Episode #
20

Software Supply Chain Paradox, Ubiquiti Zero-Days, and the TFL Hackers

This week on Dragon News Bytes, Eli Woodward, Stephen Campbell, Will Thomas, and newly joined threat intel advisor Lucas Bliven break down the latest high-urgency threats targeting enterprise infrastructure. From the contradictory security advice surrounding AI and CI/CD pipelines to the weaponization of Microsoft Teams, the team strips away the noise to look directly at adversary tradecraft. The episode also dives into the massive real-world fallout of the Transport for London (TFL) hack and the growing prevalence of Operational Relay Boxes (ORBs) facilitating state-sponsored attacks.

Topics & References:

Part 1: The CI/CD Pipeline & The AI Paradox

  • Organizations are facing contradictory advice regarding patching and software supply chain attacks.
  • While AI enables faster exploitation requiring rapid patching, adversaries are simultaneously using AI to launch poisoned updates into CI/CD pipelines.
  • Some organizations are implementing mandatory cooldown periods for new repository pushes before adding them to their pipelines to monitor for malicious activity.
  • Highly advanced organizations are mitigating this risk by maintaining entirely cloned, self-audited databases of approved software packages.

Part 2: Ubiquiti, Cisco, and the Rise of ORBs

  • New vulnerabilities added to the CISA KEV include a CVSS 10 flaw for Ubiquiti devices, tracked under CVE-2026-3498, 3499, and 3410.
  • When chained together, these flaws give an attacker full unauthenticated remote code execution and device takeover.
  • Cisco SD-WAN devices are also facing active zero-day exploitation, with ORB activity linked upstream to the telemetry observed in a recent Mandiant report.
  • State-sponsored groups, such as APT28, are heavily targeting edge devices like routers to build Operational Relay Box (ORB) networks, bypassing geo-restrictions and looking like residential IPs.
  • Chinese offensive exploit retailers, such as iSoon, have been developing offensive networks to sell or rent access for tailored state operations.

Part 3: Microsoft Teams C2 & TFL Hack Arrests

  • The Dragon Force ransomware group is utilizing Microsoft Teams as a relay for Command and Control (C2) communications.
  • This represents a severe challenge for defenders, requiring highly verbose logging to filter malicious communications from legitimate cloud infrastructure traffic.
  • The UK's National Crime Agency arrested two young men (18 and 20) associated with Scattered Spider and Lapsus$ for their role in the Transport for London (TFL) cyberattack.
  • The TFL attack caused massive disruption, forcing 30,000 individuals to queue in person around London to show their IDs for account resets.

Part 4: Threat Intelligence & Upcoming Events

  • Annual cybersecurity vendor reports offer value, but organizations should consult their incident response insurance providers to determine which reports best align with their specific industry risk picture.
  • Small-to-medium-sized businesses are increasingly targeted for easier payouts because they often lack full SOC security coverage.
  • Team Cymru will be present at Black Hat and DEF CON in August, including presentations in the Telecom Village, Adversary Village, and Noob Village.

Events & Community:

  • Underground Economy: September 7th -9th in Strasbourg, France

🔗 to register: https://www.team-cymru.com/events/underground-economy-2026

Connect with Us:

Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.