
When Accidents Are Actually Worse Than APTs


What’s more likely: nation-state actors compromised your network and applications through a brand-new zero-day, or you left the door open by accident by misconfiguring one of your controls, applications, or infrastructure devices?

With everything going on in the geopolitical landscape right now, it is easy to point to nation-state actors as the top threat. The truth is that accidents happen far more frequently and affect a much broader attack surface than APTs do. Is it important to defend against these types of actors? Sure. Is it more important to get the basics right? 100%.

In May 2025, we saw the TeleMessage breach, which led to the compromise of the TM SGNL archives, including those of United States government officials’ communications regarding war plans. How did this happen? An endpoint left open to the internet was serving a heap dump full of juicy data. Scouring this dump would later lead the attacker to the archive server that held full, unencrypted conversations. Accidents happen, right?

Two-factor authentication has been an important control for preventing the leak of a single secret from having a catastrophic impact on a company. But what happens if you forget to turn it on? Well, that’s how we get things like the Change Healthcare breach, wherein this critical control wasn’t enabled on their Citrix portal. Or maybe it’s a misconfiguration for a specific user, as in Zapier’s case back in March. Either way, these seemingly simple oversights can leave the door wide open for attackers to waltz right in.

Back in January, Paul McCarty from SourceCodeRed put out a notice that they’d detected some malicious npm packages. The strange part? They were published by Snyk’s security research team. Paul goes on to say that usually, when corporate red teams perform a dependency confusion attack like this, they specifically target their own organization, but these packages were indiscriminate in their targets. Snyk later responded, but isn’t this a big oopsie?

With all the new product releases rallying around AI, let’s all remember to change the default password to something other than “123456.” McDonald’s learned just a couple of weeks ago that their AI hiring partner, Paradox.ai, had forgotten to do exactly that, when security researchers Ian Carroll and Sam Curry uncovered an administrative account still using the aforementioned abysmal password.

None of these incidents is new in kind. We have plenty of technology at our disposal to find, fix, and prevent these accidents, precisely because of that simple maxim: accidents happen. How can we go one step further and verify that our security controls are actually doing what we think they are? Test them.

To learn more about Cobalt and our elite pentester community, visit our Cobalt Core page.

About Willa Riggins
With over 20 years of hands-on experience in application development, information security, and communications, Willa Riggins, Sr. Staff Product Manager - Tester Team, brings a unique, holistic perspective to the entire software development lifecycle. She's a recognized speaker at industry events like DEF CON and BSides, and a community leader who has shaped various local hacker and security groups.