SFH 01 - When Hackers (and Defenders) Get Sloppy
Sorry for hacking vol. 1 - We go over some catastrophic failures, including the Signal fiasco (there was no Signal "vulnerability").
Breakdown
This week's posts have some fantastically catastrophic failures, AI helping out the baddies, and the whole Signal fiasco that's been all over the news. From ransomware operators exposing their entire playbook to cloud giants leaking millions of customer records, the theme is clear: in cybersecurity, someone's epic mistake becomes someone else's strategic advantage. Let's dive into why these incidents matter beyond the headlines.
BlackLock Ransomware's Epic OPSEC Failure
Everyone loves a feel-good story, and what's more feel-good than a ransomware operator getting wrekt? Security researchers at Resecurity recently delivered a masterclass in turning the tables by exploiting a vulnerability in BlackLock ransomware's data leak site - not just finding a way in, but essentially obtaining the architectural blueprints of their entire operation.
The breach revealed BlackLock's remarkably standard business practices: using disposable email addresses (the digital equivalent of burner phones), leveraging MEGA cloud storage for data exfiltration (why build infrastructure when you can rent it?), and following operational patterns that are more MBA than APT (advanced persistent threat). It's almost disappointing how conventional their workflow turned out to be.
What's particularly fascinating isn't the technical exploit itself but the economic evolution it represents. The ransomware economy has matured to mirror legitimate business patterns - complete with mergers and acquisitions. Evidence suggests BlackLock may have been "acquired" by competitor DragonForce, displaying the same consolidation patterns we see in legitimate industries.
This incident highlights a critical reality: even sophisticated threat actors make fundamental mistakes. BlackLock's operators spent countless hours developing evasive malware but neglected basic web application security for their own infrastructure - a reminder that offensive security requires defensive excellence as its foundation.
For security professionals, the lesson is clear: large threat actors are running businesses with the same constraints, shortcuts, and organizational challenges as legitimate enterprises. Understanding these operational patterns offers defenders predictive insight into attacker behavior beyond mere technical indicators.
Links
The Hacker News - "BlackLock Ransomware Exposed After Misconfiguration Reveals Their Entire Operation"
Resecurity Blog - Research Report on BlackLock Infra
What’s the deal with Signal?
Last week's "Signal vulnerability" headlines perfectly demonstrated why technical accuracy matters in security reporting. Let's set the record straight: there was no Signal vulnerability. None. What actually happened was depressingly mundane: someone accidentally added a reporter to a Signal chat containing sensitive information. This isn't a technical failure - it's a wetware problem.
The incident highlights a critical distinction: secure communication tools only protect against technical compromises, not human error. Signal's end-to-end encryption worked exactly as designed. What failed was the human operational security around its usage.
This situation is particularly concerning given the context. The group name suggested this wasn't an isolated case of improper communication channels but potentially part of a broader pattern of using Signal for sensitive governmental communications. Let's be clear: while Signal provides excellent encryption, it is not an approved medium for top secret data exchange. There's a reason Sensitive Compartmented Information Facilities (SCIFs) exist - they provide comprehensive protection against threats that no mobile messaging app, no matter how well-designed, can address.
If Signal isn't compromised and it's perfectly secure, then what's the problem with using it for secure communications? The problem is that Signal doesn't run on isolated, hardened hardware; it runs on anyone's phone or desktop. A phone or desktop that is not kept under 24/7 lock and key, kept off the internet entirely, and constantly under scrutiny is liable to be compromised by a determined enough threat actor. iPhone, Android, Windows, macOS, Linux - it doesn't matter: if a nation state wants to get onto your consumer-grade device, they can. The problem was never with Signal, but with the users' devices themselves, which are not held to the same standard of security as hardware engineered FOR secure communications.
Oracle Cloud's Catastrophic Supply Chain Breach
The term "supply chain attack" gets tossed around so casually these days that we've become numb to its implications. Oracle Cloud's recent catastrophe deserves to cut through that numbness. CloudSEK has uncovered what might legitimately be 2025's most significant supply chain compromise, with 6 million records exfiltrated from Oracle Cloud SSO and LDAP systems - potentially impacting over 140,000 tenant organizations.
Translating this for the non-technical: imagine someone stealing the master keys to 140,000 office buildings simultaneously. Except these aren't just physical offices - they're the digital infrastructure powering everything from healthcare records to financial transactions.
The attacker isn't being subtle either, simultaneously selling stolen assets (JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys… basically keys to stuff that only the owners should have) while demanding ransom from affected companies. It's the digital equivalent of selling copies of your house key on the dark web while also demanding payment to not burn your house down.
This breach perfectly illustrates the cascading catastrophe that cloud-based supply chain compromises create. When you outsource your infrastructure, you're making a calculated risk assessment: "This provider's security is better than what we could build ourselves." Oracle's failure forces 140,000 organizations to recalculate that equation simultaneously.
For security leaders, this incident demands re-evaluation of third-party risk assessments. The question isn't just "How secure is our vendor?" but "What's our contingency when - not if - our critical vendor suffers catastrophic compromise?" Companies without concrete answers to this question are essentially hoping that luck is a viable security strategy.
Remember: when you migrate to cloud infrastructure, you're not transferring risk - you're transforming it from a set of risks you understand to a set of risks managed by entities with different priorities than yours.
Deepfakes Drive Massive Surge in Fraud
Remember when we thought passwords were our biggest authentication problem? Those were simpler times. AuthenticID's 2025 Fraud Report paints a disturbing picture of rapidly evolving identity attacks: phishing attempts up 76 percent, fake IDs increased by 42 percent, and - most alarmingly - a 250 percent surge in account takeover scams.
The report makes a prediction that should give security professionals pause: account takeover attacks will exceed ransomware in prevalence this year. This isn't just a statistical shift; it's a fundamental change in the threat landscape. While security teams have been fortifying against ransomware, attackers have been perfecting more profitable and less detectable attack vectors.
What's driving this shift? The deepfake revolution. Synthetic media has matured from novelty to weaponized attack vector. The gap between organizations with modern biometric defenses and those still living in the password era has become a chasm. If your authentication still relies primarily on knowledge factors (passwords, PINs, security questions) or possession factors (SMS, email codes), congratulations - you're running the security equivalent of Windows XP in 2025.
For security leaders, this demands immediate authentication modernization. Multi-factor authentication is no longer cutting-edge - it's the bare minimum. The new standard requires continuous authentication models that consider behavioral patterns, impossible travel detection, and anomaly monitoring beyond the initial login.
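As an added example (not code from the newsletter or from AuthenticID), here is a minimal impossible-travel check of the kind that paragraph calls for: it orders constructed login events per account and flags any consecutive pair whose great-circle distance divided by elapsed time exceeds an assumed 1000 km/h ceiling, treating same-second logins from distant places as infinitely fast. The coordinates, IP addresses, timestamps and threshold are all constructed assumptions.

```python
# Added example (not the newsletter's code): impossible-travel check over constructed logins.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: faster than any commercial flight


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float
    ip: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, prev_ip, next_ip, kmh) for each consecutive login pair of one user
    whose implied speed exceeds max_kmh; same-second logins more than 50 km apart
    are reported with infinite speed."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else (float("inf") if km > 50 else 0.0)
            if kmh > max_kmh:
                alerts.append((user, prev.ip, cur.ip, kmh))
    return alerts


def _t(hour):  # constructed timestamps, all on one UTC day
    return datetime(2025, 3, 24, hour, tzinfo=timezone.utc)


# Constructed sample: alice "moves" New York -> Moscow in one hour; bob London -> Paris in four.
SAMPLE_EVENTS = [
    Login("alice", _t(9), 40.7128, -74.0060, "203.0.113.10"),
    Login("alice", _t(10), 55.7558, 37.6173, "198.51.100.7"),
    Login("bob", _t(8), 51.5074, -0.1278, "192.0.2.44"),
    Login("bob", _t(12), 48.8566, 2.3522, "192.0.2.45"),
]
```

Running `impossible_travel(SAMPLE_EVENTS)` flags only alice (roughly 7,500 km in an hour); bob's London-to-Paris hop works out to under 100 km/h and passes.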
The most sobering reality? Most affected organizations won't discover these compromises until long after they've occurred. While you're reading this, sophisticated actors are likely already operating within the perimeter of organizations that believe their password policies and occasional MFA prompts constitute adequate security.
Links
The Fintech Times - "AuthenticID: Deepfake Dangers Escalate - Troubling Trends in 2025 Fraud Report"
Wrap Up
If there's a common thread through this week's security disasters, it's that technology alone can't save us from ourselves. From ransomware operators exposing their operations to cloud giants leaking customer data and government officials misusing secure messaging, the human element remains cybersecurity's greatest vulnerability - and greatest asset.
These incidents remind us that security isn't a product or a checklist; it's a continuous practice demanding both technical excellence and operational discipline. As attack surfaces expand and threats evolve, our response must balance technological sophistication with human-centered design that accounts for our predictable imperfections.
Until next week, patch your systems - and your processes.
Thanks for reading!
Jake
Mandatory reminder
Hello friend, I’m thrilled to share my insights and findings with you. While I put a lot of effort into researching and presenting accurate information, it's always a good idea to double-check and verify anything you read online. Consider this newsletter a starting point, and don’t hesitate to do your own research to make informed decisions.
If you found this information useful, I’d greatly appreciate you sharing it with a friend or colleague who might find some benefit in it. Ideally we’d be learning this stuff before graduating high school, but some random person on the internet is the next best thing, right?