Daily Briefing for 03.10.26

At a glance.

• Russian hackers are targeting Signal and WhatsApp users.
• FBI warns of phishing attacks requesting phony zoning permit fees.
• ShinyHunters continues targeting misconfigured Salesforce instances.

Russian hackers are targeting Signal and WhatsApp users.

Dutch intelligence agencies warn that Russian state-backed hackers are "engaged in a large-scale global cyber campaign" to target Signal and WhatsApp accounts belonging to dignitaries, military personnel, and civil servants. The attackers pose as support chatbots to trick users into handing over their verification or PIN codes, which grant the attackers access to the accounts.

The Netherlands Defence Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) said in their advisory, "All Signal users can personally check whether there are any potentially compromised contacts in their group chats. If you see any people who appear twice in the list of members (under the same or a slightly different name), this may be evidence of either a compromised account or a new account created by a victim."

FBI warns of phishing attacks requesting phony zoning permit fees.

The FBI has published a PSA outlining a phishing campaign impersonating city and county officials to trick users into sending payments for zoning permits. The Bureau states, "Victims receive unsolicited emails citing their permit information, zoning application numbers, and/or property addresses. Victims are instructed to pay invoices for fees related to their permits and directed to make payments via wire transfer, peer-to-peer payment, or cryptocurrency."

The threat actors tailor their attacks to the targeted regions, and in some cases the emails are timed to coincide with ongoing permit requests. The FBI notes that "[t]he emails contain detailed, accurate information about planning and zoning requests, including property addresses, case numbers, and the true names of city and county officials."

ShinyHunters continues targeting misconfigured Salesforce instances.

The ShinyHunters extortion group has announced a new campaign targeting vulnerable or misconfigured Salesforce instances, SecurityWeek reports. The extortion gang claims to have hacked "several hundreds of companies" as part of what it calls the "Salesforce Aura Campaign." Criminal gangs frequently exaggerate their claims, but it's worth noting that ShinyHunters was responsible for many confirmed attacks against Salesforce instances throughout 2025.

Salesforce published a report on this campaign on Saturday, noting that the attackers are exploiting overly permissive Experience Cloud guest user configurations rather than a vulnerability in Salesforce itself. The company states, "Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites. While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings."