The Red Thread Weekly Wrapup: Issue #13
Categories: IT Risk Management | Information Security | Penetration Testing
I have spent 26 years watching the same patterns repeat across different technologies, and this week was a loud reminder of why the gear you trust most is often your biggest blind spot. When we buy a firewall or a high-end security appliance, there is a psychological shift that happens in the boardroom. We check a box. We assume the perimeter is held by a silent, infallible sentry. But the reality is that these devices are just software, and software is written by people who make mistakes.
This week, the industry is grappling with the scale of FortiBleed. We are looking at over 110 million credentials stolen from FortiGate devices. It is a staggering number, but the technical failure is less interesting to me than the management failure. The breach did not happen because of a complex, cinematic zero-day exploit. It happened because of exposed management interfaces and a lack of multi-factor authentication on the very devices meant to protect the network. It is the digital equivalent of buying the most expensive deadbolt on the market and then leaving the key in the lock.
The Illusion of the Perimeter
The FortiBleed campaign has been a methodical, large-scale harvesting operation. Attackers found roughly 430,000 devices exposed to the internet and simply started knocking on doors. If you are a CFO or a CEO, you might wonder why your IT team would leave a management door open to the public web. Usually, it is a matter of convenience or a legacy configuration that was never cleaned up. But in a world where initial access brokers are monetizing these entries for millions, convenience is a luxury you can no longer afford.

The impact here is not just a temporary outage. We are seeing RADIUS credentials, NTLM hashes, and authentication tokens for databases like MySQL being syphoned off in bulk. This is the raw material for lateral movement. Once an attacker has these, they are no longer an intruder; they are a legitimate user in the eyes of your system. This is why we focus so heavily on IT Risk Management that looks past the presence of a tool and evaluates how that tool is actually being governed.
When AI Agents Go Rogue
While we are cleaning up the mess at the perimeter, the "inside" of our networks is becoming more complex with the rapid adoption of AI agents. This week, two specific risks caught my eye: AutoJack and Copilot SearchLeak. We are moving past the phase where AI is just a chatbot you talk to. We are now giving these models agency: the ability to execute code and search through our internal files to "help" us work faster.
AutoJack is a reminder that any system capable of executing commands on your behalf can be tricked into executing commands for an attacker. It is a Remote Code Execution risk that lives in the logic of the AI agent itself. Similarly, SearchLeak demonstrates how easily an AI integrated into your workflow can be manipulated into exfiltrating sensitive data through seemingly benign search queries. When you combine these, you have a tool that can both steal your data and run malicious scripts, all while operating under the permissions of your most trusted employees.

This is why Data Governance is no longer a back-office compliance task. It is a fundamental security control. If you cannot classify what data an AI agent is allowed to see, you cannot secure the output of that agent. We are seeing a trend where the pursuit of productivity is creating massive, unmonitored backdoors into the corporate crown jewels.
The Vulnerability of the Pipeline
The third thread I am pulling on this week involves Cisco SD-WAN and GitHub. We are seeing more supply chain flaws where the very tools used to manage and deploy our infrastructure are being targeted. When a vulnerability exists in the pipeline (the path that code and configurations take to get to your production environment), every device downstream is at risk.
If an attacker can compromise a GitHub workflow or a management console like Cisco vManage, they do not need to hack your individual servers. They simply wait for your next scheduled update to deliver the payload for them. It is a highly efficient way to compromise an entire enterprise at once. This shift in the threat landscape is why a standard Penetration Test must now include your CI/CD pipelines and your third-party management platforms.

A Single Source of Truth
The common thread in all of these incidents, from the firewall to the AI agent to the supply chain, is misplaced trust. We trust that the vendor secured the device. We trust that the AI is only doing what we asked. We trust that our deployment pipeline is a closed loop.
My takeaway for you this week is simple: trust is a liability that must be managed. It is not enough to have the right technology in place. You need a continuous process of verification that ensures your "trusted" systems aren't actually working against you.
If you are concerned about how these evolving risks fit into your current roadmap, I am happy to have a direct conversation about how we can tighten those controls without slowing down your business.