Brief #102: AirPlay Vulnerabilities, Passkeys Replace Passwords, MCP Security Risks

Happy Sunday!

I've been thinking about our industry's persistent password problem all week, and it's encouraging to see Microsoft finally making passkeys the default for new accounts. While this is a significant step forward, Ivanti's latest report reveals a concerning gap - only 22% of organizations are increasing investments in exposure management despite half of security professionals recognizing its value.

In this week's brief:

• North Korean threat actors are creating fake crypto companies to deploy triple malware threats
• The Model Context Protocol (MCP) introduces new security risks despite backing from tech giants
• Cybersecurity professionals emphasize that system administration experience is fundamental to security careers

Industry News

Researchers Discover "AirBorne" Vulnerability Affecting Millions of AirPlay-Enabled Devices

• Security firm Oligo revealed a collection of vulnerabilities in Apple's AirPlay SDK that could allow attackers on the same Wi-Fi network to hijack third-party AirPlay-enabled devices like speakers, TVs, and set-top boxes, potentially affecting tens of millions of devices.

• While Apple has patched these flaws in their own devices, many third-party manufacturers may never update their firmware, leaving a persistent security risk that could allow attackers to maintain stealthy network access, install ransomware, or even turn devices with microphones into listening devices.

• The vulnerabilities also affect CarPlay-enabled vehicle dashboard computers, though exploitation requires physical access via Bluetooth or USB connection, significantly limiting the threat vector in automotive applications.

Microsoft Makes Passkeys Default for New Microsoft Accounts

• Microsoft has made new accounts "passwordless by default," enabling users to sign in with phishing-resistant passkeys instead of traditional passwords, while existing users can delete their passwords through account settings.

• The company has simplified the sign-in experience by automatically detecting and prioritizing the best available authentication method on a user's account, representing a significant step toward industry-wide passwordless adoption.

• Over 15 billion user accounts now support passkeys, and the FIDO Alliance is working on improving credential interoperability across providers and expanding passkey implementation to payment use cases through a new Payments Working Group.

North Korean APT "Contagious Interview" Establishes Fake Crypto Companies to Deliver Triple Malware Threat

• Silent Push researchers uncovered three cryptocurrency front companies operated by North Korean APT group "Contagious Interview" (a subgroup of Lazarus) used to deploy BeaverTail, InvisibleFerret, and OtterCookie malware through fake job interviews targeting crypto professionals.

• The threat actors created convincing company personas using AI-generated employee images, fake business registrations, and elaborate social media presence, while their infrastructure revealed significant operational security failures linking all three companies: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC.

• The cryptocurrency theft campaign uses a multi-stage infection process involving GitHub repositories with hidden code, fake job interviews requiring video recordings, and malware that establishes persistence across Windows, macOS, and Linux to steal wallet credentials from popular browser extensions.

Leadership Insights

Ivanti's 2025 State of Cybersecurity Report Highlights Shift To Exposure Management

• Exposure management – a comprehensive approach to risk assessment that balances business objectives with security needs – is recognized as valuable by 49% of security professionals, yet only 22% are increasing investments in this area for 2025.

• Organizations face significant data silos between IT and security teams, with 55% reporting silos that slow response times (62%) and weaken security posture (53%), while estimating it would take six years to break them down.

• Despite 83% of organizations having documented risk tolerance frameworks, 51% admit these aren't followed closely, creating serious vulnerabilities in how companies assess and communicate threats across leadership levels.

M-Trends 2025 Report Reveals Increased Dwell Time and Evolving Attack Vectors

• Global median dwell time increased to 11 days in 2024 (from 10 days in 2023), marking the first increase since M-Trends began in 2010, with exploits remaining the most common initial infection vector (33% of investigations).

• Financial sector continues to be the most targeted industry (17.4%), followed by business/professional services and high tech, with data theft observed in 37% of investigations and ransomware involved in 21% of cases.

• Notable emerging threats include North Korean IT worker insider threats, targeting of unsecured data repositories, and vulnerabilities in edge security devices like Palo Alto Networks PAN-OS (CVE-2024-3400) and Ivanti Connect Secure VPN (CVE-2023-46805).

Organizations Face Growing Financial Impact From Security Incidents as AI Transforms Threat Landscape

• Netwrix's 2025 Cybersecurity Trends Report shows that 75% of organizations reported financial damage from security incidents – up from 60% in 2024 – with 13% estimating costs exceeding $200,000, nearly double last year's figure of 7%.

• The report found 60% of organizations are already leveraging AI tools in their IT infrastructure, while 37% of respondents indicated that AI-driven threats forced them to adjust their security approach.

• Identity-based attacks continue to grow in the cloud, with account compromise incidents increasing from 16% in 2020 to 46% in 2025, while targeted attacks on premises rose from 19% in 2023 to 28% in 2025.

Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development

Cybersecurity Intern Finds System Administration Experience Is Essential To Security Career

• A cybersecurity intern expressed disappointment after being assigned primarily to sysadmin tasks rather than the security monitoring work promised during their interview.

• Industry professionals overwhelmingly responded that patching, system deployment, and configuration management are fundamental security skills that provide necessary context for future security roles.

• One senior cybersecurity professional with 30 years of experience emphasized that understanding how systems work is essential to effectively securing them.

Job Seekers With CTO Titles Face Hiring Challenges for Entry-Level Cybersecurity Positions

• A recent cybersecurity graduate with multiple CompTIA certifications (A+, Net+, Sec+, Pentest+, CySA+) and e-commerce business experience as "CTO" reports receiving zero interviews after 50 job applications for entry-level SOC positions.

• Community consensus indicates that using executive titles from small businesses on resumes can be counterproductive when applying for entry-level positions, as recruiters may view the candidate as overqualified or having unrealistic salary expectations.

• Networking at industry events and starting with help desk or IT positions may offer better pathways into cybersecurity, as direct entry into security roles without corporate IT experience remains difficult despite educational qualifications.

People-Centric Leadership in Cybersecurity Reduces Burnout and Business Risk

• At RSAC 2025, MK Palmore urged cybersecurity leaders to shift from mission-centric to people-centric leadership approaches, as military-style focus contributes to high burnout rates in the industry.

• Poor leadership communication during uncertain times leads to reduced productivity, with organizations facing higher turnover costs and diminished innovation when they neglect leadership development.

• Implementing empathetic leadership practices – including clear communication, mentoring opportunities, and focusing on individual skills – correlates with higher revenue, enhanced market share, and improved team resilience.

AI & Security

Model Context Protocol (MCP) Security Risks and Mitigation Strategies

• MCP, backed by Anthropic, OpenAI, Microsoft, and Google, enables LLMs to connect with external data sources but introduces significant supply chain risks through untrusted servers running arbitrary code with minimal verification mechanisms.

• Security concerns include typosquatting in registries, credential theft, remote code execution via auto-running tools, and injection vulnerabilities in server implementations, with thousands of public MCP servers already deployed despite evolving specifications.

• Recommended mitigations include using trusted sources, auditing servers before use, applying least privilege to credentials, preferring local servers over remote ones, and considering sandboxing or proxy gateways to establish centralized control points.

CrowdStrike Develops Multi-Agent AI System to Secure AI-Generated Code

• CrowdStrike data scientists created a proof-of-concept self-learning multi-agent AI system that uses Red Teaming capabilities to identify and address vulnerabilities in AI-generated code before they can be exploited.

• The system consists of three specialized AI agents working together: a vulnerability scanning agent to identify code weaknesses, a Red Teaming agent to build exploitation scripts, and a patching agent to generate security unit tests and code fixes.

• This automated approach reduces the time required to discover and address pre-release code vulnerabilities by approximately 90%, addressing security challenges posed by the rapid adoption of "vibe coding" and autonomous code generation.

AI21 Labs Releases Executive Playbook For Private AI Deployment

• Fortune 100 companies are avoiding public AI solutions due to compliance concerns, as highlighted in AI21 Labs' new executive playbook.

• The playbook provides guidance for building enterprise-grade AI systems that are private from inception, addressing data security challenges for large organizations.

• This resource targets executives seeking to implement AI solutions while maintaining complete privacy and regulatory adherence in corporate environments.

Market Updates

Cynomi Secures $37 Million Series B to Expand vCISO Platform

• Cynomi will use the funding to accelerate development of its AI-powered virtual CISO platform and expand sales operations across the US and Europe.

• The Tel Aviv-based company's platform focuses on automating strategic security management functions like risk assessment, compliance management, and security policy development for MSPs and MSSPs.

• Insight Partners and Entrée Capital co-led the investment, with participation from existing investors Canaan, Flint Capital, and S16VC.

Edgerunner AI Raises $12M For On-Device Military AI That Works Without Internet

• Seattle-based Edgerunner AI secured $12 million in Series A funding to develop domain-specific AI agents that help military personnel make decisions in the field without requiring internet connectivity.

• The company's technology runs entirely on-device, using compressed models on standard hardware like Intel chips, preserving data privacy while eliminating cloud costs and latency issues for military operations.

• Edgerunner has gained significant traction with the Department of Defense, signing an R&D agreement with the Air Force Research Laboratory and being designated as an "Awardable" vendor for DoD's Tradewinds Solutions Marketplace.

Palo Alto Networks to Acquire Seattle Cybersecurity Startup Protect AI

• Cybersecurity giant Palo Alto Networks is acquiring Seattle-based Protect AI in a deal reportedly valued at over $500 million, expanding its capabilities to address new attack surfaces created by AI adoption.

• Founded in 2022, Protect AI helps companies monitor various layers of machine learning systems and serves Fortune 500 clients across finance, healthcare, and government sectors, having previously raised $60M Series B funding at a reported $400M valuation.

• The acquisition comes amid rising AI-related security concerns, with nearly three-fourths of companies reporting an AI-related breach in 2024, and Morgan Stanley projecting the AI-based cybersecurity market to reach $135 billion by 2030.

Tools

SafeLine WAF

SafeLine WAF is an open-source web application firewall that protects web services by filtering malicious HTTP traffic through intelligent semantic analysis and machine learning-based detection.

Tromzo Product Security Operating Platform

An Application Security Posture Management platform that provides visibility, security controls, and automated workflows across the software development lifecycle from code to cloud.

Boman.ai

A DevSecOps platform that combines SAST, DAST, SCA, and secret scanning with AI/ML-based analysis for continuous application security testing and vulnerability management.

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz