Cyber Extortion, Ukraine's Cyber Offensive, and Chrome Trust Shake-up

Jun 06, 2025 (12 min)

Episode description


Cybersecurity Today, hosted by Jim Love, delves into the latest in cyber threats. Cyber criminals have breached about 20 organizations via convincing fake IT support calls that connect a malicious Data Loader app to the victims' Salesforce environments, and later use the stolen data for extortion. Ukraine's intelligence claims a significant cyber operation against Russia's aircraft manufacturer, stealing sensitive data and highlighting Ukraine's growing cyber capabilities. Google Chrome will stop trusting certificates issued after July 31 by two major certificate authorities due to compliance failures, affecting millions of web visitors. Lastly, a $400 million hack on Coinbase was executed with phone cameras pointed at screens by bribed outsourced-support employees, a reminder of the potency of simple attacks.

00:00 Introduction and Headlines
00:23 Fake IT Support Scam Hits 20 Companies
03:52 Ukraine's Cyber Operation Against Russia
07:05 Google Chrome Stops Trusting Two Certificate Authorities
09:11 $400 Million Hack from a Phone Camera
11:24 Conclusion and Contact Information

Transcript

Fake IT support calls scam hits 20 companies. Ukraine destroys bombers, then breaches the bomber manufacturer. Chrome stops recognizing two certificate authorities over trust failures. And when old school beats high tech: the $400 million hack from a phone camera. This is Cybersecurity Today.

I'm your host, Jim Love. Cyber criminals are using convincing fake IT support calls and have successfully breached approximately 20 organizations across the hospitality, retail, and education sectors, stealing sensitive Salesforce data that they later use for extortion demands.

Google's Threat Intelligence Group yesterday revealed details of the ongoing campaigns by a financially motivated group dubbed UNC6040, which specializes in voice phishing attacks, specifically targeting Salesforce environments for large-scale data theft. The scammers' approach is deceptively simple, yet highly effective: criminals call employees at English-speaking branches of multinational corporations, impersonating IT support personnel with convincing technical knowledge.

During these calls, they guide victims to Salesforce's legitimate connected apps setup page and provide an eight-digit connection code. This seemingly harmless action connects a malicious version of Salesforce's Data Loader application to the victim's environment.

The fake app, which appears legitimate with modified branding, grants attackers immediate access to query and steal sensitive customer and business data directly from Salesforce accounts. After establishing their foothold, UNC6040 doesn't stop at Salesforce data. The group uses harvested credentials to move laterally through victim networks, accessing additional platforms, including Okta, Microsoft 365, and Workplace, to maximize their data theft.

The attackers also trick victims into visiting fraudulent sites from their mobile devices during social engineering calls to capture additional authentication credentials. What makes this campaign particularly concerning is the timing of these extortion demands. Google reports that in some cases, criminals wait several months after the initial breach before demanding ransom payments, suggesting UNC6040 may be partnering with separate groups that specialize in monetizing stolen data. During extortion attempts, the attackers claim affiliation with the notorious ShinyHunters hacking group, likely to increase pressure on victims.

Google's analysis reveals that UNC6040 shares characteristics with The Com, a loosely organized cybercrime collective that includes groups like Scattered Spider. However, researchers emphasize UNC6040 operates as a distinct entity despite tactical similarities, including voice phishing expertise and targeting of English-speaking employees.

This campaign represents an evolution in social engineering attacks, where technical security controls prove insufficient against sophisticated human manipulation. Salesforce responded that the attacks exploit user awareness gaps rather than platform vulnerabilities. The company stated: "Salesforce has enterprise-grade security built into every part of our platform, and there's no indication that the issue stems from any vulnerability inherent in our services."

The incidents highlight how even security-conscious organizations remain vulnerable to well-executed social engineering campaigns that exploit the human element of cybersecurity.

Ukraine's military intelligence agency claims to have executed a comprehensive cyber operation against Russia's aircraft manufacturer, stealing over 4.4 gigabytes of classified data, including personnel files, internal communications, and strategic bomber maintenance records. The Main Intelligence Directorate allegedly accessed internal systems for an extended period, monitoring document flows in real time before executing the data extraction. The breach exposed detailed information about engineers and staff responsible for maintaining Russia's strategic bomber fleet, including the Tu-95 and the Tu-160 aircraft used to launch cruise missile attacks on Ukrainian cities. "The significance of the data obtained cannot be overestimated," a HUR source told Ukrainian media yesterday.

"Now, in fact, there is nothing secret left in Tupolev's activities for Ukrainian intelligence." The stolen data includes official correspondence, home addresses, resumes, purchase records, and closed meeting minutes: intelligence that could enable future targeted operations against specific personnel or facilities within Russia's defense industrial complex.

The Ukrainian operatives marked their breach by replacing Tupolev's website homepage with an image of an owl clutching a Russian aircraft, referencing HUR's insignia while demonstrating their ability to penetrate and control enemy digital infrastructure. The website now redirects to the United Aircraft Corporation's main portal.

This represents the latest evolution in Ukraine's cyber capabilities, which have increasingly targeted critical surveillance and defense infrastructure. Recent operations suggest Ukrainian intelligence agencies can compromise not only data systems but also surveillance networks, with speculation that they accessed Russian security cameras during the recent Crimean Bridge attack, based on stable footage showing explosions but no camera movement or vibrations.

The Tupolev breach provides comprehensive intelligence about Russia's strategic aviation capabilities at a time when Ukraine is conducting coordinated cyber-physical operations. The timing, just days after Operation Spiderweb's drone attacks on Russian air bases, suggests a systematic campaign combining kinetic strikes with intelligence gathering.

Tupolev, under international sanctions since 2022, produces the strategic bombers that have been central to Russia's missile campaign against Ukrainian infrastructure.

The cyber operation potentially exposes the entire personnel structure supporting these critical military assets. The combination of physical destruction and digital intelligence gathering represents a new model of asymmetric warfare, where cyber operations provide the knowledge necessary for sustained pressure against strategic targets while mapping enemy capabilities for future operations.

Google Chrome will stop trusting digital certificates from two major certificate authorities, Taiwan's Chunghwa Telecom and Hungary's NetLock, starting August 1st, citing patterns of concerning behavior and compliance failures. Beginning with Chrome 139, websites using certificates issued by these authorities after July 31st will trigger security warnings telling users "Your connection is not private."

While users can still access these sites by clicking through the warnings, the broken trust will disrupt millions of web visitors. Chrome controls over 66% of the global browser market, making this decision effectively a death sentence for these certificate authorities, even though other browsers like Edge and Safari will still trust them. Google cited patterns of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress. Over the past year, both authorities failed to meet industry security standards and didn't deliver on promises to fix their practices. This follows a similar action against Entrust in November 2024, when Google stopped trusting new certificates from that authority.

After years of compliance issues, Google is tightening standards across the certificate industry. Certificate authorities serve as the internet's trust gatekeepers, verifying websites' identities and enabling the HTTPS encryption that powers secure web connections. When a major browser loses confidence in a certificate authority, it exposes fundamental problems in how internet security is managed.

The move demonstrates Google's growing willingness to use Chrome's market dominance to enforce security standards, effectively deciding which certificate authorities can participate in the global web infrastructure. Website operators using affected certificates should switch to a trusted authority immediately to avoid user disruption. And finally, here's your reminder that the simplest attacks are often the most powerful.

Coinbase, one of the world's most sophisticated cryptocurrency exchanges, just got taken for up to $400 million, not because some technical genius cracked their encryption, but due to someone taking photos with their phone. While security experts spend millions on advanced firewalls, encryption, and zero trust networks, hackers simply bribed employees of a firm that Coinbase outsourced to in India.

All the person had to do was point her personal smartphone at her computer screen and snap pictures of customer data. No sophisticated malware, no nation-state cyber weapons, no AI-powered attacks, just a camera where it shouldn't be, and some cash to pay them to do it. The employee I'm talking about was caught red-handed photographing sensitive customer information, including names, addresses, Social Security numbers, and bank details.

She and an accomplice had been feeding this data to hackers for months before getting busted in January. The really embarrassing part: there are reports that Coinbase knew about this phone camera spy operation back in January but only disclosed it publicly in May, and only then because the hackers sent them a $20 million Bitcoin ransom demand, threatening to leak everything online.

In fairness to the company, they did the right thing by not paying the ransom, but they went an extra step and offered the $20 million as a reward to anyone who could find these criminals. More than 200 TaskUs employees lost their jobs in the aftermath, and nearly 70,000 Coinbase customers had their personal data compromised, all because someone remembered that sometimes the best way to steal digital secrets is with an analog approach. It is a perfect reminder.

You can build the most secure digital fortress in the world, but if someone can walk up to your screen with a camera, all that technology doesn't matter. Sometimes the old ways work just fine. And that's our show for today. Love to hear what you think. You can reach me at [email protected] or on LinkedIn, or if you're watching this on YouTube, just drop a note under the video. Tomorrow's show brings back our month-in-review panel for a look at top stories for the month.

Hope you can join us, and if you're enjoying this content, we'd love it if you recommend us to a friend. And if you can help us out financially with a small donation at buymeacoffee.com/techpodcast, that's buymeacoffee.com/techpodcast. We do accept corporate sponsors, but we're really picky about them, and we want to continue to do that with your financial support: buymeacoffee.com/techpodcast. I'm your host, Jim Love. Thanks for listening.
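The Chrome segment above describes a date-gated distrust: a chain that still verifies cryptographically gets a warning if its root belongs to one of the named CAs and the leaf was issued after July 31st. The following is an added example, not code from the podcast or from Chrome itself, showing how a site operator can reproduce that check against their own chain in Go with only the standard library. It builds a constructed in-memory test PKI (not real CA material); the organization strings used to match the two roots, the hostname example.com, and the use of the leaf's NotBefore as the "issued" date are assumptions of this example (Chrome keys the cutoff off embedded SCT timestamps where present).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root organizations Chrome 139 stops trusting for certificates issued after
// the cutoff, per the episode. The exact Subject strings are an assumption of
// this example; real roots carry several Subject variants.
var distrustedRootOrgs = map[string]bool{
	"Chunghwa Telecom Co., Ltd.": true,
	"NetLock Kft.":               true,
}

// Certificates issued after July 31, 2025 (UTC) by those roots are no longer trusted.
var distrustCutoff = time.Date(2025, time.August, 1, 0, 0, 0, 0, time.UTC)

// makeCA builds a constructed self-signed root for the given organization (test data only).
func makeCA(org string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root"},
		NotBefore:             time.Date(2015, time.January, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2040, time.January, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeLeaf issues a 90-day server certificate for host from the given root, valid from notBefore.
func makeLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ChromeWouldWarn reports whether a Chrome-139-style policy would show the
// "Your connection is not private" interstitial for leaf: the chain must verify
// to roots for host at time now, and even then, if the chain's root belongs to a
// distrusted organization and the leaf was issued on or after the cutoff, trust
// is withdrawn. The second return value explains the decision.
func ChromeWouldWarn(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) (bool, string) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return true, "chain does not verify: " + err.Error()
	}
	root := chains[0][len(chains[0])-1] // last element of the first valid chain is the trust anchor
	for _, org := range root.Subject.Organization {
		if distrustedRootOrgs[org] && !leaf.NotBefore.Before(distrustCutoff) {
			return true, fmt.Sprintf("issued %s by distrusted root %q after cutoff",
				leaf.NotBefore.Format("2006-01-02"), org)
		}
	}
	return false, "trusted"
}

func main() {
	ca, key, err := makeCA("Chunghwa Telecom Co., Ltd.")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Same root, two issuance dates: one before the cutoff, one after.
	for _, nb := range []time.Time{
		time.Date(2025, time.July, 15, 0, 0, 0, 0, time.UTC),
		time.Date(2025, time.August, 15, 0, 0, 0, 0, time.UTC),
	} {
		leaf, err := makeLeaf(ca, key, "example.com", nb)
		if err != nil {
			panic(err)
		}
		warn, why := ChromeWouldWarn(leaf, roots, "example.com", nb.Add(24*time.Hour))
		fmt.Printf("notBefore=%s warn=%v (%s)\n", nb.Format("2006-01-02"), warn, why)
	}
}
```

The point the check makes concrete is that the certificate is not "broken": Verify succeeds for both leaves, and only the policy layer on top of it rejects the post-cutoff one. A certificate issued before the cutoff keeps working until it expires, which is why the advice in the segment is to reissue from a trusted CA before renewal rather than on the warning date.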

Transcript source: provided by creator in RSS feed.