Two new XSS bugs, a Cisco hack, and more: first officer’s blog – week 12

Mike Parkin | August 15, 2022

First Officer’s log, Terrestrial date, 20220815. Officer of the Deck reporting.  

While my crewmates continued to execute the Officer of the Deck duties during my shore leave with the expected skill and professionalism, we were unable to dispatch our usual First Officer’s report. It falls to me now to again take up that mantle and report on recent activities in our sector. 

As I returned to duty, a major conference was underway. Unfortunately, logistics prevented myself or other members of the crew from attending. Perhaps next year. In the meantime, we will look for useful information to disseminate after we get a chance to review. 

In the meantime, the mission goes on. 

Cross site scripting will never die

What happened 

A pair of Cross Site Scripting (XSS) bugs were found in Google’s cloud platform. One of them was on DevSite and the other was found on Google Play. The attacks were technically different in nature, but both fell under the XSS umbrella. The researcher, NDevTK, got a well-earned bug bounty from Google for the finds. 

Why it matters 

XSS vulnerabilities have been a thing for a thing for a long, long, time, and it seems unlikely they’ll ever be fully eradicated. The more complex code becomes, and the more systems interact, the harder it is to keep everything secure. After all, the days of writing entire websites in vi or emacs are done and gone. 

What they said

XSS bug


One XSS bug is bad enough, but two? See how people are reacting.  

And the winner is…

What happened 

In April CISA (Cybersecurity and Infrastructure Security Agency) and ACSC (Australian Cyber Security Center) working with other Law Enforcement agencies released a list of the “Top” malware in the wild for 2021.  

Why it matters 

While the list is certainly informative, it does little to directly address the issue of how some malware becomes so widespread and easy for threat actors to deploy that there can even be a “top” list. Though, on the other hand, it does let organizations focus on the most common threats they’re likely to encounter. 

Of course, there is always the question of whether malware authors are as proud of making a “top ten” list as legitimate application developer does when one of theirs makes a top-of-something list. 

What they said  

When government agencies talk, others talk back. Learn more.

Here’s why you don’t mix work and home

What happened 

Threat actors managed to gain access to part of networking giant Cisco’s environment by compromising an employee’s personal Google account, and then leveraging that to move into the target environment. The attack was fairly involved and appears to have been executed by a threat actor operating as an Initial Access Broker – someone who gains access to a target environment and then sells that access to other threat actors to execute whatever agenda they’re following. 

Why it matters 

Cisco has a very mature and seasoned security team, who were able to deal with the threat once it was identified. The challenge is with the initial access coming from a user’s personal account, rather than a breach of their corporate credentials. In most cases, organizations have very little visibility, or any legitimate right to visibility, into their staff’s personal accounts. That means, for better or worse, they can’t do much to protect said user’s assets without their permission. 

Enforcing a separation between User and Organization assets can be difficult, especially in this day of remote work and Bring Your Own Device environments. It can be done, but managing it takes a combination of tools and policies that balance organizational security needs with user protection and privacy. 

What they said 

A Cisco hack is always big news. Check it out.

Want to get ahead of the stories? Join the conversations as they happen with the Vulcan Cyber community Slack channel  

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy