More Risky Business episodes

Risky Business #843 -- Fortibleed is kinda awesome, actually thumbnail

Risky Business #843 -- Fortibleed is kinda awesome, actually

Published 24 Jun 2026

Duration: 01:03:36

A comprehensive overview of cybersecurity threats and defenses, covering credential theft campaigns, SaaS and OAuth vulnerabilities, AI-driven risks, legacy infrastructure weaknesses, quantum policy implications, and strategies for securing IoT, SaaS, and post-quantum transitions.

Episode Description

On this weeks show special guest co-host Rob Joyce joins Patrick Gray and James Wilson to discuss the weeks cybersecurity news. Rob served as an advis...

Overview

The podcast discusses a large-scale cyberattack targeting Fortinet devices, where attackers exploited vulnerabilities in firewalls to steal 75,000 credential pairs via advanced tools like a custom Go-based exploit. The campaign, attributed to a Russian-speaking group, utilized sophisticated infrastructure, including cloud-native setups and remote access techniques, and remained undetected for an extended period. The discussion also highlights credential theft risks, emphasizing the use of 36 enterprise GPUs to crack weak passwords and the cyclical pattern of unpatched devices leading to expanded network access. OAuth token vulnerabilities were analyzed, particularly in breaches involving SaaS platforms like Salesforce, where stolen tokens enabled unauthorized data access. SaaS-to-SaaS trust relationships were critiqued for bypassing traditional network defenses, sparking debates over shared responsibility for security between vendors and users.

The podcast further explores AIs dual role in cybersecurity, including emerging vulnerabilities in AI-generated code that may introduce undetected supply chain risks, such as hallucinated dependencies and prompt injection exploits. Tools like Socket were discussed for detecting malicious open-source dependencies through behavioral analysis, with a focus on mitigating risks from AI-driven code generation. Hardware vulnerabilities, such as a buffer overflow flaw in older iPhone USB controllers, were also covered, alongside infrastructure challenges in municipal water systems and recent supply chain attacks targeting critical sectors. Finally, the episode addresses policy and technical gaps, including the U.S. push for post-quantum cryptography, debates over AIs impact on cybersecurity, and the complexities of securing rapidly evolving SaaS ecosystems without unified solutions.

What If

  • What if you prioritized proactive credential auditing to prevent extended breach periods like the Forty Bleed campaign?

    • Move: Implement automated credential rotation and real-time audit trails for all Fortinet devices and OAuth tokens using tools like Socket Firewall.
    • Why Now?: Credential theft campaigns like Forty Bleed exploit unpatched devices for months; proactive rotation reduces attack surface immediately.
    • Expected Upside: Fewer long-term unknown breaches, reduced risk of lateral movement via stolen credentials, and compliance with modern security best practices.
  • What if you redesigned your SaaS integrations to enforce strict OAuth token lifecycle controls and visibility?

    • Move: Deploy a zero-trust architecture for SaaS OAuth tokens, using behavior-based monitoring (e.g., Sockets analysis of dependency behavior) to flag non-expiring tokens and unauthorized scope expansions.
    • Why Now?: SaaS-to-SaaS trust relationships bypass traditional defenses, and leaked OAuth tokens can exfiltrate data without detection.
    • Expected Upside: Mitigation of data exfiltration risks from third-party integrations, tighter control over API access, and alignment with post-quantum cryptographic policy timelines.
  • What if you leveraged open-weight AI models for local bug detection to outpace AI-driven attack vectors?

    • Move: Use open-weight models like Quen 3.6 or 35BA3B for local code analysis, paired with a proxy-based dependency scanner (e.g., Socket Firewall) to detect AI-synthesized vulnerabilities pre-deployment.
    • Why Now?: AI-generated code and attack payloads are proliferating (e.g., LLM-based malware), while local models avoid exposing code to cloud-based adversaries.
    • Expected Upside: Faster identification of critical bugs (e.g., 22 vulnerabilities found in curl) with reduced risk of model lock-in, enabling cost-effective SDLC improvements.

Takeaway

  • Rotate Fortinet Credentials Regularly: Implement a strict credential rotation schedule for all Fortinet devices, as the Forty Bleed campaign exploited long-term unpatched credentails. Use automated tools to enforce expiry policies and audit access logs for anomalies.
  • Scope and Expire OAuth Tokens: Limit OAuth token lifespans and minimize their access scope to prevent SaaS integration breaches (e.g., Clues Salesforce token theft). Use tools like OAuth2.0 token introspection to monitor and revoke tokens proactively.
  • Audit SaaS Integrations for Trust Relationships: Map all third-party SaaS integrations and enforce strict access controls. Regularly review API permissions and implement logging/metrics to detect unauthorized data exfiltration via SaaS-to-SaaS trust chains.
  • Integrate AI-Driven Supply Chain Scanning Tools: Deploy tools like Socket or Socket Firewall to detect malicious dependencies in open-source packages. Use the proxy mode to block unsafe repo connections during CI/CD pipelines, avoiding LLM-generated supply chain risks.
  • Patch Known Vulnerabilities Immediately: Prioritize patching infrastructure (e.g., Fortinet, VMware) and open-source libraries using resources like the Patch the Planet initiative. Automate vulnerability detection via tools like Codex or GPT-5.5 to reduce tech debt in critical codebases.

Recent Episodes of Risky Business

5 Jun 2026 Soap Box: Detection and response in the AI age

The text explores the growing threat of zero-day exploits and vulnerabilities, emphasizing the need for advanced detection/response strategies, AI-driven automation in SOC tasks, collaborative AI systems for faster threat mitigation, and the evolving balance between AI capabilities and human oversight in security operations.

27 May 2026 Risky Business #839 -- TeamPCP stole GitHub's internal repos

A GitHub breach by "Team PCP" via a compromised VS Code extension exposed 3,800 internal repositories, underscoring supply chain risks, corporate underreporting, AI-driven threats, outdated dependencies, and systemic gaps in open-source and cybersecurity practices.

20 May 2026 Risky Business #838 -- GitHub investigates possible breach

Recent cybersecurity incidents, including GitHub's unauthorized access and a CISA contractor's credential exposure, highlight risks from misconfigurations, human error, legacy malware, AI-driven vulnerabilities, and enterprise tool flaws, alongside emerging threats like deepfakes, ransomware signing, and outdated infrastructure challenges exacerbated by geopolitical conflicts.

15 May 2026 Soap Box: Where does AI fit into cloud security?

Open-source cloud security tools like Prowler evolve through community contributions and AI integration, balancing automated security checks with deterministic controls amid challenges like dynamic APIs, enterprise adoption tensions, and the resurgence of foundational security measures in hybrid cloud environments.

13 May 2026 Risky Business #837 -- GitHub Actions footgun claims TanStack

Recommended: Security. Security. Security.

Summary: Cybersecurity risks from misconfigured GitHub Actions, AI-driven threats like autonomous malware, DNSSEC failures, ransomware attacks on education sectors, and challenges in AI model governance and supply chain vulnerabilities are explored, alongside discussions on regulatory responses and infrastructure resilience.

More Risky Business episodes