Brief #64: Critical AWS Flaws, Office Zero-Day, AMD Chip Vulnerability, AI-Powered Email Security Raises $250M

Before you start your Monday, catch up on the latest in cybersecurity!

Researchers have uncovered significant vulnerabilities in AWS services, while AI-powered security tools continue to attract major investments. Leaders in the field are sharing insights on career transitions, and new open-source tools are emerging to help assess cloud security postures.

Critical AWS Flaws Allow Privilege Escalation and Data Theft

• Aqua, a cloud security firm, discovered multiple critical flaws in Amazon Web Services (AWS) offerings that could lead to remote code execution, full-service user takeover, data exfiltration, and denial-of-service.

• The issue, dubbed "Bucket Monopoly", involves a Shadow Resource attack vector where attackers can create S3 buckets in unused AWS regions and wait for legitimate customers to use susceptible services, gaining covert access to the bucket's contents.

• Five other AWS services (Glue, EMR, SageMaker, CodeStar, and Service Catalog) were found to be vulnerable to similar attacks, potentially allowing threat actors to escalate privileges and perform malicious actions.

Microsoft Office Zero-Day Vulnerability Awaits Patch

• Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which enables unauthorized actors to access protected information such as system status, personal info, or connection metadata.

• The CVE-2024-38200 vulnerability impacts multiple 32-bit and 64-bit Office versions, and while Microsoft's assessment says exploitation is less likely, MITRE has tagged the likelihood as highly probable.

• More details about the vulnerability will be shared by PrivSec Consulting security consultant Jim Rush in his upcoming "NTLM - The last ride" Defcon talk, which will cover several new bugs disclosed to Microsoft and gaps in Microsoft NTLM related security controls.

CrowdStrike Falcon Sensor Crashes Caused by Mismatch in IPC Template Type Inputs

• CrowdStrike's analysis reveals that a mismatch between the number of input fields expected by the IPC Template Type (21) and the number actually provided by the sensor code (20) led to an out-of-bounds read in the Content Interpreter, causing Windows sensor crashes.

• The issue was triggered by a Rapid Response Content update on July 19 that introduced a non-wildcard matching criterion for the 21st input parameter in the IPC Template Instances delivered via Channel File 291.

• Multiple layers of validation and testing failed to catch the mismatch due to the use of wildcard matching in the 21st field during testing and in initial production Template Instances, and a logic error in the Content Validator.

Massive US, UK, and Canada Citizen Data Breach Allegedly Perpetrated by USDoD Threat Actor

• The threat actor USDoD claims to have breached the nationalpublicdata.com domain, leaking a vast amount of citizen data from the United States, Canada, and the United Kingdom spanning from 2019 to 2024.

• The leaked data is of unprecedented scale, with 2.9 billion rows and a compressed size of 200GB to 4TB uncompressed, including sensitive information such as full names, addresses, phone numbers, and Social Security Numbers.

• While the threat actor is offering access to the dataset for $3.5 million, the enormity of the data suggests potential exaggeration, and further investigation is needed to validate the claims and assess the true scope and impact of the alleged breach.

Decades-Old AMD Chip Flaw Allows Undetectable Malware Infection

• IOActive researchers Enrique Nissim and Krzysztof Okupski discovered a vulnerability in AMD chips dating back to 2006, which they named Sinkclose.

• The flaw allows hackers to run code in the privileged System Management Mode, potentially planting a bootkit that evades antivirus tools and survives operating system reinstallation.

• AMD acknowledged the findings and released mitigation options for its EPYC datacenter and Ryzen PC products, with patches for embedded products coming soon.

Cybersecurity Leaders Share Challenges in Transitioning from Technical to Managerial Roles

• I started a Reddit thread where cybersecurity professionals who transitioned into leadership roles shared their main worries and challenges, such as struggling to get buy-in from IT for implementing critical security controls like MFA.

• Leaders emphasized the importance of clearly communicating risk in business terms, understanding that security involves trade-offs, and building trust with other departments rather than relying on scare tactics.

• Moving beyond people management into higher leadership roles can be particularly challenging, requiring a shift in mindset from focusing on technical details to strategic thinking and effective communication with non-technical stakeholders.

Cyber Insurance Dynamics Complicate Lessons from Major Incidents

• The article, written by an unnamed author, highlights how the cyber insurance market's rapid growth and varying policy conditions can make it difficult for CISOs to draw consistent lessons from major ransomware incidents like the recent attacks on Ascension and Change Healthcare.

• Differences in insurer products and response decisions, such as incentivizing rapid ransom payment and collaboration with law enforcement, may not mitigate risk for all companies equally, making it hard to locate common standards of approach.

• The author argues that CISOs and cybersecurity professionals should take an active role in standardizing cyber insurance practice to make it easier to learn the right lessons from major incidents, as the insurance industry has only recently grown to substantially impact cyber risk management.

Cybersecurity Trends and Investments Drive CISO Priorities in 2024

• Bessemer Venture Partners shares insights on how innovation and investments in cybersecurity and AI are shaping CISO agendas and priorities for SaaS businesses in 2024.

• Public cybersecurity companies have reached unprecedented market capitalizations, with Palo Alto Networks exceeding $100 billion, while private later-stage cybersecurity startups show continued promise and growth.

• Five key trends impacting the CISO agenda in 2024 include: consolidation of the cyber market, cybercriminals exploiting AI tools for malicious attacks, AI counterattacking fraud and deep fakes, growing importance of identity solutions in the cloud, and the rise of cyber insurance.

Reddit Discussion Reveals Key Factors for Cybersecurity Job Interviews

• A Reddit discussion thread shares insights from managers on why they didn't hire certain candidates for cybersecurity positions.

• One manager immediately canceled an interview after the candidate lost their temper and yelled at the executive assistant, emphasizing the importance of professionalism and respect.

• Other tips include demonstrating strong critical thinking skills, being honest about knowledge gaps, staying humble, and avoiding the use of AI to answer interview questions.

Ethical Hacking 101 Course Covers Web App Penetration Testing for Beginners

• HackerSploit's YouTube channel offers a free, nearly 3-hour "Ethical Hacking 101" course that provides an introduction to web application penetration testing for beginners.

• The course covers a wide range of topics and tools, including setting up Burp Suite, spidering with DVWA, performing brute force attacks, discovering hidden files with ZAP, detecting web application firewalls with WAFW00F, and using DirBuster.

• It also delves into various attack types and vulnerabilities, such as XSS (Reflected, Stored & DOM), CSRF, cookie collection and reverse engineering, HTTP attribute-based cookie stealing, and SQL Injection.

Ethical Hacking Projects for Beginners Repository Offers Hands-On Cybersecurity Experience

• The "Ethical Hacking Projects for Beginners" GitHub repository by yourusername provides seven beginner-level projects focused on essential ethical hacking and cybersecurity techniques.

• Projects cover topics such as network scanning with Nmap, web application testing using OWASP Juice Shop, password cracking with John the Ripper, honeypot deployment using Cowrie, Wi-Fi auditing with Aircrack-ng, phishing attack simulation, and exploiting SQL injection vulnerabilities on DVWA.

• Each project includes detailed instructions in its own markdown file, guiding users through the setup, execution, and analysis steps using popular tools like Kali Linux, Burp Suite, SQLMap, and more.

JFrog Researchers Discover RCE Vulnerability in Vanna.AI via Prompt Injection

• JFrog Application Security Researchers discovered CVE-2024-5565, a remote code execution vulnerability in the Vanna.AI library, which offers a text-to-SQL interface leveraging large language models (LLMs).

• The vulnerability stems from an "Integrated Prompt Injection" attack, where the LLM is directly linked to command execution, allowing the injection to result in a severe security issue.

• After executing SQL queries, Vanna.AI can present results graphically using Plotly, but the Plotly code is dynamically generated via LLM prompting and evaluation, enabling full RCE by maneuvering Vanna.AI's predefined constraints.

Anthropic Launches Bug Bounty Initiative to Identify Universal AI Jailbreaks

• Anthropic announces a new bug bounty initiative focused on identifying and mitigating universal jailbreak attacks that could consistently bypass AI safety guardrails across a wide range of areas, particularly in critical, high-risk domains such as CBRN and cybersecurity.

• The invite-only program, in partnership with HackerOne, offers bounty rewards up to $15,000 for novel, universal jailbreak attacks and provides participants early access to test Anthropic's latest safety mitigation system before its public deployment in a controlled environment.

• Anthropic encourages experienced AI security researchers or those with demonstrated expertise in identifying jailbreaks in language models to apply for an invitation through their application form by Friday, August 16, aligning with their commitments to developing responsible AI.

Meta Releases CYBERSECEVAL 3 to Evaluate Cybersecurity Risks in Large Language Models

• Meta released CYBERSECEVAL 3, a suite of security benchmarks for large language models (LLMs), to empirically measure cybersecurity risks and capabilities across 8 areas in two categories: risks to third parties and risks to application developers/end users.

• Evaluation of the Llama 3 models found capabilities that could potentially be used in cyber-attacks, but risks were comparable to other state-of-the-art open and closed source models. Risks to application developers can be mitigated using provided guardrails.

• Key offensive security capabilities assessed include automated social engineering via spear-phishing, scaling manual offensive cyber operations, autonomous offensive cyber operations, and autonomous software vulnerability discovery and exploit generation.

Abnormal Security Raises $250M at $5.1B Valuation for AI-Powered Email and SaaS Security

• Abnormal Security, an email security firm, has raised $250 million in a Series D funding round led by Wellington Management, valuing the company at $5.1 billion.

• The company's AI-native human behavior security platform aims to detect and block attacks targeting email accounts and popular SaaS applications, including Microsoft 365, Google Workspace, Slack, Salesforce, ServiceNow, Workday, and Zoom.

• Abnormal claims to have surpassed $200 million in annual recurring revenue and serves more than 2,400 organizations, including 17% of the Fortune 500 companies.

EQT Acquires Majority Stake in Acronis at $4B Valuation

• EQT has bought a majority stake in cybersecurity firm Acronis, which specializes in data protection, cloud, and integrated security solutions for managed service providers and corporate IT teams.

• The deal values Acronis higher than its last disclosed valuation of $3.5 billion in 2022, with sources indicating an actual valuation around $4 billion.

• Acronis' cloud business' annual recurring revenue is growing at 40%, and the company has expanded its customer base to include 20,000 service providers and more than 750,000 businesses.

Trend Micro Explores Sale Amid Buyout Interest

• Reuters reports that Japanese cybersecurity firm Trend Micro is exploring a sale after attracting buyout interest from potential buyers, including private equity firms.

• Trend Micro's shares have underperformed compared to Japanese peers, making it an attractive acquisition target, especially with the recent weakening of the yen.

• Despite the sale exploration, Trend Micro reported a 13% year-over-year increase in second-quarter net sales and a 42% rise in operating income, attributed to improving its operating margin to 18%.

Scout Suite

Open source multi-cloud security-auditing tool for assessing security posture of cloud environments.

BodgeIt Store

Vulnerable web application for beginners in penetration testing.

bettercap

A powerful and extensible framework for reconnaissance and attacking various networks and devices.

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions? Let me know in the comments or on LinkedIn and Mastodon.

Best, 
Nikoloz