech scams.
The Other Side: Salesforce insists this is not a technical compromise—security controls worked. The flaw was human.
The Takeaway: Cloud platforms don’t just need MFA—they need user training, strict app vetting, and monitoring. Assume credentials will be stolen.
TL;DR: Hackers phished Salesforce logins and are now extorting dozens of companies, including Cisco. The platform wasn't hacked—people were.
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” — Bruce Schneier
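What "monitoring" looks like in practice for a consent-phishing campaign like this one: once a user approves a connected app with broad scopes, the app's refresh token keeps working regardless of MFA or a later password reset, so the thing to watch is the grant itself and what the app does right after. The script below is an added example, not code from the newsletter or from Salesforce; the pipe-delimited event format, the app allow-list, and the 24-hour/10,000-row thresholds are all constructed for illustration and do not match any vendor's real audit-log schema.

```python
"""Flag consent-phishing patterns in OAuth grant and export events.

Added example, not code from the newsletter or from Salesforce. The log
format below is constructed for the example and does not match any vendor's
real audit-log schema; the allow-list and thresholds are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Scopes that let a third-party app read data on the user's behalf and keep
# doing so via refresh tokens, long after the phone call that got it approved.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

# Hypothetical allow-list of connected apps that went through app vetting.
APPROVED_APPS = {"Corp Data Loader", "Corp BI Connector"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str                 # "oauth_grant" or "bulk_export"
    app: str
    scopes: frozenset[str]    # only meaningful for oauth_grant
    rows: int                 # only meaningful for bulk_export


def parse_line(line: str) -> Event:
    """Constructed format: ts|user|kind|app|comma-separated scopes|rows."""
    ts, user, kind, app, scopes, rows = line.strip().split("|")
    return Event(
        ts=datetime.fromisoformat(ts),
        user=user,
        kind=kind,
        app=app,
        scopes=frozenset(s for s in scopes.split(",") if s),
        rows=int(rows) if rows else 0,
    )


def suspicious_grants(events, window=timedelta(hours=24), min_rows=10_000):
    """Return (user, app, reasons) for grants with at least two red flags.

    Requiring two corroborating signals keeps a lone "unknown app" from paging
    the SOC every time someone tries a new calendar plug-in.
    """
    alerts = []
    for g in (e for e in events if e.kind == "oauth_grant"):
        reasons = []
        if g.app not in APPROVED_APPS:
            reasons.append("app not on allow-list")
        broad = g.scopes & BROAD_SCOPES
        if broad:
            reasons.append("broad scopes: " + ",".join(sorted(broad)))
        # Bulk exports by the same app and user inside the window after the grant.
        exported = sum(
            e.rows for e in events
            if e.kind == "bulk_export" and e.app == g.app and e.user == g.user
            and g.ts <= e.ts <= g.ts + window
        )
        if exported >= min_rows:
            reasons.append(f"{exported} rows exported within {window}")
        if len(reasons) >= 2:
            alerts.append((g.user, g.app, reasons))
    return alerts


# Constructed sample events: one vetted app, one unknown read-only plug-in,
# and one unknown app granted full access that starts exporting minutes later.
SAMPLE_LOG = """\
2025-06-02T10:05:00|alice|oauth_grant|Corp Data Loader|api,refresh_token|
2025-06-02T14:12:00|bob|oauth_grant|Ticket Helper|full,refresh_token|
2025-06-02T14:40:00|bob|bulk_export|Ticket Helper||250000
2025-06-03T09:00:00|carol|oauth_grant|Calendar Sync|read|
"""


def run_sample():
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line]
    return suspicious_grants(events)


if __name__ == "__main__":
    for user, app, reasons in run_sample():
        print(f"ALERT {user} -> {app}: {'; '.join(reasons)}")
```

Run as-is and only bob's "Ticket Helper" grant fires: it is off the allow-list, it holds full plus refresh_token scopes, and it pulls 250,000 rows within half an hour of approval. The vetted Data Loader grant with the same broad scopes stays quiet, and the unknown read-only calendar plug-in trips one flag but not two. The response step the script does not do for you is revoking the app's refresh token; resetting the user's password alone will not cut the attacker off.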
🧧 Ingram Micro Faces 3.5TB Leak Deadline from SafePay Ransomware Gang
Intro: After recovering from a ransomware attack, Ingram Micro now faces a second blow—SafePay is threatening to leak 3.5 terabytes of its stolen internal data.
What Happened: SafePay hit the global tech distributor in early July, briefly disrupting systems. Ingram restored operations quickly, but now the gang has posted a countdown and claims to have exfiltrated sensitive data, from emails to partner documents.
Why It’s Important: Ingram Micro’s reach across global supply chains makes this potentially massive. Even without encryption, data theft and leak threats can be just as disruptive.
The Other Side: Ingram hasn’t confirmed SafePay as the attacker and says it’s still investigating. As of the August 1 deadline, no data had actually been leaked (yet).
The Takeaway: Uptime doesn’t mean you're safe—today’s ransomware gangs extort without encrypting. You need both backup and breach response playbooks.
TL;DR: Ingram Micro restored systems after a ransomware hit—but now faces a looming 3.5TB data leak from the SafePay gang.
🔥 Can’t Miss
📡 Bouygues Telecom Breach Exposes 6.4M Customers – France’s third-largest mobile carrier confirmed a breach impacting millions of records, including contract and banking details. The CNIL has been notified.
🏥 DaVita Notifies 1M Patients After April Ransomware Breach – The Interlock gang exfiltrated health and insurance data. Clinics stayed open, but breach notices now reveal the scale.
📶 Huawei Router Exploit Causes Telecom Outage in Luxembourg – A cyberattack exploiting Huawei gear knocked out Luxembourg’s mobile network and emergency calls for over 3 hours.
📨 Fake Court Summons Used to Hack Ukraine’s Military – CERT-UA warns of phishing disguised as legal notices to plant malware, likely linked to Russian actors.
🔒 Meta Loses Jury Trial Over Flo Health Privacy Violations – Jury rules Meta illegally collected reproductive health data from Flo app users without consent.
SOC 2 in Days, Not Quarters.
Delve gets you SOC 2, HIPAA, and more—fast. AI automates the grunt work so you're compliant in just 15 hours. Lovable, 11x, and Bland unlocked millions.
We’ll even migrate you from your old platform.
beehiiv readers: $1,000 off + free AirPods with code BEEHIV1KOFF.
🤖 AI in Cyber
🛡 Enterprise Copilots Vulnerable to Silent Prompt Injection – At Black Hat, researchers showed how enterprise AI assistants can be hijacked to leak or alter data without clicks.
📜 California Passes Narrow AI Decision Rules – New rules let residents opt out of decisions made entirely by automated tools, but the right falls away as soon as a human is involved in the decision, which is why critics call the rules watered down.
📞 Sam Altman Warns AI Voice Deepfakes Could Spark Crisis – OpenAI’s CEO says cloned voices will soon bypass identity checks entirely, creating a fraud epidemic.
🐼 AI-Generated Malware Hides in Panda Images – “Koske” cryptominer hides inside JPEGs, possibly built with LLMs, and targets exposed Jupyter servers.
🧟♂️ Strange Cyber
🎭 The Woman Who Helped North Korean IT Workers Land U.S. Jobs
Intro: A U.S. woman was just sentenced to 102 months (about 8.5 years) for helping North Korean developers pose as American remote workers. Her clients? Fortune 500s.
What Happened: Christina Chapman acted as the U.S. face of the scheme, shipping out stolen identities for job applications and running a “laptop farm” of 90+ company-issued laptops in her home. The real workers? North Korean IT operatives logging in remotely from overseas and wiring their pay back to fund the regime’s weapons programs.
Why It’s Important: This wasn't just fraud—it was national security. These insiders could’ve accessed source code, credentials, or customer data at major U.S. firms—all while posing as helpful coders.
The Other Side: Chapman, who was reportedly in financial distress, may have been manipulated. But the scheme shows how geopolitical threats can hide behind login screens.
The Takeaway: In the remote work era, HR is part of your cyber defense. Verify new hires. Trust, but verify. Then verify again.
TL;DR: A woman helped North Korean agents land real remote jobs in U.S. tech firms. No malware needed—just resumes and fake Zoom calls.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!