Brief #111: 12-Year Sudo Vulnerability, Ahold Delhaize 2.2M Breach, Ransomware Recovery Costs Drop 44%

Nikoloz Kokhreidze
Attackers increasingly weaponize legitimate tools in 84% of incidents. Ransomware recovery costs plummet to $1.53M. Financial sector faces strategic DDoS campaigns with 23% spike in app-layer attacks.

Happy Sunday!
I've been thinking about how we keep talking about "insider threats" but completely miss the new players in our networks. With 84% of attacks now using legitimate system tools against us, it's clear attackers have figured out something we're still catching up to - they don't need to break in when they can just blend in.
In this week's brief:
- A 12-year-old Sudo vulnerability that's been hiding in plain sight finally surfaces
- AI agents are becoming the insider threats we never saw coming
- Why executives bypassing security controls might be your biggest career lesson yet

Industry News
CVE-2025-32462: Sudo Host Option Privilege Escalation Vulnerability Found After 12 Years
- Stratascale's Cyber Research Unit discovered a privilege escalation vulnerability in Sudo's host option that allows attackers to bypass hostname restrictions and gain root access by referencing unrelated remote host rules.
- The vulnerability affects Sudo versions 1.8.8 to 1.9.17 and has been present since 2013, impacting enterprises using Host_Alias directives in their sudoers configurations.
- Immediate remediation requires upgrading to Sudo 1.9.17p1 or later; no workarounds exist. The vulnerability has been verified on Ubuntu 24.04.1 and macOS Sequoia 15.3.2.
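Since the only fix is a version upgrade, the first thing a defender needs is a reliable way to tell whether a host is in the affected range and whether its sudoers file uses the Host_Alias rules the brief calls out. The script below is an added example written for this brief, not code from Stratascale or the Sudo project. It parses the first line of `sudo -V`, compares the version against the 1.8.8 to 1.9.17 range (treating the `pN` patch level as a fourth version component so that 1.9.17 is affected but 1.9.17p1 is not), and flags Host_Alias definitions in a sudoers text. The affected range and the fix version come from the brief; the sample `sudo -V` output and sudoers content are constructed.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Affected range as stated in the brief: Sudo 1.8.8 through 1.9.17, fixed in 1.9.17p1.
# Versions are compared as (major, minor, patch, plevel); a missing "pN" suffix counts as p0.
AFFECTED_MIN = (1, 8, 8, 0)
FIXED_IN = (1, 9, 17, 1)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")
HOST_ALIAS_RE = re.compile(r"^\s*Host_Alias\b")

# Constructed sample `sudo -V` output and a constructed sudoers file (not from any real host).
SAMPLE_SUDO_V = "Sudo version 1.9.15p5\nSudoers policy plugin version 1.9.15p5\n"
SAMPLE_SUDOERS = """# constructed sudoers for the example
Defaults env_reset
Host_Alias WEBSERVERS = www1, www2
%admin ALL=(ALL) ALL
ops WEBSERVERS=(ALL) NOPASSWD: /usr/bin/systemctl
"""


def parse_sudo_version(sudo_v_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the version from `sudo -V` output into a comparable tuple, e.g.
    'Sudo version 1.9.17p1' -> (1, 9, 17, 1). Returns None if no version is found."""
    m = VERSION_RE.search(sudo_v_output)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(version: Tuple[int, int, int, int]) -> bool:
    """True if the version lies in the affected range [1.8.8, 1.9.17p1)."""
    return AFFECTED_MIN <= version < FIXED_IN


def uses_host_alias(sudoers_text: str) -> bool:
    """True if the sudoers text defines any Host_Alias (comment lines are ignored)."""
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if HOST_ALIAS_RE.match(line):
            return True
    return False


def assess(sudo_v_output: str, sudoers_text: Optional[str]) -> Dict[str, object]:
    """Combine the version check and the configuration check into one verdict."""
    version = parse_sudo_version(sudo_v_output)
    affected = version is not None and is_affected_version(version)
    host_alias = uses_host_alias(sudoers_text) if sudoers_text is not None else None
    if not affected:
        action = "no action: version outside the affected range"
    elif host_alias:
        action = "upgrade to 1.9.17p1 or later now: affected version and Host_Alias rules present"
    else:
        action = "upgrade to 1.9.17p1 or later: affected version (no Host_Alias seen, or sudoers unreadable)"
    return {"version": version, "affected": affected, "host_alias": host_alias, "action": action}


if __name__ == "__main__":
    # Dry run on the constructed samples, then on the local host if sudo is present.
    print(assess(SAMPLE_SUDO_V, SAMPLE_SUDOERS))
    try:
        local = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
        try:
            with open("/etc/sudoers", encoding="utf-8") as fh:
                sudoers = fh.read()
        except (PermissionError, FileNotFoundError):
            sudoers = None  # reading sudoers normally requires root
        print(assess(local, sudoers))
    except FileNotFoundError:
        print("sudo not found on this host")
```

Run it as root to get the sudoers check as well as the version check; it reads only `/etc/sudoers`, so drop-in files under `/etc/sudoers.d/` would need to be concatenated in (or use `visudo -c` style review) for a complete picture. The version comparison is the part worth keeping even without the configuration check, because the brief names no workaround.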
Ahold Delhaize Hit With Data Breach Affecting 2.2M Employees, INC Ransomware Claims Responsibility
- A data breach at Ahold Delhaize USA Services impacted over 2.2 million individuals, with stolen data including SSNs, driver's license numbers, financial accounts, and health information from current and former employees.
- The unauthorized access occurred November 5-6, 2024, but wasn't publicly attributed until April 2025, when the INC ransomware group claimed responsibility on their dark web leak site, posting sample data and threatening full release.
- This represents the largest data breach in the food and beverage sector since tracking began in 2018, with the company offering affected individuals two years of complimentary monitoring and identity protection services.
Azure Arc Vulnerabilities Enable Hybrid Network Privilege Escalation
- Azure Arc extends Azure management to on-premises systems, allowing attackers to potentially exploit misconfigured Service Principals with the Azure Connected Machine Resource Administrator role to execute code remotely as SYSTEM.
- Hardcoded secrets in deployment scripts, especially when using Group Policy or SCCM deployment methods, provide attackers with credential material that can be leveraged to gain control of both cloud and on-premises infrastructure.
- Multiple code execution vectors exist within Azure Arc, including Run Commands and Custom Script Extensions (CSE), which can be used for persistence and lateral movement between hybrid environments.
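The hardcoded-secret point is the one a defender can act on today by auditing the onboarding scripts pushed through Group Policy or SCCM. The scanner below is an added example written for this brief, not Microsoft code or anything from the research the item summarizes. It looks for two patterns: a literal value passed to the Arc agent's `--service-principal-secret` flag (a real `azcmagent connect` option), and a quoted literal assigned to any variable whose name contains "secret". Variable references (`$var`, `$env:NAME`, `%VAR%`) and unfilled `<placeholder>` values are deliberately not flagged. The two sample scripts are constructed, and the variable-name heuristic is this example's own assumption about how such scripts are typically written.

```python
import re
import sys
from typing import Dict, List

# Real azcmagent flag: `azcmagent connect ... --service-principal-secret <value>`.
# The heuristics below (variable-name matching, literal detection) are this example's own.
FLAG_RE = re.compile(r"--service-principal-secret\s+(\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)
ASSIGN_RE = re.compile(r"^\s*\$?(\w*secret\w*)\s*=\s*([\"'])(.*?)\2", re.IGNORECASE)

# Constructed PowerShell onboarding script: the secret is assigned as a literal, then passed by variable.
SAMPLE_SCRIPT = """# constructed PowerShell onboarding script, not a real one
$ServicePrincipalId = "00000000-0000-0000-0000-000000000000"
$ServicePrincipalSecret = "example-hardcoded-secret-value-123"
& "$env:ProgramFiles\\AzureConnectedMachineAgent\\azcmagent.exe" connect --service-principal-id $ServicePrincipalId --service-principal-secret $ServicePrincipalSecret --resource-group "rg-arc" --tenant-id "<tenant>" --location "westeurope" --subscription-id "<sub>"
"""

# Constructed shell one-liner: the secret is passed inline on the command line.
SAMPLE_LITERAL_FLAG = """# constructed shell one-liner with the secret passed inline
azcmagent connect --service-principal-id 00000000-0000-0000-0000-000000000000 --service-principal-secret 'example-inline-secret' --resource-group rg-arc
"""


def is_literal_secret(value: str) -> bool:
    """True if the value is a literal credential rather than a variable reference
    or an unfilled placeholder such as <ENTER SECRET HERE>."""
    v = value.strip().strip("\"'")
    if not v:
        return False
    if v.startswith(("$", "%")):  # $var, $env:NAME, ${var}, %VAR%
        return False
    if v.startswith("<") and v.endswith(">"):
        return False
    return True


def redact(value: str) -> str:
    """Never echo the full credential into scan output; keep a 3-character preview."""
    v = value.strip().strip("\"'")
    return v[:3] + "***" if len(v) > 3 else "***"


def scan_script(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that carries a literal service principal secret."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m and is_literal_secret(m.group(3)):
            findings.append({"line": lineno, "kind": "assignment",
                             "name": m.group(1), "preview": redact(m.group(3))})
        for m in FLAG_RE.finditer(line):
            if is_literal_secret(m.group(1)):
                findings.append({"line": lineno, "kind": "flag",
                                 "name": "--service-principal-secret", "preview": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: show the constructed samples
        print("SAMPLE_SCRIPT", scan_script(SAMPLE_SCRIPT))
        print("SAMPLE_LITERAL_FLAG", scan_script(SAMPLE_LITERAL_FLAG))
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_script(fh.read()):
                print(f"{path}:{f['line']}: {f['kind']} {f['name']} = {f['preview']}")
```

Point it at the script share or SYSVOL folder that GPO or SCCM deploys from (`python scan_arc_scripts.py \\server\share\*.ps1` after expanding the glob in your shell). A hit on an assignment line is the case the brief describes: the secret is retrievable by anyone who can read the deployment share. A hit on a flag line additionally means the secret shows up in process command lines and shell history on every onboarded machine.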

Leadership Insights
DDoS Attacks Against Financial Sector Evolve From Nuisance To Strategic Threat
- The financial sector remains the top target for DDoS attacks, with a significant spike in October 2024 and a 23% increase in application-layer attacks between 2023 and 2024, particularly targeting APIs (58% increase).
- Today's DDoS attacks are increasingly sophisticated, with threat actors employing methodical reconnaissance, multi-vector strategies, and dynamic tactics designed to bypass automated defenses, sometimes causing service outages lasting days.
- Notable threat actors include BlackMeta, NoName057(16), RipperSec, and GorillaBot, with attacks often coinciding with geopolitical events, demonstrating the strategic nature of modern DDoS campaigns.
Bitdefender Report Reveals 84% of Cyberattacks Use Living Off the Land Techniques
- Bitdefender's 2025 Cybersecurity Assessment Report analyzed 700,000 cyber incidents, finding that 84% of major attacks now leverage Living Off the Land (LOTL) techniques, where attackers use legitimate system tools like PowerShell and WMI to evade detection.
- 68% of security leaders agree that reducing the attack surface by disabling unnecessary tools and applications is critical, as the modern risk environment is increasingly built from within rather than at external perimeters.
- Significant perception gaps exist between organizational levels, with 45% of C-level executives reporting high confidence in cyber readiness compared to only 19% of mid-level managers, potentially leading to misaligned priorities and investments.
Sophos State of Ransomware 2025: Data Encryption Reaches Six-Year Low as Recovery Costs Decline
- Data encryption in ransomware attacks dropped significantly from 70% in 2024 to 50% in 2025, while the average recovery cost (excluding ransom) fell by 44% to $1.53 million, down from $2.73 million last year.
- Vulnerabilities remain the top attack vector (32% of incidents), followed by compromised credentials (23%) and malicious emails (19%), with 40.2% of victims citing lack of expertise as the primary operational factor contributing to successful attacks.
- The median ransom payment fell by half to $1 million (from $2 million in 2024), with organizations typically paying 85% of the initial demand, while recovery speed improved, with 53% of companies fully restored within a week compared to 35% in 2024.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS

Career Development
Executives Bypassing MFA Requirements Lead To Security Breach
- A security professional shares their experience with executives who don't take security seriously, requiring hand-holding through security reports and questioning the consequences of unaddressed risks.
- A CEO's work email was hacked after being placed on a conditional access list that removed MFA requirements, likely due to a credential breach or phishing.
- Many business leaders, including those working with sensitive sectors like the US Military, admitted to never implementing security measures despite their leadership positions.
Cybersecurity Hiring Manager Shares Key Interview Success Factors
- Beyond technical skills and certifications, hiring managers seek candidates who demonstrate an understanding of security workflows and can explain in detail how they've solved problems using specific tools.
- Strong communication abilities are essential, as security professionals must collaborate with business teams to explore risk mitigation options rather than simply dictating security requirements.
- Professional composure – including presentation skills and corporate social etiquette – has become a critical hiring factor, with modern security roles requiring business interaction rather than isolated technical work.
- Using AI during interviews is an automatic disqualifier, though AI can be valuable for preparation before interviews to develop more thoughtful responses to anticipated questions.
Red Team Contractor Reports CAD 140/hr Rate With 10+ Years Experience
- A cybersecurity professional with 10+ years of experience shared that they earn CAD 140/hr as a red team contractor, initiating a discussion about current market rates.
- The post appeared in r/cybersecurity, a community of 1.2M members focused on technical professionals discussing cybersecurity news, research, and threats.
- This data point provides a valuable compensation benchmark for cybersecurity professionals considering contract work in the offensive security space.

AI & Security
AI Agents Identified As Emerging Insider Security Threat
- AI agents are increasingly performing user-like actions (logging in, accessing systems, triggering workflows), but most security teams still treat them as static infrastructure, creating blind spots in identity governance and allowing them to operate with unchecked privileges.
- Only 30% of organizations regularly map non-human identities to critical assets, despite 85% claiming readiness for AI in security, and AI impersonation of users ranks as the top concern for 37% of security leaders.
- Healthcare organizations, among the fastest adopters of AI, are particularly vulnerable, with 61% reporting identity-related attacks and only 23% offering passwordless authentication, significantly lagging behind other sectors in identity maturity.
State of LLM Security Report 2025 Reveals Highest Proportion of Serious Vulnerabilities
- LLM pentests reveal that 32% of findings are classified as serious vulnerabilities (high or critical risk), the highest proportion among all asset types tested, yet only 21% of these get resolved – the lowest resolution rate across all pentest types.
- Organizations struggle with remediation of complex LLM vulnerabilities, often prioritizing quicker fixes for simpler issues (19-day MTTR for resolved issues) while leaving more challenging vulnerabilities unaddressed, particularly those dependent on third-party model providers.
- Despite 72% of security professionals citing genAI threats as a top IT risk, only 66% of organizations conduct regular security assessments for their LLM deployments, indicating a critical gap between risk awareness and testing practices.
CISOs Approaching Tipping Point in AI Adoption for Security Operations
- While CISOs have enabled other departments to adopt AI tools, they've been more hesitant about implementing these technologies within security operations due to understandable trust concerns.
- Security is an ideal candidate for AI adoption, as it handles text-heavy, high-volume, time-sensitive tasks across multiple domains, including vulnerability management, security data pipelines, and application security.
- New AI-native security companies are emerging in key areas like identity management, digital risk protection, and automated pentesting, offering solutions that can finally help security teams achieve "inbox zero."

Market Updates
Cato Networks Raises $359M to Enhance AI-Powered SASE Platform
- Tel Aviv-based Cato Networks secured $359 million in Series G funding at a $4.8B+ valuation, led by Vitruvian Partners and ION Crossover Partners, to enhance their SASE cloud platform that unifies enterprise networking and security.
- The company will use the funding to accelerate AI security capabilities and platform innovation, and to expand global operations across its customer and partner ecosystem serving over 3,500 enterprise customers.
- Founded by Shlomo Kramer and Gur Shatz, Cato's cloud-native platform offers comprehensive security features including SD-WAN, SSE, ZTNA, XDR, and LAN security with real-time visibility and automation.
Zero Networks Secures $55M Series C Funding for Microsegmentation Technology
- Tel Aviv-based cybersecurity startup Zero Networks raised $55M in Series C funding led by Highland Europe, bringing total funding to over $100M for its microsegmentation solutions.
- The company will use the funding to increase go-to-market investments across North America, EMEA, and APAC regions while developing its automated zero trust architecture that prevents lateral movement at the source.
- Zero Networks offers Zero Trust Network Access and Identity Least Privilege solutions on a unified platform, using an MFA-driven approach that governs privileged access across users, devices, and workloads.
Cybersecurity Market Expected To Reach $550 Billion By 2033
- The global cybersecurity market is projected to grow from $262.23 billion in 2025 to $549.96 billion by 2033, at a CAGR of 9.7%, driven by increasing targeted attacks and evolving cyber threats.
- North America currently holds the largest market share (36%), while Asia Pacific is the fastest-growing region, with the healthcare sector expected to see the highest growth rate among end-users.
- The services segment dominates the market as organizations, especially SMEs with limited budgets, seek consultative approaches before implementing specific cybersecurity solutions.

Tools
Appgate SDP
Appgate SDP is a Zero Trust Network Access solution that provides secure, context-aware access to resources across hybrid environments while eliminating traditional VPN limitations.
Strobes Security Consulting Services
Strobes Security Consulting Services provides an integrated cybersecurity platform that combines attack surface management, penetration testing, vulnerability management, and application security with expert consulting services.
SOCRadar Digital Risk Protection Platform
A digital risk protection platform that combines threat intelligence, dark web monitoring, attack surface management, brand protection, and supply chain intelligence to detect and respond to external cyber threats.
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
How do you like Mandos Brief?
For more frequent cybersecurity, leadership and AI updates, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz