
Inside the Kill Chain: How One Phish Led to Full Network Compromise — Ep.2

One phishing email. Four hours. Domain admin and access to everything. In Episode 2 of Inside the Box, Peter Bassill walks through a real anonymised penetration test, mapping every phase to the Cyber Kill Chain, and shows exactly where the defence should have stopped it. Then: the biggest cyber security stories of the week, plus highlights from the Cyber Defence blog that every UK business owner needs to read.

Listen to Episode 2: “The Kill Chain”

Available on Podbean, Apple Podcasts, Spotify, and wherever you get your podcasts.

The Kill Chain: A Real-World Walkthrough

The Cyber Kill Chain, originally developed by Lockheed Martin, breaks an attack into seven phases: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. An attack is not a single event — it is a sequence. And at every stage of that sequence, there is an opportunity for a defender to detect, disrupt, or stop it.

In this episode, Peter walks through a real penetration test against a sixty-person professional services firm. Starting with two hours of open-source intelligence gathering on LinkedIn, he maps each phase of the engagement to the kill chain. The phishing email that impersonated their managed service provider. The single click that handed over credentials. The remote access tool deployed without triggering a single alert. Within four hours of the initial email, Peter had domain admin and access to the client database, financial records, and email archive.

The critical takeaway: there were at least four points where the defence could have broken the chain, one at each of the phases Peter walked through. Better email filtering would have stopped the message at delivery. MFA on the email account would have meant a phished password alone was not enough at exploitation. Endpoint detection would have flagged the remote access tool at installation. Network monitoring would have surfaced the command and control traffic before the actions on objectives. The firm had none of them. The kill chain only succeeds when every link holds. Break one, and the attacker has to start again.

This Week’s Cyber Security News

Fortinet FortiClient EMS — Two Critical Zero-Days in One Week

Fortinet pushed emergency patches over the Easter bank holiday weekend for CVE-2026-35616, a critical pre-authentication API bypass in FortiClient EMS scoring 9.1 on CVSS. No credentials needed, no user interaction, low complexity. This came days after another critical FortiClient EMS flaw, CVE-2026-21643 (SQL injection, also 9.1), began being actively exploited. Both are pre-auth. Both affect the same product line. Exploitation was observed on honeypots from 31st March.

Action required: If you are running FortiClient EMS 7.4.5 or 7.4.6, patch immediately. The hotfix is available now, with version 7.4.7 expected shortly. The 7.2 branch is reportedly unaffected. If your management interface is exposed to the internet, do not treat the patch as the end of the matter: both flaws were being exploited before the fix existed, and patching does not remove anything an attacker left behind. Check the EMS server for unexpected administrator accounts, newly created scheduled tasks or services and outbound connections it should not be making, and move the management interface off the public internet.

F5 BIG-IP and Citrix NetScaler — The NCSC Says Assume Breach

The NCSC issued advisories for both F5 BIG-IP Access Policy Manager (CVE-2025-53521, reclassified from DoS to unauthenticated RCE at 9.8) and Citrix NetScaler ADC/Gateway (CVE-2026-3055, memory overread at 9.3, drawing comparisons to CitrixBleed). Over seventeen thousand vulnerable F5 IPs have been identified globally. Attackers are deploying webshells, meaning compromise may persist even after patching.

Action required: The NCSC recommends investigating for compromise on all affected F5 products regardless of when patching occurred. For both F5 and Citrix, treat this as priority one: isolate, investigate, patch, and rebuild if necessary. The NCSC maintains a list of assured incident response providers for organisations that need forensic support.

LiteLLM Supply Chain Attack — The AI Industry’s MOVEit Moment

A threat group called TeamPCP compromised the CI/CD pipeline of LiteLLM, an open-source Python library present in over a third of cloud environments. Two malicious versions were published to PyPI on 27th March and were live for approximately forty minutes. In that window, tens of thousands of downloads occurred. The malware harvested credentials, API keys, and cloud secrets. The first major downstream victim, AI recruiting startup Mercor, had four terabytes of data reportedly exposed. Wiz estimates over a thousand SaaS environments are affected. We published a detailed breakdown of the Mercor breach earlier this week.

Action required: If your development teams use LiteLLM, audit immediately: find every developer machine, container image and CI runner that installed or upgraded the package on 27th March, not only the ones that still carry a malicious version. Rotate every secret those environments could read: API keys, cloud credentials, CI tokens and anything in .env files. Review dependency pinning and verification practices: pin exact versions with hashes so that a surprise release cannot be pulled into a build automatically. Treat your AI supply chain as an attack surface.
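The pinning review above is the part most teams can automate. The script below is an added example for this article, not code from the podcast or from the LiteLLM project. It reads a pip requirements file and reports every dependency that pip could resolve to something other than the artifact you reviewed: no version at all, a range that a newly published release would satisfy, or no --hash option so that any file served for that version is accepted. The requirements file embedded in it is constructed for the example and its digest is a placeholder.

```python
"""Audit a pip requirements file for weak dependency pinning.

Added example for this article, not code from the podcast or from the LiteLLM
project. It assumes the common pip-tools layout: one requirement per logical
line, optional '--hash=sha256:...' options, backslash continuations. The sample
file below is constructed for the example and its hash value is a placeholder.
"""
import re
from dataclasses import dataclass

# name, optional [extras], then an optional comma-separated version specifier
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<spec>(?:===|==|>=|<=|~=|!=|>|<)\s*[^\s;,]+"
    r"(?:\s*,\s*(?:===|==|>=|<=|~=|!=|>|<)\s*[^\s;,]+)*)?"
)
_HASH_RE = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


@dataclass
class Finding:
    requirement: str
    package: str
    problems: list


def _logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    parts = []
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #", 1)[0].rstrip()
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line.strip())
        joined = " ".join(p for p in parts if p)
        parts = []
        if joined:
            yield joined


def audit_requirements(text):
    """Return a Finding for every requirement pip could resolve to an unreviewed artifact."""
    findings = []
    for req in _logical_lines(text):
        if req.startswith("-"):
            continue  # -r includes, --index-url and similar options are out of scope here
        m = _REQ_RE.match(req)
        if not m:
            continue
        name = m.group("name").lower().replace("_", "-")
        spec = m.group("spec") or ""
        hashes = _HASH_RE.findall(req)
        problems = []
        if not spec:
            problems.append("unpinned: no version specifier, pip takes the newest release")
        elif "==" not in spec:
            problems.append(f"range specifier {spec!r}: a newly published release satisfies it")
        if not hashes:
            problems.append("no --hash: any artifact served for that version is accepted")
        elif any(alg.lower() != "sha256" for alg, _ in hashes):
            problems.append("hash algorithm weaker than sha256")
        if problems:
            findings.append(Finding(req, name, problems))
    return findings


def summarize(findings):
    """Map package name to its list of problems, for reporting."""
    return {f.package: f.problems for f in findings}


# Constructed sample requirements file (not a real project's); the digest is a placeholder.
SAMPLE_REQUIREMENTS = """\
# pinned by hand for the example
litellm
openai>=1.0,<2
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000001
boto3==1.34.0
"""

if __name__ == "__main__":
    for pkg, problems in summarize(audit_requirements(SAMPLE_REQUIREMENTS)).items():
        for p in problems:
            print(f"{pkg}: {p}")
```

Run it against each repository's requirements file in CI and fail the build on any finding. Only the fully pinned, hashed requests line passes; the bare litellm line is the case that would have pulled a malicious release in automatically.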

Cyber Essentials v3.3 “Danzell” — Three Weeks Away

Cyber Essentials version 3.3, codenamed Danzell, comes into force on 27th April 2026. MFA is now mandatory for all cloud services and all administrator accounts with no exceptions. Any cloud service storing or processing organisational data is automatically in scope. The language has been tightened to close loopholes that previously allowed checkbox compliance. We also published an eye-opening analysis of the true cost of Cyber Essentials — for a real ten-person business, the figure is £13,000 to £30,000, not the £320 headline price.

Action required: Audit your cloud services now. Ensure MFA is enabled everywhere. Understand the shared responsibility model for every SaaS product you use before your next assessment.

CYBERUK 2026 — Glasgow, 21st–23rd April

The NCSC’s flagship conference returns for its tenth anniversary. The theme is “The Next Decade: Accelerating Our Cyber Defence.” Over 2,500 leaders and practitioners are expected. Plenary sessions are usually published afterwards for those without tickets.

From the Cyber Defence Blog This Week

Several stories from the blog tied directly into the episode’s kill chain theme — attackers exploiting what organisations have forgotten about, neglected, or never secured in the first place.

A Coffee Machine Caused a Data Breach

A forensics team spent days investigating a significant corporate breach. The source was not a server or a laptop. It was an internet-connected coffee machine on the same network as everything else, quietly exfiltrating data overseas. If it connects to the internet and it is on your network, it is an attack surface. Segment your network and put IoT devices on their own VLAN, with no route to the systems that hold your data and outbound internet access limited to what the device actually needs.

Russian State Hackers Are Targeting Home Routers

The NCSC warned that APT28 (Fancy Bear) is actively compromising home and small office routers — primarily TP-Link models — by changing DNS settings to redirect users to fake login pages. Every device connected to the compromised router inherits the poisoned settings. Microsoft estimates over 200 organisations and 5,000 devices have been affected. Log into your router, check the DNS settings, update the firmware, and disable remote management.

Six-Figure Losses Now Routine for UK Manufacturers

New ESET data shows nearly one in five UK manufacturers lost over £1 million to cyber attacks in the past year. Seventy-eight per cent reported being hit. The attacks are coordinated, increasingly AI-assisted, and targeting SMBs as much as enterprise.

NHS Scotland GP Websites Hijacked for Months

Multiple NHS Scotland GP practice websites were hijacked and used to redirect visitors to adult content and illegal streaming sites. The compromise went unnoticed for months. The attack method: abandoned websites with outdated, unpatched CMS installations. If you have a WordPress site or any CMS, patch it, remove unused plugins, and set up monitoring for unauthorised content changes.
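Monitoring for unauthorised content changes is the control that would have cut "months" down to hours here. The script below is an added example for this article, not code from the podcast, from NHS Scotland or from any incident report. It takes a page's HTML (in practice fetched on a schedule), compares a digest against a stored baseline, and separately scans for the injection patterns seen on hijacked CMS sites: meta refreshes, scripts loaded from other hosts, hidden iframes and JavaScript redirects. The hostname and both HTML samples are constructed for the example.

```python
"""Detect unauthorised content changes on a CMS-driven website.

Added example for this article, not code from the podcast, from NHS Scotland or
from any incident report. It takes a page's HTML as a string (in practice you
would fetch it on a schedule), compares a digest against a stored baseline, and
flags the injection patterns seen on hijacked CMS sites: meta refreshes,
off-site scripts, hidden iframes and JavaScript redirects. The hostname and
both HTML samples are constructed for the example.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "gp-practice.example"  # assumed: the monitored site's own hostname

# Assignments to location (a JS redirect), but not comparisons with == or ===
_JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)|location\.replace\("
)


class _InjectionScanner(HTMLParser):
    """Collect indicators of injected redirects and third-party code."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.own_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._offsite(src):
                self.findings.append(f"off-site script: {src}")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(f"meta refresh: {a.get('content')}")
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or a.get("width") == "0" or a.get("height") == "0":
                self.findings.append(f"hidden iframe: {a.get('src')}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here as data; look for redirects written in JavaScript
        if self._in_script and _JS_REDIRECT_RE.search(data):
            self.findings.append("inline script assigns location (JavaScript redirect)")


def page_digest(html):
    """SHA-256 of the page with whitespace collapsed, so reformatting alone does not alarm."""
    return hashlib.sha256(re.sub(r"\s+", " ", html).strip().encode()).hexdigest()


def check_page(html, baseline_digest, own_host=SITE_HOST):
    """Compare a fetched page with its baseline and scan it for injection indicators."""
    scanner = _InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return {"changed": page_digest(html) != baseline_digest, "indicators": scanner.findings}


# Constructed samples: the page as published, and the same page after a hijack.
BASELINE_HTML = """<html><head><title>GP Practice</title>
<script src="https://gp-practice.example/js/site.js"></script></head>
<body><h1>Opening hours</h1><p>Mon-Fri 8am-6pm</p></body></html>"""

HIJACKED_HTML = """<html><head><title>GP Practice</title>
<meta http-equiv="refresh" content="0;url=https://streams.example.net/">
<script src="https://cdn.example.net/r.js"></script>
<script>window.location.href = "https://streams.example.net/";</script></head>
<body><h1>Opening hours</h1><p>Mon-Fri 8am-6pm</p>
<iframe src="https://ads.example.net/x" width="0" height="0"></iframe></body></html>"""

if __name__ == "__main__":
    baseline = page_digest(BASELINE_HTML)
    print("as published:", check_page(BASELINE_HTML, baseline))
    print("after hijack:", check_page(HIJACKED_HTML, baseline))
```

The digest catches any change, including the legitimate ones, so it tells you when to look; the indicator scan tells you what to look at first. Store the baseline digest somewhere the CMS cannot write to, update it only after a deliberate publish, and alert on either signal.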

The Thread Running Through Everything

Every story in this episode — the kill chain walkthrough, the Fortinet zero-days, the LiteLLM supply chain attack, the router hijacking, the coffee machine, the NHS Scotland websites — shares the same underlying lesson. Attackers exploit what you have forgotten about. The management interface left exposed. The IoT device never segmented. The router firmware never updated. The website launched three years ago and never touched since. Each one is a link in a kill chain. The defenders who win are the ones who break the chain before it reaches the end.

Coming Next

Episode 3 — “Watchers on the Wall” — takes you inside the Security Operations Centre. What SOC analysts actually do all day, how they handle alert fatigue, and what separates a good SOC from a checkbox SOC. Peter has stories.

Three of this week’s stories involve actively exploited perimeter devices. Is yours monitored?

SOC in a Box watches your network 24/7 with a named CREST-certified analyst, EmilyAI triage, and active cyber defence. One box, one analyst, one invoice — from £335 per month.
