InfoSec.Watch
The InfoSec.Watch Podcast delivers the week’s most important cybersecurity news in a fast, clear, and actionable format.
Each episode breaks down major incidents, vulnerabilities, threat-actor activity, and security trends affecting modern organizations — without the noise or hype.
The show translates complex cyber topics into practical insights you can use immediately in your job, whether you work in security engineering, cloud security, threat detection, governance, or IT.
If you want to stay ahead of emerging threats, sharpen your defensive mindset, and get a reliable summary of what actually matters each week, this is your new essential briefing.
Actionable Cybersecurity Insights — Every Week.
130 - When Trusted Tools Turn On You
We track how trust boundaries fail across the modern stack, from CI/CD supply chain compromise to phishing-driven account takeover and remote assistance abuse. We also break down actively exploited vulnerabilities and a practical tier 0 validation loop that treats patching like incident response, not routine maintenance.
• supply chain compromise risk when trusted CI/CD tooling is abused for credential theft
• behavior-based hunting on build systems, including anomalous execution and network egress
• phishing campaigns against Signal and WhatsApp framed as identity compromise at scale
• Microsoft Teams social engineering path to Quick Assist remote access and intrusion expansion
• vulnerability triage for active exploitation, including Cisco FMC CVE-2026-20131 and rapid weaponization of new disclosures
• mobile exploit kit reporting and why device takeover belongs in tier 0 thinking
• IoT botnet disruption as a prompt to inventory unmanaged devices and validate network visibility
• one-week tier 0 validation loop: verify versions, remove exposure, review logs, rotate secrets
Follow the show on X, Facebook, and LinkedIn, and subscribe at https://infosec.watch.
Thanks for listening to InfoSec.Watch! Subscribe to our newsletter for in-depth analysis: https://infosec.watch. Follow us for daily updates on X (Twitter), LinkedIn, and Facebook. Stay secure out there!
Welcome And Three Threat Themes
SPEAKER_01: Welcome back to the InfoSec.watch Podcast. I'm Grant Lawson.
SPEAKER_00: And I'm Sloane Parker.
SPEAKER_01: Today we're working straight from the InfoSec.watch newsletter issue 130, dated March 23rd, 2026. And the brief really clusters around three themes: software supply chain abuse, Linux privilege escalation risk, and identity and trust boundary weakness.
SPEAKER_00: Which is a pretty accurate snapshot of what defenders are juggling right now. Okay, let's get into it.
SPEAKER_01: Alright, kicking things off with our first top story. Trivy, the open source vulnerability scanner, was reportedly compromised in a supply chain attack. Reports say attackers injected credential-stealing malware into official releases and into GitHub Actions used by thousands of CI/CD workflows, with potential downstream supply chain compromise across CI/CD environments.
SPEAKER_00: Credential-stealing malware inside a security tool is one of those trust boundary gut punches. So let's break it down based on what we know. What's the practical risk picture?
SPEAKER_01: The important thing is to frame it as a behavior problem, not a malware name problem. So operationally, you're not just hunting for a specific file hash. You're looking for the behaviors you'd expect when a trusted tool gets abused. Script execution that doesn't fit the workflow, trusted tool abuse, persistence where there normally shouldn't be any, and unexpected outbound connections from build systems.
SPEAKER_00: Right, because if the scanner runs inside CI/CD, it effectively inherits trust. And if it's touching secrets, tokens, environment variables, registry creds, then credential theft becomes a direct line into the rest of the pipeline. That's not just security impact. That's build integrity, release integrity, and potentially customer trust if anything ships from a compromised build chain.
SPEAKER_01: Exactly. From a business standpoint, the blast radius is about downstream compromise. It's been explicitly called out that this could trigger additional compromise across CI/CD environments. For defenders, the takeaway is to review detections and response coverage around execution and network egress from systems that you normally consider automation, not endpoints.
SPEAKER_00: And the tone here matters. It's not patch and forget, it's assume the workflow is part of the attack surface, which ties nicely into the defense move later.
Phishing To Account Takeover
SPEAKER_01: Moving on to our second story, the FBI is linking phishing attacks against encrypted messaging apps, specifically Signal and WhatsApp, to Russian intelligence services. And the advisory warns these campaigns have already compromised thousands of accounts. That's consistent with the key takeaway. Focus on the full user abuse path, delivery, user interaction, remote access, and credential misuse, so that detections and response playbooks cover the entire chain.
SPEAKER_00: So defenders shouldn't frame this as messaging app security, frame it as identity compromise and account takeover delivered through phishing. When we hear thousands of accounts, that's scale. It implies this isn't boutique targeting only. It's something teams should expect to see.
SPEAKER_01: And the operational implication is if your organization relies on these apps for sensitive coordination, incident response comms, executive comms, security team comms, compromised accounts can expose sensitive context and enable additional social engineering.
SPEAKER_00: Which leads to a practical defender lens. Are your teams prepared for account compromise in these communication channels as an incident class, not a theoretical one? Something you triage, contain, and recover from along the same chain that's been highlighted. How it arrived, what the user did, whether remote access occurred, and how credentials were misused.
SPEAKER_01: The stated goal is to persuade users to launch Quick Assist, which grants remote access. Then malware deployment and intrusion expansion follow.
SPEAKER_00: This one is painfully believable because it exploits a trust boundary that organizations build on purpose. Internal chat plus IT help implies legitimacy.
SPEAKER_01: Precisely. The technical impact pathway as described is Teams message, user interaction, Quick Assist launch, remote access, malware deployment, and expansion. And the defender takeaway is tightly scoped and practical. Harden remote assistance workflows, restrict Quick Assist where possible, verify help desk requests out of band, and alert on unusual remote support sessions.
SPEAKER_00: Out of band is the key phrase there because if the attacker is living inside the same collaboration tool, any verification that happens inside that channel is kind of the point of failure.
SPEAKER_01: And on the business side, this is the type of access that turns a social engineering event into a technical incident quickly. Remote control is a high-leverage step. So in terms of practical coverage, you want both preventative control over remote assistance tooling and detection and response around anomalous remote support activity.
SPEAKER_00: I also like that it's phrased as harden workflows, not tell users to be careful. Users are part of the chain, but defenders control the workflow design.
CVEs Exploited At Real Speed
SPEAKER_01: Alright, let's turn to this week's vulnerability spotlight. We've got three to cover. First, an active Interlock ransomware campaign exploiting a critical flaw in Cisco's secure firewall management software. The vulnerability is CVE-2026-20131 with a CVSS score of 10.0, and exploitation is used for root access. It also notes this warning comes from Amazon threat intelligence.
SPEAKER_00: That one is one where the words active campaign, critical, CVSS 10, and root access all land in the same sentence, which is basically a defender's triage alarm.
SPEAKER_01: Right. And the key takeaway is unambiguous. Treat this as a live exploitation risk. Identify exposed assets, prioritize emergency remediation, and hunt for signs of compromise before patching closes the window.
SPEAKER_00: I also like that it's phrased as hunt before patching closes the window. That's not about delaying fixes. It's about acknowledging that if exploitation is active, patching alone doesn't tell you whether you were hit yesterday.
SPEAKER_01: Exactly. We should be careful not to invent technical specifics we don't have, so we won't, but we can still extract the operational mandate. Exposed assets first, then remediation with an assumed breach mindset.
SPEAKER_00: And FMC in particular, anything in that security management control plane category tends to be high impact because it's trusted infrastructure. Again, trust boundary.
SPEAKER_01: Our second vulnerability item is a Dark Sword iOS exploit kit reportedly used by multiple threat actors since at least November 2025, leveraging six flaws, three of them described as zero-days, for full device takeover and sensitive data theft. That reporting is attributed to Google Threat Intelligence Group, iVerify and Lookout.
SPEAKER_00: Mobile compromise isn't always treated like a tier zero event, but this is describing a capability that can put everything on the device at risk.
SPEAKER_01: Patch exposed assets first, review logs for related activity, and verify mitigations are actually blocking abuse.
SPEAKER_00: And two, verify mitigations, because teams sometimes treat mitigations as checkboxes, and it's important to validate they're effective.
SPEAKER_01: And for a third item, we have LangFlow. A critical LangFlow flaw, CVE-2024-33017, CVSS 9.3, was exploited within 20 hours of public disclosure. And it uses that as a call out on how quickly threat actors weaponize newly published vulnerabilities.
SPEAKER_00: 20 hours. That's basically disclose and the clock starts immediately.
SPEAKER_01: Exactly. And again, without adding extra details we don't have, the defender takeaway is identify exposed systems, prioritize by reachability and privilege impact, and verify both patch status and detection coverage. Don't just assume the update alone is sufficient.
SPEAKER_00: That last part, detection coverage, is what separates patching as maintenance from patching as incident response. If exploitation is fast, you're patching into an environment where attempts may already be happening.
IoT Botnets And DDoS Reality
SPEAKER_01: Which ties directly into the broader theme of this issue. Treat telemetry review as if exploitation attempts are already in motion. For our trend to watch this week, the U.S. Justice Department, working with authorities in Canada and Germany, dismantled online infrastructure behind four disruptive IoT botnets used in major DDoS attacks. Reports say these botnets compromise more than 3 million hacked IoT devices, including routers and web cameras.
SPEAKER_00: 3 million is a reminder that IoT is an edge case. It's mass scale. And even if the infrastructure gets disrupted, the pattern is the point. Compromised devices, commoditized DDoS capability, and defenders needing to treat exposure as ongoing.
SPEAKER_01: Which ties directly into the broader theme of this issue. Treat telemetry review as if exploitation attempts are already in motion. The key takeaway is to frame it as a drill. Use a headline to pressure test your visibility. Do you have logs when network devices start behaving oddly? Do you know where routers, cameras, and unmanaged embedded devices exist in your environment? If not, this is a prompt without waiting for your own incident.
Quick Hits On Active Exploitation
SPEAKER_00: And importantly, it's a trend that aligns with the issue's theme of trust boundaries. Unmanaged devices often sit in places where monitoring assumptions are weak. Alright, let's run through some quick hits to round things out.
SPEAKER_01: Let's do it. First, CISA warns that flaws impacting Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint have been actively exploited in the wild, urging government agencies to patch. There are also flags of a Cisco zero-day being hit in ransomware attacks in the same item. Key takeaway: treat this like an active threat.
SPEAKER_00: Translation, this isn't routine Patch Tuesday hygiene. It's reduce the window right now, then verify whether you're already seeing knock-at-the-door activity.
SPEAKER_01: Second, CISA adds five actively exploited flaws to its Known Exploited Vulnerabilities catalog, including a critical CVSS 10.0 Craft CMS bug and Apple zero-days linked to Dark Sword malware. Key takeaway: treat it as active exposure management. Identify reachable systems, patch or mitigate by risk tier, and review telemetry for signs of attempted exploitation.
SPEAKER_00: And that overlaps nicely with the vulnerability spotlight. The point isn't just there are bugs, the point is they're being used, and the defender motion is exposure discovery, prioritization, and telemetry review.
SPEAKER_01: Third, SideWinder, described as a suspected India-linked threat group, expands espionage across Southeast Asia, targeting governments, telecom, and critical infrastructure. The emphasis is on spear phishing, older vulnerabilities, and rapidly rotating infrastructure to keep persistent access. Key takeaway: revisit spear phishing defenses for high-risk teams and watch for fast-changing infrastructure that can outpace static block lists. Fourth, Oracle patches a critical flaw, CVE-2026-21992, CVSS 9. Key takeaway? Review exposed authentication paths, verify policy enforcement across alternate login flows, and rotate credentials or tokens if abuse is plausible.
SPEAKER_00: The phrase alternate login flows is where real incidents hide. Teams validate the main path, but attackers use the side doors, anything that bypasses expected policy enforcement. Yep, these matter operationally, even if they're not CVEs.
SPEAKER_01: Policy and Regulation Watch. The European Union sanctioned companies in China and Iran for cyber attacks, and it's noted that the rulings prohibit those entities from entering or doing business in the EU. Key takeaway? Review supplier, partner, and procurement exposure against new sanctions designations to avoid avoidable compliance risk.
SPEAKER_00: That's one defenders sometimes treat as legal's problem. But it hits security operations when you're onboarding vendors, buying services, or maintaining relationships with third parties. If you're sanctioned adjacent and don't know it, that becomes an emergency you didn't plan for.
SPEAKER_01: Also in policy, OFAC sanctions six individuals and two entities tied to a DPRK IT worker network scheme using fake remote jobs as has been described. Key takeaway? Focus on the whole intrusion chain. Delivery, execution, persistence, and command and control should be visible in telemetry before it becomes a missed campaign.
SPEAKER_00: And staying strictly inside what's stated, even when something starts as fraud or hiring abuse, the operational lesson is the same. If you can't see delivery and execution, you can't contain early.
SPEAKER_01: OWASP Threat Dragon, an open source threat modeling tool for designing and analyzing application security architecture.
SPEAKER_00: I like it as a reminder that threat modeling isn't paperwork. It's how you spot the trust boundaries before attackers do.
One Week Tier 0 Validation Loop
SPEAKER_01: And the operational takeaway alongside it is to prioritize internet-facing and privileged systems first, add exploit attempt detections, and verify compensating controls actually block code execution paths. And that brings us to our actionable defense move of the week, which is the one-week tier 0 validation loop. Here's what it says to do, plain and implementable. For every tier 0 patch this week, firewalls, MDM, or EMM, VPN, IAM, backup, first, verify the new version is actually on the box. Second, confirm the exposure is removed or allowlisted externally. Third, review 14 days of admin, auth, and configuration logs for anomalies. And fourth, rotate secrets if compromise is plausible.
SPEAKER_00: I love this because it's not patch everything as a slogan. It's a loop. Apply, validate, review, rotate if needed. And tier zero is exactly where trust boundary failure turns into full control plane failure.
SPEAKER_01: And the final emphasis here supports that mindset. Identity paths and trust boundaries remain a primary operational weak point. Local privilege boundaries on Linux still matter after a foothold, and supply chain abuse keeps creating asymmetrical risk for defenders. The practical takeaway is to tighten exposed control planes, validate compensating controls, and review telemetry as if exploitation attempts are already in motion.
SPEAKER_00: Which honestly is the connective tissue across everything we covered. Supply chain compromise in CI/CD, user abuse paths in phishing, remote assistance as a trust boundary, and vulnerabilities that go from disclosure to exploitation fast.
SPEAKER_01: And the key takeaway here is crisp. Treat identity paths like production attack surface, reduce exposure, validate alternate flows, and review auth logs before assumptions become incidents.
SPEAKER_00: That's it for this episode. Thanks for spending time with us.
SPEAKER_01: Appreciate you listening. Follow the show on X, Facebook, and LinkedIn, and subscribe at https://infosec.watch.
SPEAKER_00: We'll be back next week with the next issue breakdown.