InfoSec.Watch

138 - Security Leverage Points

Infosec.Watch Season 2 Episode 138


We track the security stories that give attackers the most leverage, from AI-assisted exploit development to SaaS platform compromise, manufacturing ransomware, and high-impact vulnerabilities. We end with a practical defensive check: a short control plane exposure register that shows exactly which systems could change trust, access, routing, revenue, or production at scale. 
• AI-assisted zero-day exploit and why admin tools move to the top of the patch queue 
• Phishing-resistant MFA and reviewing trusted path assumptions for bypass risk 
• Canvas incident and the need for tenant-level SaaS impact assessment 
• Manufacturing ransomware as business disruption strategy across logistics and production 
• Cisco Catalyst SD-WAN controller authentication bypass and control plane blast radius 
• Exchange OWA KEV-driven mitigations and using deadlines for escalation 
• WordPress FunnelKit exploit leading to WooCommerce checkout skimming and script audits 
• Leverage-point thinking for modern asset inventory and exposure management 
• Control plane exposure register fields, owners, logs, rollback paths, review cadence 
If you want daily updates between episodes, you can find us on X, Facebook, and LinkedIn. Just search InfoSecWatch. And if you haven't already, head over to InfoSec.watch and grab the free weekly newsletter. It's concise, it's practitioner focused, and it lands every week. 



Thanks for listening to InfoSec.Watch!

Subscribe to our newsletter for in-depth analysis: https://infosec.watch
Follow us for daily updates:
- X (Twitter)
- LinkedIn
- Facebook

Stay secure out there!


Welcome And The Week’s Theme

SPEAKER_00

Welcome to the InfoSec Watch Podcast. This week centers on a single theme: systems that multiply attacker leverage. AI-assisted exploit development, SaaS platforms, manufacturing operations, network controllers, mail access, web front ends. The defender priority this week isn't just patching fast, it's knowing which systems can change trust, access, routing, and commerce or production when they fail. Let's get into it.

Starting with the top signals. Google's Threat Intelligence Group reported that it identified a criminal threat actor using a zero-day exploit it believes was developed with AI. The exploit targeted a two-factor authentication bypass in a popular open-source, web-based administration tool. Google said its proactive discovery may have prevented a planned mass exploitation event. Here's what matters: AI-assisted vulnerability discovery isn't a future threat to plan for. It's an operational planning problem right now. The window from vulnerability discovery to weaponization is shrinking. For defenders, that means exposed admin tools are your immediate priority. Enforce phishing-resistant MFA wherever you can, and review whether trusted path assumptions anywhere in your environment can be used to bypass second factor checks. That's the specific attack pattern Google is flagging.

Moving to Canvas. Instructure disclosed it detected unauthorized activity in Canvas on April 29. They revoked access, engaged forensic experts, and later reached an agreement intended to prevent publication of stolen data. The incident affected Canvas Free-for-Teacher activity and caused downstream disruption for education customers. The real issue here isn't the specific vendor, it's the SaaS incident response model. When a core SaaS platform is compromised, your response playbook needs to address tenant-level impact, not just "the vendor had an incident." You need answers to what user data was in scope, which integrations were live, what access tokens or API credentials may have been exposed. If your SaaS incident response plan doesn't include a tenant-level impact assessment workflow, this is a good week to fix that.

The third signal this week, and this one's about scale: Foxconn confirmed a cyber attack affecting its North American facilities. The Nitrogen ransomware group claimed responsibility and alleged large-scale data theft. Separately, West Pharmaceutical Services disclosed in an SEC filing that unauthorized actors exfiltrated data, encrypted systems, and temporarily disrupted global business operations. Two major manufacturers in one week. And the impact extended well beyond IT systems: shipping, receiving, production, logistics. That's the point. Ransomware groups know that business disruption is their leverage, not just data theft. If your ransomware response playbook stops at "restore from backup," it's incomplete. You need playbooks that cover production, logistics, shipping, receiving, and third-party communications. And those playbooks need to have actually been tested before an encryption event forces you to find out they don't work.

Now to vulnerabilities. Cisco published a May 2026 advisory for CVE-2026-20118, a critical authentication bypass affecting Cisco Catalyst SD-WAN controller and manager deployments. Rapid7 released technical analysis describing the issue as a control plane exposure that can lead to administrative access. Cisco also published dedicated remediation guidance, not just the advisory, but a full walkthrough for addressing the SD-WAN PCR issues. This one is serious, and here's why. SD-WAN controllers aren't just network appliances. They define routing policy, segmentation, and trust relationships across your entire fabric. An authentication bypass at the control plane layer is a fundamental compromise of that trust model. Step one, inventory every Catalyst SD-WAN component in your environment and verify which are on fixed releases. Step two, review controller logs for unexpected authentication activity or unexpected peering events. And importantly, hand your network team the Cisco remediation guidance directly, not just awareness that the advisory exists. Get completion evidence, not just acknowledgement.

Microsoft disclosed CVE-2026-42897, an Exchange Server Outlook Web Access vulnerability. CISA added it to the Known Exploited Vulnerabilities catalog on May 15th with a May 29 remediation deadline for federal civilian executive branch agencies. A permanent patch is still pending, but Microsoft has published mitigation guidance. If you're running Exchange on premises, don't wait for a final patch. Run the Exchange mitigation workflow now. Confirm your OWA exposure surface, and monitor for suspicious crafted message activity. That's the attack vector pattern. For organizations that aren't bound by the federal deadline, treat May 29 as a practical benchmark. If you have an exposed Exchange deployment still unmitigated on that date, you're behind. Use KEV deadlines as executive escalation points, not just compliance checkboxes.

One more vulnerability, and this one's for anyone running e-commerce. A critical, unauthenticated flaw in the FunnelKit Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Versions before the 3.15 dunzer.3 are affected. Attackers are using skimmer code disguised as analytics or tag manager scripts, the kind of thing that can sit on a checkout page for weeks before anyone notices. Patch FunnelKit immediately if you're running it. Then go audit the external scripts loaded on your checkout pages. Look for anything injecting into payment fields, any unfamiliar tag manager references, and any script that doesn't belong there. This is the kind of attack that doesn't make noise until customers start reporting fraudulent charges.

Now for the defender trend. And this is the thread that connects everything this week. Attackers are targeting leverage points, not just endpoints. Look at the full picture: an AI-assisted admin tool exploit, a SaaS platform breach, a Cisco SD-WAN controller authentication bypass, Exchange OWA exploitation, WooCommerce payment skimming, and ransomware disrupting manufacturing operations at scale. These aren't random targets. They're systems that sit at choke points, where trust, access, routing, commerce, or production is coordinated. When you compromise an endpoint, you own one endpoint. When you compromise a control plane, you own the blast radius of everything that trusts it. For defenders, the asset inventory problem has fundamentally changed. Internet-facing exposure is table stakes. The deeper question is, which of your systems, if compromised, could change access for hundreds of other systems? Which could redirect network traffic? Which could send trusted messages at scale? Which could inject code into every checkout? Which could halt production across a global operation? You need to know the answers to those questions before an incident forces you to figure them out under pressure.

Before we close out the week, a few more items worth knowing. On West Pharmaceutical, one detail from their SEC filing that's useful for planning purposes: the recovery wasn't a single restore event. Core enterprise systems came back first, and shipping, receiving, and manufacturing resumed at some sites while other systems were still being restored. That phased operational recovery is worth keeping in mind when you're scoping your own incident timelines. And SAP's May 2026 Security Patch Day included critical vulnerabilities in SAP Commerce Cloud and SAP S/4HANA. Some of these are scoring 9.6 on the CVSS scale. If your organization runs SAP, scope your internet exposure on those products, confirm who owns the patching process, and verify whether compensating controls are in place anywhere business teams control deployment timing. SAP environments are frequently under-monitored from a security standpoint, and a 9.6 in a business-critical ERP system is not a patch to defer.

This week's defensive check is directly tied to the trend we've been discussing. Create a control plane exposure register. Open a ticket for it this week. Security engineering leads it, but it requires input from infrastructure, network, identity, cloud, and application owners. You can't do this from the security team alone. For each system on the list, you want to capture the system name and the business function it controls. The owner, a specific person, not a team, and a backup owner. Internet exposure status and admin access path. What type of MFA is enforced, where logs go, and retention period. Current version, patch status, rollback path, and isolation procedure. Start with the obvious candidates. SD-WAN controllers, VPNs, identity providers, Exchange and OWA, MDM platforms, EDR consoles, SaaS admin portals, CI/CD systems, payment plugins, SAP systems, and production and logistics platforms. The evidence that you're done isn't a sprawling spreadsheet. It's a reviewed list, short enough to actually be reviewed, with named owners, exposure status, log source, rollback path, and a next review date already on the calendar. The goal isn't a perfect CMDB, it's a short, defensible answer to the question: which systems give an attacker leverage over many other systems if they're compromised? If you can't answer that for your top ten systems, the list isn't done.

And the final word this week: the lesson is simple, but it deserves to land. Defenders need to think in terms of leverage. Attackers aren't randomly scanning for anything exploitable. They're looking for places where one compromise changes trust, access, operations, or revenue at scale. This week gave us multiple examples in a single news cycle. Patch the urgent flaws, yes, but the deeper work is mapping the systems where a single intrusion would feel like 10. Because that's where attackers are already looking. Stay sharp. Thanks for listening to the InfoSec Watch podcast. If you want daily updates between episodes, you can find us on X, Facebook, and LinkedIn. Just search InfoSecWatch. And if you haven't already, head over to InfoSec.watch and grab the free weekly newsletter. It's concise, it's practitioner focused, and it lands every week. We'll see you next time.
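
The control plane exposure register described in the episode, as an added example that is not part of the show or its notes: a small check that each row carries the fields listed, names a person rather than a team, and has a review date that has not lapsed. The key names, the team-word and MFA label lists, the ten-row cap (taken from the "top ten systems" remark) and the sample rows are all assumptions made for illustration.

```python
from datetime import date

# Fields the episode lists per system; the key names themselves are assumed.
REQUIRED = ("system", "business_function", "owner", "backup_owner",
            "internet_exposed", "admin_access_path", "mfa_type",
            "log_destination", "log_retention_days", "version", "patch_status",
            "rollback_path", "isolation_procedure", "next_review")
# Assumption: words suggesting a team or queue instead of a named person.
TEAM_WORDS = {"team", "group", "ops", "operations", "helpdesk", "soc"}
# Assumption: MFA labels this sketch treats as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "passkey", "piv"}

def review_entry(entry, today):
    """Return findings for one register row (empty list means reviewable)."""
    findings = [f"missing:{f}" for f in REQUIRED if entry.get(f) in (None, "")]
    for role in ("owner", "backup_owner"):
        if TEAM_WORDS & set(str(entry.get(role) or "").lower().split()):
            findings.append(f"not-a-person:{role}")
    if entry.get("owner") and entry.get("owner") == entry.get("backup_owner"):
        findings.append("backup-owner-same-as-owner")
    mfa = str(entry.get("mfa_type") or "").lower()
    if entry.get("internet_exposed") and mfa not in PHISHING_RESISTANT:
        findings.append("exposed-without-phishing-resistant-mfa")
    review = entry.get("next_review")
    if review and date.fromisoformat(review) < today:
        findings.append("review-overdue")
    return findings

def review_register(register, today, max_rows=10):
    """Map system name -> findings; flag a register too long to review."""
    report = {e.get("system", "?"): review_entry(e, today) for e in register}
    if len(register) > max_rows:
        report["_register"] = [f"too-long:{len(register)}>{max_rows}"]
    return {name: f for name, f in report.items() if f}

# Constructed sample rows (not real systems or people).
SDWAN = {"system": "SD-WAN controller", "business_function": "WAN routing policy",
         "owner": "A. Rivera", "backup_owner": "J. Chen", "internet_exposed": True,
         "admin_access_path": "VPN + jump host", "mfa_type": "fido2",
         "log_destination": "SIEM", "log_retention_days": 365,
         "version": "placeholder", "patch_status": "fixed release",
         "rollback_path": "config snapshot", "isolation_procedure": "runbook NET-1",
         "next_review": "2026-09-01"}
OWA = dict(SDWAN, system="Exchange OWA", business_function="mail access",
           owner="Messaging Team", backup_owner="", mfa_type="totp",
           rollback_path="", next_review="2026-05-01")

if __name__ == "__main__":
    for name, found in review_register([SDWAN, OWA], date(2026, 6, 1)).items():
        print(name, found)
```

Rows with no findings drop out of the report, so an empty result is the "reviewed list" state the episode describes.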