InfoSec.Watch

129 - Quick Assist, Slow Panic

Infosec.Watch Season 2 Episode 129


We track how attackers keep turning trusted channels into reliable intrusion paths, from extension marketplaces to chat platforms and developer dependencies. We also lay out what defenders should patch first and how to validate fixes so security work actually reduces risk.
• Glasswarm escalation against Open VSX using a modular loader for stealthier propagation
• Why defenders need full intrusion chain telemetry across execution, persistence and C2
• Microsoft Teams phishing that impersonates IT and abuses Quick Assist for remote access
• Living off the land detection focused on behaviors rather than specific malware files
• Astronata backdooring React Native packages to steal crypto wallets and developer credentials
• Software supply chain hygiene through provenance checks and dependency trust path reviews
• Chrome vulnerabilities exploited in the wild and why pre-patch hunting matters
• Veeam critical flaws and treating backup infrastructure as a tier zero asset
• VPN credential theft campaigns and enforcing MFA across every authentication path
• Post-patching rigor with version checks, exposure validation, log review and secret rotation



Thanks for listening to InfoSec.Watch!

Subscribe to our newsletter for in-depth analysis: https://infosec.watch
Follow us for daily updates:
- X (Twitter)
- LinkedIn
- Facebook

Stay secure out there!


Welcome And Weekly Themes

SPEAKER_01

Welcome to the InfoSec Watch Podcast, where we analyze the week's most critical cybersecurity news for defenders. I'm Grant Lawson.

SPEAKER_00

And I'm Sloan Parker. This week, the major themes are the continued abuse of trusted channels and the asymmetric risk defenders face from software supply chain attacks.

Glasswarm Hits Open VSX

SPEAKER_01

Let's dive right into our top stories. First up, a significant escalation in the Glasswarm campaign targeting the Open VSX registry.

SPEAKER_00

Great, so this is the marketplace for VS Code extensions. What's different this time?

SPEAKER_01

The threat actor has shifted tactics. Instead of embedding a malicious loader directly into every single malicious listing, they've abstracted it. Now, compromised packages just need to reference the loader, making it a much stealthier and more efficient propagation method.

SPEAKER_00

That makes sense. It lowers their operational burden and makes detection harder if you're just scanning individual packages. And it's not just about stealth. Abstracting the loader means they can update their malware payload independently of the compromised packages. They can swap in a keylogger one day, a ransomware dropper the next, without having to republish dozens of extensions. That makes it a much more dangerous and persistent threat.

SPEAKER_01

Exactly. And this is why the key takeaway for defenders is to focus on the entire intrusion chain. You need telemetry that shows the full sequence, delivery, execution, persistence, and command and control. Without that holistic view, this kind of campaign can be easily missed.

SPEAKER_00

That's a key point. It turns the initial compromise into a persistent, adaptable foothold. So for defenders, it means even if you've analyzed one malicious extension, you can't assume you know the full extent of the threat. The payload could change at any moment.

SPEAKER_01

Sticking with the theme of abusing trusted channels, the Rapid7 MDR team is seeing a spike in phishing campaigns using Microsoft Teams.

SPEAKER_00

In this case, attackers are impersonating internal IT departments, trying to persuade users to launch Quick Assist.

SPEAKER_01

And Quick Assist is so insidious because it's a legitimate Microsoft tool for remote assistance. Once the user grants access, the threat actor has a foothold to deploy malware or move laterally.

SPEAKER_00

It's a classic living off-the-land technique. This is why we have to treat this as a behavior problem, not just a malware problem. You can't just have a detection rule for a specific malicious file.

SPEAKER_01

Of course, you need to be reviewing detections for unusual script execution, the abuse of trusted tools like Quick Assist, new persistence mechanisms, and suspicious outbound connections from user endpoints.

Astronata Backdoors React Native Packages

SPEAKER_00

And our third top story circles back to the supply chain. Aikido uncovered a campaign they're calling Astronata that backdoored two popular React Native packages.

SPEAKER_01

And the goal here was pretty direct, stealing cryptocurrency wallets and developer credentials.

SPEAKER_00

Correct. This really underscores the need for rigorous software supply chain hygiene. For any security team, especially those with development groups, this is a call to action. You need to review your dependency trust paths.

SPEAKER_01

Validate the provenance of those packages. Where are they really coming from? Who maintains them? And crucially, monitor developer environments for any signs of follow-on compromise. Once those credentials are stolen, the developer's machine becomes a launch pad into the rest of the corporate network.

Chrome Exploits And Emergency Patching

SPEAKER_01

Alright, let's pivot to our vulnerability spotlight. Two big ones this week. Sloan, let's start with Google Chrome.

SPEAKER_00

Google has released security updates for two high severity vulnerabilities that are being actively exploited in the wild. We have CVE-2026-3909, which is an out-of-bounds write vulnerability with a CVSS score of 8.8.

SPEAKER_01

That phrase, "exploited in the wild," changes everything. This is no longer a theoretical risk, it's a live exploitation risk.

SPEAKER_00

Exactly. The priority for any security team right now is to identify all exposed assets running vulnerable versions of Chrome and push for emergency remediation.

SPEAKER_01

And it's not just about patching, it's also about hunting for signs of compromise before patching, because that closes the window of visibility for investigators. Assume opportunistic exploitation is already underway.

Veeam Bugs Put Backups At Risk

SPEAKER_00

Next up, backup vendor Veeam has released patches for multiple vulnerabilities in its backup and replication platform. This includes three critical flaws.

SPEAKER_01

And these could allow authenticated users to execute code on the backup servers. This is a critical asset.

SPEAKER_00

Right. Your backup and recovery plane should be protected like a tier zero asset, at the same level as your domain controllers or identity providers. Attackers, especially ransomware groups, deliberately target backup systems to prevent recovery.

SPEAKER_01

So the takeaway is straightforward: patch quickly, restrict administrative access to these systems to an absolute minimum, and, this is the part people often forget, proactively verify your backup integrity and your restore workflows before you're in the middle of an incident.

SPEAKER_00

Let's move to our trend to watch. This week, we're seeing reports of a threat actor specifically targeting VPN users in new credential theft campaigns.

SPEAKER_01

This highlights how attackers continue to probe the seams of our authentication infrastructure. It's not just about the primary login flow anymore. They're looking for alternate paths, password reset mechanisms, or secondary portals that might be less secure.

SPEAKER_00

So for defenders, the guidance is to map out and review all of your exposed authentication paths. You need to verify that your security policies, like MFA, are being enforced consistently across all those different login flows.

SPEAKER_01

And if there's any chance that abuse is plausible, you have to consider rotating credentials or tokens for the affected user base.

Quick Hits And Botnet Takedown

SPEAKER_01

Alright, time for some quick hits. This is a fast-paced look at other important stories this week. First, CISA added a critical security flaw in Natin to its Known Exploited Vulnerabilities catalog.

SPEAKER_00

This means handle it like an active threat, not routine maintenance. Reduce your exposure immediately and look for evidence of exploitation.

SPEAKER_01

Socket uncovered a supply chain attack on Packagist, targeting Vietnamese streaming sites with Trojanized themes.

SPEAKER_00

Right. Treat it as an exposure management problem. Identify reachable systems, patch them based on risk, and review your telemetry for any signs of attempted exploitation.

SPEAKER_01

And finally, a major botnet that compromised routers and IoT devices in 163 countries was taken down.

SPEAKER_00

The key takeaway here is to use this news to drive one practical change now: either shrink your attack surface, tighten your monitoring, or validate a control you've been assuming works.

SPEAKER_01

That brings us to our actionable defense move of the week. Sloan, what should teams be focused on?

SPEAKER_00

This week it's all about post-patching rigor. For every patch you apply to a tier zero system (that's your firewalls, your VPNs, your identity and backup systems), there's a four-step validation process.

SPEAKER_01

Okay, let's hear them.

SPEAKER_00

One, verify the new version is actually running on the box. Don't just trust the deployment tool. Two, confirm that external exposure has been removed or is properly restricted via an allow list. Three, review the last 14 days of admin, authentication, and configuration logs for any anomalies. And four, if compromise is even plausible, rotate the secrets on that system.

SPEAKER_01

That's a great framework. It reinforces the idea that patching is just step one. The real defensive value comes from validation plus an assumed breach log review, which is step two. And that's all the time we have for this week. This week's stories reinforce that identity paths and trust boundaries remain primary operational weak points, and that backup infrastructure is still very much a part of the live attack surface.