Brief #108: Apple Zero-Click Exploit, Microsoft Entra Breach, Cloud Database Exposure

Nikoloz Kokhreidze
Zero-click iPhone exploit hits journalists. 80K+ Microsoft accounts compromised. Enterprise AI governance fails across industries.

Happy Sunday!
I've read the Orca Security report this week showing that 38% of organizations have publicly exposed databases containing sensitive data. It's one of those findings that makes you pause and wonder how we're still dealing with such fundamental security gaps in 2025. The challenge isn't just technical anymore - it's about execution and getting the basics right consistently.
In this week's brief:
- Apple patched a zero-click Messages vulnerability that was actively exploited to target journalists with spyware
- A major survey reveals that over 93% of organizations lack confidence in securing their AI-driven data, with nearly half having no AI-specific controls
- A seasoned cybersecurity professional with two decades of experience shares their struggle finding remote work despite applying to over 1,000 positions
I'd love to hear your thoughts. Reply directly to this email or share your thoughts in the comments section below.

Industry News
Apple Zero-Click Vulnerability in Messages App Exploited to Deploy Paragon Spyware Against Journalists
- Apple patched CVE-2025-43200, a zero-click vulnerability in the Messages app that was actively exploited to target Italian journalist Ciro Pellegrino and another European journalist with Paragon's Graphite spyware.
- The attacks occurred through maliciously crafted photos or videos shared via iCloud Links, requiring no user interaction and making detection extremely difficult for victims.
- Paragon has terminated its contracts with Italy citing the government's refusal to allow independent verification, while Italian intelligence confirmed limited use of Graphite for national security purposes.

Fog Ransomware Uses Unusual Mix of Legitimate and Open-Source Tools
- Fog ransomware operators deployed an atypical toolset including Syteca employee monitoring software for credential harvesting and the GC2 backdoor, which uses Google Sheets for command-and-control communications.
- The attack targeted a financial institution in Asia using open-source tools like Stowaway proxy, Adapt2x C2, and SMBExec for lateral movement and post-exploitation activities.
- Researchers noted this unusual combination of legitimate software and open-source pentesting tools helps threat actors evade detection compared to traditional ransomware attack methods.

Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool
- Threat actors leveraged the open-source TeamFiltration penetration testing framework to conduct large-scale account takeover attacks against Microsoft Entra ID, affecting over 80,000 user accounts across hundreds of organizations since December 2024.
- The UNK_SneakyStrike campaign utilized AWS servers across multiple geographic regions (primarily US, Ireland, and Great Britain) to launch coordinated password spraying and user enumeration attacks in concentrated bursts followed by 4-5 day lulls.
- Successful compromises granted attackers access to Microsoft Teams, OneDrive, Outlook, and other native applications, enabling data exfiltration and persistent access through malicious file uploads to victims' cloud storage.

Leadership Insights
Prowler Survey Reveals High Cloud Security Confidence Despite Persistent Challenges
- While 96% of security teams report confidence in their cloud security, the 4% who aren't highlight significant concerns around shadow IT, inadequate tooling, and high operational costs.
- Open-source cloud security tools are dominating with 88% adoption, delivering measurable security improvements (86%), enhanced collaboration (83%), and cost savings (80%) through better visibility.
- Organizations using automation save 19 hours weekly, yet 37% failed compliance audits last year despite having appropriate frameworks, indicating an execution rather than tooling problem.

Orca Security Report Reveals 38% of Organizations Have Publicly Exposed Databases Containing Sensitive Data
- Multi-cloud adoption has reached 55% of organizations, with each cloud asset containing an average of 115 vulnerabilities, creating expanded attack surfaces and increasingly interconnected risks.
- 13% of organizations have a single cloud asset responsible for creating more than 1,000 attack paths, while 76% have at least one public-facing asset that enables lateral movement to high-value targets.
- 84% of organizations are now using AI in the cloud, with 62% having at least one vulnerable AI package, while 93% have at least one privileged Kubernetes service account, significantly expanding potential attack surfaces.

CISO Rick Bohm Discusses AI Integration and API Security Challenges in Modern Cybersecurity
- Veteran CISO Rick Bohm emphasizes that successful security leaders must bridge the gap between technical teams and business executives through storytelling and empathy, treating AI as both an assistant and adversary in cybersecurity operations.
- Organizations commonly lack visibility into their API attack surface, with companies believing they have three APIs when security assessments reveal 300, highlighting the critical need for comprehensive API inventory and security integration.
- Modern CISOs must combine technical expertise with business acumen, using incident response muscle memory and treating cybersecurity education as positive manipulation rather than fear-based compliance enforcement.

Career Development
Cybersecurity Professional With Advanced Credentials Reports Severe Burnout Despite Industry Success
- A cybersecurity professional with 3 years of experience, a Master's degree, and employment at prestigious companies reports significant burnout despite having strong paper credentials.
- The individual describes struggling with unrealistic expectations in the workplace, specifically being required to compress multiple days of work into 8-hour shifts while maintaining constant self-improvement.
- While still expressing interest in cybersecurity work theoretically, the professional questions whether their experience reflects issues specific to their role or indicates broader systemic problems within the technology sector.

Computer Science Student Inquires About Value Of Google Cybersecurity Certification (https://www.reddit.com/r/SecurityCareerAdvice/comments/1l8qcot/is_a_google_certification_in_cybersecurity_worth/)
- A second-year CompSci major posted in r/SecurityCareerAdvice seeking guidance on whether Google's cybersecurity certification would be valuable for breaking into the cybersecurity field.
- The student said they are "extremely interested" in cybersecurity and are evaluating this certification as a potential step toward building relevant credentials alongside their bachelor's degree.
- The post has garnered attention from the security career community with 72K members, showing the prevalent interest in entry-level pathways into cybersecurity careers among college students.

Senior Cybersecurity Professional With 20+ Years Experience Struggles To Find Remote Work
- A veteran cybersecurity professional with over 20 years of experience in defensive security, advanced degrees, and industry certifications (CISSP, CEH) has applied to 1,000+ positions over six months with minimal interview success.
- Despite strong credentials including a Computer Science BS, Cybersecurity Masters, and network infrastructure background, the individual cites lack of Cloud and AI experience as possible barriers to employment.
- The professional is not experiencing burnout but is seeking career transition recommendations after becoming discouraged with the cybersecurity job market despite passion for the field and keeping current with security trends.

AI & Security
CISOs Evaluate Security Implications of Emerging Agentic AI Technology
- Agentic AI systems now account for 15% of IT use cases in cybersecurity, with agents capable of autonomous monitoring, anomaly detection, and incident remediation without human intervention.
- Multi-agent systems coordinate specialized functions across detection, response, and recovery, offering speed advantages against increasingly complex threats through orchestrated automation.
- Enterprise adoption faces challenges with legacy data infrastructure, as more than half of organizations struggle with data quality issues that could cause agents to make harmful decisions based on incomplete information.

Enterprise AI Risk Survey Shows Major Governance Gaps
- A survey of 233 security and data leaders reveals 93.2% lack full confidence in securing AI-driven data, with 47.2% having no AI-specific controls in place and only 6.4% possessing advanced AI security strategies.
- AI-powered data leaks (69.5%), unstructured data exposure (58.4%), and shadow AI (48.5%) are identified as the top security concerns for 2025, while 80.2% of organizations remain unprepared for AI regulatory compliance.
- Organizational responsibility for AI governance is fragmented, with 21.9% reporting no clear ownership, creating significant barriers to implementing effective AI risk management frameworks.

Researchers Propose ETDI Framework to Prevent Tool Poisoning and Rug Pull Attacks in MCP
- Researchers introduced the Enhanced Tool Definition Interface (ETDI), a security extension for the Model Context Protocol (MCP) that addresses critical vulnerabilities in how Large Language Models interact with external tools.
- The ETDI framework uses cryptographic verification, immutable versioned tool definitions, and explicit permission management to mitigate Tool Poisoning attacks (where malicious tools masquerade as legitimate ones) and Rug Pull attacks (when approved tools are maliciously modified).
- The paper proposes enhancing ETDI with OAuth 2.0 integration and policy-based access control using systems like Cedar or Open Policy Agent to enable fine-grained, context-aware authorization beyond static permissions.

Market Updates
ZeroRISC Raises $10 Million for Open Source Silicon Security Solutions
- ZeroRISC secured $10 million in seed funding to accelerate adoption of production-grade open source silicon security solutions based on Google's OpenTitan root of trust project.
- The company's Integrity Management Platform enables organizations to define their own security policies for data centers, industrial control systems, and IoT devices without relying on manufacturers.
- Founded by former Google OpenTitan team members, ZeroRISC addresses critical silicon supply chain integrity challenges affecting cloud infrastructure and operational technology systems.

EU Invests €145.5 Million To Strengthen Cybersecurity Across Healthcare Systems
- The European Commission is allocating €145.5 million through two funding calls to help public administrations and SMEs adopt cybersecurity solutions, with €30 million specifically earmarked for strengthening ransomware protection in hospitals and healthcare providers.
- The first funding call (€55 million) will support pilot projects that develop technical plans and demonstration implementations across member states, helping healthcare institutions comply with the NIS2 Directive and providing cybersecurity education to staff.
- The second call (€90.5 million) focuses on advancing AI applications in cybersecurity, developing new operational tools, improving privacy-enhancing technologies, and supporting research in post-quantum cryptography, with application deadlines set for October 7 and November 12 respectively.

Horizon3.ai Secures $100M Series D Funding for Autonomous Security Platform
- Horizon3.ai raised $100M in Series D funding led by NEA to expand its NodeZero® Autonomous Security Platform, which uses AI to conduct penetration tests with no human involvement.
- NodeZero demonstrated its effectiveness by compromising a bank in just 4 minutes and accessing sensitive US aircraft carrier design data through a third-party supplier, highlighting critical vulnerabilities in even well-protected systems.
- The company will use the funding to expand partner ecosystems across the Americas, EMEA, and APAC, enhance product capabilities including web application pentesting, and scale federal market presence through NSA's Continuous Autonomous Pentesting program.

Tools
Todyl
Todyl is a modular cybersecurity platform that consolidates SASE, SIEM, EDR/NGAV, MXDR, and GRC capabilities into a single-agent solution with centralized management.
Varonis Data Security Platform
A unified data security platform that discovers, classifies, monitors, and protects sensitive data across cloud, SaaS, and on-premises environments while ensuring compliance and automating security processes.
OSINTLeak
OSINTLeak is a tool for discovering and analyzing leaked sensitive information across various online sources to identify potential security risks.
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz