Crestvale Newsroom
Crestvale Newsroom is a short-form podcast breaking down what’s happening across business, finance, and technology, and why it actually matters. Each episode focuses on signal over noise, helping operators, founders, and decision-makers stay informed without chasing headlines.
CISA orders Ivanti Sentry patch by Sunday
If you run internet-facing infrastructure, your patch window just collapsed from months to days. And if you miss that window, you should assume attackers are already inside. This is the Crestvale Newsroom Daily Podcast.

CISA just forced a shift that most organizations are not operationally ready for. A max severity command injection flaw in Ivanti Sentry is already being exploited in the wild. In response, the Cybersecurity and Infrastructure Security Agency invoked its new directive and gave federal agencies 72 hours to patch or shut systems down. Not mitigate, not monitor: patch or pull the plug. This is the first real use of Binding Operational Directive 2604, and it resets expectations for how fast critical infrastructure needs to respond when active exploitation is confirmed. There are two parts of this that matter. First, the assumption has changed. External researchers are already seeing broad exploitation attempts. The guidance is no longer "treat this as risk." It is "treat this as compromise." Second, the timeline is now measured in days, not weeks, not quarterly patch cycles. And this is not happening in a vacuum. Ivanti has now had dozens of critical vulnerabilities flagged over recent years. Many of them have been actively targeted by ransomware groups. This is a pattern of exposure that attackers understand well. Here is why this matters. If you operate internet-facing appliances, especially security appliances, you need to assume they are high priority targets the moment a vulnerability goes public. Your incident response and patching model has to match that reality. That means rapid isolation, fast patch deployment, and in some cases, being ready to take systems offline entirely. If your current process cannot move in 72 hours, then your real exposure window is not 72 hours. It is however long it takes you to catch up. And attackers will use that gap. Now, that same compression of time is showing up in how attacks actually play out.
A zero day in Oracle PeopleSoft was exploited before most organizations even knew it existed. The group behind it, ShinyHunters, moved straight from initial access to data theft and extortion across more than 100 organizations. No waiting. No slow burn. The vulnerability was a critical remote code execution flaw in PeopleTools. It required no authentication. That made initial access trivial. What happened next was structured and repeatable. Attackers deployed remote management tools disguised as legitimate agents. They mapped internal systems. They spread credentials across environments. And then they exfiltrated data for extortion. Higher education got hit first, not because it was uniquely valuable, but because it had a high concentration of exposed systems. Here is the important shift. The timeline from zero day to monetization is now measured in days, sometimes hours. If you are running legacy systems that are exposed to the internet and slow to patch, you are not buying time. You are giving attackers a predictable window to operate.

Meanwhile, software supply chain attacks are getting faster in a different way. Two worms, Miasma and Ironworm, turned npm into a propagation engine for credential theft, and they are exploiting a very specific weakness: timing. The malicious code runs during the install process, before most scanners or endpoint tools can flag anything. By the time a signal appears, credentials are already gone. And those credentials are not trivial. These worms are targeting GitHub tokens, CI/CD secrets, cloud credentials, and keys tied to AI tooling. This is about control of infrastructure. In one case, the worm spread across a major maintainer network in just over a minute. It reached large organizations within days. Detection is simply too late in that model. If your pipeline allows untrusted code to execute during install without isolation, then you have already lost the race.
The control point has to move earlier or become enforced at runtime.

Now, on a different front, platform providers are starting to go after the attackers themselves. Google filed a lawsuit against a group it says used AI to run large-scale smishing campaigns. We are talking millions of text messages and over a million phishing domains. This is industrialized fraud. The operation used automation and AI to impersonate trusted brands at scale. That turns brand trust into an attack surface. Google is not just filtering messages; it is trying to dismantle the infrastructure behind them. That includes legal action, telecom coordination, and large-scale blocking systems. For security teams, the takeaway is simple. SMS and messaging are now primary attack channels, not edge cases. And brand impersonation is happening at a scale where traditional blocking approaches cannot keep up.

Here is what else is worth knowing today. AMD took over four months to patch a reported vulnerability and then declined to reward the researcher. That kind of signal weakens disclosure incentives and increases the chance that serious bugs stay private. The Cloud Security Alliance reports that most financial firms are already using AI agents with some level of autonomy. A significant portion do not know if those agents have been involved in a breach. Agent jacking is emerging as a real issue. Attackers are using AI coding agents as execution paths for malicious code, effectively turning developer tooling into a new supply chain vector. Mackay Sugar halted physical operations after a cyber attack. This is a reminder that operational technology incidents now translate directly into lost revenue. The European Commission is pushing for more sovereign and open source technology adoption. That points to a gradual fragmentation of cloud and identity ecosystems across regions. Before we close out, here is a quick look at where markets landed.
Equities closed higher in the previous session, with both SPY and QQQ moving up, suggesting continued strength in large cap and tech. The 10-year Treasury yield also moved higher, indicating tighter financial conditions. In commodities and digital assets, Bitcoin and gold both finished higher, while oil moved lower, showing a split between risk assets and energy.

Here is the takeaway. If your security model depends on time to react, you are already behind attackers who now move at machine speed. Tomorrow we are watching how organizations start redesigning pipelines and patch workflows to close these shrinking attack windows. If this was useful, follow the Crestvale Newsroom Daily Podcast so you don't miss it. Thanks for listening. Thanks for ill.
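The npm worm segment above turns on one mechanic: npm runs a package's install-time lifecycle scripts (preinstall, install, postinstall, prepare) automatically, so the payload fires before any scanner sees it. The script below is an added defender-side example, not code from the podcast or from npm; it walks a node_modules tree and lists every package that declares one of those hooks, so a pipeline can fail or review the build before scripts run. The package names it scans (clean-lib, sketchy-lib) are constructed samples built inline, not real packages.

```python
import json
import tempfile
from pathlib import Path

# npm executes these package.json hooks during `npm install` without any
# prompt; an install-time worm hides its payload behind one of them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules: str) -> dict:
    """Return {package name: {hook: command}} for every installed package
    whose package.json declares an install-time lifecycle script."""
    flagged = {}
    for manifest in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't trust it
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            flagged[data.get("name") or manifest.parent.name] = hooks
    return flagged


def build_sample_tree(root: str) -> str:
    """Constructed sample node_modules: one clean package and one that
    declares a postinstall hook (hypothetical names, not real packages)."""
    nm = Path(root) / "node_modules"
    for name, scripts in (
        ("clean-lib", {"test": "node test.js"}),
        ("sketchy-lib", {"postinstall": "node setup.js"}),
    ):
        pkg = nm / name
        pkg.mkdir(parents=True)
        manifest = {"name": name, "version": "1.0.0", "scripts": scripts}
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return str(nm)


def scan_sample() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hooks in scan_sample().items():
        print(f"{pkg}: {hooks}")  # prints: sketchy-lib: {'postinstall': 'node setup.js'}
```

To move the control point earlier, as the episode recommends, pair this with `ignore-scripts=true` in the project's `.npmrc` (or `npm ci --ignore-scripts`) so hooks never run unreviewed in CI, and whitelist the few packages whose hooks the scan shows are genuinely needed.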