The Backup Wrap-Up

The REDCap Attack that Phishing-Resistant MFA Could Have Stopped


Listen Later

Phishing-resistant MFA could have stopped a Chinese state-sponsored threat actor from spending over a year inside North American academic and medical research networks — and we're going to tell you exactly how it happened and what you need to do about it.

A group called UNC5608, tracked by Google's Threat Intelligence Group (GTIG), exploited a vulnerability unique to REDCap — a research data platform that allows multiple software versions to run simultaneously. They got in via stolen admin credentials, planted custom malware called Infinite.red directly into REDCap's upgrade process, harvested credentials for over a year, then used those credentials to log into Google Workspace as a domain admin and create fake compliance rules to silently forward sensitive research emails — military strategy, geostrategic policy, advanced tech, specific pathogens — straight to Gmail accounts they controlled. And nobody noticed for a very long time.

Prasanna and I break down the full attack chain, then walk through every prevention layer that could have stopped it: inventory management, patching, password hygiene, SSO, phishing-resistant MFA, passkeys, DBSC, context-aware access, compliance rule monitoring, credential separation across security domains, and logging. We also get into what backups can and can't do for you in a long-dwell-time attack like this — and why infrastructure-as-code and truly immutable golden images matter more than you might think.

If you're running any kind of research platform, academic institution, or medical network — or honestly any organization that uses Google Workspace — this one's for you.

Chapters:

00:00 — Intro: The attack that phishing-resistant MFA could have stopped

01:03 — Show intro & woodworking banter

03:26 — What is a living-off-the-land attack?

04:02 — Who is UNC5608 and who did they target?

05:08 — How REDCap's multi-version design was exploited

06:11 — Infinite.red malware and credential harvesting

09:01 — Google Workspace infiltration via fake compliance rules

10:18 — The keywords they were stealing: pathogens, military strategy, and more

11:50 — What could the victims have done differently?

12:42 — Inventory management, patching, and legacy version removal

14:00 — Why you can't trust application-level authentication alone — use SSO

15:18 — Phishing-resistant MFA and why it matters

16:00 — Passkeys, FIDO, and why there are zero known attacks against them

17:57 — Device-bound session credentials (DBSC) and context-aware access

19:38 — Monitor your compliance rules — have a compliance rule for the compliance rule

20:40 — Credential separation across security domains

23:00 — Get some logging — XDR, SIEM, and catching exfiltration in progress

24:00 — What can backups actually do in a long-dwell-time attack?

27:00 — Infrastructure-as-code and the right cyber recovery approach

28:58 — Protecting your golden images with immutable storage

31:59 — Wrap-up

...more
View all episodesView all episodes
Download on the App Store

The Backup Wrap-UpBy W. Curtis Preston (Mr. Backup)

  • 4.7
  • 4.7
  • 4.7
  • 4.7
  • 4.7

4.7

26 ratings


More shows like The Backup Wrap-Up

View all
The Changelog: Software Development, Open Source by Changelog Media

The Changelog: Software Development, Open Source

289 Listeners

Risky Business by Risky Business Media

Risky Business

375 Listeners

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) by Johannes B. Ullrich

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

648 Listeners

Tech Talks Daily by Neil C. Hughes

Tech Talks Daily

201 Listeners

CyberWire Daily by N2K Networks

CyberWire Daily

1,030 Listeners

Smashing Security by Graham Cluley

Smashing Security

317 Listeners

Darknet Diaries by Jack Rhysider

Darknet Diaries

8,051 Listeners

Cybersecurity Today by Jim Love

Cybersecurity Today

178 Listeners

Hacking Humans by N2K Networks

Hacking Humans

313 Listeners

Random but Memorable by 1Password

Random but Memorable

72 Listeners

AWS Podcast by Amazon Web Services

AWS Podcast

203 Listeners

Cybersecurity Headlines by CISO Series

Cybersecurity Headlines

136 Listeners

Risky Bulletin by Risky Business Media

Risky Bulletin

45 Listeners

Hacker And The Fed by Chris Tarbell & Hector Monsegur

Hacker And The Fed

167 Listeners

The Rest Is Classified by Goalhanger

The Rest Is Classified

1,092 Listeners