Brief

Brief #57: Docker API Malware, CISO-CFO Collaboration, AI Security Toolkit

Malware targets Docker APIs, OpenAI appoints cybersecurity expert, CISOs and CFOs collaborate on budgets, and new security toolkit for LLMs introduced.

9 min read
mandos brief newsletter week 25 of 2024

Happy week 25!

This week we're covering a malware campaign targeting Docker APIs, OpenAI's strategic move to bolster cybersecurity expertise, the importance of CISO-CFO collaboration for optimizing security budgets, and a new security toolkit for safer interactions with Large Language Models.


Malware Campaign Targets Exposed Docker APIs for Cryptomining

Datadog researchers uncovered a new malware campaign targeting publicly exposed Docker API endpoints to deliver cryptocurrency miners and other malicious payloads. The attack uses a remote access tool capable of downloading and executing additional malware and propagating via SSH. The campaign shares tactical overlaps with previous "Spinning YARN" activity targeting misconfigured services for cryptojacking.


Criminals Tricking Users into Running Malicious PowerShell Scripts with Fake Error Messages

Proofpoint researchers discovered multiple malware campaigns targeting organizations worldwide using fake Chrome, Word, and OneDrive error messages to trick users into running malicious PowerShell scripts. Victims are instructed to click a "fix" button and paste code into PowerShell or Run dialog, executing a remote script that downloads and runs malware. The TA571 and ClearFake gangs were observed using this technique, likely to spread ransomware.


Apple Internal Tools Source Code Allegedly Leaked by Notorious Threat Actor IntelBroker

Notorious threat actor IntelBroker claims to have obtained source code for several internal Apple tools, including AppleConnect-SSO, an authentication system used by employees to access internal resources. The alleged data breach, which IntelBroker says occurred in June 2024, has no apparent impact on Apple customer data. IntelBroker, known for previous high-profile breaches of companies like AMD and government agencies, did not provide further details or confirm if the data is for sale.


Threat Actors Leverage Unique Social Engineering to Run Malicious PowerShell Scripts

Proofpoint researchers identified a technique used by TA571 and the ClearFake activity cluster that leverages clever social engineering to trick users into running malicious PowerShell scripts to install malware like DarkGate, Matanbuchus, NetSupport, and info stealers. The attack chain requires significant user interaction, presenting fake error messages with instructions to copy and paste the script into PowerShell or Run dialog to "fix" the issue. While detection is difficult due to legitimate uses of the techniques, organizations should train users to identify and report this suspicious activity.


U.S. to Ban Kaspersky Antivirus Software Over National Security Concerns

The Biden administration announced plans to bar the sale of Kaspersky antivirus software in the U.S., citing Russia's influence over the company as a significant security risk. The software's privileged access to computer systems could allow it to steal sensitive information, install malware, or withhold critical updates. The U.S. decision is based on concerns over Russia's capacity and intent to exploit Kaspersky to collect and weaponize Americans' personal information.


Anthropic Shares Insights from Red Teaming AI Systems

Anthropic shared details on their red teaming methods used to test AI systems for vulnerabilities. They highlight the need for industry standards, as current practices vary widely, making it difficult to compare AI safety objectively. Methods covered include domain-specific expert testing, policy vulnerability testing for trust & safety, frontier threats testing for national security, and multilingual/multicultural testing. Benefits include leveraging deep subject matter expertise, while challenges involve the time and cost of qualitative testing. Anthropic aims to contribute to establishing systematic AI red teaming practices.


OpenRecall: Open-Source, Privacy-First Digital Memory Tool

OpenRecall, a fully open-source alternative to proprietary solutions like Microsoft's Windows Recall or Limitless' Rewind.ai, allows users to access their digital history while prioritizing privacy. It captures digital history through regular screenshots, analyzes the text and images, and makes them searchable. OpenRecall offers transparency, cross-platform support, local data storage with encryption options, and wide hardware compatibility.


OpenAI Appoints Retired U.S. Army General to Board for Cybersecurity Expertise

OpenAI has appointed retired U.S. Army General Paul M. Nakasone to its Board of Directors. As a leading expert in cybersecurity, Nakasone will join the Board's Safety and Security Committee to make recommendations on critical safety and security decisions for OpenAI's projects and operations. Securing OpenAI's systems, from protecting AI training supercomputers to sensitive model weights and customer data, is crucial as AI becomes more capable and faces increasingly sophisticated cyber threats. Nakasone's insights will also contribute to understanding how AI can strengthen cybersecurity by quickly detecting and responding to threats.


How to Effectively Communicate Vulnerabilities to Compel Action

Jeff Williams, an experienced security researcher, says empathy for developers and building trust are essential for effectively communicating vulnerabilities. Avoid blaming or shaming, appreciate developers' skills, and use collaborative language like "we". Establish trust by accurately describing how the application works before explaining the vulnerability. Provide specific details on the vulnerable code location and business context. Evaluate likelihood and impact, considering factors like ease of exploit and sensitivity of exposed data. Describe a realistic attack scenario and provide thoughtful remediation recommendations. Craft a compelling title conveying who can exploit the issue to do what.


How Security Can Collaborate Better with Engineering to Reduce Friction

Frank Wang discusses how security teams can reduce friction with engineering teams and be better partners. He suggests security should understand engineering processes like sprints and code reviews to better prioritize security asks. Security should also gain an understanding of the product and business to tie their work to objectives and deliver value. Further, security can demonstrate how solving security problems achieves engineering's objectives, like improving platform stability or developer experience. Finally, security should shadow and work with engineering teams to build relationships and gather context to present solutions, not just report issues.


CISOs and CFOs Must Collaborate to Optimize Cybersecurity Budgets

Mimecast's State of Email Security 2023 report found that 66% of organizations have inadequate cybersecurity budgets. CFOs lead the budgeting process and need input from CISOs to make the best case for cybersecurity investments. Taking the time to understand how CFOs think and what they value is a first step in opening the lines of communication. Regular dialogue, greater collaboration, and a laser focus on the business impact of cybersecurity investments benefit both the CISO and CFO. Interesting lead for those wanting to get buy in from ELT.


Security+ Certification Value Debated by Cybersecurity Community

A SOC analyst with 4 years of experience asked the cybersecurity community if the Security+ certification is worth pursuing. Replies varied, with opinions differing based on the respondent's industry and background. Some found the certification valuable for establishing foundational knowledge and opening doors early in a cybersecurity career. Others felt hands-on experience and skills were more important than the certification itself for more senior roles. Overall, the discussion provided useful insights for those considering cybersecurity certifications and how their value may depend on career stage and goals.


How to Hunt for Jobs Like a Hacker with Jason Blanchard

Jason Blanchard from Black Hills Information Security shares tips on how to effectively job hunt by combining OSINT, marketing technology, and a hacker/social engineer mindset. He emphasizes being a proactive "hunter" of jobs rather than just a seeker. Key points include writing your resume during the job hunt and recognizing that you might already have your dream job. The goal is to help viewers approach job hunting differently and apply these skills to land their ideal career or a stepping stone job to reach their dream role within 5 years.


Penetration Testing Interview Questions Cover Basics, Methodologies, Teams, and Certifications

Ravi Das provides an overview of the top 30 questions you may face in a penetration testing job interview. The questions cover the basics of pentesting, including the definition, purpose, and goals. Das explains the difference between vulnerability testing and pentesting, and describes the three types of pentesting methodologies: black-box, white-box, and gray-box testing. He also details the roles of the red team, blue team, and purple team in conducting pentests. Das highlights the importance of certifications like CEH and OSCP for demonstrating deep skills and knowledge. Finally, he advises explaining pentest results to C-level executives in terms of financial impact.


SpyCloud Raises $35M to Expand Account Takeover Prevention Platform

SpyCloud, a cybersecurity startup founded in 2016, announced it has raised $35 million led by CIBC Innovation Banking to expand its account takeover prevention platform. The platform helps companies detect leaked employee credentials online and protect consumer accounts from fraud. SpyCloud gathers breach data, malware-infected device data, and dark web sources to provide actionable insights for preventing ransomware, investigating cybercrime incidents, and disrupting attackers' ability to profit from stolen information.


PQShield Raises $37M for Post-Quantum Cryptography as Industries Rush to Get Quantum-Ready

Dr Ali El Kaafarani, PQShield's founder and CEO, announced a $37M Series B raise as organizations hasten to get "quantum-ready" ahead of the first post-quantum cryptography (PQC) standards being released. Industries with sensitive data, communication, and devices that have long product life spans like the semiconductor industry are already adopting PQC. PQShield provides both hardware and software PQC solutions and works with companies like AMD, Microchip Technologies, and Sumitomo Electric to embed their IP into chips. The funding will be used to fuel innovation and strengthen PQShield's commercial team as they work to mitigate the risk quantum computers pose to traditional encryption.


Israeli Startup Aim Security Raises $18M to Secure Enterprise AI Use

Aim Security, an Israeli startup, has raised $18 million in a Series A funding round to help businesses securely use AI tools. Aim's platform addresses unique threats to AI, such as sensitive data exposure, supply chain vulnerabilities, and harmful or manipulated outputs. The company aims to serve as a trusted AI security ally for enterprise security leaders, allowing organizations to confidently unleash the potential of these technologies.


Detecting AiTM Phishing Sites with Fuzzy Hashing

Obsidian Security detects phishing kits or Phishing-as-a-Service (PhaaS) websites for customers by analyzing fuzzy hashes of visited website content. EvilProxy/Tycoon is an Adversary-in-the-Middle (AitM) phishing kit that steals credentials and session cookies in real-time, often protected by Cloudflare's bot/scraping protection. Computing a fuzzy hash for the DOM after Javascript obfuscation is unwound proves useful for detecting similar EvilProxy/Tycoon sites. The same fuzzy hashing technique can catch users visiting phishing sites created by a popular APT group targeting different companies.


Hermes: Swift-Based Tool for Red Teaming macOS Environments

Justin Bui introduces Hermes, a tool developed in Swift for testing and exploiting the security of macOS systems. The talk covers the development process, functionality, and practical applications of Hermes in red teaming scenarios. Bui provides insights into how this tool can be used to improve security assessments and enhance defense strategies for macOS platforms.


OTP Bots: Automating Social Engineering to Bypass 2FA

Scammers are increasingly using OTP bots to bypass two-factor authentication (2FA) by manipulating victims into sharing one-time passwords (OTPs) via social engineering. The bots automate the process of calling victims, following pre-configured scripts to impersonate legitimate organizations like banks, payment systems, or cloud services. Attackers manage the bots through browser-based panels or Telegram, customizing the calls with victim details and using features like voice selection and phone number spoofing to increase credibility. Once the victim shares the OTP, the attacker gains access to their account.


LLMGuard

LLM Guard is a security toolkit that enhances the safety and security of interactions with Large Language Models (LLMs) by providing features like sanitization, harmful language detection, data leakage prevention, and resistance against prompt injection attacks.


cors-scanner

A multi-threaded scanner that helps identify CORS flaws/misconfigurations It can scan multiple URLs simultaneously, making it a powerful tool for identifying CORS vulnerabilities.


mass-s3-bucket-tester

This tool is designed to test the security of AWS S3 buckets by checking if they have directory listings enabled or if they are uploadable

Thank You

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions, comments, or more detailed feedback? Let me know on LinkedIn, X, or fill-out the form.

Best, 
Nikoloz

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read