Three Threat Actors, One Blindspot: The Infrastructure You Never Question
Ransomware operators, Iran's Handala, and Russian intelligence. Three unrelated threat actors. Same blindspot: too much implicit trust.
INTRODUCTION
When a cloud MDM becomes a wiper, a software dependency becomes the front door, and an encrypted messenger becomes a wiretap, the question is: are you defending against the right things?
This week three independent data points converged to challenge the same assumption: that the defenses most organizations are optimizing for are still the right ones. Google Cloud’s H1 2026 telemetry shows credentials are no longer the primary entry point. Third-party software vulnerabilities now lead at 44.5 percent, with exploitation windows collapsing to days. Meanwhile, a state-linked group exploited Microsoft Intune, a trusted cloud MDM platform, to remotely wipe over 200,000 devices across 79 countries because no control required multi-party approval for destructive operations. And Dutch intelligence confirmed that Russia is targeting Signal and WhatsApp accounts not by breaking encryption, but by abusing the account-linking features organizations assume are safe. The common thread: defenders are extending implicit trust to vendors, platforms, and defaults that attackers are now exploiting first.
WEEKLY SIGNALS ANALYSIS
Treat third-party libraries and vendor software as the primary attack surface, not a peripheral concern. Inventory runtime dependencies, require SBOMs from vendors, and prioritize patch orchestration for third-party components along with credential hygiene.
Ship logs to an immutable, external retention store. Implement write-once backups with retention policies independent of cloud tenants and deploy automated detection for log deletion, unusual snapshot changes, and artifact registry tampering.
Threat model your management platforms with the same rigor you apply to your crown jewels. Destructive administrative operations (remote wipe, mass policy push, tenant-wide configuration changes) should require multi-party approval. No single session, credential, or role should be able to execute irreversible operations at scale without independent authorization.
Audit linked devices on all Signal and WhatsApp accounts for executives, legal counsel, and anyone handling sensitive out-of-band communications. Remove unrecognized devices immediately. Enforce in-person verification for any new device linking.
What not to over-index on: credential rotation in isolation. Rebalance with third-party dependency controls, administrative platform governance, and account security across communication tools.
THIS WEEK’S SIGNALS
Signal 1: Third-Party Software Vulnerabilities Now the Leading Initial Access Vector
Why it matters: This redefines what “critical patch” actually means. Google Cloud data shows third-party vulnerabilities account for 44.5 percent of observed initial access, surpassing weak credentials. For most organizations, breaches will start through dependencies and vendor-delivered code, not password spraying or simple phishing.
What is being misread: Patch management programs were designed around software the organization builds or buys directly. When the leading initial access vector is a dependency three layers deep in a vendor’s stack, traditional vulnerability management doesn’t even see the attack surface, let alone cover it.
Think Red (Douglas McKee): Attackers follow the path of least resistance and target the smallest trusted component that touches the most customers. Just like any business, they want the largest ROI for their time. Exploit one widely used library and you get broad, fast access. Why burn a zero-day when a six-month-old CVE in a popular dependency gives you the same result with far less effort?
Act Blue (Ismael Valenzuela): Know what’s in your products’ DNA. Inventory runtime dependencies and require SBOMs from vendors. Prioritize patch orchestration for third-party components with automated rollouts and enforce runtime protections like WAFs and RASP for externally facing services. The architectural play here is treating every external dependency as crossing a trust boundary that requires explicit validation.
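As an added example (not the newsletter's own code and not Google Cloud's), the following Python walks a constructed CycloneDX-style SBOM from a vendor product down its dependency graph and reports a vulnerable component together with how deep it sits, the third-layer case the "What is being misread" paragraph describes. The SBOM, component names, advisory id and fixed version are all constructed placeholders.

```python
import json
from collections import deque
# Constructed CycloneDX-style SBOM for a fictional vendor product (not a real vendor's
# SBOM): the vulnerable logging library sits three dependency layers below the product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:vendor/app@2.3.0", "name": "app", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/webfw@5.1.0", "name": "webfw", "version": "5.1.0"},
    {"bom-ref": "pkg:maven/org.example/httpkit@3.0.2", "name": "httpkit", "version": "3.0.2"},
    {"bom-ref": "pkg:maven/org.example/logcore@2.14.1", "name": "logcore", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:vendor/app@2.3.0", "dependsOn": ["pkg:maven/org.example/webfw@5.1.0"]},
    {"ref": "pkg:maven/org.example/webfw@5.1.0", "dependsOn": ["pkg:maven/org.example/httpkit@3.0.2"]},
    {"ref": "pkg:maven/org.example/httpkit@3.0.2", "dependsOn": ["pkg:maven/org.example/logcore@2.14.1"]}
  ]
}"""

# Constructed advisory feed: component name -> (placeholder advisory id, first fixed version).
ADVISORIES = {"logcore": ("ADVISORY-PLACEHOLDER-1", "2.15.0")}

def parse_version(v):
    """Numeric dotted versions only; real feeds need full semver/ecosystem-aware comparison."""
    return tuple(int(p) for p in v.split("."))

def dependency_depths(sbom):
    """Breadth-first walk from the product itself; returns {bom-ref: depth}, product = depth 0."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depths:          # first visit gives the shortest-path depth
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def vulnerable_components(sbom_text, advisories):
    """[(name, version, depth, advisory id)] for outdated components; depth -1 = unreachable from the product."""
    sbom = json.loads(sbom_text)
    depths = dependency_depths(sbom)
    findings = []
    for c in sbom["components"]:
        adv = advisories.get(c["name"])
        if adv and parse_version(c["version"]) < parse_version(adv[1]):
            findings.append((c["name"], c["version"], depths.get(c["bom-ref"], -1), adv[0]))
    return findings
```

A finding at depth 3 is exactly what a scanner that only looks at the vendor's top-level package list never reports.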
Supporting sources:
Google Cloud CISO Perspectives: New threat horizons shows 44.5 percent initial access via third-party vulnerabilities
Cloud Threat Horizons Report H1 2026: Full report and technical breakdown
Security Boulevard: Summary and operational highlights from the H1 2026 report
Signal 2: Ransomware and Cloud Abuse Now Include Anti-Forensics and Living-Off-The-Cloud Techniques
Why it matters: Ransomware operations are evolving from smash-and-encrypt into sustained cloud-resident campaigns. Groups are actively deleting or corrupting logs to blind responders, while using legitimate cloud-native services (storage buckets, container registries, managed compute) as operational infrastructure that blends into normal tenant activity. The result is a double problem: defenders lose the forensic trail and can’t distinguish attacker activity from routine workloads. Incident response playbooks built on “pull the logs, find the entry point” break down when the logs are gone and the attacker looks like another microservice.
What is being misread: Security teams assume cloud logs are a reliable forensic source. Adversaries are deleting, corrupting, or preventing log collection to cover their tracks. Without immutable logging and external retention, the forensic record exists only at the adversary’s discretion.
Think Red (Douglas McKee): If I can make you question your own telemetry, I’ve already won half the fight. Delete the logs, pivot into managed cloud services, and blend cryptomining or extortion tooling into normal service activity to stay under the radar. Those anti-forensic moves buy time to exfiltrate data and wipe recovery points.
Act Blue (Ismael Valenzuela): Ship logs to an immutable, external retention store. Implement write-once backups with retention policies independent of cloud tenants. Deploy automated detection for log deletion, unusual snapshot changes, and artifact registry tampering. The forensic chain of custody starts at ingestion, not at incident response.
Supporting sources:
Cloud Threat Horizons Report H1 2026: Examples of log tampering and living-off-the-cloud tactics used by UNC4899 and ransomware groups
Google Cloud CISO Perspectives: Operational impact and mitigation notes on anti-forensics in cloud attacks
Security Boulevard: Operational summary and emphasis on tamper-resistant logging
Signal 3: State-Backed Actors Weaponize Trusted Management Platforms to Deliver Destructive Attacks
Why it matters: This attack illustrates how geopolitical conflict now extends directly to any organization perceived to have ties to countries involved. Stryker was targeted by Handala (a hacktivist persona linked to Iran’s Ministry of Intelligence and Security, MOIS) following a Feb. 28 missile strike that killed Iranian schoolchildren. Handala called Stryker a “Zionist-rooted corporation,” reportedly referencing its 2019 acquisition of Israeli company OrthoSpace. But the operational mechanism matters as much as the motive: the attackers reportedly abused Microsoft Intune, a widely trusted cloud-based MDM platform, to issue remote wipe commands across more than 200,000 systems, servers, and mobile devices. A tool that every enterprise trusts precisely because it has deep administrative control became the weapon. This ties directly back to Signal 1: organizations extend implicit trust to major vendor platforms without adequate governance, threat modeling, or segmentation around what those platforms can do. In this case, the lack of controls around a well-known MDM’s wipe capability turned a single compromise into a global operational shutdown across 79 countries.
What is being misread: Calling Handala a hacktivist group invites the wrong risk calculation. This is a state-backed actor with destructive capability that selects targets based on perceived geopolitical alignment, not data value. Any organization with acquisition history, partnerships, or supply chain ties to countries involved in active conflict should assume it could be in scope.
Think Red (Douglas McKee): Why build custom malware when the target hands you a remote wipe button? Intune already has deep administrative control over every enrolled device. Compromise one privileged session and you inherit the full blast radius of the platform itself. Attackers are not breaking in and deploying wipers anymore. They are logging in and pressing buttons that the organization already trusted. The more centralized the management tool, the bigger the payoff for a single credential.
Act Blue (Ismael Valenzuela): Threat model your management platforms with the same rigor you apply to your crown jewels. Destructive administrative operations (remote wipe, mass policy push, tenant-wide configuration changes) should require multi-party approval. No single session, credential, or role should be able to execute irreversible operations at scale without independent authorization. Audit every elevated action in real time and enforce break-glass procedures for bulk operations.
Supporting sources:
LevelBlue SpiderLabs: Epic Fury update on the Stryker attack, describing Handala’s destructive wiper operation against a US Fortune 500 medtech firm and its shift from espionage to disruptive attacks
TechCrunch: Handala claims responsibility for attack on Stryker
KrebsOnSecurity: Deep dive on Handala’s Stryker wiper attack, Intune abuse, and healthcare impact
CheckPoint: What Defenders Need to Know about Iran’s Cyber Capabilities
Palo Alto Networks Unit 42: Iranian cyberattacks 2026, linking Handala to Void Manticore and MOIS
Microsoft: Use Access policies to require Multi Admin Approval
Signal 4: Russia Is Abusing Legitimate Messaging App Features to Mirror Accounts in Real Time
Why it matters: Dutch intelligence (AIVD) disclosed a Russian campaign that targets Signal and WhatsApp accounts using the apps’ own device-linking features. This is not a software vulnerability. Attackers use social engineering to get targets to scan a QR code, which links the attacker’s device as a trusted mirror. Every message sent or received then arrives silently on the attacker’s device in clear text, in real time, without any notification to the victim.
What is being misread: Security teams treat end-to-end encryption as the whole story. The encryption is fine. The account may not be. Device linking was designed for convenience, and it has become a persistent, low-noise access technique that survives password changes, device replacements, and app updates.
Think Red (Douglas McKee): The QR code linking attack requires zero malware, minimal technical skill, and leaves no forensic trace on the victim’s device. A convincing security-verification message with a linked QR code is all it takes. Once linked, I receive a real-time mirror of every conversation. I do not need to break the encryption; it stays intact and trusted. I just need to be a trusted device. Targets in government, journalism, and critical infrastructure are already using Signal specifically because they believe it is safe, which makes them more likely to comply with a “verify your account” prompt than with a generic phishing message.
Act Blue (Ismael Valenzuela): Audit linked devices on all Signal and WhatsApp accounts for executives, board members, legal counsel, and anyone handling sensitive out-of-band communications. Remove any device that cannot be immediately identified. Enforce a policy that no new device linking occurs without in-person verification or a second-factor confirmation through a separate channel. For the highest-risk personnel, disable linked devices entirely. Add this to your social engineering training as a specific scenario. The attack is simple and the defense is a two-minute account audit.
Supporting sources:
AIVD (Dutch Intelligence): Russia targets Signal and WhatsApp accounts in active cyber campaign
The Register: Dutch intelligence warning on Russian targeting of Western messaging infrastructure
MEME OF THE WEEK
The biggest backdoors aren’t the ones attackers build.
They’re the ones organizations approve.
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Third-party vulnerabilities now represent 44.5 percent of initial access attempts. Reallocate near-term vulnerability management budget and headcount toward vendor dependency discovery, patch orchestration, and SBOM verification. The attack surface has shifted from credentials to code you didn’t write.
Mandate product security testing and threat modeling for any system that manages, touches, or has access to high-value assets. The Stryker incident showed that an unquestioned MDM platform became the weapon. If your team has not modeled what the worst-case abuse of a management tool looks like, the attacker will model it for you.
Require multi-party approval for all destructive administrative operations. No single session, credential, or role should be able to execute irreversible actions at scale. Review your governance posture around management platforms within 30 days.
Mandate linked device audits on Signal, WhatsApp, and any messaging platform used for sensitive out-of-band communications across executive, legal, and board-level personnel. Add device-linking social engineering to your next awareness training cycle.
Enterprise Architect
Design Principle Impact: Trust boundaries must extend to the platforms that manage your environment, not just the workloads they manage. Cloud MDM, endpoint management, and identity platforms with deep administrative control should be architected with the same segmentation, approval gates, and blast-radius constraints as your most critical production systems.
New Constraint/Dependency: Destructive administrative operations require multi-party approval workflows. Immutable logging must be retained in stores independent of the cloud tenant being monitored, so that an attacker who compromises the tenant cannot erase the forensic trail. Every external dependency crosses a trust boundary that requires explicit validation at ingestion and runtime.
Security Operations
Implementation Watch Item: Deploy detection for log deletion events, sudden drops in log ingestion rates, and unusual snapshot or backup policy changes. Monitor MDM and management platforms for bulk administrative actions (mass wipe, mass policy push, tenant-wide configuration changes) and alert on any such action executed outside established change windows or without multi-party approval.
Common Failure Mode: Teams assume cloud-native logs will be available at incident response time. Without immutable external retention, adversaries can delete or corrupt the forensic record before responders arrive. Similarly, teams assume MDM platforms are defensive tools, not attack surfaces, and fail to monitor administrative actions within them.
Monitoring Patterns: Watch for remote wipe commands at unusual scale or frequency, new device enrollments in MDM platforms from unexpected geolocations, new linked devices appearing on executive Signal or WhatsApp accounts, third-party dependency updates outside normal patch cycles, and log stream deletions or retention policy modifications.
Signal vs Noise Guidance: High-confidence indicators include bulk wipe or policy push commands outside change windows, log deletion API calls from service accounts, and new linked devices on messaging platforms for personnel who did not initiate linking. Lower-priority but worth tracking: single failed MDM admin logins that do not coincide with bulk actions, and routine dependency updates from known vendors within expected maintenance windows.
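An added example (not the newsletter's code and not any vendor's product logic) of the two high-confidence patterns above as detection logic in Python: bursts of remote wipe commands by one actor outside a change window, and log-deletion API calls, scored highest when the caller is a service account. The audit events, change-window policy, actor names and action names are all constructed; real Intune or cloud audit records would be normalised into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, not real Intune or cloud-logging records. Each event is
# (UTC ISO timestamp, actor, action, target), already normalised from the source platform.
def wipes(actor, start, n, gap_s=30):
    """n remote-wipe events by one actor, one every gap_s seconds, starting at start."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * gap_s)).isoformat(), actor, "device.wipe", f"dev-{i:04d}")
            for i in range(n)]

EVENTS = (
    wipes("admin-a@corp.example", "2026-03-02T02:14:05+00:00", 6)     # Monday 02:14, no change window
    + wipes("admin-b@corp.example", "2026-03-02T14:00:00+00:00", 1)   # a single routine wipe
    + wipes("admin-c@corp.example", "2026-03-07T03:00:00+00:00", 8)   # Saturday, inside change window
    + [("2026-03-02T02:20:00+00:00", "ci-runner@proj.iam.gserviceaccount.com", "logging.sinks.delete", "siem-export"),
       ("2026-03-02T02:21:00+00:00", "admin-a@corp.example", "logging.sinks.delete", "siem-export")]
)

CHANGE_WINDOWS = [(5, 2, 6)]   # constructed policy: (weekday, Mon=0; start hour; end hour) UTC, Sat 02:00-06:00
BURST_N, BURST_S = 5, 600      # >= 5 wipes by one actor within 10 minutes counts as a bulk wipe
LOG_DESTRUCTIVE = {"logging.sinks.delete", "logging.buckets.delete", "logging.retention.update"}

def in_change_window(t):
    return any(t.weekday() == day and start <= t.hour < end for day, start, end in CHANGE_WINDOWS)

def detect(events):
    """Return (severity, rule, actor, detail) tuples. Single failed admin logins and routine
    dependency updates are deliberately not alerted here: they are the lower-priority tier."""
    alerts, wipe_times = [], defaultdict(list)
    for ts, actor, action, target in events:
        t = datetime.fromisoformat(ts)
        if action == "device.wipe":
            wipe_times[actor].append(t)
        elif action in LOG_DESTRUCTIVE:
            # Every log-destruction call is reported; a service-account caller is the high-confidence case.
            sev = "HIGH" if actor.endswith(".gserviceaccount.com") else "MEDIUM"
            alerts.append((sev, "log-tamper", actor, f"{action} on {target}"))
    for actor, times in wipe_times.items():
        times.sort()
        i = 0
        while i < len(times):
            n = sum(1 for t in times[i:] if (t - times[i]).total_seconds() <= BURST_S)
            if n >= BURST_N and not in_change_window(times[i]):
                alerts.append(("HIGH", "bulk-wipe", actor, f"{n} wipes within {BURST_S}s from {times[i].isoformat()}"))
            i += n if n >= BURST_N else 1    # step past a whole burst, otherwise slide one event
    return alerts
```

On the constructed events the Saturday burst inside the change window produces nothing, the Monday burst and both sink deletions do.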
Take the adversary by surprise: Place canary administrative accounts in your MDM platform with alerting on any login or action. Instrument immutable log stores with honeytokens that trigger on unauthorized access or export. Register tripwire linked devices on Signal and WhatsApp accounts for high-risk personnel to detect device-linking campaigns. Seed dependency manifests with decoy packages containing callback mechanisms to detect supply chain reconnaissance.
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.