Simply Cyber Newsletter #142

Crush Your Week Like a Cyber Pro with Simply Cyber!

Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter!

FOR END USERS

Social engineering attacks surged this past year, Palo Alto Networks report finds. A new Palo Alto Networks report shows social engineering was the top way attackers got into organizations last year, responsible for over one third of incidents. These scams often target employees with system-wide access, aiming to steal sensitive data or reset security settings.

What you need to know: Educate your end users about the forms social engineering can take, such as emails, texts, phone calls, or fake job offers. Attackers use these tactics to trick people into granting access or changing security settings. Emphasize the importance of slowing down, verifying requests through known channels, and never sharing login credentials or approving unexpected MFA prompts without confirmation. Use real examples to make the risk relatable, such as a caller pretending to be IT asking for a password reset. Remind staff that even highly skilled professionals have been fooled, so hesitation and verification are signs of caution, not distrust. Encourage a culture where reporting a suspicious message or call is celebrated, even if it turns out to be harmless. The fastest way to stop a social engineering attack is to recognize it and speak up immediately.

FOR PEERS

New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations. Researchers unveiled “Ghost Calls,” a command-and-control evasion method abusing Zoom and Microsoft Teams TURN servers to blend malicious traffic into normal video conferencing flows. Although Zoom has deployed mitigations as of August 9, the technique remains viable in certain contexts.

What you need to know: Share this story with your peers and discuss how your organization detects and responds to post-exploitation tactics that leverage trusted services. Ghost Calls shows how threat actors can tunnel C2 traffic through Zoom or Teams TURN servers, using legitimate credentials to hide in encrypted, enterprise-approved channels. This is a strong example of “living off the land,” where attackers avoid exploits and instead abuse standard infrastructure. From a GRC perspective, assess whether your security policies and controls account for abuse of trusted third-party services. This includes vendor risk evaluations for collaboration platforms, continuous monitoring of encrypted traffic patterns, and incident response playbooks that consider stealthy C2 over allowed ports and domains. While Zoom’s August 9 mitigation limits TURN to client-media server pairing and disables peer-to-peer over TURN, other conferencing platforms may still be vulnerable to similar techniques. Review your monitoring capabilities for WebRTC traffic, verify that alerts can be generated for anomalous patterns, and ensure SOC workflows can triage these without creating excessive noise.

For end users, encourage reporting anything unusual in conferencing tools, such as unexpected meeting invites, unexplained video prompts, or performance issues during calls. These reports can be valuable early warning signals for security teams.

FOR EXECUTIVES

Google says hackers stole its customers’ data by breaching its Salesforce database. Google confirmed that attackers breached a Salesforce database storing contact and business information for some small and medium-sized customers. The group, ShinyHunters, used voice phishing to gain access and has targeted other companies’ Salesforce data in recent months.

What you need to know: When bringing this to executives, focus on three plain-language points:

  1. Supply chain exposure – This was not Google’s core systems, but a third-party database platform.

  2. Business risk, not just technical risk – Even “basic” business data can be used to impersonate employees, target customers, or damage trust.

  3. Vendor oversight matters – If a partner or platform is breached, it can still impact us.

Your goal is to start a conversation about how your organization ensures critical suppliers (like CRM or cloud service providers) have strong security controls and a plan for rapid incident response. Be ready to ask leadership for support in reviewing vendor risk management processes, contract breach notification clauses, and how customer communications would be handled if your supplier were hit.

You don’t need to be an expert in Salesforce security. Your role is to flag the risk, connect it to business impact, and recommend a next step (such as a vendor security review or tabletop exercise) that leadership can greenlight.

SIMPLY CYBER MEDIA GROUP PODCAST LINEUP

Visit simplycyber.io/learn to check out all the content on Simply Cyber or head over to youtube.com/@SimplyCyber/podcasts to explore all the podcasts!

SIMPLY CYBER CON 2025

When: Sunday, Nov. 2nd & Monday, Nov. 3rd

We’re excited to share Simply Cyber Con is back for the third year in a row!

Registration is now available! Head over to the website to learn more about conference registration and training day options.

Ready to share your knowledge? Navigate to the Call For Papers section of simplycybercon.org and submit yours now!

Interested in sponsoring? Review the sponsor packet. It’s going to be the best Simply Cyber Con yet. Don’t miss out on this chance to sponsor and share your business with #TeamSC!

Stay tuned for updates! #simplycybercon

SC ACADEMY: THE PLACE FOR CYBER CAREERS

At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.

The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career.

Check out the NEW FREE courses available in the academy and our new blog!

LET’S CONNECT

Stay current on trending topics, tips, events and resources in cybersecurity. Connect with Simply Cyber on socials for new content.

As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.

Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Find more about what’s happening this week in the Simply Cyber community, below.

Thank you and see you again next week, #TeamSC!

Gerry