Before you start your Monday, catch up on the latest in cybersecurity!
In this week's issue:
- Lazarus Group exploits Windows zero-day (critical vulnerability)
- SSRF vulnerability in Microsoft Copilot Studio (AI security risk)
- Fostering a positive cybersecurity culture (leadership strategy)
- Free Splunk training courses (skill development)
- Cyberbit's expansion and North American ownership (market shift)
I've packed this edition with even more insights, including career development opportunities and new cybersecurity tools.
Your feedback shapes the future of Mandos Brief!
I'd love to hear your thoughts about the content I share:
Azure Kubernetes Services Vulnerability Allowed Cluster Compromise
- Mandiant disclosed a privilege escalation vulnerability in Azure Kubernetes Services (AKS) to Microsoft, which has since been fixed. Attackers could have exploited this to access sensitive information, leading to data theft, financial loss, and reputational harm.
- AKS clusters using "Azure CNI" for network configuration and "Azure" for network policy were affected. Attackers with command execution in a Pod could download the cluster node configuration, extract TLS bootstrap tokens, and read all secrets within the cluster.
- The vulnerability stems from the difficulty in securely bootstrapping Kubernetes nodes. Azure's WireServer component and HostGAPlugin endpoint allowed attackers to retrieve and decrypt VM configuration settings, including the Custom Script Extension used for initial setup.
Lazarus Group Exploits Windows Zero-Day to Deploy FUDModule Rootkit
- Gen Digital researchers discovered that the North Korean Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to gain elevated privileges and install the FUDModule rootkit on targeted systems.
- The BYOVD flaw, tracked as CVE-2024-38193, was fixed by Microsoft in August 2024 along with seven other zero-day vulnerabilities. It allowed attackers to gain unauthorized access to sensitive system areas without having to install an older, vulnerable driver.
- Lazarus, known for targeting financial and cryptocurrency firms in million-dollar cyberheists, has previously abused the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers in BYOVD attacks to install FUDModule.
Qilin Ransomware Attack Steals Google Chrome Credentials
- Sophos researchers detected a Qilin ransomware attack in July 2024 that involved stealing credentials stored in Google Chrome browsers on compromised endpoints.
- The attackers infiltrated the network via compromised VPN credentials lacking MFA, edited the default domain policy to introduce a logon-based GPO containing PowerShell and batch scripts to harvest Chrome credential data, and left it active for over three days.
- Because the stolen data covers every site saved in the browser, affected users must change their username and password for each third-party site. The incident signals a potentially dark new chapter in the ongoing story of cybercrime, as ransomware groups continue to change tactics and expand their techniques.
AWS Environments Compromised via Exposed .env Files
- Unit 42 researchers uncovered a data extortion campaign that compromises AWS resources through credentials collected from insecurely stored .env files on web servers, exposing over 90,000 unique environment variables.
- The exposed files contained various types of credentials, including 1,185 unique AWS access keys, 333 PayPal OAuth tokens, 235 GitHub tokens, 111 HubSpot API keys, 39 Slack webhooks, and 27 DigitalOcean tokens.
- After obtaining an AWS access key, the attackers performed reconnaissance actions and achieved privilege escalation by creating a new IAM role with AdministratorAccess policy, attempting to create infrastructure stacks using EC2 resources and AWS Lambda.
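The escalation step described above (a leaked key is used to create a role and attach AdministratorAccess to it) is a sequence a defender can look for in CloudTrail. The detector below is an added example, not Unit 42's code; the CloudTrail records it scans are constructed for the example, and only the fields it reads are included.

```python
"""Flag CloudTrail sequences where one principal creates an IAM role and then
attaches AdministratorAccess to that same role. Sample records are constructed."""
import json
from collections import defaultdict

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACTOR = "arn:aws:iam::111122223333:user/leaked-key-user"  # constructed principal

# Constructed CloudTrail-style records, trimmed to the fields the detector uses.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-20T10:01:02Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": ACTOR}, "requestParameters": None},
    {"eventTime": "2024-08-20T10:01:40Z", "eventName": "CreateRole",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"roleName": "lambda-ex-role"}},
    {"eventTime": "2024-08-20T10:02:05Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": ACTOR},
     "requestParameters": {"roleName": "lambda-ex-role", "policyArn": ADMIN_POLICY}},
    # Benign deployment activity that must not be flagged.
    {"eventTime": "2024-08-20T11:00:00Z", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/TerraformDeploy"},
     "requestParameters": {"roleName": "app-role",
                           "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]

def find_admin_role_escalations(events):
    """Return (actor, role, time) for each AttachRolePolicy of AdministratorAccess
    to a role the same actor created earlier in the log. Events are time-sorted."""
    created = defaultdict(set)  # actor ARN -> role names that actor created
    hits = []
    for e in sorted(events, key=lambda e: e["eventTime"]):
        actor = e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}  # None for read-only calls
        if e["eventName"] == "CreateRole":
            created[actor].add(params.get("roleName"))
        elif (e["eventName"] == "AttachRolePolicy"
              and params.get("policyArn") == ADMIN_POLICY
              and params.get("roleName") in created[actor]):
            hits.append((actor, params["roleName"], e["eventTime"]))
    return hits

def load_cloudtrail_file(path):
    """Delivered CloudTrail log files are JSON objects with a top-level 'Records' list."""
    with open(path) as fh:
        return json.load(fh)["Records"]

if __name__ == "__main__":
    for actor, role, when in find_admin_role_escalations(SAMPLE_EVENTS):
        print(f"{when}: {actor} created {role} and attached AdministratorAccess")
```

Run it against real logs with `find_admin_role_escalations(load_cloudtrail_file(path))`; alerting on the AttachRolePolicy alone (without the preceding CreateRole) is a reasonable lower-severity variant.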
Researchers Uncover Hardware Backdoor in "MIFARE Classic Compatible" Cards
- In a recent paper, researchers studied the FM11RF08S, a new variant of MIFARE Classic cards designed to resist card-only attacks, and found several vulnerabilities and a hardware backdoor.
- The researchers developed attacks capable of cracking the FM11RF08S sector keys in minutes, even when keys are diversified, by leveraging the discovered backdoor protected by a common secret key.
- Similar backdoors were found in previous generations of Fudan, NXP, and Infineon MIFARE Classic cards, highlighting the risks for consumers using these widely deployed cards for access control in hotels and other facilities worldwide.
Fostering a Positive Cybersecurity Culture for Organizational Success
- Jinan Budge, Principal Analyst at Forrester, emphasizes that understanding the prevailing cultural context is crucial for security leaders to effectively shape workforce behaviors and norms around technology and security.
- To change perceptions, security teams must adopt an open, transparent, positive, and collaborative approach, focusing on clear goals, fresh ideas, and their sphere of influence.
- Leveraging branding principles, honing soft skills, justifying changes effectively, and adopting a language of risk instead of security are key strategies for building a strong cybersecurity culture that drives business value.
3 Key Strategies for Mitigating Non-Human Identity Risks
- Josh Yavor, CISO at Teleport, outlines three fundamental areas to focus on when securing non-human identities (NHIs), which can outnumber human users by 10,000 to 1,000 in most networks.
- The first strategy is discovery and posture management, which involves continuously inventorying and monitoring NHIs across all environments, including SaaS applications, and using tools that provide rich context to prioritize risks based on factors like permissions and privileges.
- The second strategy is third-party breach response and credential rotation, which requires quickly identifying impacted NHIs connected to third parties experiencing security incidents and rotating them without disrupting critical business processes.
Cloud Security Gotchas CISOs Often Overlook
- According to cloud security experts, ephemeral resources in the cloud, such as temporary storage instances, can pose significant security risks despite their short lifespan by serving as entry points for malicious activities without leaving much trace for forensic analysis.
- Scott Piper, principal cloud security researcher at Wiz, argues that taking inventory in the cloud is much easier compared to on-premises environments, and security teams should overcome their historical avoidance of this task to identify misconfigurations and critical issues.
- Tracking cloud spend can provide early indicators of malicious activity, such as denial of wallet (DoW) attacks designed to force enterprises to incur extra cloud charges, but the constantly evolving nature of cloud services makes real-time analysis challenging.
Microsoft Launches Comprehensive Security Operations Analyst Course SC-200
- Microsoft has introduced the SC-200 course, designed to train Security Operations Analysts in using Microsoft Sentinel, Defender XDR, and Defender for Cloud to mitigate cyberthreats.
- The course covers configuring Microsoft Sentinel, utilizing Kusto Query Language (KQL) for detection, analysis, and reporting, and investigating and responding to threats across the Microsoft security portfolio.
- Aimed at intermediate-level security professionals, the course prepares learners for the SC-200 certification exam and features modules on Microsoft Defender for Cloud Apps, Endpoint, Purview, and 365 Security Center.
Free Splunk Training Courses Available for Self-Paced Learning
- Splunk offers a library of free eLearning courses that allow users to quickly launch their Splunk education and learn at their own pace from any device.
- Courses cover topics such as managing Splunk Observability Cloud teams using API and Terraform, setting up Splunk Cloud as an identity provider for Splunk Observability Cloud, and instrumenting Splunk Mobile Real User Monitoring for iOS and Android.
- Additional free courses cover Splunk Enterprise and Splunk Cloud basics, including an intro to Splunk, using fields, creating dashboards, scheduling reports and alerts, data visualization, search architecture, data input, installation, configuration, licensing, upgrades, data enrichment, data models, statistical processing, and an intro to SPL2 and Edge Processor.
Free Cybersecurity Training from Fortinet Offers Courses for Various Skill Levels
- Fortinet's free cybersecurity training program provides a wide range of self-paced and instructor-led courses, as well as practical exercises, catering to security professionals, IT professionals, and teleworkers.
- The program includes a public training schedule for in-person and virtual classes, allowing participants to learn alongside diverse Fortinet employees, business partners, and customers from around the world.
- Fortinet offers NSE certifications that serve as objective indicators of a candidate's technical knowledge and skills, and provides a global network of Authorized Training Centers (ATC) delivering expert-level training in local languages across more than a hundred countries.
SSRF Vulnerability in Microsoft Copilot Studio Allows Access to Internal Infrastructure
- Tenable Research discovered a critical server-side request forgery (SSRF) vulnerability in Microsoft Copilot Studio that allowed making external web requests, including to the Instance Metadata Service (IMDS) and internal Cosmos DB instances.
- By using an HTTP 301 redirect and inserting newlines in the metadata header to remove the X-Forwarded-For header, researchers were able to bypass SSRF protections, retrieve instance metadata and managed identity access tokens, and gain read/write access to an internal Cosmos DB.
- While no cross-tenant information was immediately accessible, the shared infrastructure for the Copilot Studio service among tenants magnifies the risk. Microsoft quickly addressed the issue, assigning it CVE-2024-38206 as a Critical Information Disclosure vulnerability.
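The two bypass ingredients above, a redirect that lands on IMDS and a newline smuggled into a header value, are exactly what an outbound-request layer has to check. The fetcher below is an added example (not Tenable's or Microsoft's code) showing the defensive side: it validates the resolved address of every hop in a redirect chain and refuses CR/LF in headers. The HTTP client and DNS resolver are injected so it runs offline; `fake_opener`, `FAKE_DNS`, `evil.example` and `api.example` are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse
def is_blocked_ip(ip_text):
    """Reject link-local (IMDS lives at 169.254.169.254), private, loopback, etc."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_link_local or ip.is_private or ip.is_loopback
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def validate_headers(headers):
    """CR/LF in a header lets a sender inject or truncate headers (e.g. X-Forwarded-For)."""
    for name, value in headers.items():
        if "\r" in name + value or "\n" in name + value:
            raise ValueError(f"CR/LF in header {name!r}")

def validate_url(url, resolver=socket.gethostbyname):
    """Check the scheme and the *resolved* address, not just the hostname text."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL {url!r}")
    ip = resolver(p.hostname)
    if is_blocked_ip(ip):
        raise ValueError(f"{p.hostname} resolves to blocked address {ip}")

def safe_fetch(url, headers, opener, resolver=socket.gethostbyname, max_redirects=3):
    """opener(url, headers) -> (status, response_headers, body). Redirects are
    followed here rather than by the HTTP client so each Location is re-checked."""
    validate_headers(headers)
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, resp_headers, body = opener(url, headers)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = resp_headers["Location"]
    raise ValueError("too many redirects")

# Constructed stand-ins so the example runs offline: a fixed resolver and an
# HTTP "client" whose external host answers with a 301 to the IMDS address.
FAKE_DNS = {"evil.example": "93.184.216.34", "api.example": "93.184.216.34",
            "169.254.169.254": "169.254.169.254"}
def fake_opener(url, headers):
    if url.startswith("http://evil.example/"):
        return 301, {"Location": "http://169.254.169.254/metadata/instance"}, b""
    return 200, {}, b"payload"
def fetch_outcome(url, headers):
    """'ok', 'blocked' or 'bad-header' for a fetch through the constructed client."""
    try:
        return "ok" if safe_fetch(url, headers, fake_opener, FAKE_DNS.__getitem__)[0] == 200 else "other"
    except ValueError as exc:
        return "bad-header" if "CR/LF" in str(exc) else "blocked"
```

Resolving in `validate_url` and again inside a real HTTP client leaves a DNS-rebinding window; a production version pins the validated IP for the actual connection.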
AI Transforms Application Security, Balancing Automation with Human Oversight
- In an interview with Help Net Security, Kyle Wickert, Worldwide Strategic Architect at AlgoSec, discusses how AI is transforming application security by enhancing real-time threat detection and response, saving countless hours compared to manual processes.
- To harness the benefits of AI in application security effectively, Wickert suggests adopting an application-centric approach that automates change management processes, identifies security risks, and ensures compliance, while balancing AI with human oversight to manage false positives and security risks.
- Wickert highlights the importance of integrating comprehensive security testing throughout the application delivery pipelines, embedding compliance and risk assessment tasks into change management processes, and fostering a security-first mindset within organizations to prioritize application security effectively.
AWS CEO: AI to Change Developer Jobs, Less Coding by 2025
- AWS CEO Matt Garman suggests that in the next 24 months, most developers may not be coding as AI tools change the nature of their work.
- Garman believes the developer's role will shift towards focusing more on innovation and understanding customer needs, rather than just writing code.
- While some predict AI will eliminate programming jobs, Garman sees opportunities for developers to accomplish more with AI tools, removing "undifferentiated heavy lifting" from their work.
Palo Alto Networks Forecasts Strong FY2025 Revenue and Profit, Shares Rise
- Palo Alto Networks forecasts fiscal 2025 revenue and profit above Wall Street estimates, indicating growing demand for its products amid an evolving digital threat landscape.
- The company's shares rose about 2% in extended trading, as it announced an additional $500 million for share repurchases, but dipped briefly after CEO Nikesh Arora mentioned customers reevaluating options due to a recent global IT outage.
- Palo Alto Networks' fourth-quarter revenue rose about 12% to $2.19 billion, beating expectations, and it posted an adjusted profit per share of $1.51, exceeding estimates, with customers including NetApp, Iron Mountain, and a U.S. federal agency.
Cyberbit Announces 100% North American Ownership and Expansion Funding
- Cyberbit, a leading cybersecurity skill development platform provider, announced new funding from existing investors, including Charlesbank Capital Partners, to recapitalize the company under solely North American ownership and control.
- Over the past year, Cyberbit has undertaken several strategic initiatives to accelerate expansion, including appointing Caleb Barlow as CEO, relocating its global headquarters to the United States, launching a new subsidiary focused on government growth, and adding several new leadership team members.
- With new funding and 100% North American ownership, Cyberbit is positioned to focus on growth and expansion into new geographies as it fulfills its mission of delivering hyper-realistic experiences that build elite cybersecurity teams.
Fabric Cryptography Raises $33M to Develop Cryptography Chip and Software
- Fabric Cryptography, a Santa Clara-based cryptography hardware startup, has raised $33 million in a Series A funding round led by 1kx and Blockchain Capital, bringing its total funding to $39 million.
- The company is developing a custom silicon chip called the Verifiable Processing Unit (VPU), which aims to accelerate cryptographic algorithms using hardware-software codesign techniques, similar to how AI hardware boosts AI workloads.
- Fabric will use the new funds to develop the next-generation VPU chips, scale its software and cryptography teams, and work on algorithms to protect personal data when using AI models in the cloud.
Pulsedive
Pulsedive is a threat intelligence platform that provides frictionless threat intelligence for growing teams, offering features such as indicator enrichment, threat research, and API integration.
DumpsterDiver
DumpsterDiver is a tool for analyzing big volumes of data to find hardcoded secrets like keys and passwords.
MISP Workbench Tools
Tools to export data from the MISP MySQL database for post-incident analysis and correlation.
If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!
Have questions? Let me know in the comments or on LinkedIn and Mastodon.
Best,
Nikoloz