
Stay ahead of the latest cybersecurity trends with Cyberside Chats! Listen to our weekly podcast every Tuesday at 6:30 a.m. ET, and join us live once a month for breaking news, emerging threats, and actionable solutions. Whether you’re a cybersecurity professional or an executive looking to understand how to protect your organization, cybersecurity experts Sherri Davidoff and Matt Durrin will help you stay informed and proactively prepare for today’s top cybersecurity threats, AI-driven attack and defense strategies, and more!
Join us monthly for an interactive Cyberside Chats: Live! Our next session will be announced soon.
Episodes

2 days ago
When we first covered the Salesforce–Drift breach, we knew it was bad. Now it’s clear the impact is even bigger. Hundreds of organizations — including Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, Rubrik, and even financial firms like Wealthsimple — have confirmed they were affected. The root cause? A compromised GitHub account that opened the door to Drift’s AWS environment and gave attackers access to Salesforce and other cloud integrations.
In Part 2, Sherri Davidoff and Matt Durrin dig into the latest updates: what’s new in the investigation, why more victim disclosures are coming, and how the GitHub compromise ties into a wider trend of supply chain attacks like GhostAction. They also share practical advice for what to do if you’ve been impacted by Drift — or if you want to prepare for the next third-party SaaS compromise.
Tips for SaaS Incident Response:
- Treat this as an incident: don’t wait for vendor confirmation before acting. Vendor disclosure may lag by days, so start your own response immediately.
- Notify your cyber insurance provider:
  - Provide notice as soon as possible.
  - Insurers may share early IOCs, coordinate with vendors, and advocate for your org alongside other affected clients.
  - They can also connect you with funded IR and legal resources.
- Engage external support:
  - Bring in your IR firm to investigate and document.
  - Work with legal counsel to determine whether notification obligations are triggered.
- Revoke and rotate credentials:
  - Cycle API keys, OAuth tokens, and active sessions.
  - Rotate credentials for connected service accounts.
- Inventory your data:
  - Identify what sensitive Salesforce (or other SaaS) data is stored.
  - Check whether support tickets, logs, or credentials were included.
- Search for attacker activity:
  - Review advisories for malicious IPs, user agents, and behaviors.
  - Don’t rely solely on vendor-published IOCs; they may be incomplete.

Tuesday Sep 09, 2025
Connected App, Connected Risk: The Salesforce–Drift Incident
A single weak app integration opened the door for attackers to raid data from some of the world’s largest companies. Salesforce environments were hit hardest—with victims like Cloudflare, Palo Alto Networks, and Zscaler—but the blast radius also reached other SaaS platforms, including Google Workspace. In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down the Salesforce–Drift breach: how OAuth tokens became skeleton keys, why media headlines about billions of Gmail users were wrong, and what organizations need to do to protect themselves from similar supply chain attacks.
Key Takeaways
- Ensure Vendors Conduct Rigorous Technical Security Testing – Require penetration tests and attestations from third- and fourth-party SaaS providers.
- Limit App Permissions to “Least Privilege” – Scope connected apps only to the fields and objects they truly need.
- Implement Regular Key Rotation – Automate key rotation with vendor tools (e.g., AWS recommends every 60–90 days) to reduce the risk of leaked or stolen keys.
- Monitor for Data Exfiltration – Watch for unusual queries, spikes in API usage, or large Bulk API jobs.
- Limit Data Exfiltration Destinations – Restrict where exports and API jobs can go (approved IPs or managed locations).
- Integrate SaaS Risks into Your Incident Response Plan – Include guidance on rapidly revoking or rotating OAuth tokens and keys after a compromise.
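A worked triage pass over the kind of API event data that the SaaS incident response tips and the exfiltration-monitoring takeaways above tell you to check, as an added example (not code from the episode, from Salesforce, or from any vendor advisory). The records mimic Salesforce EventLogFile fields and are constructed for the example; the IOC IPs and user agents are placeholders that you would replace with the values published in the vendor advisories for your incident; the bulk-row threshold and API burst window are assumptions you would set from your own baseline.

```python
"""Triage of Salesforce-style API event records after a SaaS supply-chain compromise.

Added example, not from the podcast or from Salesforce. Records are constructed
to resemble EventLogFile rows; IOC lists are placeholders for advisory values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events:
# (timestamp, event_type, user, client_ip, user_agent, rows_processed)
SAMPLE_EVENTS = [
    ("2025-08-10T02:01:00Z", "BulkApi", "integ-drift@corp", "203.0.113.10", "python-requests/2.32.4", 850000),
    ("2025-08-10T02:07:00Z", "BulkApi", "integ-drift@corp", "203.0.113.10", "python-requests/2.32.4", 920000),
    ("2025-08-10T02:09:00Z", "ApiTotalUsage", "integ-drift@corp", "203.0.113.10", "python-requests/2.32.4", 0),
    ("2025-08-10T09:15:00Z", "BulkApi", "reporting-svc@corp", "198.51.100.5", "Salesforce-CLI/2.0", 40000),
    ("2025-08-10T10:00:00Z", "ApiTotalUsage", "alice@corp", "198.51.100.7", "Mozilla/5.0", 0),
    ("2025-08-11T03:00:00Z", "ApiTotalUsage", "alice@corp", "192.0.2.66", "Mozilla/5.0", 0),
]

# Placeholder IOCs (constructed); replace with the values from the vendor advisories.
IOC_IPS = {"203.0.113.10", "192.0.2.66"}
IOC_USER_AGENTS = {"python-requests/2.32.4"}

# Assumed baseline: anything above this many rows in one Bulk API job is unusual here.
BULK_ROW_THRESHOLD = 100_000
# Assumed burst definition: this many API events from one user inside the window.
API_BURST_WINDOW = timedelta(minutes=10)
API_BURST_COUNT = 3


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, ioc_ips=IOC_IPS, ioc_agents=IOC_USER_AGENTS):
    """Return {finding_type: [(user, detail), ...]} for the four checks below.

    Checks: source IP on the IOC list, user agent on the IOC list, oversized
    Bulk API jobs, and per-user API bursts. IOC matches are the strongest
    signal, but the size/burst checks also catch activity the published
    IOCs miss, which is the point of not relying on vendor IOCs alone.
    """
    findings = defaultdict(list)
    per_user_times = defaultdict(list)   # sliding window of recent event times per user
    for ts, etype, user, ip, ua, rows in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if ip in ioc_ips:
            findings["ioc_ip"].append((user, ip))
        if ua in ioc_agents:
            findings["ioc_user_agent"].append((user, ua))
        if etype == "BulkApi" and rows > BULK_ROW_THRESHOLD:
            findings["large_bulk_job"].append((user, rows))
        times = per_user_times[user]
        times.append(t)
        while times and t - times[0] > API_BURST_WINDOW:
            times.pop(0)                  # drop events that fell out of the window
        if len(times) == API_BURST_COUNT:  # fires once, when the threshold is first reached
            findings["api_burst"].append((user, ts))
    return dict(findings)


def accounts_to_rotate(findings):
    """Users that appear in any finding: revoke their sessions and tokens first."""
    return sorted({user for hits in findings.values() for user, _ in hits})


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for kind, hits in result.items():
        print(kind, hits)
    print("rotate first:", accounts_to_rotate(result))
```

In a real investigation the input would come from the EventLogFile export (or the login history and setup audit trail), and the rotation list feeds straight into the "revoke and rotate credentials" step: the integration user with the large jobs and the IOC user agent is the connected app's identity, so its OAuth tokens go first.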
References
- Google Threat Intelligence Group advisory on UNC6395 / Drift OAuth compromise
- Cloudflare disclosure on the Drift incident
- Zscaler security advisory on Drift-related Salesforce breach
- LMG Security Blog – Third-Party Risk Management Lessons

Tuesday Sep 02, 2025
Betrayal, Backdoors, and Payback: When Hackers Become the Hacked
Hackers aren’t untouchable—and sometimes, they become the victims. From North Korean operatives getting exposed at DEF CON, to ransomware gangs like Conti and LockBit crumbling under betrayal and rival leaks, the underground is full of double-crosses and takedowns. Now, Congress is even debating whether to bring back “letters of marque” to authorize cyber privateers to hack back on behalf of the United States. Join LMG Security’s Sherri Davidoff and Matt Durrin for a fast-paced discussion of headline cases, the lessons defenders can learn from these leaks, and what the future of hacker-on-hacker warfare could mean for your organization.
Key Takeaways
- Don’t mythologize adversaries. State actors and ransomware gangs are fallible; design defenses to exploit their mistakes.
- Invest in visibility. Many hacker exposures happened because attackers reused credentials, tools, or infrastructure — the same patterns defenders can detect if monitoring is strong.
- Watch for insider threats. Disgruntled employees or partners can dismantle even powerful groups — monitor for early warning signs.
- Use leaks for training and education. Incorporate hacker chat logs, playbooks, and leaked toolkits into exercises to build staff skills and awareness.
- Adapt your IR playbooks. Align response plans with real-world attacker tactics revealed in leaks — and be ready to update as new intelligence emerges.
Resources
- TechCrunch: Hackers Breach and Expose a Major North Korean Spying Operation
- TheRegister: Congressman proposes bringing back letters of marque for cyber privateers
- LMG Security: Our Q3 2024 Top Control is Third-Party Risk Management

Tuesday Aug 26, 2025
Printer Problems: Trump, Putin, and a Costly Mistake
On the eve of the Trump–Putin summit, sensitive U.S. State Department documents were left sitting in a hotel printer in Anchorage. Guests stumbled on pages detailing schedules, contacts, and even a gift list—sparking international headlines and White House mockery.
But the real story isn’t just about geopolitics. It’s about how unmanaged printers—at hotels, in home offices, and everywhere in between—remain one of the most overlooked backdoors for data leaks. In this episode of Cyberside Chats, Sherri and Matt unpack the Alaska incident, explore why printers are still a weak spot in the age of remote and traveling workforces, and share practical steps to secure them.
Key Takeaways for Security & IT Leaders
- Reduce reliance on unmanaged printers by promoting secure digital workflows. Encourage employees to use e-signatures and encrypted file sharing instead of printing.
- Update remote work policies to cover home and travel printing. Most organizations don’t monitor printing outside the office—explicit rules reduce blind spots.
- Require secure wiping or destruction of printer hard drives before disposal. Printers retain sensitive files and credentials, which can walk out the door if not properly handled.
- Implement secure enterprise printing with authenticated release and HDD encryption. Treat printers as endpoints and apply the same safeguards you would for laptops.
- Train employees to recognize that printers are data risks, not just office equipment. Awareness helps prevent careless mistakes like walk-away leaks or using hotel printers.
Resources
- Dark Reading: “Printers’ Cybersecurity Threats Too Often Ignored”
- LMG Security: “Work from Home Cybersecurity Checklist”

Tuesday Aug 19, 2025
Mass Salesforce Hacks: How Criminals Are Targeting the Cloud Supply Chain
A wave of coordinated cyberattacks has hit Salesforce customers across industries and continents, compromising millions of records from some of the world’s most recognized brands — including Google, Allianz Life, Qantas, LVMH, and even government agencies.
In this episode of Cyberside Chats, Sherri Davidoff and Matt Durrin break down how the attackers pulled off one of the most sweeping cloud compromise campaigns in recent memory — using no zero-day exploits, just convincing phone calls, malicious connected apps, and gaps in cloud supply chain security.
We’ll explore the attack timeline, parallels to the Snowflake breaches, ties to the Scattered Spider crew, and the lessons security leaders need to act on right now.
Key Takeaways
- Use phishing-resistant MFA — FIDO2 keys, passkeys.
- Train for vishing resistance — simulate phone-based social engineering.
- Monitor for abnormal data exports from SaaS platforms.
- Lock down your Salesforce platform — vet and limit connected apps.
- Rehearse rapid containment — revoke OAuth tokens, disable accounts fast.
References
- BleepingComputer – ShinyHunters behind Salesforce data theft at Qantas, Allianz Life, LVMH

Tuesday Aug 12, 2025
North Korea’s Deepfake Remote Workers: How They’re Getting Inside U.S. Companies
On National Social Engineering Day, we’re pulling the lid off one of the most dangerous insider threat campaigns in the world — North Korea’s fake remote IT worker program.
Using AI-generated résumés, real-time deepfake interviews, and U.S.-based “laptop farms,” DPRK operatives are gaining legitimate employment inside U.S. companies — funding nuclear weapons programs and potentially opening doors to cyber espionage.
We’ll cover the recent U.S. sanctions, the Christina Chapman laptop farm case, and the latest intelligence from CrowdStrike on FAMOUS CHOLLIMA — plus, we’ll give you specific, actionable ways to harden your hiring process and catch these threats before they embed inside your network.
Actionable Takeaways for Defenders
- Verify Beyond the Résumé: Pair government ID checks with independent work history and social profile verification. Use services to flag synthetic or stolen identities.
- Deepfake-Proof Interviews: Add unscripted, live identity challenges during video calls (lighting changes, head turns, holding ID on camera).
- Geolocation & Device Monitoring: Implement controls to detect impossible travel, VPN/geolocation masking, and multiple logins from the same endpoint for different accounts.
- Watch for Multi-Job Signals: Monitor productivity patterns and unusual scheduling; red flags include unexplained work delays, identical deliverables across projects, or heavy reliance on AI-generated output.
- Hold Your Vendors to the Same Standard: Ensure tech vendors and contractors use equivalent vetting, monitoring, and access control measures. Bake these requirements into contracts and third-party risk assessments.
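The geolocation and device checks in the list above, turned into detection logic, as an added example that is not code from the episode or from any vendor product. The login records and coordinates are constructed for the example, and the 900 km/h plausibility ceiling and the one-account-per-device rule are assumptions you would tune for your own workforce.

```python
"""Login-telemetry checks for fake remote-worker signals.

Added example, not from the podcast or any vendor tool. Login records and
coordinates are constructed; the thresholds are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0    # roughly airliner speed; assumed ceiling for real travel
MAX_ACCOUNTS_PER_DEVICE = 1  # assumed: one worker per company laptop

# Constructed login events: (timestamp, account, device_id, lat, lon, via_vpn)
LOGINS = [
    ("2025-08-01T09:00:00Z", "jdoe",   "LT-1042", 41.88,  -87.63, False),  # Chicago
    ("2025-08-01T10:30:00Z", "jdoe",   "LT-1042", 39.03,  125.75, False),  # East Asia, 90 minutes later
    ("2025-08-01T09:05:00Z", "asmith", "LT-1042", 41.88,  -87.63, False),  # same laptop as jdoe
    ("2025-08-01T11:00:00Z", "bchen",  "LT-2201", 47.61, -122.33, True),   # Seattle, through a VPN
    ("2025-08-02T09:00:00Z", "bchen",  "LT-2201", 47.61, -122.33, False),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Accounts whose consecutive logins imply travel faster than max_kmh.

    Returns (account, earlier_ts, later_ts, km, kmh) per violation.
    """
    flagged = []
    by_account = defaultdict(list)
    for rec in logins:
        by_account[rec[1]].append(rec)
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r[0])
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if km < 1.0:
                continue  # same place; nothing to explain
            hours = (parse_ts(cur[0]) - parse_ts(prev[0])).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                flagged.append((account, prev[0], cur[0], round(km), round(speed)))
    return flagged


def shared_devices(logins, max_accounts=MAX_ACCOUNTS_PER_DEVICE):
    """Devices used by more distinct accounts than one worker should need (laptop-farm signal)."""
    accounts = defaultdict(set)
    for _, account, device, *_ in logins:
        accounts[device].add(account)
    return {d: sorted(a) for d, a in accounts.items() if len(a) > max_accounts}


def vpn_masked_accounts(logins):
    """Accounts that logged in through a VPN/proxy at least once: a review queue, not a verdict."""
    return sorted({a for _, a, _, _, _, vpn in logins if vpn})


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(LOGINS))
    print("shared devices:", shared_devices(LOGINS))
    print("vpn-masked:", vpn_masked_accounts(LOGINS))
```

The VPN flag on its own is weak evidence, since plenty of legitimate staff use VPNs, which is why it is kept separate from the two stronger signals; the combination of a shared device and an impossible-travel hit on the same laptop is what should page someone.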
References
- U.S. Treasury Press Release – Sanctions on DPRK IT Worker Scheme
- CrowdStrike 2025 Threat Hunting Report – Profile of FAMOUS CHOLLIMA’s AI-powered infiltration methods
- National Social Engineering Day – KnowBe4 Announcement Honoring Kevin Mitnick

Tuesday Aug 05, 2025
The Amazon Q AI Hack: A Wake-Up Call for Developer Tool Security
A silent compromise, nearly a million developers affected, and no one at Amazon knew for six days. In this episode of Cyberside Chats, we’re diving into the Amazon Q AI Hack, a shocking example of how vulnerable our software development tools have become.
Join hosts Sherri Davidoff and Matt Durrin as they unpack how a misconfigured GitHub token allowed a hacker to inject destructive AI commands into a popular developer tool. We’ll walk through exactly what happened, how GitHub security missteps enabled the attack, and why this incident is a critical wake-up call for supply chain security and AI tool governance.
We’ll also spotlight other supply chain breaches like the SolarWinds Orion backdoor and XZ Utils compromise, plus AI tool mishaps where “helpful” assistants caused real-world damage. If your organization uses AI developer tools—or works with third-party software vendors—this episode is a must-listen.
Key Takeaways:
▪ Don’t Assume AI Tools Are Safe Just Because They’re Popular
Amazon Q had nearly a million installs—and it still shipped with malicious code. Before adopting any AI-based tools (like Copilot, Q, or Gemini), vet their permissions, access scope, and how updates are managed.
▪ Ask Your Software Vendors About Their Supply Chain Security
If you rely on third-party developers or vendors, request details on how they manage build pipelines, review code changes, and prevent unauthorized commits. A compromised vendor can put your entire environment at risk.
▪ Hold Vendors Accountable for Secure Development Practices
Ask whether your vendors enforce commit signing, use GitHub security features (like push protection and secret scanning), and apply multi-person code review processes. If they can't answer, that's a red flag.
▪ Be Wary of Giving AI Assistants Too Much Access
Whether it’s an AI chatbot that can write config files or a developer tool that interacts with production environments, limit access. Always sandbox and monitor AI-integrated tools, and avoid letting them make direct changes.
▪ Prepare to Hear About Breaches From the Outside
Just like Amazon only found out about the malicious code in Q after security researchers reported it, many organizations won’t catch third-party security issues internally. Make sure you have monitoring tools, vendor communication protocols, and incident response processes in place.
▪ If You Develop Code Internally, Lock Down Your Build Pipeline
The Amazon Q hack happened because of a misconfigured GitHub token in a CI workflow. If you’re building your own code, review permissions on GitHub tokens, enforce branch protections, and require signed commits to prevent unauthorized changes from slipping into production.
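A static check for the workflow mistakes the takeaways above describe (an over-scoped token, untrusted pull-request code running with that token, and actions referenced by mutable tags), as an added example that is not Amazon's, GitHub's, or the podcast's code and makes no claim about which setting Amazon actually had. Both workflows are constructed, the commit SHAs in the hardened one are placeholders, and the audit is a line-oriented scan rather than a full YAML parser, so use it as a CI gate for obvious mistakes, not as a complete policy engine.

```python
"""Static checks for GitHub Actions workflows: token permissions and action pinning.

Added example; not Amazon's or GitHub's code. Workflows below are constructed.
"""
import re

# Constructed: the permissive pattern that hands a write-capable token to untrusted PR code.
WEAK_WORKFLOW = """\
name: build
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/publish-action@main
      - run: ./build.sh
"""

# Constructed: read-only default token, a narrow per-job grant, and SHA-pinned actions.
# The SHAs are placeholders, not real commits.
HARDENED_WORKFLOW = """\
name: build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/publish-action@fedcba9876543210fedcba9876543210fedcba98
      - run: ./build.sh
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
TOP_PERMS_RE = re.compile(r"^permissions:\s*(\S*)\s*$", re.M)


def audit_workflow(text):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = []

    # 1. Top-level GITHUB_TOKEN scope.
    m = TOP_PERMS_RE.search(text)
    if m is None:
        findings.append("no top-level permissions block: GITHUB_TOKEN gets the repository "
                        "default, which may include write scopes")
    elif m.group(1) == "write-all":
        findings.append("top-level permissions: write-all grants every scope to GITHUB_TOKEN")

    # 2. pull_request_target runs with the base repo's secrets; checking out the PR head
    #    then executes untrusted code with them.
    if re.search(r"^\s*pull_request_target:", text, re.M) and \
            "github.event.pull_request.head" in text:
        findings.append("pull_request_target checks out the PR head: untrusted code "
                        "runs with the base repository's token")

    # 3. Every third-party action should be pinned to an immutable commit SHA.
    for line in text.splitlines():
        um = USES_RE.match(line)
        if not um:
            continue
        ref = um.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions are out of scope for this check
        if "@" not in ref:
            findings.append(f"{ref}: no ref at all")
            continue
        action, _, version = ref.rpartition("@")
        if not SHA_RE.match(version):
            findings.append(f"{action}: pinned to mutable ref '{version}' instead of a commit SHA")
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or ["ok"])
```

Pinning to a SHA removes the case where a tag such as `v4` or a branch such as `main` is moved to malicious code after review; the read-only top-level `permissions` block means a job that needs to write must say so explicitly, which is exactly the kind of change that should be conspicuous in code review.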

Tuesday Jul 29, 2025
Iran’s Cyber Surge: Attacks Intensify in 2025
Iranian cyber operations have sharply escalated in 2025, targeting critical infrastructure, defense sectors, and global businesses—especially those linked to Israel and the U.S. From destructive malware and coordinated DDoS attacks to sophisticated hack-and-leak campaigns leveraging generative AI, Iranian threat actors are rapidly evolving. Join us to explore their latest tactics, notable incidents, and essential strategies to defend your organization.
Hosts Sherri Davidoff and Matt Durrin break down wiper malware trends, AI-powered phishing, the use of deepfakes for psychological operations, and the critical role of patching and MFA in protecting against collateral damage.
Key Takeaways for Cybersecurity Leaders
- Patch Internet-Facing Systems Promptly: Iranian attackers frequently exploit unpatched systems—especially VPNs, SharePoint, and other perimeter-facing tools. Microsoft’s July Patch Tuesday alone included 137 vulnerabilities, including actively exploited zero-days. Stay current to avoid being an easy target.
- Implement Phishing-Resistant Multifactor Authentication (MFA): Groups like Charming Kitten are leveraging generative AI to craft convincing spear phishing emails. Use MFA methods such as FIDO2 security keys, biometrics, or passkeys. Avoid push fatigue, SMS codes, or email-based MFA which are easily phished or bypassed.
- Segment and Secure Critical IT & OT Systems: Assume attackers will get in. Segment IT from OT networks (especially SCADA/ICS environments) and limit lateral movement. Iranian campaigns have crossed into OT, targeting backups and sabotaging ICS operations.
- Maintain Robust, Tested Backup and Recovery Systems: Wiper malware and ransomware deployed by Iranian groups have destroyed both live data and backups. Use immutable or offline backups, and test full restores. Automate reimaging processes to ensure rapid recovery at scale.
- Raise Awareness Against Sophisticated Social Engineering: Train staff to recognize AI-generated phishing and deepfake audio/video attacks. Iran has used deepfakes to spread disinformation and influence public perception. Show your team what deepfakes look and sound like so they can spot them in the wild.
Resources & References
- CISA/FBI/NSA Joint Advisory: https://www.cisa.gov/sites/default/files/2025-06/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf
- Unit 42 Report: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/
- Deepwatch Threat Intel: https://www.deepwatch.com/labs/customer-advisory-elevated-iranian-cyber-activity-post-u-s-strikes/
- LMG Security – Defending Against Generative AI Attacks: https://lmgsecurity.com/defend-against-generative-ai-attacks/

Looking for more cybersecurity resources?
Check out our additional resources:
Blog: https://www.LMGsecurity.com/blog/
Top Controls Reports: https://www.LMGsecurity.com/top-security-controls-reports/
Videos: www.youtube.com/@LMGsecurity