Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Boeing Hit by LockBit Ransomware: 43GB of Sensitive Data Leaked
In November 2023, the LockBit ransomware gang published 43 gigabytes of Boeing's internal data after the aerospace giant refused to pay ransom, exposing the persistent vulnerability of manufacturing supply chains to ransomware.
Mr. Cooper Mortgage Breach Exposes 14.7 Million Customers
In November 2023, mortgage giant Mr. Cooper disclosed a cyberattack that compromised the personal and financial data of 14.7 million current and former customers, making it one of the largest financial services breaches of the year.
MGM Resorts and Caesars Hit by Scattered Spider: Social Engineering at Scale
In September 2023, the Scattered Spider hacking group crippled MGM Resorts and extorted Caesars Entertainment through phone-based social engineering, exposing how human vulnerabilities can bypass even the most expensive security stacks.
MOVEit Vulnerability Mass Exploitation: A Field Analysis
Inside the Cl0p ransomware gang's zero-day attack on Progress MOVEit Transfer, the CVE-2023-34362 timeline, and the supply chain lessons it exposed.
3CX Desktop App: Anatomy of a Cascading Breach
How a Trading Technologies installer from 2022 poisoned the 3CX build pipeline in 2023, producing the first publicly confirmed cascading supply chain attack.
GoAnywhere MFT Zero-Day (CVE-2023-0669): Clop Ransomware's File Transfer Rampage
The Clop ransomware gang exploited a pre-auth RCE in GoAnywhere MFT to breach over 130 organizations. The campaign foreshadowed their devastating MOVEit attack months later.
T-Mobile API Breach: 37 Million Records Stolen Through an Unsecured API
In January 2023, T-Mobile disclosed that an attacker exploited an API to steal personal data of 37 million customers. It was their ninth major breach in five years.
CircleCI Credential Rotation: The Mass-Reset Event
CircleCI told every customer to rotate every secret on January 4, 2023. Here is what actually happened and why the scope was total.
Slack GitHub Repository Theft: Stolen Tokens and the Risks of Third-Party Integrations
In December 2022, Slack disclosed that stolen employee tokens were used to access private GitHub repositories. The breach highlighted the risks of token-based authentication in CI/CD pipelines.
Azure AD Token Theft Campaigns: A 2022 Retrospective
Token theft is the quiet successor to credential phishing, and 2022 turned it into an industry. Here is what the year's Azure AD campaigns actually looked like.
The Log4Shell Response Playbook Six Months In
Six months after CVE-2021-44228 broke the internet, here is what worked, what didn't, and the response patterns security teams should keep as muscle memory.
Microsoft LAPSUS$ Breach: Source Code Access and the Limits of Perimeter Security
LAPSUS$ claimed access to Microsoft's source code repositories, leaking 37GB of code from Bing, Cortana, and other projects. The breach showed that even tech giants have access control gaps.