Brief

Brief #55: Snowflake Breach, AI-Powered Malware, CISO AI Pressures, Cybersecurity Talent Shortage

Snowflake data breach may be one of the largest ever, cybercriminals use AI-generated scripts for malware, 92% of CISOs question their role due to AI/GenAI, the US needs 225,200 more cybersecurity workers and much more.

8 min read
mandos brief newsletter week 23 of 2024

Happy week 23!

In this issue, I'm covering the Snowflake data breach potentially being one of the largest ever, the destructive malware taking down over 600,000 SOHO routers, the growing pressures CISOs face from AI and GenAI, and the need for more cybersecurity workers in the US.


Industry News

Snowflake Customer Data Breach Potentially One of the Largest Ever

Matt Burgess from Wired reports that the data breach targeting customers of cloud storage company Snowflake may become one of the biggest ever. Cybercriminals have claimed to be selling stolen data from Ticketmaster, Santander, Advance Auto Parts, and LendingTree, allegedly taken from Snowflake accounts. The attack involved using infostealer malware to obtain login credentials and target accounts with single-factor authentication. The full scope and scale of the breach remains uncertain.


Destructive Malware Takes Over 600,000 SOHO Routers Offline

Lumen Technologies' Black Lotus Labs identified a destructive event where over 600,000 SOHO routers from a single ISP were taken offline over a 72-hour period in October. The infected devices were rendered permanently inoperable, requiring hardware replacement. The primary payload responsible was "Chalubo," a commodity remote access trojan (RAT). Chalubo has payloads for major SOHO/IoT kernels, can perform DDoS attacks, and execute Lua scripts. The malware was highly active in November 2023 and early 2024, with over 330,000 unique IPs communicating with C2 nodes in October alone. Lumen assesses with high confidence this was a deliberate destructive attack, likely using commodity malware to obfuscate attribution.


Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

eSentire reports that fake browser updates are being used to deliver RAT and information stealer malware such as BitRAT and Lumma Stealer. The attack starts with a malicious website redirecting users to a fake browser update page hosting a ZIP archive containing malicious JavaScript that downloads additional payloads. ReliaQuest also discovered a ClearFake campaign variant that tricks users into manually executing malicious PowerShell code disguised as a browser update.


Advance Auto Parts Breached, 3TB of Data Stolen from Snowflake Account

Threat actors claim to have stolen 3TB of data from Advance Auto Parts, a leading automotive aftermarket parts provider, after breaching the company's Snowflake cloud storage account. The stolen data includes 380 million customer profiles, 140 million customer orders, 44 million loyalty/gas card numbers, and employee information with SSNs and driver's license numbers. While Advance has not publicly disclosed the breach, BleepingComputer has confirmed that a large number of the customer records are legitimate.


Critical RCE Flaw in Apache HugeGraph Database Exploited in the Wild

The Apache Software Foundation disclosed a CVSS 9.8-rated remote command execution vulnerability (CVE-2024-27348) affecting Apache HugeGraph versions before 1.3.0. Exploit code for the flaw, which allows attackers to bypass sandbox restrictions and achieve RCE using malicious Gremlin commands, is now publicly available on GitHub. Successful exploitation gives attackers full control of the server, enabling them to steal data, move laterally, or deploy ransomware. Admins are urged to upgrade to HugeGraph 1.3.0 immediately.


AI & Security

Hugging Face Discloses Unauthorized Access to Its Spaces Platform

Hugging Face, an AI company, disclosed that it detected unauthorized access to its Spaces platform earlier this week, with suspicions that a subset of Spaces' secrets could have been accessed without authorization. In response, Hugging Face is revoking a number of HF tokens present in those secrets and notifying affected users via email. The company has alerted law enforcement agencies and data protection authorities of the breach, which is currently under further investigation.


Windows Recall Screenshots Stored Unencrypted, Easily Extracted by Hackers

Microsoft's new Windows Recall tool, set to launch on June 18, takes screenshots of user activity every five seconds. Security researchers discovered that the preview versions store this data in an unencrypted database, making it vulnerable to attackers. Ethical hacker Alex Hagenah developed a demo tool called "TotalRecall" that can automatically extract and display the recorded information, including captures of encrypted messaging apps like Signal and WhatsApp. Hagenah aims to encourage Microsoft to address these security concerns before the full launch of Windows Recall.


Raspberry Pi Launches $70 AI Kit with Hailo-8L Accelerator for Edge ML

Raspberry Pi has released its first-party AI accessory - an M.2 Hat board with a Hailo-8L AI accelerator, offering 13 TOPS of INT8 performance. While not the most powerful accelerator, the Hailo-8L consumes just 1-5 watts and the entire Raspberry Pi 5 plus AI Kit combo costs around $150, far less than a typical NPU-equipped SoC. Raspberry Pi intentionally chose a disaggregated architecture to keep costs down.


Leadership Insights

92% of CISOs Question Role Amid Growing AI and GenAI Pressures

Trellix and CSIS research reveals 92% of CISOs are questioning their future role due to growing pressures from AI and generative AI (GenAI). Harold Rivas, Trellix CISO, notes that new threat actors or novel techniques can fundamentally change an organization's cybersecurity posture, investments, and strategy in a short period. Former Federal CISO Grant Schneider adds that AI enables adversaries to find vulnerabilities much more quickly, putting CISOs' long-term remediation plans at risk. The report indicates 90% of CISOs feel exposed to increased liability, and 92% believe using GenAI without clear regulations puts their organization at risk.


CISO Tradecraft: Evolving CISO Role, Generative AI Impact, and Effective Leadership Strategies

Rafeeq Rehman, guest on CISO Tradecraft hosted by G Mark Hardy, discusses the evolving role of CISOs and the impact of Generative AI. Rehman introduces the CISO Mind Map, a tool for understanding the breadth of cybersecurity leadership responsibilities. Key focus areas for CISOs in 2024-2025 include cautious Gen AI adoption, tool consolidation, cyber resilience, security team branding, and maximizing the business value of security controls. The episode emphasizes the importance of understanding and adapting to technological advancements, advocating for cybersecurity as a business-enabling function, and the significance of lifelong learning in information security.


Handling Breaches Well Can Boost Security Reputation

Ross Haleliuk shares an interesting observation on LinkedIn: a company's security reputation is not necessarily harmed by experiencing a breach, but rather depends on how well they handle the incident. If a company responds effectively to a breach, their standing in the security community may actually improve more than if they had avoided a breach altogether. The reaction to a breach caused by a basic vulnerability will be mixed, but good communication can mitigate reputational damage. For breaches resulting from advanced threats, as long as the company avoids being uncooperative in their response and communications, the security community tends to be understanding toward the victim.


Career Development

CyberSeek Data Reveals 225,200 More Cybersecurity Workers Needed in the US

CyberSeek, a joint initiative of NIST's NICE program, CompTIA, and Lightcast, provides data on the US cybersecurity job market. Despite having over 1.2 million cybersecurity workers, the US still needs 225,200 more people to fill the available jobs, with only 85% of positions currently filled. Between May 2023 and April 2024, nearly 470,000 cybersecurity job postings were recorded, with network and system engineers, system administrators, cybersecurity engineers, cybersecurity analysts, and information systems security officers being in the highest demand. Although the tech hiring slowdown in 2023 affected cybersecurity jobs, with a 29% decrease in job postings, the impact was less severe compared to the overall IT sector, which saw a 37% decline.


Strategies to Attract and Retain Cybersecurity Blue Team Talent

Alex Vakulov discusses the challenges in recruiting young cybersecurity professionals for defensive Blue Team roles, which are often perceived as less exciting than offensive Red Team positions. Vakulov suggests partnering with universities, offering internships, marketing attractive salaries and career paths, providing extensive training, and implementing strong mentoring programs to attract and retain Blue Team talent. Regular cyber exercises, hands-on experience at cyber training polygons, and Purple Teaming activities can help develop skills from basic to advanced levels. Businesses should also train all company specialists, not just the Blue Team, to ensure comprehensive security.


Reddit Thread Offers Glimpse into Daily Life of Cybersecurity Professionals Across Different Roles

A recent Reddit thread asked cybersecurity professionals to share what their typical workday looks like across various roles such as GRC, cybersecurity engineering, and architecture. Responses highlight the diversity of tasks and responsibilities in the field. Many users reported a mix of technical duties like monitoring systems and non-technical aspects like meetings and documentation.

Supply Chain

Netskope Surpasses $500M ARR, Delays IPO Plans

Sanjay Beri, CEO of cloud-based cybersecurity startup Netskope, says the company has crossed $500 million in annual recurring revenue (ARR). Netskope is preparing internally for an IPO but has no immediate plans to go public this year, focusing instead on becoming profitable. The company's subscription revenue growth exceeds the industry average of 29%, and it competes in the secure access service edge (SASE) market, which is expected to reach over $25 billion by 2027.


Cloudflare Acquires BastionZero to Extend Zero Trust to Infrastructure

Cloudflare has acquired BastionZero, a Zero Trust infrastructure access platform, to extend their Zero Trust Network Access (ZTNA) capabilities to natively protect infrastructure like servers, Kubernetes clusters, and databases. While application access is often prioritized due to visibility and use of modern authentication like SSO, infrastructure access is equally critical but relies on fragmented castle-and-moat network controls. Bad actors increasingly target infrastructure to take down swaths of applications or steal sensitive data. Cloudflare One's ZTNA will now protect infrastructure with user- and device-based policies and MFA.


Cybersecurity Market Projected to Reach $311.4 Billion by 2031

According to a new report by Meticulous Market Research, the cybersecurity market is projected to reach $311.4 billion by 2031, growing at a CAGR of 12.8% from 2024-2031. The growth is driven by factors such as the increasing significance of cybersecurity in banking, rising data breaches and cyberattacks, and growing IoT deployment. However, a shortage of trained professionals may restrain market growth.


Community Highlights

The Best Way to Start with AWS Security Hub

Rich Mogul shares tips for using AWS Security Hub. AWS Security Hub is a native tool that can consolidate security events and findings across multiple AWS accounts and regions into a single, normalized feed. It collects events from nearly any AWS security service like GuardDuty, and provides CSPM capabilities to assess configurations. The key benefit is creating an organization-wide security feed in one place, though aggregated findings are in a different format than the originating service.


Novel Windows Kernel Rootkit Bypasses Endpoint Security Using 0-Day

Ruben Boonen and Valentina Palmiotti from IBM will present a full-chain Windows kernel post-exploitation scenario at Blackhat USA 2023. They weaponized a Windows 0-day vulnerability to load a versatile kernel rootkit that neutralizes various endpoint sensors. The rootkit uses Direct Kernel Object Manipulation (DKOM) to alter OS telemetry, rendering endpoint security ineffective. Additional advanced attacks like disrupting EDR cloud telemetry and high-performance global keylogging will be demonstrated. As kernel rootkits become more accessible to various threat actors, configuring systems to maximize attacker obstacles is crucial.


Coverage Guided Fuzzing Extends Instrumentation to Find Bugs Faster

Bruno Oliveira from IncludeSec discusses how they develop fuzzing harnesses for clients as part of security assessments. Coverage-guided fuzzing (CGF) uses instrumentation to determine if fuzz test case inputs discover new edges or branches in the binary execution paths. The authors modified the Fuzzilli patch for JerryScript, which has a known vulnerability, to demonstrate how extending Fuzzilli's instrumentation can help identify vulnerabilities and provide feedback to the fuzzer. Fuzzing submits inputs to trigger unexpected application behavior, and modern fuzzers consider various aspects like seeds to generate complex inputs that can reach more of the target program and discover vulnerabilities.


Tools

Cloud and Container Security

S3Scanner

S3Scanner scans for misconfigured S3 buckets across S3-compatible APIs, identifying potential security vulnerabilities and data exposure risks.


Endpoint Security

Daytripper

A laser tripwire tool to hide windows, lock computer, or execute custom scripts upon motion detection.


Security Operations

Ripple

A panic button app for triggering a ripple effect across apps responding to panic events.

Thank You

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions, comments, or more detailed feedback? Let me know on LinkedIn, X, or fill-out the form.

Best, 
Nikoloz

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read