Issue #35 | July, 2025
Editorial section
Looking for effective cybersecurity
In today’s digital ecosystem, organizations are increasingly leaning on third-party vendors to deliver critical services. With this rise in interconnectivity comes an equally pressing need to manage the cyber risks posed by these external relationships. Enter SOC 2 - a framework that has, for better or worse, become frequently used as a badge of security for countless service providers.
However, as more companies accept SOC 2 reports as a proxy for cybersecurity assurance, it’s worth asking: Do they truly understand what SOC 2 means - and more importantly, what it doesn’t?
That’s why we decided to have a conversation about SOC 2 and to what extent it is meaningful to an organization’s cybersecurity. You’ll find an introduction to the topic in the second section of this newsletter, and we also had a chance to discuss the theme with AJ Yawn, who participated in a bonus episode of our podcast as a guest this month - now live!
Our second section also contains Third-Party Cyber Risk Management guidance and cybersecurity surveys.
In the other sections, you’ll find our usual mix of updates, third-party incidents, and security research. Our government section has two parts this month, since a particular topic - digital sovereignty - warranted a bit more space.
This is another long issue of Alice in Supply Chains, but it’s worth your time. Enjoy!
Updates: Scattered Spider and attacks on UK retailers, Coinbase breach and other news
An anonymous Redditor claiming to work for one of the UK retailers impacted by the cyberattacks we covered last month published a post detailing how Tata Consultancy Services (TCS) was responsible for the initial access to their network.
In brief, the post states that Scattered Spider used social engineering to trick the company’s outsourced helpdesk at TCS to reset passwords and MFA.
In 3 of 4 calls, the service desk reset passwords and re-enrolled MFA with zero resistance. The caller simply gave a name - no validation, no callback, no check. On the 4th call, the attacker requested access to a privileged group. The TCS agent asked for an employee ID. The ID given didn’t even match our company’s format; and yet the access was granted anyway.
That’s four out of four security failures.
When we requested the rest of the call logs (we know over 100 such calls were made), TCS stalled for days. Eventually, a senior manager claimed the recordings were either lost or deleted. Yes - they said both.
More scathing comments from people who say they have had experience with TCS can be found in Kevin Beaumont’s thread on Mastodon. It’s interesting to note that TCS itself was not impacted by these incidents - it was a service and process issue, not a system compromise. This means that their statements to the media about not being compromised are not technically inaccurate.
Although we cannot independently verify any of the claims, especially the ones regarding TCS, Scattered Spider is known for these kinds of attacks. They appear to have tricked helpdesk staff in 2023 to get into MGM’s systems, for instance. Microsoft also reported on the use of violent threats against support staff around the same time.
At any rate, Scattered Spider is back in the news, as they’re believed to be responsible for two new campaigns: one against the insurance industry, and another targeting aviation and transportation companies.
This was not the only hacking incident that received updates, though. Nextgov/FCW reported that more providers were hit by the Chinese hackers behind the telecom cyberattacks last year, naming Comcast and Digital Realty as victims, while Bloomberg named Viasat (a non-paywalled article is available from Bleeping Computer). In May, CyberScoop also published some commentary from inside sources that we didn’t cover at the time.
We also have a follow-up to the Coinbase incident thanks to Reuters reporters who managed to discover new details from six unnamed sources familiar with the incident. The report names TaskUs as the outsourcing firm related to this incident and claims that Coinbase knew about the leak since January. As we reported last month, the criminals attempted to extort Coinbase, but Coinbase instead offered the money as a reward for information that would lead to their arrest.
A 19-year-old pled guilty to charges believed to be related to the PowerSchool hack, but DataBreaches.net notes that the guilty plea left unanswered questions. Whether he was a co-conspirator of those who carried out the most recent cyberattack on the company is one of the unknowns brought up by the article.
OpenAI is being forced to save chat logs it promised to delete due to the lawsuit filed by the New York Times. The company is fighting it (more coverage from Ars Technica). This is an interesting case about what happens when court orders directly conflict with contracts and agreements.
In more OpenAI news, the company introduced a meeting recording functionality – and who knows if they’ll be forced to save those, too. There are already suggestions that we should assume every meeting is being recorded. If followed, such advice could have many consequences for workplace dynamics. Clear policy on AI usage and technical measures for enforcement are becoming more relevant.
Our last update comes from Microsoft, which announced new features stemming from its Windows Resiliency Initiative (WRI), the project that it launched as a result of the CrowdStrike outage last year. The company promised a “private preview” of the new technology platform that would supposedly allow antivirus software to work without kernel drivers, preventing security software from crashing the whole OS like CrowdStrike did. It is unclear what kind of trade-offs will be necessary to make this possible, if any, but it would be a major change to how security software works in Windows.
A rant about SOC 2, third-party risk management guidance and surveys
AJ Yawn wrote a brief post on LinkedIn to say that SOC 2 needs to die. The post received over a hundred comments, so he wrote a more detailed overview titled 15 Things I Hate About SOC 2: A Rant.
1. It was never designed for cybersecurity.
SOC 2 was created to give customers peace of mind that their financial service providers had basic controls in place. It wasn’t built for cloud-native environments or real-time threat landscapes. We’re retrofitting a legacy framework into a modern problem and it shows.
2. It’s run by accountants, not security professionals.
The AICPA owns SOC 2. That means auditors trained in financial compliance are assessing technical security. You wouldn’t ask a CISO to review your taxes. So why are CPAs reviewing cloud infrastructure?
[…]
5. It’s driven by sales, not security.
The number one reason companies pursue SOC 2 is because a customer asked for it. Not because it makes them safer. That alone should tell you everything about its actual value.
That a cybersecurity effort should be judged based on how well it actually creates positive security outcomes shouldn’t be controversial, yet it sometimes feels like it is. Many of the points raised by AJ parallel what we say about questionnaires and other third-party risk management approaches that quickly become detached from a company’s security posture.
AJ Yawn joined Adrian Sanabria and Tenchi Security’s CTO and Co-founder, Alexandre Sieira, for a special interview on the Alice in Supply Chains podcast. Follow us on your preferred platform so you won’t miss this bonus episode!
As a side note to this discussion, Gartner says that a “perfect storm” of third-party risks is “driving growth and maturity in third-party risk management technology.” We agree about the “perfect storm” as described by Gartner, but it’s just as significant to ask whether it’s more worthwhile to automate old practices or to look for new solutions. Automating your current processes might seem like a logical step with low friction, but it might not be enough when the stakes have changed due to a “perfect storm.” Making something more efficient won’t always make it more useful!
Next up, we have some commentary on legal matters. PYMNTS brings us 3 Takeaways as Enforcement Actions and Data Breaches Roil BaaS Models (“BaaS” here being “banking-as-a-service”). Josh Bressers comments on the Cyber Resilience Act (CRA) from the EU and how it will force software makers to maintain software updates and documentation for a decade. Lastly, Freshfields updates us on the latest developments on the Digital Operational Resilience Act and its impact on critical ICT providers.
The next group of links here contains data from surveys and research:
To end this section, we have some sad news. There’s mounting evidence that cyberattacks are linked to a patient’s death in London, and have harmed 170 patients. Both reports are linked to delays in third-party blood services. As we’ll see in the next section, the real-world consequences of cyberattacks are becoming increasingly easier to see.
Hacks hit food distributor, Brazilian banks, SoftBank and more: third-party incidents round-up
After a cyberattack hit a grocery distributor in the United States, United Natural Foods (UNFI), the effects were felt down the chain, affecting customer orders:
The company, which is the primary distributor for Amazon-owned Whole Foods, and supplies over 250,000 grocery store products, including frozen goods, disclosed on Monday that it had identified unauthorized access to its IT systems. Douglas said on its call Tuesday that the company has since shut down its entire network.
The company has not described the nature of the cyberattack, but it said the intrusion was causing ongoing disruptions to its operations, including its ability to fulfill and distribute customer orders.
This incident received a lot of coverage, as it led to shortages at Whole Foods and empty shelves in other retailers. The company, a major player in the sector, admitted the incident would impact its quarterly earnings. If you want a summary of the incident, there’s a good one here from LinkedIn.
We have a few incidents against banking institutions to cover. Hackers hit the Brazilian banking system after bribing a 48-year-old man who worked for C&M Software, a vendor that connects financial institutions to the Central Bank’s Pix payment system.
The criminals allegedly paid R$15,000 ($2,750) to gain initial access but made out with up to R$800 million ($145 million) after transferring money out of the banks’ accounts into crypto. Investigations are ongoing, as the incident involves C&M, its customers, and the financial institutions that received the stolen money.
Swiss banks UBS and Pictet also disclosed a data leak due to an attack on Chain IQ, an external provider. Finally, SoftBank disclosed a data leak impacting 137,000 customers – also at an unnamed third party.
Meanwhile, SentinelOne blocked Chinese attackers who tried to hack them through an IT vendor. Their investigation revealed that these attackers have infiltrated critical infrastructure around the world. SentinelOne’s write-up is available here.
While we’re on the topic of critical infrastructure, Japanese ISP Internet Initiative Japan (IIJ) disclosed that hackers accessed the email system that they provide to 4 million customers.
ConnectWise disclosed a vulnerability and a breach of its ScreenConnect system that impacted some of its customers. The number of businesses impacted was not disclosed, however. Since the issues involve a remote access solution, the damage to the victims could be significant.
Vanta also had a bug in its platform that exposed customer information to other customers.
Aside from the case involving Scattered Spider mentioned in the first section, two insurance companies disclosed security incidents. Erie Insurance provided a comprehensive timeline of their recovery steps, while Asefa was hit by ransomware. Asefa’s clients, including FC Barcelona, might be exposed in this incident.
Three providers to the healthcare sector suffered data leaks: Episource (official statement), Gargle (news coverage), and Unimed in Brazil (news coverage). In Episource’s case, medical data (such as test results) were also leaked alongside personal details, but patients may not be aware they had this data in the first place.
We’re ending this section with two incidents involving software supply chain security. Socket found a campaign using 35 npm packages that appears to be linked to the interview scam that targets software developers, while Aikido discovered what seems like a different campaign targeting npm as well as PyPI.
The Digital and Cloud Sovereignty debate heats up with more bans and supply chain control
Over the last few years, there has been growing pressure from the United States against Chinese and Russian companies like Huawei, ZTE, and Kaspersky. A few other countries followed suit, banning or limiting the use of Chinese equipment, especially for surveillance (cameras) and telecommunications.
It appears that the European Union believes that relying on American technology has its risks, too. The ideas behind “digital sovereignty” were the driving force behind regulations like the Digital Markets Act and the Digital Services Act, which attempt to rein in the practices of large American technology companies – namely, Google, Apple, and Microsoft.
As this debate heats up, the consequences to technology supply chains and outsourcing could be significant. Cloud providers are promising a “sovereign cloud” for Europe, and Microsoft made an on-premises version of its 365 suite. These promises clashed with reality when Microsoft cut off the email service of an International Criminal Court (ICC) prosecutor who was sanctioned by the United States (ICC statement available here).
To be clear, Microsoft did not cut off the service to the ICC as a whole, and the company said its lawyers “have now reached the view that it merely provides a technical platform and that its customers decide whether to give their employees access to its services.” Whether that will hold up in court, if the government decides to sue the company, remains to be seen.
In any case, the damage is unlikely to be undone that easily. The European Commission is believed to be considering a move to OVHcloud in order to ditch Microsoft Azure:
The European Commission is in advanced business negotiations with OVHcloud, the France-based major European cloud service provider, to transition its cloud services away from Microsoft, according to three senior sources with internal knowledge of the matter who spoke to Euractiv on condition of anonymity.
The infrastructure shift is being driven by a push for European digital sovereignty in the cloud market, following concerns raised by a US executive order that led to the shutdown of Microsoft services for an employee of a European-based institution.
This is not happening in a vacuum. An initiative called ECOFED aims to create a federated European cloud; the Netherlands is partnering with Thales to build a local cloud; Denmark’s Ministry for Digitalization and the city of Lyon both want to move away from Microsoft, and the French government is backing Eutelsat, a Starlink competitor.
In a way, these steps mirror the United States’ attitude towards Chinese tech suppliers, which makes for an awkward situation. U.S. Senators recently introduced the No Adversarial AI Act to ban Chinese AI in the government, which isn’t much different from Germany telling Google and Apple to block DeepSeek.
This also opens American companies to more questionable requests. Russia, for instance, is seeking to force Apple to allow its RuStore app store on iPhones.
These challenges are not exclusive to governments or national security. For instance, Google, OpenAI, and Microsoft have ended a partnership with Scale AI after the company received an investment from Meta. Scale AI is trying to claim it will remain neutral, but not everyone is trusting that promise for now.
There is no easy solution, and we can’t predict the future. Businesses should be prepared to change suppliers by betting on robust and streamlined Third-Party Cyber Risk Management processes that enable them to adapt quickly and securely to different service providers and business partners, especially when conditions change - either because of the market, or due to regulatory requirements. Our latest blog post explains why this is the case.
Governments publish advice, NIST releases draft on Cybersecurity Supply Chain Risk Management
The Canadian Centre for Cyber Security published an advisory on Salt Typhoon, which hacked an unnamed Canadian telecommunications provider in February. The PDF is available here.
The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.
Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025. The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network.
In separate investigations, the Cyber Centre has found overlaps with malicious indicators associated with Salt Typhoon, reported by our partners and through industry reporting, which suggests that this targeting is broader than just the telecommunications sector.
According to the advisory, the threat actor is likely exploiting vulnerabilities in edge devices. Given Salt Typhoon’s history, the group’s actual targets are probably customers of the telecom provider, which explains the bold letters in the advisory.
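As an added example of the kind of defensive check this advisory invites (not code from the Cyber Centre or from this newsletter): a small Python script that compares a router’s current running-config against a known-good baseline and flags newly added or changed tunnel interfaces, GRE tunnels to destinations outside an allowlist, and newly added privilege-15 local users. The configs, interface names, addresses and account names are all constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample configs (not from the advisory). BASELINE is the last
# known-good running-config; CURRENT adds a GRE tunnel of the kind the Cyber
# Centre describes, plus a new privilege-15 user, to show what gets flagged.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 description approved site-to-site link
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
!
"""

CURRENT = BASELINE + """\
username svc_backup privilege 15 secret 9 $9$placeholder2
!
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""


def parse_tunnels(config: str) -> dict[str, dict[str, str]]:
    """Return {interface name: {setting: value}} for every Tunnel interface."""
    tunnels: dict[str, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the block
            continue
        if current is not None:
            key, _, value = line.strip().partition(" ")
            if key == "tunnel":     # "tunnel mode gre ip" -> mode: "gre ip"
                key, _, value = value.partition(" ")
            current[key] = value
    return tunnels


def privileged_users(config: str) -> set[str]:
    """Local accounts configured with privilege 15 (full enable access)."""
    return set(re.findall(r"^username (\S+) privilege 15\b", config, re.M))


def audit(baseline: str, current: str, approved_destinations: set[str]) -> list[str]:
    """Compare current config against baseline and return human-readable findings."""
    findings: list[str] = []
    base_t, cur_t = parse_tunnels(baseline), parse_tunnels(current)
    for name, settings in cur_t.items():
        if name not in base_t:
            findings.append(f"{name}: tunnel interface not in baseline")
        elif settings != base_t[name]:
            findings.append(f"{name}: tunnel settings changed since baseline")
        dest = settings.get("destination", "")
        if settings.get("mode", "").startswith("gre") and dest not in approved_destinations:
            findings.append(f"{name}: GRE tunnel to unapproved destination {dest}")
    for user in sorted(privileged_users(current) - privileged_users(baseline)):
        findings.append(f"user {user}: new privilege-15 account not in baseline")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, {"198.51.100.20"}):
        print("ALERT", finding)
```

Run against the constructed sample, it reports the unexpected Tunnel99 twice (not in baseline, unapproved destination) and the new svc_backup account; the same script applied to periodic config pulls gives a cheap tripwire for the configuration changes the advisory describes.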
Another government advisory came from CISA, which warned businesses that attackers are exploiting SimpleHelp. SimpleHelp is a remote monitoring and management (RMM) solution, and, according to CISA, ransomware operators are using it to breach the customers of a utility billing software provider that bundled SimpleHelp with their application. Since it was installed by a third-party application, customers might not be aware that they have SimpleHelp running. The advisory is here.
New Zealand’s National Cyber Security Centre (NCSC) developed a set of minimum security standards (PDF) that certain government agencies will have to follow starting October 30. Their maturity model has many provisions for third-party risk management and supply chain security, including how SaaS platforms are used. However, the required level is low for now (2 out of 5), so it’s only a starting point.
NIST released a document titled “Developing Security, Privacy, and Cybersecurity Supply Chain Risk Management Plans for Systems” and is accepting comments until July 30. The “System Plans” are only required for U.S. federal agencies (and potentially for vendors interested in working with them), but it’s also a potentially helpful guideline for others. It’s also a sign of the government’s increased focus on supply chain risk.
Of course, the EU is not far behind on supply chain security, given the provisions outlined in the Cyber Resilience Act that we mentioned in our second section and their concerns over digital sovereignty. Some recent comments about the CRA are available here.
The European Securities and Markets Authority (ESMA) published Principles for third-party risk supervision. These are non-binding, but could be implemented by supervisory authorities in each country. Analysis is available from Walkers.
The Securities and Exchange Commission (SEC) is going in a different direction, however – at least to an extent. The Commission is giving up on rules that would have imposed security requirements on financial service providers. A Trump administration Executive Order is also eliminating several measures adopted by President Biden. In a way, this might increase the responsibility of each business to manage supply chain risk independently.
President Trump’s extensive tax and spending bill (sometimes referred to as the “big, beautiful bill”) would have limited states from regulating AI for 10 years, but this provision was struck down in a 99-1 vote in the Senate. As such, states are still free to regulate AI initiatives.
To end this section, we have an AT&T settlement and a Vodafone fine. AT&T will settle a data breach lawsuit for $177 million, while Vodafone was fined €45 million in Germany over data privacy violations.
Research describes the complexities of SMS routing and its impact on 2FA security
Lighthouse Reports and Bloomberg published a piece on how a company that allegedly worked as a contractor to the surveillance industry had access to SMS security codes used to authenticate users to several services.
Companies, including banks and Big Tech, don’t send login codes to their customers directly. This would be costly and inefficient. Instead they rely on a sprawling and opaque network of contractors and subcontractors, each of which promises to shave off a part of the sending cost in return for market share. […]
Fink Telecom and other such companies can offer cheap routing in part because of their access to multiple different countries’ “global titles” - the network access points used by telecom operators to communicate with each other. As the phone industry has globalised, a flourishing trade in leasing these global titles has evolved, one outcome of which is that companies can appear to be present in countries other than their actual base. We found Fink Telecom using global titles in Namibia, Chechnya and the UK, as well as its native Switzerland. Earlier this year the UK phone regulator banned the leasing of UK global titles to other companies, citing risks of surveillance and account cracks.
This is unlikely to be news to people familiar with how the system works. What it suggests, however, is that someone could hypothetically buy their way into the SMS chain by offering a lower cost (i.e., subsidized) routing. Unless companies take control of this chain, the messages could be compromised before they even get to their intended recipients.
On to more research. AIM Security identified “EchoLeak,” a very interesting vulnerability that enabled data exfiltration through Microsoft 365 Copilot without user interaction. The short of it is that the attacker just had to send an email with a Copilot prompt. However, numerous technical considerations were needed to ensure that the message would bypass protections and to make Copilot interact with the prompt and external resources.
Meanwhile, penetration testing outfit ModZero found and reported a vulnerability on Synology’s “Active Backup for Microsoft 365.” Another authentication problem with a credential leak was found by SpecterOps in OneLogin.
For our last link, we have a LinkedIn post from Robert Woodford describing a Booking.com scam. The scam details are already interesting, but we should also think about how scams like this affect a brand’s reputation, especially when criminals can steal booking data from the platform’s partners only to then scam their victims using the platform’s brand. In other words, a customer’s experience on such platforms might not be secure if the companies listed are not secure. Because hotels can use third parties to manage these listings, it’s difficult to tell exactly where the leak is.
We have two more bonus links for you below, but this is all for now. As mentioned before, this month we'll have not one, but two editions of our Alice in Supply Chains podcast! One, with special guest AJ Yawn - out now - and a second one where we'll have our usual format, with Alexandre Sieira and Adrian Sanabria covering the top stories from this issue - out soon! Thanks for reading!
A moderator on Cursor’s forum added that this is rare, but ‘users do report it occasionally.’
Yesterday I was migrating some of my back-end configuration from Express.js to Next.js and Cursor bugged hard after the migration - it tried to delete some old files, didn’t work the first time and it decided to end up deleting everything on my computer, including itself.
Many articles were written about a “leak” of 16 billion credentials. It’s not directly related to the subject of this newsletter, but we thought Bleeping Computer’s take on this topic was important, especially given all that was said about stolen credentials in Verizon’s Data Breach Investigations report, which we covered.
These stolen credentials were likely circulating for some time, if not for years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
Don't miss the podcast with AJ Yawn! It's a fun time, and I'm REALLY interested in hearing everyone's feedback on whether or not the SOC 2 should be ditched/replaced/revamped, or if it's fine as-is.