Dragon Bytes
Avsnitt

Software Supply Chain Paradox, Ubiquiti Zero-Days, and the TFL Hackers

Dela

This week on Dragon News Bytes, Eli Woodward, Stephen Campbell, Will Thomas, and newly joined threat intel advisor Lucas Bliven break down the latest high-urgency threats targeting enterprise infrastructure. From the contradictory security advice surrounding AI and CI/CD pipelines to the weaponization of Microsoft Teams, the team strips away the noise to look directly at adversary tradecraft. The episode also dives into the massive real-world fallout of the Transport for London (TFL) hack and the growing prevalence of Operational Relay Boxes (ORBs) facilitating state-sponsored attacks.


Topics & References:

Part 1: The CI/CD Pipeline & The AI Paradox

  • Organizations are facing contradictory advice regarding patching and software supply chain attacks.

  • While AI enables faster exploitation requiring rapid patching, adversaries are simultaneously using AI to launch poisoned updates into CI/CD pipelines.

  • Some organizations are implementing mandatory cooldown periods for new repository pushes before adding them to their pipelines to monitor for malicious activity.

  • Highly advanced organizations are mitigating this risk by maintaining entirely cloned, self-audited databases of approved software packages.

Part 2: Ubiquiti, Cisco, and the Rise of ORBs

  • New vulnerabilities added to the CISA KEV include a CVSS 10 flaw for Ubiquiti devices.

  • When chained together, these flaws give an attacker full unauthenticated remote code execution and device takeover.

  • Cisco SD-WAN devices are also facing active zero-day exploitation, with ORB activity linked upstream to the telemetry observed in a recent Mandiant report.

  • State-sponsored groups, such as APT28, are heavily targeting edge devices like routers to build Operational Relay Box (ORB) networks, bypassing geo-restrictions and looking like residential IPs.

  • Chinese offensive exploit retailers, such as iSoon, have been developing offensive networks to sell or rent access for tailored state operations.

Part 3: Microsoft Teams C2 & TFL Hack Arrests

  • The Dragon Force ransomware group is utilizing Microsoft Teams as a relay for Command and Control (C2) communications.

  • This represents a severe challenge for defenders, requiring highly verbose logging to filter malicious communications from legitimate cloud infrastructure traffic.

  • The UK's National Crime Agency arrested two young men (18 and 20) associated with Scattered Spider and Lapsus$ for their role in the Transport for London (TFL) cyberattack.

  • The TFL attack caused massive disruption, forcing 30,000 individuals to queue in person around London to show their IDs for account resets.

Part 4: Threat Intelligence & Upcoming Events

  • Annual cybersecurity vendor reports offer value, but organizations should consult their incident response insurance providers to determine which reports best align with their specific industry risk picture.

  • Small-to-medium-sized businesses are increasingly targeted for easier payouts because they often lack full SOC security coverage.

  • Team Cymru will be present at Black Hat and DEF CON in August, including presentations in the Telecom Village, Adversary Village, and Noob Village.


Events & Community:

  • Underground Economy: September 7th -9th in Strasbourg, France

🔗 to register: https://www.team-cymru.com/events/underground-economy-2026


Connect with Us:


Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

Podden och tillhörande omslagsbild på den här sidan tillhör Dragon Bytes. Innehållet i podden är skapat av Dragon Bytes och inte av, eller tillsammans med, Poddtoppen.