Trivy Breach Spreads Into CI/CD Pipelines; FCC Bans Routers Made Abroad; Spanish Port Disrupted by Ransomware

This is essentially the CI/CD GitHub equivalent of the 2020 SolarWinds system management software compromise, with several new wrinkles. See the SANS blog item and the March 25 webcast for immediate actions required. https://www.sans.org/webcasts/when-security-scanner-became-weapon

What is reported so far is likely just the tip of the iceberg. In my opinion, the most important lesson from this event is that you MUST be able to rotate credentials quickly. This will not work without solid secrets management. If you can’t rotate credentials routinely (weekly?), you are not doing it right. Include developer credentials, and do not just treat this as a production credential issue. And yes, it is hard.

The use of AI makes finding issues, such as exposed credentials, much easier. I’m reminded of something Ed Skoudis told me years ago when solving a CTF: Cheat to Win. Don’t panic — seriously look at leveraging AI to make sure you don’t have exposed or overlooked secrets, and that you’ve rotated them. Then leverage it to discover any exfiltration, maintain situational awareness, and target response actions.

One continues to assert that suppliers should be held liable for damages resulting from their distribution of malicious (as opposed to routinely poor quality, which the market has come to tolerate) code. It this slows down distribution, so be it.

Compared to commercial systems, consumer devices tend to be simpler to secure. Don’t expose the admin interface to the internet, set a reasonably strong password, and you will stop >99% of attacks. I wish the rule would not just focus on the country of origin, but also establish minimum/baseline security requirements. What about devices manufactured in the US, but vulnerable enough to still be easily compromised? What about US-made devices loading updates from non-US sources?

The intent here is understandable given the documented threat from state-sponsored actors such as Salt Typhoon, but policy built on geography rather than technical risk assessment is a blunt instrument. We are seeing similar proposals emerge under changes to the EU Cybersecurity Act, where there are moves to restrict certain technology vendors based on their country of origin being deemed a 'hostile state.' The problem with this approach is that it creates confusion and uncertainty in the market, and leaves organisations unclear on how to plan procurement and infrastructure decisions. Perhaps more concerning is what happens when geopolitical relationships shift. A vendor from a country considered friendly today may find itself on a restricted list tomorrow should international relations sour, creating further disruption for organisations that have built their infrastructure around those products. A more durable and technically credible approach would be to establish clear, enforceable security standards that any vendor must meet regardless of where they are headquartered or where their products are manufactured and then hold them to those standards consistently.

If the FCC and DHS can keep up with the speed of assessment and conditional approval needed to really have any positive impact on risk, great idea. If not, either extensions will be granted or approvals given without meaningful assessment — more paperwork, no gain in security.

Managing supply chain risk has to be ingrained/SOP. While this restriction seems extreme at first blush, the activities by Salt Typhoon warrant taking actions to prevent recurrence. The good news is these restrictions make understanding what is disallowed or needing exception easy. Make sure your controls are easy to understand and you include an exception process, which has been tested.

The US manufactures very few consumer routers. The FCC rule brings up some practical questions on how it will be implemented and what will be the collateral impact. Besides, the risk, if there is one, will still exist given the large installed base of foreign made routers.

Routers play a vital role in both public network and enterprise security. Their implementation, configuration, and maintenance leave a lot to be desired. This assessment is only a tiny step in reducing this risk.

This attack appears to have targeted the port’s operational IT systems rather than industrial control systems, which is why cargo movement continued while scheduling and coordination platforms went offline. Many environments assume that keeping OT separate is sufficient, but this incident shows how operations depend on supporting IT services. From an administrative standpoint, this reinforces the need for strong segmentation between business systems, port logistics platforms, and any shared infrastructure, along with tightly controlled administrative access. The shift to manual operations also suggests limited resilience in application-layer recovery, highlighting the importance of tested backups, rapid system rebuild capability, and clear prioritization of which services must be restored first to resume normal operations.

No ransomware gang has taken credit for the attack despite reports of a ransom demand. The port is waiting for “everything to be clean” before restoring connections. Hopefully systems will be back online before the impact to freight traffic becomes significant.

Not a lot of details on the cyber incident. That said, how the adversary compromised the servers and total costs to regain full business operations would be valuable to cyber defenders. Hopefully the government of Spain will make this a requirement of the investigation.

Luckily, none of the vulnerabilities have been observed in attacks (yet). The “DarkSword” exploit kit that hit recently is mitigated with the iOS 26.3 update, released in February. But even for Apple users, exploit timelines are shrinking. Try to have your devices updated by the end of next week.

Depending on how you count or group them, there are 85 flaws being addressed. Just roll the patches. This update includes the fix in macOS/iPadOS/iOS 26.3.1(a). Make sure you have plans to get those macOS 14/15 systems onto macOS 26 — it may require replacement hardware, which may necessitate conversation about uses that depend on the Intel CPU and workarounds. Don’t arbitrarily decide to wipe or disable those older systems without understanding why they are still in use; those aren’t fun conversations.

The backporting of more than twenty fixes to older iOS and iPadOS versions is a welcome move, acknowledging the reality that not all users run the latest hardware. We seem to be at the dawning of a new threat landscape targeting iOS and iPadOS, demonstrated by the recent Coruna and DarkSword malware. My concern is that there may be a level of false security amongst Apple users; these patches and other future patches may not be applied in a timely manner and we may see a mass compromise of these platforms in time. If you have Apple devices in your corporate estate, consider creating a policy in your MDM tool to enforce a minimal patch level for any those devices.

Apple security updates have been timely and non-disruptive. Automatic updates should be the default for all but a tiny fraction of Apple users. However, Apple has concluded that some security updates should not be left to user discretion. Such discretion always leaves a window of opportunity for exploitation between the time that Apple publishes a release and most users have applied it. It now reserves the right to apply mandatory automatic security updates. I have already seen at least one such update.

Sadly we won't see any vendors or so-called cybersecurity experts who initially cried wolf and blamed this outage on cyberattacks withdraw, retract, or amend their commentary. Then we wonder why as an industry we struggle to be taken seriously by businesses and governments.

The report notes what went well, such as disconnecting from the connecting European grid to prevent added outages, as well as noting areas for improvement, such as better configuration of renewable power providers to better supplement power in a similar situation. Download and read the report; you’ll want to discuss opportunities with your team.

There you have it, the blackout was not cyber related, but rather caused by contention for resources to maintain business operations. The only question remaining is whether the report actually results in reallocation of spending to make the necessary changes.

In Normal Accidents Charles Perrow taught us that accidents are often, not to say usually, the result of multiple failures. This is particularly true of Grid failures because grids are designed to tolerate component failure, load imbalance, and even some operator errors. Perrow shows us that most systems can be overwhelmed and are particularly vulnerable to operator error. He should be mandatory reading for those involved in the implementation and management of infrastructure.

ICT got lucky as none of their customer facing or government supporting services were impacted. The compromised systems remain offline while the investigation completes which is impacting their employees, who may disagree with my calling this lucky. Have a plan on how to manage impact of internal system outages. Your staff won’t relish unpaid leave or idle time at their desk as much as you may think, regardless of their improved solitaire scores.

Automatic controls, including separation and access control, of function (transactions and changes) and management alerts, are both effective and efficient. That said, they are not a substitute for management supervision.

This incident is a perfect example of how cyberattacks can have very direct physical consequences for ordinary people. The dependency on continuous cloud connectivity for safety-critical devices like ignition interlocks highlights that resilience and offline fallback modes should be design requirements, not afterthoughts. Regulators overseeing these devices should be asking hard questions about vendor cyber resilience as part of product approval.

This is a case of the maximum tolerable outage window being exceeded. In this case a ten-day workaround is available, and the workaround meeting the compliance requirements for the system. (The driver still needs to pass the breath test). The takeaway is to review your resilience plans to see if your outage and recovery plans are still realistic, and adjust where needed. You may also want develop workaround scenarios where you aren’t able to recover services in the window intended. Then test both.

Expect more of these types of service disruptions as companies look to mergers and acquisitions for market growth. Government can help by requiring risk reviews and percentage caps on market consolidation.

"Fail safe" will almost always inconvenience someone.

Another win for the good guys. It’s essential for cyber criminals to not only get shut down but also face fines and jail time to make the consequences of their actions real and meaningful to others similarly inclined. If you’re a victim in a case, have a clear understanding of how much of any fine or financial recovery to expect, if any, up front to avoid disappointment.

Well done to all involved in bringing these criminals to justice. These sentences send a clear message that cybercrime is not a victimless pursuit and that law enforcement cooperation across borders is yielding real results.