Brief #47: Palo Alto Zero-Day Exploited, AI-Powered Malware, CISO Burnout, and the Value of Mentorship

Week 15: State-sponsored attackers exploit Palo Alto Networks zero-day, cybercrime group uses AI-generated scripts to load malware, CISOs face burnout, and the importance of mentorship.

7 min read
mandos brief newsletter week 15 2024 nikoloz kokhreidze

Industry News

State-Sponsored Hackers Exploit Palo Alto Networks Zero-Day to Breach Networks

A critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks firewalls has been exploited by suspected state-sponsored hackers since March 26 to breach internal networks, steal data, and credentials. The attackers installed a custom Python backdoor named 'Upstyle' to execute commands on compromised devices and pivot to internal networks. Volexity, who discovered the zero-day, believes the attackers are highly likely to be state-sponsored based on the resources required and the capabilities displayed.

LG Smart TV Vulnerabilities Allow Root Access and Command Injection

Researchers discovered vulnerabilities in LG webOS on smart TVs that enable authorization bypass and root access. The flaws, CVE-2023-6317 through CVE-2023-6320, impact webOS versions 4.9.7 to 7.3.1 and were patched in March 2024. Exploitation allows gaining elevated privileges and running arbitrary commands, potentially impacting over 91,000 internet-exposed devices primarily in South Korea, Hong Kong, and the U.S.

Raspberry Robin Malware Evolves to Use Highly Obfuscated Windows Script Files for Initial Infection

The Raspberry Robin Windows worm has updated its infection chain to deliver payloads via heavily obfuscated Windows Script Files (WSF). These scripts implement robust anti-analysis and virtual machine detection capabilities to evade security controls. The malware establishes device integrity checks before downloading its DLL payload, adds Microsoft Defender exclusions, and restarts execution to break debugger sessions.

GitHub Repositories Abused to Spread Keyzetsu Malware

Threat actors are using GitHub automation features and malicious Visual Studio projects to distribute a new variant of the Keyzetsu clipboard-hijacking malware, targeting cryptocurrency payments. The attackers create GitHub repositories with names optimized for search rankings and artificially boost their popularity using automated commits and fake accounts. Users downloading files from these repositories are infected with malware hidden within Visual Studio project files, which is stealthily executed during the build process.

Metasploit Meterpreter Installed via Vulnerable Redis Servers

Attackers are targeting misconfigured and outdated Redis 3.x servers to install Metasploit Stager malware and the PrintSpoofer privilege escalation tool. The Stager downloads the memory-resident Meterpreter backdoor from a C&C server, providing ongoing access. Organizations running Redis should update to the latest version, restrict external access to servers, and use endpoint protection to detect and block the malware.

AI & Security

Cybercrime Group Uses Likely AI Script to Load Info Stealer

Proofpoint researchers identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware, an information stealer. The actor appeared to use a PowerShell script suspected to be generated by a large language model (LLM) to load the malware into memory without writing it to disk. While LLMs can assist threat actors, the potentially LLM-generated code did not change the malware's functionality or impact defenses against it.

AI-Powered Security Platforms Race Heats Up with Microsoft, Google, and Simbian

Microsoft, Google, and startup Simbian are investing heavily in generative AI (GenAI) systems to automate cybersecurity tasks using natural language. These platforms aim to streamline security operations by identifying breaches, connecting threat signals, and analyzing data, potentially reducing the time required from weeks or months to mere seconds.

Sama Launches Red Team Service to Enhance Generative AI Safety and Reliability

Sama, a data annotation solutions provider, announced its new offering, Sama Red Team, to address the growing ethical and safety concerns surrounding generativeAI. The service focuses on tricking AI models and exposing vulnerabilities through techniques such as prompt hacking, testing for compliance, public safety, privacy, and fairness. Sama's team conducts tests using real-world scenarios to identify potential risks and determine whether prompts should be refined or recreated to enhance AI safeguards.

Leadership Insights

CISOs Struggle to Sell Cybersecurity Value and Face Burnout

Allan Alford, CEO at Alford and Adams Consulting, shares that two CISOs he spoke with recently wanted to quit not just their roles but the cybersecurity field altogether due to feeling a lack of leadership support. Alford emphasizes the need for CISOs to effectively sell the value of their work, continuously re-evaluating their approach and seeking feedback from peers while also prioritizing self-care to avoid burnout in this challenging role.

Using "No" Strategically Can Help CISOs Drive Business Value

Clarke Rodgers from AWS says that CISOs should track how often they must say "No" to business requests. If a CISO has to frequently say "No", it indicates the organization lacks a strong security culture, adequate funding, and executive understanding of cyber risk. CISOs can use data on the cost of saying "No" to justify initiatives like building security into CI/CD pipelines, embedding Security Ambassadors in product teams, and supporting AI adoption while mitigating risks.

How Google Cloud’s Office Of The CISO Is Shaping The Future

Forbes sits down with the members the Office of CISO of Google Cloud. The OCISO aims to address the unique cybersecurity challenges and regulatory landscapes of each sector by providing tailored, empathetic guidance rooted in the team's experience as former CISOs. Members share details about their approach, frameworks and ways of working.

Playbooks Provide Context and Automation for SecOps

Aimei Wei, founder and CTO of Stellar Cyber, discusses how playbooks can enhance SecOps by providing context and automation. Traditional SecOps techniques struggle to combine insights from various tools, but playbooks in XDR solutions offer visibility into the entire attackSurface while correlating alerts using AI and ML. Playbooks can automate response actions and improve analyst productivity through better root cause analysis.

Career Development

Mentorship Crucial for Building Successful Security Careers

Michael Dorn, Executive Director of Safe Havens International, emphasizes the mutual benefits of mentorship, learning from both superiors and employees. Jennifer Franks, Director of Information Technology and Cybersecurity at GAO, highlights the need for tailored mentorship approaches to navigate the vast and fast-moving cybersecurity field. Shannon Brewster, Director and General Manager at AT&T Cybersecurity, thinks having a mentor is probably one of the most instrumental things that you can have in terms of really realizing success. Colin Daugherty mentions the leadership is about promoting others before yourself.

NIST Releases Free Online Courses on SP 800-53 Security and Privacy Controls

NIST has released three free online introductory courses covering the SP 800-53 security and privacy control catalog, SP 800-53A control assessment procedures, and SP 800-53B control baselines. The courses provide high-level overviews of foundational security and privacy risk management concepts based on their respective NIST Special Publications. The courses range from 45-60 minutes and do not require registration, making them easily accessible for those looking to gain a basic understanding of these important cybersecurity standards.

Comprehensive List of InfoSec Interview Questions Across Key Domains

The pbnj/infosec-interview-questions GitHub repository provides an extensive collection of interview questions for various information security roles. The questions span key domains including applicationSecurity, architecture, blue team, encryption, forensics, incident response, networking, red team, and vulnerabilityManagement. Example questions cover topics like implementing secure login fields, types of XSS attacks, differences between encoding/encryption/hashing, and how TLS sessions are established.

Vendor Spotlight

Cybersecurity Funding Declines 20% YoY in Q1 2024, Seed Rounds Dominate

Nathan Eddy from Pinpoint Search Group reports that cybersecurity funding deals declined by 20% year-over-year to $2.3 billion in Q1 2024. Despite the decrease, 77 funding rounds closed, with seed rounds constituting 40% of the transactions. The report also noted a decline in merger and acquisition activity, from 31 deals in Q1 2023 to 24 in Q1 2024. However, March 2024 saw vendors exceeding $1 billion in funding for the first time in thirteen months, indicating potential stabilization of the market.

TrojAI Raises $5.75M to Secure AI Models and Applications

TrojAI, a Canada-based provider of enterprise AI security solutions, announced a $5.75 million seed funding round. The company's platform helps organizations comply with AI security benchmarks and privacy regulations by testing models before deployment and protecting against risks such as sensitive data loss.

Cyera Raises $300M Series C at $1.4B Valuation for Data Security Posture Management

Cyera, an Israeli DSPM startup, has raised $300 million in Series C funding led by Coatue, bringing its total funding to $460 million. The company's agentless platform discovers, classifies, assesses, and protects structured and unstructured data across clouds, SaaS, data lakes, and on-prem environments. With the accelerated adoption of AI, Cyera aims to address the growing data attack surface for modern enterprises.

Wiz Acquires Gem Security for $350M to Consolidate Cloud Security

Wiz, a well-funded cybersecurity provider, has acquired Gem Security, a developer of a platform for protecting cloud environments from cyber attacks, for a reported $350 million. The acquisition aims to address tool sprawl, silos, and visibility gaps in the cloud security market, while continuing to innovate and simplify complex security challenges.



.NET command and control framework designed for offensive .NET tradecraft and collaboration.


Assists with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF).


An open-source phishing toolkit for businesses and penetration testers to set up and execute phishing engagements and security training.

Community Highlights

How I discovered a 9.8 critical security vulnerability in ZeroMQ with mostly pure luck and my two cents about xz backdoor

Fang-Pen Lin shares how she discovered CVE-2019-13132 in ZeroMQ while implementing authentication using CurveZMQ. Vulnerability allowed stack overflow via large metadata in authentication payload, achieving CVSS 9.8 severity. Quickly patched and disclosed to ZeroMQ maintainers, who rolled out fix to major Linux distributions.

Combining SaaS Attack Techniques for Effective Attack Chains

Poisoned tenants involve an adversary registering a SaaS app tenant they control and tricking target users to join it. SAMLjacking is where an attacker uses SAML SSO configuration settings for a SaaS tenant they control to redirect users to a malicious link during authentication. Combining these techniques allows an attacker to compromise user credentials without direct phishing, potentially leading to businessImpact across multiple SaaS applications.

How I got RCE in one of Bugcrowd's Public Programs

Bug bounty hunter, discovered an Apache Struts 2 instance running on a non-standard port during reconnaissance of a Bugcrowd public program's assets using Shodan. After fuzzing directories and attempting to exploit known CVEs for the specific Tomcat versions, an OGNL injection payload was successfully used to achieve remote code execution via the showLogin.action endpoint. The vulnerability was reported to Bugcrowd and the program resolved it by decommissioning the affected asset.

Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.


Share This Post

Check out these related posts

Brief #51: VPN Decloaking Attack, Azure Health Bot Vulnerabilities, CISO Dissatisfaction, and Incident Response Challenges

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #50: Postman API Credential Leaks, DHS AI Threat Guidelines, Effective Risk Communication, Cybersecurity Analyst Insights

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #49: Palo Alto XDR Exploit, GPT-4 Vulnerability Exploitation, CISO Insights, and Top Cybersecurity Courses

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 7 min read