How Attacks Start

12–1–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, December 1, 2025, and if you’re anything like me, you’re wondering where the year has gone and marveling that it’s already December.

How Attacks Start

While it was a relatively quiet week last week on the security news front, largely driven by the Thanksgiving holiday here in the US, there were two threads that I thought were worth pulling because they highlight the very innocuous way attacks can be launched in our environment.

The first is based on a report from Watchtowr Labs on how people continue to put keys and secrets (passwords, API keys, etc.) into free online utilities.

The researchers iterated through two free “code beautifying” tools - JSONFormatter and CodeBeautify - and found:

  • Active Directory credentials

  • Code repository authentication keys

  • Database credentials

  • LDAP configuration information

  • Cloud environment keys

  • FTP credentials

  • CI/CD pipeline credentials

  • Full, and sensitive API requests and responses

  • Private keys

  • Card payment gateway credentials

And even “An entire export of every single credential from someone's AWS Secrets Manager??”

They note that this exposure extends across industries, and do a pretty good job of throwing appropriate amounts of shade and reminding us all that we’ve got to do a better job of managing this sort of sensitive data. Now, obviously (or maybe not so obviously), Watchtowr makes a product that helps prevent this sort of exposure, but you can do it in other ways, too.

The researchers also planted their own canary tokens to see if attackers were doing the same thing they were to capture and replay credentials - and, surprising nobody - they were.

Exposures like these come back to the fundamentals of not hardcoding credentials, having a plan to manage keys and secrets beyond just usernames and passwords, and thinking about data loss prevention in a browser driven world, where copy and paste can lead to this type of exposure.
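As an added illustration of that "check before you paste" point (my own example, not code from watchTowr, from the formatter sites, or from any product): a small pre-share check that scans a blob of text for a few common credential shapes and returns a redacted copy that is safe to drop into a web tool or a ticket. The pattern list and the sample JSON are constructed assumptions for the example; the AWS key ID in it is Amazon's published documentation example, not a live key.

```python
import re
from typing import Dict, List, Tuple

# Illustrative credential patterns (assumed for this example, not an authoritative
# list). Each pattern either captures the secret value in group 1 or, where the
# whole match is the secret (a PEM block), matches it entirely.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        r"[\s\S]*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Accepts JSON ("password": "x"), .env (PASSWORD=x) and YAML (password: x).
    # "pwd" will also flag paths assigned to a key called pwd; an acceptable
    # false positive for a check whose job is to stop a paste and ask.
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\b[\"']?\s*[:=]\s*[\"']?([^\s\"',}]+)"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9._\-]{20,})"),
}

# Constructed sample of the kind of config blob people paste into a beautifier.
# None of these values are real secrets.
SAMPLE_PASTE = """{
  "db": {"host": "db.internal.example", "user": "app", "password": "Winter2025!"},
  "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "us-east-1"},
  "auth_header": "Bearer eyJhbGciOiJIUzI1NiJ9.constructedpayload.constructedsig",
  "tls_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIEconstructedkeymaterial\\n-----END RSA PRIVATE KEY-----"
}"""


def find_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (kind, secret) pairs found in text, in pattern order."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.group(1) if m.lastindex else m.group(0)))
    return hits


def _redact_match(kind: str, m: "re.Match[str]") -> str:
    """Replace only the secret value, keeping the surrounding key name intact."""
    placeholder = f"<REDACTED:{kind}>"
    if m.lastindex:
        whole = m.group(0)
        start, end = m.start(1) - m.start(), m.end(1) - m.start()
        return whole[:start] + placeholder + whole[end:]
    return placeholder


def redact(text: str) -> str:
    """Return a copy of text with every detected secret replaced by a placeholder."""
    for kind, pattern in SECRET_PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: _redact_match(k, m), text)
    return text


def check_before_sharing(text: str) -> Dict[str, object]:
    """Gate a paste: safe=False means stop and use the redacted copy instead."""
    findings = find_secrets(text)
    return {"safe": not findings, "findings": findings, "redacted": redact(text)}


if __name__ == "__main__":
    result = check_before_sharing(SAMPLE_PASTE)
    for kind, _secret in result["findings"]:
        print(f"blocked: {kind}")  # report the kind, never echo the secret itself
    print(result["redacted"])
```

The same `check_before_sharing` gate fits naturally as a pre-commit hook or a browser-extension check on paste events; the point is that the redacted copy still formats, diffs and debugs exactly like the original, so there is no reason for the live values to leave the machine.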

The other example of how attacks happen comes from researchers at Reliaquest, who, writing about the recent SonicWall VPN exploits by the Akira ransomware gang (which we’ve covered on this show), noted that:

“In every incident, Akira operators gained a foothold in larger, acquiring enterprises by compromising SonicWall devices inherited from smaller, acquired business during M&A. In these cases, the acquiring enterprises were unaware that these devices existed in their new environments, leaving critical vulnerabilities exposed.”

This is a good reminder that integrating tech stacks is hard, and while we are seeing lots of growth through acquisition, that also means we need to remain vigilant about changes in our environment - especially when those environments are changing rapidly.

I raise these two items because we know that our security teams have their plates full with day-to-day efforts, and asking them to defend against modern attackers while secrets are being publicly exposed or vulnerable devices are being added to their environment makes it incredibly difficult to be resilient.

Focusing on these basics can help your security team move from constant fire fighting to more strategic efforts, but only if we don’t undermine their efforts from within.

Fundraising

From a fundraising perspective, a very quiet week, again due mostly to the Thanksgiving holiday here in the US, with a total of only $1.1B in newly committed capital.

I would remind you, though, that we’re sitting at about $215B so far in Q4.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.

We’ll see you next week for another edition of the Intentional Brief.

Links

https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/

https://www.bleepingcomputer.com/news/security/code-beautifiers-expose-credentials-from-banks-govt-tech-orgs/

https://reliaquest.com/blog/threat-spotlight-akira-ransomwares-sonicwall-campaign-creates-enterprise-m&a-risk

https://www.csoonline.com/article/4097078/sonicwall-ransomware-attacks-offer-an-ma-lesson-for-csos.html

https://www.theregister.com/2025/11/25/akira_ransomware_acquisitions/
