Brief #100: Microsoft NTLM Exploit, Cybersecurity Job Reality, AI Security Incidents Up 56%

Nikoloz Kokhreidze


Task Scheduler vulnerabilities enable privilege escalation without user approval. Multi-layered phishing campaigns delivering Agent Tesla through evasion techniques. AI-related security incidents jumped 56.4% in 2024.


Happy Sunday!

Welcome to the 100th edition of Mandos Brief! Thanks to all of you who've been with me on this journey - whether you're a day-one reader or just joined us recently.

This week brings some developments worth your attention:

  • Microsoft's NTLM Hash vulnerability is already being exploited just 8 days after patching - a reminder that the patch-to-exploit window keeps shrinking
  • The cybersecurity job market is showing a paradoxical reality: entry-level positions are oversaturated while organizations still struggle to find qualified talent
  • Stanford's AI Index Report reveals AI-related security incidents jumped 56% in 2024, with websites increasingly restricting data scraping for AI training

Let's dive into this week's security landscape!

If you find these insights valuable, why not share this milestone edition with your network?

INDUSTRY NEWS

Microsoft NTLM Hash Disclosure Vulnerability Actively Exploited Within Days of Patch

  • A vulnerability in Windows Explorer (CVE-2025-24054) allows attackers to leak NTLM hashes via maliciously crafted .library-ms files with minimal user interaction - even right-clicking or simply navigating to a folder containing the file can trigger the exploit.

  • Malicious campaigns targeting government and private institutions in Poland and Romania began just 8 days after Microsoft's March 11 patch, using malspam with Dropbox links containing files that harvest NTLMv2-SSP hashes for potential credential theft or relay attacks.

  • The attack appears to be a variant of a previously patched vulnerability (CVE-2024-43451), with similar campaigns continuing against organizations worldwide using multiple network resource files targeting the same SMB authentication weakness.

Task Scheduler Vulnerabilities Enable UAC Bypass and Log Manipulation

  • Researchers discovered a UAC bypass vulnerability in Windows Task Scheduler that allows attackers to execute high-privilege commands without user approval by exploiting batch logon functionality, elevating from any integrity level to the highest available privileges.

  • Two new defense evasion techniques were identified - one leveraging an unlimited buffer in the Author task metadata field that can overwrite Event Log descriptions, and another building on this to completely overflow the Security Event Log file (Security.evtx) through repeated task creation.

  • The impersonation capabilities of schtasks.exe can be particularly dangerous for lateral movement, allowing any low-privileged user with knowledge of credentials for users in Administrators, Backup Operators, or Performance Log Users groups to obtain elevated privileges through batch logon.

Phishing Campaign Uses Multi-Layered Attack Chain to Deliver Agent Tesla and Other Malware

  • Attackers deployed a sophisticated phishing campaign delivering malicious archives that initiate complex multi-stage attack chains, using both AutoIt and .NET compiled executables as alternative paths to evade detection.

  • The attack begins with emails containing malicious 7z attachments disguised as order documents, which extract JSE files that download PowerShell scripts to deliver the final payloads including Agent Tesla variants, Remcos RAT, and XLoader.

  • Through process injection techniques targeting legitimate Windows processes like RegAsm.exe and RegSvcs.exe, the malware establishes persistence while complicating analysis by security researchers and sandboxes.

LEADERSHIP INSIGHTS

NIST Publishes Draft Guidelines for API Protection in Cloud-Native Systems

  • NIST Special Publication 800-228 provides comprehensive guidance on vulnerabilities in API lifecycles and recommends both basic and advanced protection controls for pre-runtime and runtime stages.

  • The document emphasizes zero-trust principles for all APIs, noting that perimeters have vanished in modern enterprise IT applications, requiring controls to span both public and internal APIs.

  • Common API risks identified include lack of visibility in enterprise inventory, broken authentication, and unrestricted resource consumption that can lead to denial-of-service attacks.

Anthropic's Enterprise AI Implementation Guide Outlines Security and Compliance Best Practices

  • Anthropic's guide emphasizes the need for comprehensive security frameworks that address data privacy, model security, and regulatory requirements as part of a three-dimensional AI strategy encompassing people, processes, and technology.

  • Organizations implementing AI should establish an AI review board, define ethical guidelines, and create transparent processes for model evaluation and incident response to build trust while maintaining momentum.

  • The implementation roadmap progresses through increasing levels of technical complexity - from basic implementations focused on direct interactions to advanced agent-based systems with decision-making capabilities and sophisticated error handling mechanisms.

Initial Access Brokers Report: US Organizations Most Targeted With Shift Toward SMBs

  • Initial Access Brokers (IABs) are increasingly targeting smaller organizations with 60.5% of attacks now focusing on companies with $5M-$50M revenue, compared to 53% in 2023. The US remains the prime target (31% of all attacks), with VPN access surging in 2024, challenging RDP for the top exploitation method.

  • Business services, manufacturing, and retail are the most targeted industries (13% each), showing a broader distribution compared to 2023 when business services alone represented 29%. The average access price in 2024 is $2,047, with 58% of listings priced under $1,000, making these compromises both affordable and damaging at scale.

  • Most compromised machines (53%) had only Windows Defender as their security product, highlighting significant security gaps. Domain user is now the most common privilege type offered for sale, with domain and local admin privileges accounting for approximately 70% of listings.


CAREER DEVELOPMENT

Cybersecurity Job Market Reality: Graduate Oversaturation Meets Industry Unwillingness to Train Entry-Level Talent

  • The cybersecurity industry faces a significant oversaturation of entry-level applicants, with 300+ candidates competing for single SOC analyst positions while education providers continue to promote a "massive skills gap" narrative.

  • Most "entry-level" positions now require 2-3 years of experience, creating a paradoxical barrier for new graduates who have invested in degrees, certifications, and home labs but cannot gain initial experience in the industry.

  • Automation of traditional starter positions and economic factors have further constricted the entry pipeline, requiring job seekers to target niche skill areas like OT security, IAM, or threat modeling rather than oversaturated SOC roles.

Over Half of IT Leaders Struggle to Hire Skilled Cybersecurity Talent

  • The cybersecurity talent gap continues to widen, with more than 50% of IT leaders reporting difficulty finding qualified professionals to protect their organizations from increasing threats.

  • Organizations are experiencing negative impacts on their security posture due to understaffing, including delayed project implementations, increased vulnerability to attacks, and difficulty maintaining compliance standards.

  • Companies are responding by implementing alternative strategies such as upskilling existing staff, adopting more automated security tools, and partnering with managed security service providers to address critical gaps.

Cybersecurity Professionals Share Their Biggest Workplace Mistakes on Reddit

  • A security engineer accidentally enabled global 2FA settings instead of account-specific settings, causing an enterprise-wide lockout of a critical security application.

  • Multiple professionals reported configuration mistakes including deleting VLANs from military facilities, syncing blank servers to production file servers, and breaking domain controller access by implementing overly restrictive hardening policies.

  • One analyst described deploying CrowdStrike EDR enterprise-wide just before the major global outage, while another inadvertently quarantined all Chrome browsers organization-wide by misconfiguring a custom IOC.

AI & SECURITY

Building Your First Offensive Security MCP Server

  • The Multi-protocol C2 server (MCP) is an evolving open-source collaborative platform that includes multiple protocols and agents for offensive security operations, providing a comprehensive alternative to commercial tools like Cobalt Strike.

  • MCP offers advanced features such as remote code execution, file manipulation, and credential harvesting, with the ability to create and deploy implants using the command line interface via SSH.

  • The setup process involves several key components including Debian/Ubuntu installation, MongoDB configuration, and proper security practices like running services as a non-root user and enforcing TLS for all connections.

Deloitte Highlights the Need for Balanced AI Governance Amid Expanding AI Capabilities

  • As AI transforms business operations globally, the focus has shifted from whether AI delivers value to managing its implementation costs, including compliance requirements and potential penalties for non-compliance, while preventing poor quality development that could lead to substantial rework and reputational damage.

  • Different AI forms bring unique capabilities and challenges - Machine Learning analyzes datasets for predictions, Generative AI improves human-computer interactions, while agentic AI can autonomously perform complex tasks, raising both efficacy and risk considerations across industries like healthcare, banking, and manufacturing.

  • Organizations must balance regulatory requirements like the EU AI Act with operational efficiency, as AI-specific risks include scaling biases in training data, unreliable outputs from generative systems, and autonomous decision-making that could violate organizational requirements without human awareness.

Stanford AI Index Report 2025 highlights growing cybersecurity concerns amid rapid AI adoption

  • The number of reported AI-related incidents rose to 233 in 2024—a record high and a 56.4% increase over 2023, according to the AI Incidents Database, highlighting growing security challenges as AI adoption accelerates.

  • Organizations recognize key responsible AI risks, but implementation of mitigation efforts lags behind, with only 64% concerned about AI inaccuracy, 63% about regulatory compliance, and 60% about cybersecurity threats.

  • The data commons is rapidly shrinking as websites implement new protocols to limit data scraping for AI training, with restricted tokens in actively maintained domains jumping from 5-7% to 20-33% between 2023 and 2024.

MARKET UPDATES

Sekoia.io Secures €26 million in Series B Funding to Enhance AI-SOC Platform and Expand Internationally

  • European cybersecurity firm Sekoia.io raises €26M from Revaia, UNEXO, and existing investors, bringing total funding to €60M since founding in 2022. Funding will accelerate AI development and international expansion beyond Europe.

  • The Sekoia AI-SOC Platform automates threat detection using an exclusive intelligence dataset on threat actors, deploys agent-based AI to reduce incident response times, and offers 200+ native integrations with third-party solutions.

  • The company targets the rapidly growing MSSP market (expected to reach $52.9B by 2028) with a platform designed to democratize access to advanced cybersecurity for organizations of all sizes, addressing challenges posed by the NIS2 directive and talent shortages.

Cybersecurity Funding Increases 29% in Q1 2025 Despite Fewer Deals

  • Total funding to venture-backed cybersecurity startups reached $2.7 billion in Q1, up 29% from Q4 2024, while deal flow declined 31% year-over-year with only 139 deals completed.

  • Google's planned $32 billion acquisition of cloud security unicorn Wiz, the largest acquisition of a venture-backed company ever, may drive further investor interest in the cybersecurity sector.

  • Key growth drivers include AI applications in security, with major funding rounds going to NinjaOne ($500M at $5B valuation), Island ($250M at $4.8B valuation), and Aura ($140M at $1.6B valuation).

Exaforce Secures $75 Million Series A Funding for AI-powered SOC Platform

  • Exaforce has developed the industry's first multi-model AI platform for Security Operations Centers (SOCs), combining semantic, behavioral, and statistical models with LLMs to overcome limitations of pure LLM approaches in security applications.

  • The funding round was led by Khosla Ventures and Mayfield, with their Agentic SOC Platform promising a tenfold reduction in human-led SOC work through AI agents called Exabots that handle alert triage, investigations, and automated workflows.

  • Design partners have already reported 10x improvements in productivity, with the platform addressing critical SOC challenges including false positive reduction, improved threat detection coverage for cloud environments, and alleviating the security talent shortage.

TOOLS

Jit

An integrated application security platform that combines multiple security scanning tools with developer-focused workflows for automated code and infrastructure security testing.

Contrast Runtime Security Platform

A comprehensive application security platform that combines runtime protection, security testing, and monitoring capabilities across the entire application lifecycle.

ZeroFox EASM

A solution that discovers, analyzes, and helps remediate vulnerabilities across an organization's external digital attack surface by identifying and monitoring internet-facing assets.


Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz
