
Signals, scams, and a Salesforce snatch.
Russian hackers target Signal and WhatsApp. Permit scammers impersonate local officials. Anthropic sues over a Pentagon blacklist. The White House moves to restore fraud victims. ShinyHunters target Salesforce data. Ericsson reports a breach. macOS users face ClickFix malware. AWS credentials are phished. And CISA warns of an exploited Ivanti flaw. Our guest is Brian Baskin, Threat Researcher at Sublime Security, discussing tax season employee impersonation scams. Who fact-checks the fact-checkers?
Today is Tuesday, March 10th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Russian state hackers target access to Signal and WhatsApp.
Russian state hackers are conducting a global cyber campaign aimed at gaining access to Signal and WhatsApp accounts belonging to government officials, military personnel, and other individuals of interest. Dutch intelligence services MIVD and AIVD confirmed that Dutch government employees are among the targets, and journalists may also be at risk.
The attackers rely on social engineering rather than technical vulnerabilities. They often impersonate a Signal Support chatbot to trick victims into revealing verification or PIN codes, which allow the attackers to take over accounts. In other cases, they exploit the apps’ legitimate “linked devices” feature to connect attacker-controlled devices to a victim’s account.
Once compromised, attackers can read messages, including group chats, and potentially access sensitive information. Dutch authorities stress that the messaging platforms themselves remain secure, but individual accounts are vulnerable. They advise users to remain vigilant, watch for suspicious group members or duplicate accounts, and report suspected compromises to their organization’s security team.
The FBI warns of a phishing campaign in which criminals impersonate U.S. city and county planning or zoning officials.
The FBI is warning about a phishing campaign in which criminals impersonate U.S. city and county planning or zoning officials to target people and businesses applying for land-use permits. Attackers use publicly available information about permit applications, such as zoning numbers or property addresses, to make fraudulent emails appear legitimate.
Victims receive unsolicited messages referencing their permit details and are asked to pay related fees through wire transfers, peer-to-peer payment apps, or cryptocurrency. The FBI says warning signs include emails sent from non-government domains, attachments that prompt recipients to request further details, and pressure to pay quickly to avoid permit delays.
The bureau advises recipients to verify messages by checking email domains and contacting local government offices directly. Suspected victims should report incidents to the FBI’s Internet Crime Complaint Center.
Anthropic sues the Trump administration over being labeled a “supply chain risk.”
Anthropic has filed a lawsuit against the Trump administration after the Pentagon designated the AI company a “supply chain risk,” a move that effectively blocks its technology from defense-related work. The complaint, filed in U.S. District Court in California, argues the designation is unlawful and causing significant financial and reputational harm.
Under the Pentagon’s decision, defense contractors must certify that they are not using Anthropic’s AI models, known as Claude, in work tied to the Department of Defense. The company says federal contracts are already being canceled and private-sector deals are now uncertain. Anthropic estimates the decision could jeopardize hundreds of millions of dollars in the near term and potentially reduce its 2026 revenue by billions.
Anthropic is asking the court to overturn the designation and pause the policy while the case proceeds. The company has also requested a formal review in a federal appeals court.
The White House orders a Victim Restoration Program to combat cyber-enabled fraud.
The Trump administration issued an executive order directing federal agencies to strengthen the U.S. response to cybercrime and the growing financial losses Americans face from online scams. The order instructs multiple agencies to develop a coordinated action plan within 120 days to prevent, investigate, and dismantle transnational criminal organizations that operate scam centers and cyber fraud schemes.
The order also requires the creation of a Victim Restoration Program within 90 days, designed to return funds seized from criminal networks to victims of cyber-enabled fraud. A new operational unit within the National Coordination Center will coordinate efforts among agencies including the Departments of State, Treasury, Defense, Homeland Security, and Justice.
Officials say the effort will combine government intelligence, law enforcement operations, and private-sector cybersecurity expertise to track and disrupt criminal infrastructure. The administration also signaled potential sanctions and diplomatic pressure against countries that allow cybercrime groups to operate within their borders.
Salesforce warns customers of an ongoing ShinyHunters campaign.
Salesforce is warning customers about an ongoing cyber campaign linked to the ShinyHunters group involving data theft and extortion. Since mid-2025, the attackers have targeted organizations’ Salesforce environments using social engineering, phishing, and misconfigured settings rather than platform vulnerabilities.
The latest campaign exploits overly permissive Experience Cloud guest user configurations, which can allow attackers to access more data than intended. Threat actors are reportedly using a modified version of the open-source Aura Inspector tool to extract exposed data. ShinyHunters claims the operation has targeted hundreds of companies and has threatened to leak stolen data if victims refuse extortion demands.
Over 15 thousand Ericsson customers and employees suffer a data breach.
Ericsson Inc., the U.S. subsidiary of Swedish telecom company Ericsson, says a breach at a third-party service provider exposed personal data belonging to 15,661 employees and customers. The provider detected the intrusion on April 28, 2025 and determined that unauthorized access to a limited set of files likely occurred between April 17 and April 22.
Exposed information may include names, addresses, Social Security numbers, driver’s license or government ID numbers, financial details, medical information, and dates of birth. Ericsson says there is currently no evidence the stolen data has been misused. The company is offering affected individuals free identity protection and credit monitoring services while the incident remains under investigation.
A new campaign targets macOS users with a ClickFix variant.
Cybersecurity researchers have identified a campaign targeting macOS users with a fake website impersonating the popular CleanMyMac utility. The site tricks visitors into installing SHub Stealer malware through a social engineering technique known as a ClickFix attack. Victims are instructed to run a Terminal command that appears to install legitimate software but instead downloads and executes a malicious script, bypassing macOS security protections because the user runs the command themselves.
Once installed, the malware collects system information and attempts to steal credentials by displaying a fake macOS authentication prompt. If the password is entered, attackers can access the macOS Keychain to harvest stored credentials and sensitive data. SHub Stealer also targets cryptocurrency wallets, displaying fake prompts that capture recovery seed phrases and enable attackers to steal funds. Researchers say the malware maintains persistence through a hidden background task disguised as a legitimate system updater.
Researchers identify a phishing campaign targeting AWS Management Console credentials.
Researchers at Datadog have identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Management Console credentials. The operation uses typosquatted domains that mimic AWS infrastructure and hosts a high-fidelity clone of the AWS sign-in page. The phishing kit proxies authentication requests to the real AWS login service in real time, allowing attackers to capture validated credentials and likely intercept one-time password (OTP) codes.
The campaign uses multi-stage redirects and spoofed security alerts to lure victims. Once credentials are submitted, attackers can quickly access compromised accounts. In one observed case, unauthorized console access occurred within 20 minutes from a Mullvad VPN IP address. Researchers emphasize the campaign does not exploit AWS vulnerabilities but relies on credential theft through phishing. AWS has been notified and is working on disruption efforts while defenders are urged to monitor authentication activity for suspicious logins.
CISA flags a high-severity Ivanti Endpoint Manager vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Ivanti Endpoint Manager vulnerability, tracked as CVE-2026-1603, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch within three weeks. The flaw allows remote attackers to bypass authentication and steal credentials through a low-complexity cross-site scripting attack requiring no user interaction. Ivanti patched the issue last month in EPM 2024 SU5. While Ivanti says it has not seen confirmed exploitation before disclosure, CISA warns the bug is actively exploited and poses significant risk to federal networks.
Who fact-checks the fact-checkers?
A suspicious link arrives from a friend. The headline is outrageous. The video looks slightly off. In the age of online misinformation, artificial intelligence promises to help sort truth from nonsense. Unfortunately, according to researcher Dorsaf Sallami of Université de Montréal, those promises are doing a bit of exaggerating themselves.
For her doctoral research, Sallami examined AI systems designed to detect fake news and found they don’t actually “fact-check.” Instead, they calculate probabilities based on patterns in their training data. In other words, they behave less like journalists and more like mirrors, reflecting whatever biases and gaps were present in the data they learned from.
That creates problems. The definition of misinformation is often disputed, the training labels are not always transparent, and the models can inherit biases, sometimes even flagging content differently depending on gender or geography.
Sallami proposes a more human-centered approach. Her browser extension, Aletheia, helps users verify claims by showing sources, explanations, and fact-checks, leaving the final judgment where it arguably belongs, with the human reading the headline.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
