Zero Day Logs

PODCAST · technology


Welcome to Zero Day Logs, the podcast that dissects the most consequential cybersecurity breaches of our time. We go beyond the headlines to reconstruct exactly how the world's most heavily defended networks are actually dismantled—focusing not just on the technical exploits, but the structural flaws, human errors, and critical executive decisions that determine who survives and who pays.

From billion-dollar hospitality empires brought to a standstill by a single, well-researched phone call to an IT help desk, to global identity gatekeepers compromised by contractor laptops and standard diagnostic files, each episode maps the attack path step-by-step. We break down the underlying enterprise architecture—explaining concepts like multi-factor authentication, federated identity, and zero-trust frameworks—so you understand the mechanics of the collapse.

Whether you are a security professional defending a network, or simply someone trying to unde

  1. SolarWinds: The Update That Wasn't

    In the spring of 2020, up to 18,000 organizations installed a software update from a trusted vendor. It was signed. It was verified. Every security check said it was clean. Every one of those checks was correct. What they couldn't verify was what was inside the package before the seal was applied.

    This is the full story of SUNBURST — how Russia's SVR compromised SolarWinds' build pipeline, turned a routine software update into a backdoor, and spent nine months reading emails inside the U.S. Treasury, the Department of Homeland Security, the State Department, and dozens of Fortune 500 companies. How FireEye discovered it by investigating their own breach, burned their own toolkit to stop it, and exposed one of the largest intelligence operations in history — in a single day.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

    Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    CHAPTERS
    00:00 Cold Open — In 2020, They Were Invited
    00:41 The Routine Update
    01:14 18,000 Organizations
    02:07 What Orion Could See
    03:58 Inside the Treasury
    05:46 Why Every Security Scan Passed
    09:16 The Build Pipeline
    10:10 Code Signing: The Wax Seal
    11:31 The Printing Press Analogy
    12:16 Inside the Build Pipeline
    14:51 Sunburst Activates
    16:52 The DNS Covert Channel
    19:36 100 Out of 18,000
    19:57 Hands-On Access
    25:54 Nine Months of Access
    28:03 FireEye's Response
    28:44 Pulling the Thread
    29:53 December 13, 2020
    34:09 Attribution and Sanctions
    36:53 The solarwinds123 Password
    39:18 The Three Missing Controls
    42:32 Defense in Depth
    43:08 The Cost of Remediation
    48:49 Trust and Verification
    54:24 Technical Breakdown + Resources
    54:41 Next on Zero Day Logs

  2. The Support Ticket That Opened Every Door

    In 2022, a teenager posted screenshots from inside the company that controls the login page for 18,000 organisations — not by breaking through a firewall, but through a contractor's compromised laptop. Twenty months later, it happened again. This time through a diagnostic file uploaded to a support ticket.

    This is the full story of both Okta breaches — how a contractor's laptop, a credential saved to a personal Google account via Chrome's password sync, and a file format most people have never heard of gave attackers a window into Cloudflare, 1Password, BeyondTrust, and thousands of others. And how one company was told something was wrong — and stayed silent for 18 days.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: official security advisories, customer post-incident reports, court documents, and verified forensic findings. Every breach. One episode. Real consequences.

    Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    CHAPTERS
    00:00 Cold Open — Screenshots on Telegram
    03:52 The Invisible Gatekeeper
    06:07 Lapsus$ — Not a Nation State
    07:52 What Actually Happened in 2022
    08:03 How Authentication Actually Works
    11:43 The Contractor's Laptop
    19:53 Twenty Months Later
    23:13 The 2023 Breach
    24:17 The HAR File — A Flight Data Recorder
    25:03 Session Cookies and Stolen Wristbands
    27:55 The November 29th Disclosure
    30:03 Cloudflare, 1Password, BeyondTrust
    34:15 The Supply Chain Problem
    36:38 Zero Trust and Assume Breach
    40:31 Eighteen Days of Silence
    41:43 The Three Missing Controls
    43:23 The Credential That Left the Building
    47:06 What Changed After
    48:20 The Chain of Trust
    53:09 Outro
    53:35 Next: SolarWinds

    SOURCES & FURTHER READING
    - Okta Security Advisory — October 2023
    - Okta Expanded Disclosure — November 29, 2023
    - Okta Security Advisory — March 2022
    - Cloudflare blog: "How Cloudflare mitigated yet another Okta compromise"
    - 1Password Security Incident Report (2023)
    - BeyondTrust Incident Disclosure (2023)
    - CISA Identity Security Guidance
    - Lapsus$ public reporting / Arion Kurtaj UK conviction (2023)

  3. How One Phone Call Cost MGM $100 Million

    In September 2023, one of the largest casino and hospitality companies on Earth was brought to a standstill — not by malware, not by a state-sponsored strike, but by a single phone call to an IT help desk.

    This is the full story of how Scattered Spider exploited the gap between trust and verification — from a LinkedIn search to a rogue Identity Provider inside MGM's Azure AD tenant — and how a $100M containment decision turned the casino floor dark.

    Zero Day Logs is an investigative audio documentary built entirely from the public record: SEC filings, court documents, government advisories, and verified forensic findings. Every breach. One episode. Real consequences.

    Find full technical breakdowns, attack timelines, and defensive configurations at zerodaylogs.com. If you found this breakdown valuable, please follow the show and leave a review.

    CHAPTERS
    00:00 Cold Open — Las Vegas Goes Dark
    00:19 The Casino Floor Stops
    01:38 The Help Desk: Where It All Started
    03:42 OSINT — They Opened LinkedIn
    04:43 Vishing: The Phone Call
    05:47 Inside Okta — The MFA Reset
    06:12 How Multi-Factor Authentication Works
    09:49 Lateral Movement — Mapping the Network
    11:53 Federated Identity Explained
    16:10 SAML Assertion Forgery
    18:25 The ESXi Architecture
    20:08 MGM Pulls the Plug
    20:48 What One MFA Reset Actually Cost

    SOURCES & FURTHER READING
    - Okta Security Advisory (2023)
    - CISA Advisory AA23-320A
    - MGM SEC 8-K filing, September 2023
    - Microsoft DART case study



HOSTED BY

ZDL
