Zero Trust is more critical than ever
Zero Trust Weekly

This week in Zero Trust

Default-deny has never been more critical

Plus: Supply chain attacks and their impact

Estimated reading time: 5-6 minutes


In this issue:

  • The importance of allowlisting: Default-deny is your first line of defense
  • Safe Mode abuse: How attackers bypass your protections
  • Wiper attacks: When attackers' goal is disruption, not ransom
  • Webinar: Supply chain attacks are exploding: Stop lateral movement from attackers using your tools
  • Threats you need to know: LiteLLM supply chain attack and fake Microsoft Teams chats

From the CEO

We need more cyber defenders


"Cybercriminals and nation-state actors aren’t slowing down, and we need more people ready to stop them. Building that workforce starts with getting students interested early and giving them opportunities like CyberLaunch to develop real skills. My own interest in cybersecurity began in grade school, and we’re proud to support a program that helps foster that same interest in the next generation of cybersecurity professionals." - Danny Jenkins

From the ThreatLocker blog

Where attacks break through and how to shut them down


Strong, default-deny allowlisting is more important than ever

Detection is already behind

  • What's happening: Attackers now routinely exploit legitimate tools, compromise credentials, and use AI to bypass traditional defenses at great speed. Zero-days are increasing in volume and sophistication, putting pressure on detection-based security tools. By the time a threat is identified, it may have already executed.
  • Why it matters: Detection-based security assumes you'll recognize threats in time, but attackers are compressing timelines and increasing frequency. This means anything unknown that is allowed to run is a risk. By removing the ability for unapproved applications to execute, organizations significantly reduce their attack surface and prevent threats before they get a chance to start.
  • The big picture: Allowlisting has long been the gold standard in default-deny protection, but finding the solution that fits your business needs can be a challenge. Some non-negotiable features you should be looking for:
    • Automatically track application updates
    • Easy approval process
    • Real-time audit
    ➡️ Get more non-negotiables when it comes to an allowlisting solution
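The three non-negotiables above, as an added example that is not part of this newsletter or of any ThreatLocker product: a minimal default-deny evaluator in which anything without an explicit allow rule is denied, every decision (allowed or denied) lands in an audit log, and an administrator can approve either one exact hash or a verified publisher, the latter letting signed vendor updates keep running without a fresh approval. The rule format, signer strings and file contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy (hypothetical rule format, not a real product's).
# "hash" pins one exact binary; "publisher" trusts a verified code signer so that
# updates from that vendor keep running. Anything matching no rule is denied.
ALLOW_RULES = [
    {"kind": "hash", "sha256": hashlib.sha256(b"approved-tool-1.0").hexdigest(), "app": "Tool 1.0"},
    {"kind": "publisher", "signer": "CN=Example Vendor, O=Example Corp", "app": "Example Suite"},
]
AUDIT_LOG = []  # every decision is recorded here, denied ones included (real-time audit)


@dataclass
class ExecRequest:
    path: str
    content: bytes                # file bytes, hashed at decision time
    signer: Optional[str] = None  # verified code-signing subject, None if unsigned/invalid


def decide(req: ExecRequest, rules=ALLOW_RULES, log=AUDIT_LOG) -> str:
    """Return 'allow' or 'deny'. The default is deny; only an explicit rule can allow."""
    digest = hashlib.sha256(req.content).hexdigest()
    verdict, reason = "deny", "no matching allow rule (default-deny)"
    for rule in rules:
        if rule["kind"] == "hash" and rule["sha256"] == digest:
            verdict, reason = "allow", "hash pinned for " + rule["app"]
            break
        if rule["kind"] == "publisher" and req.signer is not None and req.signer == rule["signer"]:
            verdict, reason = "allow", "trusted publisher for " + rule["app"]
            break
    log.append({"path": req.path, "sha256": digest, "signer": req.signer,
                "verdict": verdict, "reason": reason})
    return verdict


def approve(req: ExecRequest, app: str, by: str = "hash", rules=ALLOW_RULES) -> dict:
    """Admin approval from an audit entry: by='hash' approves this exact file only;
    by='publisher' approves the signer, which also covers future signed updates."""
    if by == "publisher":
        if req.signer is None:
            raise ValueError("cannot approve by publisher: file is unsigned")
        rule = {"kind": "publisher", "signer": req.signer, "app": app}
    else:
        rule = {"kind": "hash", "sha256": hashlib.sha256(req.content).hexdigest(), "app": app}
    rules.append(rule)
    return rule
```

A denied entry in the audit log is exactly what an approval request would be raised from; approving by hash re-opens the request on the vendor's next update, approving by publisher does not.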

Safe Mode isn't safe

When built-in recovery features become attack vectors

  • What's happening: Attackers can exploit Safe Mode by taking advantage of its reduced security posture. By forcing a system crash or blue screen, they can reboot the machine into an environment where defenses are inactive or significantly weakened. At that point, they can execute malware, disable defenses, or establish persistence without interference.
  • Why it matters: These attacks are rarely spontaneous. Attackers typically stage tools or modify configurations while the system is operational, then bypass controls and manipulate the system once Safe Mode is triggered.
  • The big picture: Searching for security tools that will enforce policy in Safe Mode is futile. Start by assuming Safe Mode exploits will occur and govern your standard operations with strict Zero Trust principles. Deny attackers the opportunity to stage tools, modify behavior, or establish persistence, and Safe Mode will be far less exploitable. Second, data must be protected independently of the system's state.
    ➡️ Learn more about how to reduce the risk of Safe Mode abuse

The goal of a wiper attack is not financial

Wiper attacks are designed for destruction

  • What's happening: Wiper attacks have gained renewed attention following the Stryker attack in March. The primary goal of a wiper attack is to cause irreparable damage to an organization's information systems. Historically, attackers have frequently deployed wiper malware against government entities, but as was the case with Stryker, major businesses are also a target.
  • Why it matters: The intent behind wiper malware is to inflict maximum damage, which makes the recovery process immensely difficult. These attacks often masquerade as ransomware and will exploit trusted software or vendor updates.
  • The big picture: Protecting your data is of the utmost importance. Use default-deny allowlisting policies to prevent unauthorized binaries from executing. Wiper malware often arrives as a payload embedded in email attachments or unauthorized scripts, so blocking execution outright is the most effective first line of defense.
    ➡️ Learn more about protecting your organization against a wiper attack

ThreatLocker Webinar: Supply chain attacks are exploding—Stop lateral movement from attackers using your tools.

Attackers are targeting trusted software and vendors to inflict maximum damage at scale. In this webinar, ThreatLocker experts will break down how supply chain attacks work and how you can put yourself in a stronger position to defend against them.


Hosted by ThreatLocker CEO Danny Jenkins and CPO Rob Allen


Tuesday, May 5 | 11 a.m. EDT | CPE eligible

Save your spot now

A practical playbook as attackers level up with AI

See how to stop AI-driven attacks before they execute.


Get specific examples of how LLMs can help anyone craft a convincing phishing email and write scripts, along with examples of agentic AI in action.

Watch now: Fight back against AI cyberattacks

Threats you need to know

LiteLLM supply chain attack and fake Teams domains


LiteLLM supply chain attack turns dev tools into infostealers

Small upstream change quickly escalates into credential theft and data exfiltration

  • What's happening: The ThreatLocker Threat Intelligence team analyzed how the threat actor group TeamPCP compromised LiteLLM, a widely used AI gateway, and injected credential-stealing malware into official packages. The attack was initially discovered by a FutureSearch researcher. When developers installed or updated the tool, the malware silently harvested data including cloud credentials, SSH keys, and cryptocurrency wallets. Trivy attempted to rotate credentials upon discovering the malicious workflow push, but TeamPCP was able to maintain access.
  • Why it matters: Delays in complete credential rotation gave TeamPCP the opportunity to partner with another ransomware group, which announced it would share the affiliate keys with all members of the BreachForums community. This is likely to facilitate increased ransomware activity against all organizations affected by the compromise.
  • The big picture: Supply chain attacks are increasing in number because they are effective. Security teams often have limited visibility into a vendor's dependencies, and automatic updates can introduce great risk.
    ➡️ How to prevent supply chain propagation attacks

Fake Microsoft Teams attacks deliver malicious payloads

Enhanced social engineering highlights human weakness

  • What's happening: Threat group UNC1069 is known for targeting professionals through deceptive communication and has recently launched a new wave of carefully crafted, targeted interactions using fake Microsoft Teams domains. Researchers from the Security Alliance (SEAL) identified a newly registered malicious domain, onlivemeet[.]com, being used to host fraudulent meeting pages and trick visitors into downloading malware in the form of a Remote Access Trojan (RAT).
  • Why it matters: By exploiting Teams and other widely used services like Calendly, attackers have an easier time tricking their victims. Delivery also relied on highly targeted lures: reviving old conversations from previously compromised accounts and sending job-related invitations to appear more legitimate.
  • The big picture: People are often the weakest link in security, and attackers are all too willing to exploit them. Your employees or customers should never assume a meeting invitation or software prompt is trustworthy. Verify any requests through secondary channels and carefully inspect all URLs before clicking. Prioritize proactive security controls to combat refined social engineering tactics.
    ➡️ Check out how you can neutralize phishing with Zero Trust Cloud Access

Cyber Hero Frontline, a magazine by ThreatLocker

Cyber Hero Frontline has a simple goal: Cut through the noise and focus on practical Zero Trust implementation.


Make use of the insights, strategies, and lessons shared in each issue:

Read Cyber Hero Frontline

ThreatLocker, 1901 Summit Tower Blvd, Orlando, Florida 32810, United States


©2026 ThreatLocker Inc., All Rights Reserved