CISO Talk by James Azar
CyberHub Podcast
Google Confirms Workspace Accounts Also Hit in SalesLoft Drift Data Theft, TransUnion Data Breach Impacts 4.4 million People, Nevada Confirms Ransomware Attack, WhatsApp Patches Zero-Day

Labor Day Chaos: Google Workspace Breached, TransUnion Hit, and Government Incompetence Exposed

Good Morning Security Gang!


Happy Labor Day Monday, September 1st, 2025! You’d think a holiday might slow the news cycle, but oh how wrong you’d be.

This morning’s CyberHub Podcast is packed—so much so that I had to cut stories just to fit everything in. We’re talking about the Salesforce/SalesLoft Drift supply chain compromise hitting Google Workspace and TransUnion, a ransomware attack in Nevada, another embarrassing fraud incident in Baltimore, FEMA’s IT department purge, WhatsApp zero-day patching, Russian watering hole campaigns, and some long-overdue accountability in both government and cybercrime circles. Let’s dig in.


☁ Google Workspace Compromised via SalesLoft Drift Integration

The ongoing Salesforce compromise wave has widened. Attackers used OAuth tokens stolen from the Salesloft Drift integration to get into customers' Salesforce environments and export data in bulk. Google now confirms that Drift Email tokens were also used to read mail from a "small number" of Google Workspace accounts. The exported records were then mined for credentials: AWS access keys, Snowflake tokens, and passwords, the kind of secrets that end up pasted into support-case notes and attachments. Google attributes the campaign to UNC6395. Salesloft is advising all Drift customers to revoke and rotate any API keys and credentials connected to Drift; anyone who finds secrets sitting in their Salesforce data should assume they have been read and rotate those as well.
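As an added example (not code from the show, Salesloft or Google), this is the check a defender would run over their own Salesforce case export to find the credentials UNC6395 was hunting for: a regex sweep of free-text fields for AWS access key IDs and secrets, Snowflake account hostnames, and password assignments. The three case records are constructed; the AWS pair is Amazon's published documentation example, not a live key. Findings are redacted to a four-character prefix so the scan output itself does not become a second leak.

```python
"""Sweep CRM free-text fields for credentials attackers harvest from stolen support data."""
import re
from dataclasses import dataclass

# Constructed sample records (stand-ins for a Salesforce Case export).
# The AWS pair is Amazon's documentation example key, not a live credential.
SAMPLE_CASES = [
    {"id": "CASE-0001",
     "body": "Customer cannot reach S3. Their key is AKIAIOSFODNN7EXAMPLE "
             "and secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": "CASE-0002",
     "body": "Reset done. temp password: Summer2025! for acme-x1.snowflakecomputing.com"},
    {"id": "CASE-0003",
     "body": "User asks how to rotate keys; no credentials shared."},
]

# Detector patterns. Group 1, where present, is the secret value itself.
PATTERNS = {
    # AWS access key IDs: long-term (AKIA) and temporary (ASIA) prefixes.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A 40-character base64-style blob introduced by a 'secret' label.
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_secret_access_key|secret)\s*[:=]?\s*([A-Za-z0-9/+=]{40})\b"),
    # Snowflake account hostnames tell you which warehouse a token belongs to.
    "snowflake_account_host": re.compile(
        r"\b[a-z0-9][a-z0-9.-]*\.snowflakecomputing\.com\b", re.I),
    # 'password: xxxx' / 'pwd=xxxx' style assignments in free text.
    "password_assignment": re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S{6,})"),
}


@dataclass(frozen=True)
class Finding:
    case_id: str
    kind: str
    preview: str  # redacted: the full secret is never written to output


def redact(value: str) -> str:
    """Keep a 4-character prefix for triage; mask the rest."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str):
    """Yield (kind, redacted_value) for every pattern hit in one text field."""
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            yield kind, redact(value)


def scan_cases(cases):
    """Run every detector over every record; return Finding objects."""
    return [Finding(c["id"], kind, preview)
            for c in cases for kind, preview in scan_text(c["body"])]


def kinds_by_case(findings):
    """Group hit types per record, which is what a rotation ticket needs."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.case_id, set()).add(f.kind)
    return grouped


if __name__ == "__main__":
    for f in scan_cases(SAMPLE_CASES):
        print(f"{f.case_id}: {f.kind} -> {f.preview}")
```

Point the same loop at a real export (Case Description, Comments, Chatter feed items and attachment text) and treat every hit as compromised: rotate the credential, then fix the process that let it land in a ticket. The patterns are deliberately broad; tune them per tenant rather than dropping them, since a miss here is a credential the attacker already has.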

🧾 TransUnion Breach Impacts 4.4 Million

Credit bureau TransUnion confirmed a breach of a third-party application serving its U.S. consumer support operations, tied to the same Salesloft Drift compromise, exposing the data of 4.46 million people. The stolen information includes names, Social Security numbers, and dates of birth. TransUnion says its core credit databases were not touched, but the scale makes this one of the largest consumer privacy breaches of 2025. Affected individuals are being offered 24 months of credit monitoring.

🎰 Nevada State Ransomware Attack

The state of Nevada confirmed that last week's statewide outage was caused by ransomware. State agency offices and VoIP phone services went down, while life-safety and emergency systems were prioritized for recovery. CISA has been on site since Sunday to help with containment and recovery, and restoration of critical services is still ongoing.

🏙 Baltimore Loses $1.5M to Vendor Fraud—Again

Baltimore's city government fell for yet another vendor-impersonation scam: staff approved fraudulent changes to a vendor's payment account, and about $1.5M in payments went to the fraudster instead of the vendor. This is at least the third such incident since 2019. The city's Inspector General blamed the loss on staff failures and on corrective measures that were never implemented despite repeated warnings.

As I said bluntly on the show: “If this was my city government, I’d be calling for a purge at the ballot box.”

🛡 FEMA IT Department Purged for Cyber Failures

Homeland Security Secretary Kristi Noem fired 24 FEMA IT staff, including the agency's CIO and CISO, citing failure to patch critical vulnerabilities, resistance to security audits, and wasteful spending. Despite an IT and cyber budget of nearly $500M, DHS says FEMA leadership delivered "virtually nothing" in basic cyber hygiene. The shakeup is being framed as a wake-up call for the rest of DHS.

📱 WhatsApp Zero-Day Patched

WhatsApp patched CVE-2025-55177, a zero-day in its iOS and Mac clients: incomplete authorization of linked-device synchronization messages let an attacker push a sync message that made the target's client process content from an attacker-controlled URL. Update immediately if you use WhatsApp on iOS or Mac, and treat any unexpected linked-device prompt as a signal worth investigating.

🐻 Russian Midnight Blizzard Watering Hole Campaign

Amazon's threat intelligence team flagged Midnight Blizzard (APT29) for a watering hole campaign: compromised legitimate websites redirected a share of visitors to attacker pages that walked them through Microsoft's device code authentication flow, so that the code the victim approved handed the attackers a session on the victim's Microsoft 365 account. Targets include Ukrainian and European entities. The tactic builds on earlier Russian campaigns that used RDP-file phishing and abuse of app-specific passwords.
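An added example (not from the show or from Amazon's write-up) of what "watch for device code phishing" looks like in practice: a pass over Entra ID sign-in records, using the Microsoft Graph signIn field names (`authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`), that flags every completed device-code sign-in and raises severity when the same user was seen from another country within the surrounding window. A phished user's browser and the attacker's client that redeems the code rarely sit in the same place. The records are constructed, the IPs are documentation ranges, and the 24-hour window is an assumed tuning value.

```python
"""Flag device-code sign-ins in Entra ID sign-in logs; escalate on geography mismatch."""
import json
from datetime import datetime

# Constructed sign-in records using Microsoft Graph signIn field names.
# IPs are documentation ranges; countries are chosen for the example.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-08-29T08:02:11Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-08-29T09:15:40Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-08-28T12:00:00Z",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "appDisplayName": "Azure CLI"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-08-29T10:00:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "appDisplayName": "Azure CLI"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-08-29T11:30:00Z",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "RU"}, "status": {"errorCode": 70016},
     "appDisplayName": "Microsoft Office"},
])


def parse_signins(jsonl: str):
    """Parse a JSON-lines export and attach a timezone-aware timestamp."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_device_code_signins(jsonl: str, window_hours: int = 24):
    """Return one alert per successful device-code sign-in.

    Severity is 'high' when the same user signed in from a different country
    within the window, otherwise 'medium'. A non-zero errorCode means the
    flow never completed, so those rows are skipped.
    """
    records = parse_signins(jsonl)
    alerts = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if rec["status"]["errorCode"] != 0:
            continue
        user, country = rec["userPrincipalName"], rec["location"]["countryOrRegion"]
        peers = [p for p in records
                 if p is not rec and p["userPrincipalName"] == user
                 and abs((p["_ts"] - rec["_ts"]).total_seconds()) <= window_hours * 3600]
        other_countries = {p["location"]["countryOrRegion"] for p in peers} - {country}
        alerts.append({
            "user": user,
            "time": rec["createdDateTime"],
            "ip": rec["ipAddress"],
            "country": country,
            "app": rec["appDisplayName"],
            "severity": "high" if other_countries else "medium",
            "other_countries_seen": sorted(other_countries),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_device_code_signins(SAMPLE_SIGNINS):
        print(alert)
```

The same filter in a SIEM query is simply sign-ins where the authentication protocol is `deviceCode`. Device code flow is legitimate for CLIs and headless devices (bob's Azure CLI row above is the normal case), so the detection is only half the control: restrict the flow to the users and apps that actually need it, and treat a "high" from this script as a session to revoke first and ask about second.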

🌐 Salt Typhoon Targets Dutch ISPs

Dutch intelligence confirmed that Salt Typhoon also compromised routers at smaller ISPs and hosting providers in the Netherlands, consistent with U.S. findings. The agencies say the attackers did not get past the routers into internal networks, but a foothold on ISP edge gear is enough on its own to enable traffic interception and supply chain manipulation.

🖥 Microsoft “Digital Escorts” for DoD Code—Now Banned

The Pentagon ended a nearly decade-long Microsoft practice under which engineers based in China worked on U.S. defense cloud systems through so-called "digital escorts": U.S.-based staff who relayed the foreign engineers' commands into the environment. The foreign engineers held no clearance, and the escorts, although cleared, often lacked the coding expertise to judge what they were being asked to run. Officials now admit the practice posed an unacceptable risk of backdoors in FedRAMP High-impact systems.

🇩🇪 German Hacker Charged for Energy Sabotage

Prosecutors charged a German hacker with espionage and sabotage for the March Rosenfeld energy cyberattack, which caused €10M in damages and involved the theft of 20TB of data. He has been linked to Anonymous operations following Russia's invasion of Ukraine.

🔒 VerifTools Fake ID Marketplace Seized

U.S. and Dutch authorities seized domains and servers of VerifTools, one of the largest fake ID marketplaces online. It sold counterfeit passports, driver’s licenses, and more. While another marketplace will pop up, investigators say the disruption yielded valuable intelligence.

🧠 James Azar’s CISO Take

The big lesson from today's show: fourth-party risk is the new frontier. Neither Google nor TransUnion was breached directly; their Salesforce environments were reached through Salesloft Drift, an integration layer most organizations barely inventory. CISOs need to treat integrations as privileged accounts: know every OAuth grant and the scopes it carries, rotate tokens, enforce least privilege, and monitor each integration's API activity the way you would a service account, because a token stolen from a vendor still looks like an authorized session in your own logs.

The second theme is accountability. From FEMA's IT purge to Baltimore's repeat losses to Microsoft's escort program, leadership failures carry enormous risk. Patching, auditing, and governance aren't optional; they're the basics. If your organization isn't enforcing them, attackers will, regulators will, or the voters will. The question is: do you want to lead, or be forced to change after a breach?


✅ Action Items

  • 🔐 Revoke and rotate all Salesforce/Drift OAuth tokens and API keys; then search the data those integrations could reach for embedded credentials (AWS keys, Snowflake tokens, passwords) and rotate those too.

  • 📊 Treat SaaS integrations as privileged accounts: inventory OAuth grants and their scopes, audit their API activity, and enforce MFA on the human accounts that authorize them.

  • 🛡 Patch WhatsApp iOS and Mac clients immediately (CVE-2025-55177).

  • ☎ Review VoIP resilience; ensure landline or other backup communications for emergencies.

  • 📉 Audit vendor-fraud controls in accounts payable: any change to a vendor's payment details gets verified out of band, using contact details already on file rather than those in the request.

  • 🧾 Monitor Microsoft 365 sign-in logs for device code authentications and restrict the flow to the users and apps that need it.

  • 🇨🇳 End risky foreign coder programs in defense and critical industries.

  • 🌐 Track Salt Typhoon and other supply chain campaigns for ISP and edge-device targeting.

That's our show for this morning. We'll be back tomorrow at 9 AM Eastern with all the latest cybersecurity headlines. Until then, have a great rest of your day, y'all, and most importantly, stay cyber safe.

