A rogue snack machine? A hotel hacker? Customizable gems? Oh yeah. It's here, and it's all a part of this month's edition of Lore & Order.
Now let's crack it open and see what broke, what worked, and what we learned along the way.


Now bear with me briefly...
Exercises are serious stuff and important for uncovering real gaps. But from an engagement and participation perspective, you'll be doing yourself a favor if you add an element of fun in the mix.
I don't mean it has to be funny—I mean incorporate elements that stimulate and challenge your audience. Let your players build their characters, draw up a storyline that allows participants to use their imagination, build suspense with each reveal, and encourage participants to play a role that is new to them. These tactics will lead to better engagement, and your participants will dive into the experience.
Exercises can also be just for fun, and that's exactly what we're doing with our TTX Thursdays in Blueberry Security's Discord.
Every other Thursday we've been running exercises on the server. We bring in a new facilitator each time to showcase a scenario and facilitation method of their choosing. We've done Hackback Games, traditional formats, as well as Backdoors & Breaches.
One scenario was a rogue AI-enabled snack machine that gained access to employees' data in the HRIS system and was leaking PII on its display. That was a blast!
If you're interested in seeing what we're up to, you can [sign up here link]. You can play along or be a passive observer—there's something for everyone. It's a great networking and learning environment to boot!
Your allies in IR,
Rob & Scout


Dear Asa,
A hotel was referred to us by an IT company for incident response. Overnight, they had fallen victim to a vishing attack—an impersonator claiming to be "hotel software support" gained access to multiple systems. The night shift employee who interacted with the attacker was conveniently no longer available (a nice inject idea), and we were forced to work with second- and third-hand accounts, making our initial steps slower than ideal.
We quickly deployed EDR and other security tools. The hotel had been using a free Gmail account for operations, so we began by helping them recover access. On the endpoints, we found remote access software (AnyDesk) and Nirsoft’s WebBrowserPasswordView. After running the tool ourselves, we identified likely compromised credentials—including access to their card processing software and guest relationship platforms.
The attacker had also leveraged Firefox’s sync feature to silently collect future password changes saved in-browser. This flew under the radar at first, and they were able to grab the updated Gmail credentials before we locked it down again.
We removed all unauthorized software and, in collaboration with the hotel’s corporate sponsor, began determining what guest data may have been exposed.
As the incident wrapped, the hotel's key takeaway was clear: this attack was entirely preventable at several points. With the right proactive tools and basic staff training to verify identities before granting access, the breach could have been avoided altogether.
— Lead Cybersecurity Engineer | Technology
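The story above names three endpoint artifacts worth hunting for in the aftermath of a vishing-driven intrusion: an unapproved remote-access tool, a browser credential-dumping utility, and a browser sync account that keeps exfiltrating saved passwords after the initial cleanup. The script below is an added example, not code from the submitter or from Ally Security; it runs a small watchlist over a constructed software-inventory export and checks a constructed Firefox `prefs.js` fragment for a configured sync account. The inventory format (`host | name | path`), the hostnames, and the watchlist entries are assumptions made for the example, and the `services.sync.username` preference name is the one Firefox is assumed to write when sync is signed in.

```python
import re

# Illustrative watchlist (not exhaustive): lower-case substrings matched against
# the software name and install path. Remote-access tools are legitimate in many
# environments; the finding means "verify this is on the approved list", not "malware".
WATCHLIST = {
    "remote-access": ("anydesk", "teamviewer", "rustdesk", "screenconnect"),
    "credential-dumping": ("webbrowserpass", "passview", "mimikatz"),
}

# Constructed sample inventory export (not real telemetry from the incident).
# Format assumed for this example: host | software name | path.
SAMPLE_INVENTORY = r"""
FRONTDESK-01 | AnyDesk | C:\Users\night\AppData\Roaming\AnyDesk\AnyDesk.exe
FRONTDESK-01 | WebBrowserPassView | C:\Users\night\Downloads\WebBrowserPassView.exe
FRONTDESK-02 | Mozilla Firefox | C:\Program Files\Mozilla Firefox\firefox.exe
BACKOFFICE-01 | Microsoft Office | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"""

# Constructed prefs.js fragment. Assumption: Firefox records the signed-in
# sync account under services.sync.username when sync is enabled.
SAMPLE_PREFS = """\
user_pref("browser.startup.page", 1);
user_pref("services.sync.username", "sync-account@example.invalid");
user_pref("signon.rememberSignons", true);
"""


def classify(name, path):
    """Return the watchlist category for a software entry, or None."""
    haystack = f"{name} {path}".lower()
    for category, needles in WATCHLIST.items():
        if any(needle in haystack for needle in needles):
            return category
    return None


def flag_tools(inventory_text):
    """Parse 'host | name | path' lines and return the entries that hit the watchlist."""
    findings = []
    for line in inventory_text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # blank or malformed line
        host, name, path = parts
        category = classify(name, path)
        if category:
            findings.append({"host": host, "tool": name, "category": category})
    return findings


_SYNC_RE = re.compile(r'user_pref\("services\.sync\.username",\s*"([^"]*)"\);')


def firefox_sync_account(prefs_text):
    """Return the sync account configured in a prefs.js fragment, or None if sync is not signed in."""
    match = _SYNC_RE.search(prefs_text)
    return match.group(1) if match else None


if __name__ == "__main__":
    for finding in flag_tools(SAMPLE_INVENTORY):
        print(f"[{finding['category']}] {finding['host']}: {finding['tool']}")
    account = firefox_sync_account(SAMPLE_PREFS)
    if account:
        # An unrecognised sync account is the lead worth chasing: every password
        # saved in the browser after remediation is still being mirrored to it.
        print(f"[browser-sync] Firefox sync signed in as {account}; confirm this account is authorised")
```

Run it against a real inventory export by replacing `SAMPLE_INVENTORY` with the exported text, and against each user's Firefox profile directory by reading its `prefs.js`. Signing the browser out of sync (or resetting the account's password) belongs on the containment checklist alongside removing the remote-access tool, otherwise the credential rotation you just did is delivered straight back to the attacker.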


After Gen. Timothy Haugh was unexpectedly removed from leading both NSA and U.S. Cyber Command, new leadership picks are expected any day now. The transformation could finally dismantle the long-standing “dual-hat” structure, separating the two roles for the first time in over a decade.
The move has major implications for how intelligence flows, how cyber ops are run, and how prepared we really are for conflict in the digital domain. Track What Happens Next
UK retailer M&S has confirmed that personal customer data (including addresses, phone numbers, and birthdates) was stolen during a recent cyberattack. No payment data or passwords were exposed, but users will still be required to reset credentials as a precaution.
DragonForce, a ransomware-as-a-service group, has claimed responsibility for the attacks on M&S, Co-Op, and Harrods. Read the Full Brief
U.S. experts found hidden comms hardware inside Chinese-made solar inverters and batteries—equipment that’s everywhere from rooftops to utility-scale grids.
These undocumented devices could bypass firewalls and send data who-knows-where, or worse—remotely mess with power infrastructure. Think: surprise shutdowns, grid instability, major headaches. Follow the Fallout
Microsoft’s latest Patch Tuesday includes fixes for 78 vulnerabilities—five of which are already being exploited in the wild. The update covers everything from Azure DevOps (CVSS 10.0) to privilege escalation bugs in Defender for Linux, DWM, and WinSock.
CISA has added all five zero-days to its Known Exploited Vulnerabilities list, requiring agencies to patch by June 3. Review the Summary

Built by our killer engineers, Elvira and Mario
You can now modify the color and crown jewel theming for every one of your client accounts. You can use this as a way to personalize accounts for organization and/or for fun. For example, maybe you theme your accounts by industry. The world is your oyster!
Stay tuned for more colors! Have a favorite you want to see next? Send it to us! Email support@ally.security.
Cheers,
Rob & Scout


That's all, folks! Thanks for joining us this month. If you want first dibs on easter eggs, bonus resources, or just want to argue about threat actor naming conventions in real time—join us in Slack.
We’ll be there, probably over-caffeinated, definitely monitoring weird snack machine behavior.
About Ally Security
Ally is here to support facilitators, which in turn creates a virtuous cycle where exercises take less time, provide more value, are run more frequently, and leave every organization better prepared.
The unexpected wins. The client curveballs. The chaos you couldn’t have scripted if you tried. Dear Asa is your space to share the stories that don’t make it into the official post-incident report. Script, submit, and enjoy a chance to be featured or quoted in an upcoming post.
