Software Supply Chain Paradox, Ubiquiti Zero-Days, and the TFL Hackers
This week on Dragon News Bytes, Eli Woodward, Stephen Campbell, Will Thomas, and newly joined threat intel advisor Lucas Bliven break down the latest high-urgency threats targeting enterprise infrastructure. From the contradictory security advice surrounding AI and CI/CD pipelines to the weaponization of Microsoft Teams, the team strips away the noise to look directly at adversary tradecraft. The episode also dives into the massive real-world fallout of the Transport for London (TFL) hack and the growing prevalence of Operational Relay Boxes (ORBs) facilitating state-sponsored attacks.
Topics & References:
Part 1: The CI/CD Pipeline & The AI Paradox
- Organizations are facing contradictory advice regarding patching and software supply chain attacks.
- While AI enables faster exploitation requiring rapid patching, adversaries are simultaneously using AI to launch poisoned updates into CI/CD pipelines.
- Some organizations are implementing mandatory cooldown periods for new repository pushes before adding them to their pipelines to monitor for malicious activity.
- Highly advanced organizations are mitigating this risk by maintaining entirely cloned, self-audited databases of approved software packages.
Part 2: Ubiquiti, Cisco, and the Rise of ORBs
- New vulnerabilities added to the CISA KEV include a CVSS 10 flaw for Ubiquiti devices, tracked under CVE-2026-3498, 3499, and 3410.
- When chained together, these flaws give an attacker full unauthenticated remote code execution and device takeover.
- Cisco SD-WAN devices are also facing active zero-day exploitation, with ORB activity linked upstream to the telemetry observed in a recent Mandiant report.
- State-sponsored groups, such as APT28, are heavily targeting edge devices like routers to build Operational Relay Box (ORB) networks, bypassing geo-restrictions and looking like residential IPs.
- Chinese offensive exploit retailers, such as iSoon, have been developing offensive networks to sell or rent access for tailored state operations.
Part 3: Microsoft Teams C2 & TFL Hack Arrests
- The Dragon Force ransomware group is utilizing Microsoft Teams as a relay for Command and Control (C2) communications.
- This represents a severe challenge for defenders, requiring highly verbose logging to filter malicious communications from legitimate cloud infrastructure traffic.
- The UK's National Crime Agency arrested two young men (18 and 20) associated with Scattered Spider and Lapsus$ for their role in the Transport for London (TFL) cyberattack.
- The TFL attack caused massive disruption, forcing 30,000 individuals to queue in person around London to show their IDs for account resets.
Part 4: Threat Intelligence & Upcoming Events
- Annual cybersecurity vendor reports offer value, but organizations should consult their incident response insurance providers to determine which reports best align with their specific industry risk picture.
- Small-to-medium-sized businesses are increasingly targeted for easier payouts because they often lack full SOC security coverage.
- Team Cymru will be present at Black Hat and DEF CON in August, including presentations in the Telecom Village, Adversary Village, and Noob Village.
Events & Community:
- Underground Economy: September 7th -9th in Strasbourg, France
🔗 to register: https://www.team-cymru.com/events/underground-economy-2026
Connect with Us:
- Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru
- Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.