Brief #107: Salesforce Data Breach, CISO Budget Cuts, Unit 42 AI Attacks

Nikoloz Kokhreidze
Palo Alto's AI executes ransomware in 25 minutes. Fake Cloudflare CAPTCHAs deliver malware while Meta automates security reviews.

Happy Sunday!
I've been thinking about the paradox many of us face - while CISOs are finally getting the executive recognition we've fought for years to achieve, our budgets keep shrinking. It's like being promoted to captain of a ship while being handed a smaller crew and less fuel. The data showing cybersecurity budgets dropping from 1.1% to 0.6% of revenue really hits home for anyone trying to defend their organization.
In this week's brief:
- How recent layoffs are creating unexpected security backdoors through dormant accounts and insider threats
- Research showing AI can now execute complete ransomware attacks 100x faster than traditional methods
- Why CISOs are gaining executive status but losing budget battles, and what successful leaders are doing differently
I'd love to hear your thoughts. Reply directly to this email or share them in the comments section below.

Industry News
Layoffs Create Cybersecurity Vulnerabilities Through Dormant Accounts And Disgruntled Employees
- Mass layoffs leave behind dormant accounts that can become backdoors for attackers, with CrowdStrike reporting a 50% year-over-year increase in access broker advertisements promoting these credentials as entry points into enterprises.
- Disgruntled employees pose serious insider threats, with 1 in 20 employees admitting to engaging in rage deletion before leaving, and younger workers twice as likely to do so according to CrashPlan research.
- Organizations should implement proactive measures including zero-trust network access, automation of credential decommissioning, and establishing clear communication channels between HR and IT to quickly disable access when layoffs occur.
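The HR-to-IAM reconciliation that the last point recommends, as an added example (my own code, not from the article or any of the vendors it cites): it joins a constructed HR roster against a constructed identity-provider export and flags accounts that are still enabled after termination, dormant for more than 90 days, or unknown to HR entirely. The 90-day threshold, the field names and the sample users are assumptions, not data from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from any real system). HR owns the
# employment status; the identity provider owns enablement and last login.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",   # laid off, but IAM still shows the account enabled
    "carol": "active",
    "dave": "terminated",  # laid off and correctly disabled already
}

IAM_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2025-06-01T08:00:00Z"},
    {"user": "bob", "enabled": True, "last_login": "2025-02-10T17:30:00Z"},
    {"user": "carol", "enabled": True, "last_login": "2024-12-01T09:00:00Z"},
    {"user": "dave", "enabled": False, "last_login": "2025-01-05T11:00:00Z"},
    # Service account with no HR owner and no login history.
    {"user": "svc-backup", "enabled": True, "last_login": None},
]

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None means never logged in."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_accounts(roster, accounts, now, dormant_after=DORMANT_AFTER):
    """Reconcile IAM accounts against HR and bucket the ones needing action.

    terminated_but_enabled: HR says gone, IAM says enabled -> disable now.
    orphaned:               enabled but unknown to HR -> find an owner.
    dormant:                enabled, not terminated, no login within threshold.
    """
    findings = {"terminated_but_enabled": [], "orphaned": [], "dormant": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to decommission
        user = acct["user"]
        status = roster.get(user)
        if status is None:
            findings["orphaned"].append(user)
        elif status == "terminated":
            findings["terminated_but_enabled"].append(user)
            continue  # highest-priority finding; no need to also call it dormant
        last = parse_ts(acct["last_login"])
        if last is None or now - last > dormant_after:
            findings["dormant"].append(user)
    return findings


def deprovisioning_actions(findings):
    """Turn findings into an ordered action list (most urgent first)."""
    actions = []
    actions += [("disable", u) for u in findings["terminated_but_enabled"]]
    actions += [("assign_owner", u) for u in findings["orphaned"]]
    actions += [("disable_after_notice", u) for u in findings["dormant"]]
    return actions


def run_report(now=datetime(2025, 6, 8, tzinfo=timezone.utc)):
    """Run the reconciliation over the constructed data; 'now' is assumed."""
    return classify_accounts(HR_ROSTER, IAM_ACCOUNTS, now)


if __name__ == "__main__":
    report = run_report()
    for bucket, users in report.items():
        print(f"{bucket}: {users}")
    for action, user in deprovisioning_actions(report):
        print(f"{action}: {user}")
```

In practice the roster and account list come from the HRIS and the identity provider on a schedule; the point of keeping the classification in a pure function is that the same logic can run as a nightly job and as a check triggered by an HR termination event, which is the HR-to-IT channel the item describes.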
New Phishing Campaign Hijacks Clipboard Via Fake CAPTCHA For Malware Delivery
- Attackers are cloning Cloudflare Turnstile interfaces to trick users into executing hidden PowerShell commands through clipboard manipulation, requiring no file downloads and exploiting users' verification fatigue.
- The ClickFix campaign delivers various payloads including information stealers like Lumma and Stealc, as well as RATs such as NetSupport Manager designed for complete system compromise.
- This technique has been adopted by nation-state threat actors including North Korea's Kimsuky group, Iran's MuddyWater, and Russia's APT28, with traditional endpoint protection solutions often missing these browser-based attacks.
Hackers Steal Salesforce Data Through Vishing Campaign
- Threat group UNC6040 is targeting Salesforce users across hospitality, retail, and education sectors through vishing attacks where they impersonate IT support staff and convince victims to install a modified version of Salesforce Data Loader.
- The attackers exploit Salesforce's OAuth-based "Connected Apps" feature to gain access to victim data, then move laterally through the infrastructure to target additional cloud services including Okta and Microsoft 365.
- Google Threat Intelligence Group (GTIG) believes UNC6040 has partnered with another threat actor to monetize the stolen data through extortion attempts, which sometimes occur months after the initial breach.

Leadership Insights
CISO Stature Rises, but Security Budgets Remain Tight
- While CISOs at large US companies earn an average compensation of $532,000 and increasingly gain executive status, cybersecurity budgets have decreased from 1.1% to 0.6% of annual revenue over the past two years.
- 59% of CISOs report they are not consulted or consulted too late during strategic business decisions, despite their expanded responsibilities now often including risk assessment, product security, and digital strategy.
- Effective CISOs are shifting from positioning security as a cost center to demonstrating its role in value creation, with initiatives involving cybersecurity teams resulting in a median value of $36 million across surveyed organizations.
AI Agents Emerge As Critical Security Threat With 80% Of Organizations Reporting Unauthorized Actions
- SailPoint research reveals 82% of companies now use AI agents with 53% accessing sensitive data daily, yet only 44% have implemented governance policies despite 96% of professionals identifying them as security threats.
- AI agents have performed unintended actions in 80% of organizations, including accessing unauthorized systems (39%), handling sensitive data inappropriately (33%), and being coerced into revealing access credentials (23%).
- Unlike traditional identities, AI agents typically require multiple credentials with broader system access (54%), are provisioned faster with less oversight, and 98% of organizations plan to deploy new AI agent solutions within the next year despite the risks.
State and Local Cybersecurity: Rising Threats Meet Federal Support Cuts
- State and local government entities face a 51% increase in ransomware attacks and a 148% surge in malware incidents, with average ransom demands reaching $872,656 per attack and total costs often exceeding $1 million.
- More than 80% of State, Local, Tribal, and Territorial (SLTT) organizations operate with fewer than five dedicated cybersecurity employees, leaving critical infrastructure vulnerable to increasingly sophisticated threats from both criminal groups and nation-states.
- Recent federal CISA cuts have eliminated $10 million in funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC), leaving municipalities to defend against attacks without vital threat intelligence and support systems.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development
Cybersecurity Professionals Share Strategies for Maintaining Skills in a Fast-Moving Field
- Cybersecurity experts recommend focusing on work-life balance by dedicating specific time during work hours for learning, which prevents burnout in a field that can demand 24/7/365 attention.
- Many professionals advise following a targeted approach to learning, focusing on areas that align with personal interests or career directions rather than trying to master the entire cybersecurity field.
- Strategic prioritization methods like the Eisenhower Matrix help professionals decide what to learn, while understanding fundamental concepts makes it easier to adapt to new vulnerabilities as they emerge.
Network Engineers Can Successfully Transition To Cybersecurity Roles With Existing Skills
- Network engineers typically make excellent firewall engineers, with many able to skip SOC analyst roles and move directly into security admin or engineering positions.
- Professionals with networking backgrounds are valued in security because they understand the "front door" to systems, with some reaching CISO roles after transitioning from network/system engineering.
- Rather than bootcamps (which industry pros generally consider scams), focus on targeted certifications like CompTIA Security+, vendor-specific certifications (Palo Alto, Fortinet), and developing scripting skills in Python, PowerShell, and Bash.

AI & Security
Unit 42 Develops Agentic AI Attack Framework That Accelerates Cyberattacks 100x
- Palo Alto Networks' Unit 42 simulated a complete ransomware attack in just 25 minutes using AI agents across every stage of the attack chain – a 100x increase in speed compared to traditional attacks.
- The research demonstrates how autonomous AI systems can make decisions without human intervention, executing adaptive multi-step operations that constantly self-prompt to overcome obstacles during attacks.
- Unit 42 created purpose-built AI agents for each attack stage (reconnaissance, initial access, execution, persistence, defense evasion, discovery, and exfiltration) that will be integrated into their purple teaming exercises to help organizations test defenses.
Meta To Replace Human Risk Assessors With AI For Product Safety Evaluation
- According to internal documents reviewed by NPR, Meta is planning to automate 90% of its privacy and integrity reviews using AI, moving beyond the previously stated scope of only "low-risk" releases.
- The new system will use AI to make decisions on safety features, youth risk, and integrity (including misinformation and violent content moderation), with product teams submitting questionnaires and receiving instant risk decisions.
- While the automation may speed up app updates in line with Meta's efficiency goals, insiders warn it could pose greater risks to billions of users, including unnecessary threats to data privacy.
Shadow AI Adoption Poses Data Security Risks Despite Blocking Efforts
- Zscaler ThreatLabz reports a 36x increase in AI and ML traffic across enterprises in 2024, identifying over 800 different AI applications in use despite organizational blocking attempts.
- Employees are circumventing restrictions through workarounds like emailing files to personal accounts or using personal devices, creating a growing "Shadow AI" blind spot that puts sensitive data at risk.
- Rather than simply blocking access, organizations should implement context-aware, policy-driven governance with data loss prevention tools – Zscaler detected over 4 million DLP violations where sensitive enterprise data was prevented from being sent to AI applications.

Market Updates
Zero Networks Raises $55 Million For Microsegmentation Solution
- Israeli firm Zero Networks has secured $55 million in Series C funding led by Highland Europe, bringing its total funding to over $100 million for its agentless microsegmentation solution that prevents lateral movement after initial compromise.
- The company's unified platform combines Zero Trust Network Access (ZTNA) and Identity Least Privilege solutions to enforce least privilege access across devices, users, and workloads while dividing enterprise environments into isolated micro-segments.
- With offices in Tel Aviv and Orlando, Zero Networks will use the funding to expand R&D, sales, marketing, and customer support teams, while investing in go-to-market strategies across North America, EMEA, and APAC regions.
MIND Raises $30 Million for Data Loss Prevention Platform
- Seattle-based MIND has secured $30 million in Series A funding led by Paladin Capital Group and Crosspoint Capital Partners, bringing their total funding to $41 million since their founding in 2023.
- The company's DLP platform combines AI and smart automations to provide real-time detection capabilities that instantly block exfiltration attempts across endpoints, email, SaaS, gen-AI applications, and on-premises systems.
- MIND's platform is already being used by numerous Fortune 1000 organizations and has prevented data losses across hundreds of thousands of endpoints, with the new funding aimed at expanding R&D and go-to-market teams.
Cellebrite Acquires Corellium For $200 Million In Controversial Merger
- Israel-based Cellebrite has agreed to acquire US-based Corellium for $170 million in cash, with $20 million converted to equity at closing and up to $30 million in additional performance-based payments over two years.
- The merger combines Cellebrite's forensic investigation tools with Corellium's device virtualization solutions to enhance capabilities for vulnerability identification, virtual device interaction, and mobile penetration testing.
- Both companies have controversial histories – Cellebrite's tools have been linked to spyware campaigns exploiting zero-days, while Corellium was previously sued by Apple for iOS copyright infringement and has connections to NSO Group.

Tools
Levo.ai
An API security platform that provides automated discovery, documentation, and continuous security testing throughout the API lifecycle.
Panorays
Panorays is a third-party cyber risk management platform that combines external attack surface monitoring with automated security questionnaires to assess, remediate, and continuously monitor vendor security postures.
Check Point CloudGuard
A comprehensive cloud security platform that provides threat prevention, posture management, and risk prioritization across cloud applications, networks, and workloads.
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz