The Aflac cyberattack and the 16 billion–credential leak making the rounds online are part of a much deeper story. Attack tactics keep evolving, but the core weakness stays the same: most organizations still have no reliable way to manage, prioritize, and remediate security risk across their environment.
Attackers are no longer just exploiting firewalls or endpoints. They’re chaining together stolen credentials, social engineering, and vulnerable applications to gain access and escalate. This is exactly the pattern outlined in CISA’s AA23-320A advisory on Scattered Spider—a group known for rapidly exploiting whatever’s easiest to breach.
Hackers Go Where the Defenses Are Weakest
The uncomfortable truth is this: today it’s phishing, tomorrow it’s a vulnerability in your software stack. Threat actors don’t care how they get in—only that they do. And if your security stack is siloed, slow, or noisy, you’re giving them the time and space to dig deeper.
In many organizations, the software security lifecycle is fragmented:
- Dozens of tools, but no single source of truth
- Findings that never reach developers in time
- Manual triage processes that delay response
- Duplicate or low-priority alerts that bury critical risk
This isn’t just inefficient—it’s dangerous.
What the CISA Advisory Makes Clear
CISA’s AA23-320A advisory outlines how threat actors like Scattered Spider are leveraging:
- Phishing and impersonation tactics to gain initial access (via SMS, voice, or email)
- MFA fatigue (push bombing) and SIM swapping to bypass authentication controls
- Legitimate remote access tools like AnyDesk and TeamViewer to maintain persistence
- Credential harvesting and lateral movement to exploit additional systems
These tactics aren’t exotic—they’re effective. And once inside, adversaries are exploiting vulnerabilities in applications and infrastructure to maximize their reach.
The DevSecOps Gap
The problem isn’t a lack of security tools—it’s a lack of connected visibility and prioritized response. Too many security programs are just reactive, operating without the automation and orchestration needed to keep pace with modern threats.
Security teams can’t afford to chase every alert. Instead, they need to:
- Ingest findings from across tools and normalize them
- Automate deduplication and triage workflows
- Prioritize based on real business risk, not just severity scores
- Deliver timely, actionable issues to the teams who can fix them
This is where DevSecOps principles—shift left, automate early, close the feedback loop—come into play. Not just as buzzwords, but as operational necessities.
Building Resilience into the Process
At DefectDojo, we see this every day. The teams that reduce risk fastest aren’t necessarily the ones with the most tools—they’re the ones with a clear system for consolidating, filtering, and acting on their security signals.
That means:
- Centralizing scan results from static, dynamic, container, and cloud tools
- Applying machine learning to collapse redundant findings and flag likely false positives
- Scoring vulnerabilities in context—by asset, exploitability, and potential impact
- Empowering developers with clear remediation paths, early in the CI/CD process
This kind of structured vulnerability management is what turns alerts into decisions, and decisions into security outcomes.
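The ingest, normalize, deduplicate, score-in-context and route steps listed above (in the DevSecOps list and again in the consolidation list just before this sentence) as one runnable pipeline. This is an added example, not DefectDojo's code or data model; the scanner formats, asset inventory, scoring weights, SLA policy and sample findings are all assumptions constructed for the illustration.

```python
"""Added example (not DefectDojo code): ingest records from several constructed scanner
formats, normalize, deduplicate cross-tool reports, score in asset context, route to owners."""
from dataclasses import dataclass
from typing import Optional

# Assumption: a simple 0-10 base ladder per normalized severity.
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 1.0, "info": 0.0}

# Constructed asset inventory: the business context scanners do not have.
ASSETS = {
    "payments-api":  {"criticality": 1.0, "internet_facing": True,  "owner": "payments-team"},
    "nightly-batch": {"criticality": 0.2, "internet_facing": False, "owner": "data-platform"},
}
UNKNOWN_ASSET = {"criticality": 0.5, "internet_facing": True, "owner": "security-triage"}


@dataclass(frozen=True)
class Finding:
    tool: str
    title: str
    severity: str                  # one of SEVERITY_BASE's keys
    asset: str
    location: str                  # file:line, URL path, or image:package
    cwe: Optional[int] = None
    known_exploited: bool = False  # e.g. listed in CISA's KEV catalog


def normalize(tool: str, raw: dict) -> Finding:
    """Map one tool's native record onto the common schema (tool formats are constructed)."""
    if tool in ("sast-a", "sast-b"):   # SAST: rule + file:line
        return Finding(tool, raw["rule"], raw["level"].lower(), raw["repo"],
                       f'{raw["file"]}:{raw["line"]}', raw.get("cwe"))
    if tool == "dast":                 # DAST: URL path on a target
        return Finding(tool, raw["name"], raw["risk"].lower(), raw["target"],
                       raw["path"], raw.get("cwe"), raw.get("in_kev", False))
    if tool == "container":            # image scanner: package-level
        return Finding(tool, f'{raw["pkg"]} {raw["vuln_id"]}', raw["severity"].lower(),
                       raw["image"], f'{raw["image"]}:{raw["pkg"]}', None, raw.get("in_kev", False))
    raise ValueError(f"unknown tool format: {tool}")


def dedup_key(f: Finding) -> tuple:
    """Two tools reporting the same weakness at the same place collapse to one key;
    tool name and rule title are ignored whenever a CWE is available."""
    what = ("cwe", f.cwe) if f.cwe is not None else ("title", f.title.lower())
    return (what, f.asset, f.location)


def deduplicate(findings: list) -> list:
    """Keep the first record per key and remember every tool that reported it."""
    merged: dict = {}
    for f in findings:
        entry = merged.setdefault(dedup_key(f), {"finding": f, "tools": []})
        entry["tools"].append(f.tool)
    return list(merged.values())


def risk_score(f: Finding) -> float:
    """Severity scaled by asset criticality, exposure and known exploitation (assumed weights)."""
    ctx = ASSETS.get(f.asset, UNKNOWN_ASSET)
    score = SEVERITY_BASE[f.severity] * (0.5 + 0.5 * ctx["criticality"])
    if ctx["internet_facing"]:
        score *= 1.2
    if f.known_exploited:
        score += 2.0
    return round(min(score, 10.0), 1)


def sla_days(score: float) -> Optional[int]:
    """Remediation deadline by score (assumed policy); None means backlog only."""
    return 7 if score >= 9.0 else 30 if score >= 7.0 else 90 if score >= 4.0 else None


def triage(raw_inputs: list) -> list:
    """raw_inputs: list of (tool, record). Returns routed issues, highest risk first."""
    issues = []
    for entry in deduplicate([normalize(t, r) for t, r in raw_inputs]):
        f, score = entry["finding"], risk_score(entry["finding"])
        issues.append({"title": f.title, "asset": f.asset, "location": f.location,
                       "score": score, "sla_days": sla_days(score),
                       "owner": ASSETS.get(f.asset, UNKNOWN_ASSET)["owner"],
                       "seen_by": entry["tools"]})
    return sorted(issues, key=lambda i: i["score"], reverse=True)


# Constructed scanner output: two SAST tools flag the same SQL injection, DAST finds a
# known-exploited bug on the internet-facing API plus a low-severity header issue, and
# the image scanner reports a "critical" package CVE (placeholder id) in an internal job.
SAMPLE_INPUT = [
    ("sast-a", {"rule": "sqli-format-string", "level": "High", "repo": "payments-api",
                "file": "app/db.py", "line": 42, "cwe": 89}),
    ("sast-b", {"rule": "py/sql-injection", "level": "high", "repo": "payments-api",
                "file": "app/db.py", "line": 42, "cwe": 89}),
    ("dast", {"name": "Path traversal in /export", "risk": "High", "target": "payments-api",
              "path": "/export", "cwe": 22, "in_kev": True}),
    ("dast", {"name": "Missing X-Content-Type-Options", "risk": "Low", "target": "payments-api", "path": "/"}),
    ("container", {"image": "nightly-batch", "pkg": "libexample", "vuln_id": "PLACEHOLDER-0001", "severity": "Critical"}),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_INPUT):
        print(f'{i["score"]:>5}  sla={i["sla_days"]}  {i["owner"]:<15} {i["asset"]:<14} {i["title"]}  seen by {i["seen_by"]}')
```

The point of the scoring step is visible in the output order: the "critical" package finding on the internal batch job ranks below the "high" path traversal that is internet-facing and known to be exploited, and the two SAST reports of the same SQL injection arrive at the payments team as one issue rather than two. In a real deployment the asset inventory and the known-exploited flag would come from a CMDB and a feed such as CISA's KEV catalog rather than from inline constants.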
The combination of credential leaks, social engineering, and software vulnerabilities is not going away. If anything, it’s accelerating. What CISA’s AA23-320A makes clear is that attackers are getting faster—and organizations need to match that speed with smarter, more connected security operations.
Credential theft may open the door. But how far an attacker walks into your org depends on what they find next: a tangled mess of fragmented defenses—or a system designed to see and stop them before they get too far.