Brief #103: Cisco Perfect 10 Vulnerability, CrowdStrike Layoffs, Cybersecurity Budget Increases

Happy Sunday!

The budget increases reported in this week's threat management report (71% of orgs boosting security spending) show we're responding to growing threats, but I wonder if we're investing in the right places when only 29% feel prepared for AI-powered attacks.

In this week's brief:

• GitHub Actions security hardening recommendations to protect against supply chain attacks
• The emerging risk of "Shadow MCP Servers" giving AI tools unchecked access to systems
• Insights from a cybersecurity manager who quit their Fortune 100 role over corporate politics

Industry News

Critical GitHub Actions Security Hardening Recommendations Following Supply Chain Attacks

• Recent supply chain attacks including the tj-actions compromise demonstrate how attackers exploit GitHub Actions vulnerabilities through compromised Personal Access Tokens and poisoned workflows.

• Configure organization-level protections by setting default workflow permissions to read-only, limiting to verified actions, using repository allowlists, and implementing proper secrets management to prevent credential exposure.

• Mitigate Poisoned Pipeline Execution risks by avoiding dangerous triggers like pull_request_target, hash-pinning third-party actions, and isolating self-hosted runners by trust level with ephemeral infrastructure where possible.

Critical Vulnerability In Cisco IOS XE Wireless Controllers Allows File Upload And Root Access

• A critical vulnerability (CVE-2025-20188) with CVSS 10.0 in Cisco IOS XE Wireless LAN Controllers allows unauthenticated attackers to upload arbitrary files and execute commands with root privileges due to a hard-coded JWT.

• The vulnerability affects multiple Catalyst 9800 series controllers but only impacts systems with the Out-of-Band AP Image Download feature enabled, which is not enabled by default.

• Cisco has released patches and recommends disabling the vulnerable feature as a temporary mitigation until updates can be applied, as no other workarounds are available.

Sophisticated RAT Malware Campaign Uses Geo-Fencing and Legitimate Services

• FortiMail discovered a multilayered email attack distributing RAT malware targeting organizations in Spain, Italy, and Portugal through fake invoice emails that bypass SPF checks by exploiting the legitimate serviciodecorreo email service.

• The attack employs sophisticated evasion techniques including geofencing that serves malicious content only to Italian IP addresses while showing harmless decoy files to others, allowing it to bypass security scanners operating from non-targeted regions.

• The malware leverages multiple legitimate services (Dropbox, MediaFire, Google Drive) and Ngrok tunneling to deliver a Java-based Remote Access Trojan that can execute commands, log keystrokes, and steal data on systems with Java Runtime Environment installed.

Leadership Insights

2025 Cybersecurity Threat and Risk Management Report Shows Budget Increases Amid Rising Incidents

• 71% of organizations are increasing their cybersecurity budgets to an average of $24 million, with 66% reporting an increase in cybersecurity incidents over the past year (up from 61% in 2024).

• Organizations are prioritizing internal assessments of security practices (63%), investing in more cybersecurity tools (56%), and implementing SASE/SSE architectures, with 66% having fully or partially deployed these solutions.

• High-performing organizations demonstrate better practices including consistent enterprise-wide incident response plans, regular C-level briefings, and greater visibility into AI systems (64% vs 42% for other respondents).

2025 Futures Report: Organizations Underprepared for AI-Powered Cybersecurity Threats

• Only 29% of organizations report being prepared for AI-powered threats, despite 42% expecting them in the next year. The research surveyed 1,500 executives across 14 countries and found that 30% suffered a breach in the past 12 months.

• Organizations are experiencing a significantly higher volume of attacks (41%) with emerging threats including deepfakes (44% expect them but only 32% feel prepared) and software supply chain vulnerabilities (49% report low to moderate visibility). Resilient organizations invest more in advanced threat detection (91% vs 63% overall).

• Enterprise alignment of cybersecurity with business objectives is improving – 66% report cybersecurity teams aligned with business units and 60% measure leadership roles against cybersecurity KPIs. However, CEOs (38%) are more concerned than CIOs (22%) that their reactive approach to cybersecurity puts their business at risk.

Ransomware Attacks Decline in April With Qilin Gang Rising as RansomHub Goes Dark

• Comparitech researchers logged 479 ransomware attacks in April 2025 (39 confirmed), showing a significant decline from Q1 figures partly due to RansomHub going dark, while Qilin emerged as the most prolific strain with 67 attacks.

• Healthcare sector saw increased targeting with six confirmed attacks across different countries, including DaVita Inc. hit by Interlock (1.5TB data stolen) and ChangShen Hospital targeted by NightSpire (800GB data stolen).

• Despite the overall decline, several high-profile attacks occurred, including Marks & Spencer (attributed to Scattered Spider) and Oregon Department of Environmental Quality facing a $2.7 million ransom demand from Rhysida.

Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development

Cybersecurity Manager Quits Fortune 100 Role Due to Corporate Politics

• Former security engineering manager at a Fortune 100 company resigned without another position lined up, citing corporate politics, favoritism, and constant firefighting as primary reasons for departure.

• The professional, previously a SOC team lead during the Log4j crisis, plans to travel and upskill while taking a career break before returning to the job market.

• Several commenters shared similar experiences, with one noting they left management to return to an individual contributor role with better work-life balance despite lower compensation.

DevSecOps Jobs Face Uncertain Future as AI and Cloud Solutions Advance

• Reddit users debate if DevSecOps engineers will still have jobs in 10 years, with many believing automation and agentic AI will significantly reduce the need for dedicated specialists.

• Several professionals suggest DevSecOps will evolve rather than disappear – likely becoming integrated with cloud-based DevOps as security functions become more accessible and user-friendly.

• Complex tasks like debugging Static Application Security Testing (SAST) scans in sophisticated workflows may continue to require human expertise, as these involve edge cases AI might struggle to address fully.

Cybersecurity Salary Guide 2025 Reveals Persistent Skills Gap and Rising Compensation

• The global cybersecurity workforce gap has increased by 8% since last year, with Europe facing a deficit of 300,000 skilled professionals, highlighting the critical need for collaboration between governments, academia, and private companies to invest in training programs.

• Specialist roles command significant compensation, with senior positions like Enterprise Security Architect (€120,189-€147,522), Cloud Security Architect (€120,189-€147,522), and Incident Analyst (€115,000-€173,250) seeing the highest salaries in the Netherlands market.

• Key factors reshaping the 2025 cybersecurity landscape include economic constraints forcing strategic resource optimization, growing cloud security challenges, rising geopolitical tensions affecting critical infrastructure, and the continued integration of AI in cybersecurity operations.

AI & Security

Shadow MCP Servers Emerge as New Security Risk for AI Tools

• Model Context Protocol (MCP) servers act as bridge layers giving AI assistants like Claude and Cursor the ability to execute commands on local systems, including running shell scripts, editing files, and connecting to databases.

• The rise of "Shadow MCPs" occurs when employees add MCP servers without oversight, creating a significant governance gap as AI tools gain access to sensitive data and production systems without proper security controls.

• Security teams should inventory all MCP servers, implement approval flows, and monitor AI interactions, with Prompt Security offering solutions for visibility and control of these emerging AI extension points.

Wiz Launches MCP Server: AI-Powered Cloud Security Integration

• Wiz has released its Model Context Protocol (MCP) Server in preview, allowing integration between AI models and security tools through a standard gaining support from OpenAI, Microsoft, and Google.

• The MCP Server creates a unified security data source that simplifies investigations by connecting multiple data sources, providing instant visibility into cloud inventory and enriching security operations with precise business context.

• Key use cases include code vulnerability remediation within development environments, attack surface reduction through real-time threat detection, and natural language querying for cloud security posture assessment.

Morgan Stanley Successfully Implements Enterprise-Wide AI With Focus On Evaluation

• Morgan Stanley deployed OpenAI's technology with a systematic evaluation process to ensure quality and safety, resulting in 98% of advisors now using AI daily and document access increasing from 20% to 80%.

• The financial services company focused on three initial evaluation areas: language translation, summarization accuracy, and comparison against human expert responses to build confidence for production implementation.

• Enterprise AI adoption delivers measurable improvements in workforce performance, routine automation, and enhanced product experiences, with Morgan Stanley advisors now spending more time on client relationships.

Market Updates

Ox Security Raises $60 Million in Series B Funding

• Ox Security, an AppSec platform specializing in code protection, secured $60 million in Series B funding led by DTCP with participation from Swisscom, IBM, Evolution Equity, and Team 8, bringing their total funding to $94 million.

• The company's proprietary Code Projection technology analyzes how code behaves in real-world environments, focusing on evaluating reachability, exploitability, and business impact to identify the critical 5% of vulnerabilities that pose genuine risk.

• Ox is developing AI-powered agentic code review capabilities to address challenges with AI-generated code, which may contain structural flaws undetectable by traditional security tools.

CrowdStrike Lays Off 500 Workers as AI Improves Operational Efficiency

• CrowdStrike is reducing its workforce by 5% (500 employees) as the company leverages AI to increase operational efficiency, with CEO George Kurtz noting that artificial intelligence "flattens our hiring curve" and serves as a "force multiplier throughout the business."

• The layoffs represent the second-largest workforce reduction in the cybersecurity industry since 2020, with the company expecting to spend between $36-53 million on severance payments and stock-based compensation while continuing to "prudently hire" in customer-facing and product engineering roles.

• Despite ongoing challenges including the July 2024 Falcon platform update that disrupted 8.5 million systems and cost $60 million in expenses, CrowdStrike reaffirmed its guidance for the fiscal year ending January 2026 and maintains its goal of reaching $10 billion in annual recurring revenue.

Minimus Launches Platform Reducing Application Security Vulnerabilities by 95%

• Pioneering application security startup Minimus unveiled a platform that eliminates over 95% of Common Vulnerabilities and Exposures (CVEs) from software supply chains, backed by a $51 million seed round from YL Ventures and Mayfield.

• The platform provides secure, minimal container images and virtual machines that seamlessly replace existing artifacts in development workflows with a single configuration change, allowing organizations to avoid rather than remediate vulnerabilities.

• Minimus integrates threat intelligence throughout its platform, providing real-time insight into active exploits and EPSS/CISA-KEV metrics for prioritizing the remaining 5% of CVEs.

Tools

Strobes ASPM

A threat exposure management platform that unifies security operations by discovering assets, prioritizing vulnerabilities based on risk, and providing guided remediation across an organization's attack surface.

Seemplicity

A remediation operations platform that streamlines vulnerability management by connecting security findings to fixing teams through automated workflows.

Beagle Security

An automated security testing platform that performs AI-driven penetration testing and vulnerability assessment for web applications and APIs with compliance reporting capabilities.

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz