Brief #48: PuTTY Zero-Day, LLMs as Pentesters, Securing Layoffs, High-Paying Cybersecurity Skills

Week 16: PuTTY vulnerability allows ECDSA key recovery, LLMs perform as well as humans in pentesting, securing mass layoffs with empathy, and top-paying cybersecurity skills.

• 8 min read
mandos brief week 16 nikoloz kokhreidze

Happy week 16!

This week's newsletter covers important topics for cybersecurity professionals and leaders, including a critical vulnerability in PuTTY, the use of LLMs for pentesting, guidance on securing mass layoffs, and insights on high-paying cybersecurity skills.

Let's dive into this week's topics.

Industry News

PuTTY SSH Client Flaw Allows Recovery of ECDSA Private Keys

Researchers from Ruhr University Bochum discovered a critical vulnerability (CVE-2024-31497) in PuTTY versions 0.68 through 0.80 that could allow an attacker to recover NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw stems from the generation of biased ECDSA cryptographic nonces, with the first 9 bits of each nonce being zero. An attacker who compromises a server and obtains a few dozen signed messages along with the public key could recover the private key and forge signatures. The vulnerability also impacts other products incorporating the affected PuTTY versions, including FileZilla, WinSCP, TortoiseGit, and TortoiseSVN.

Attackers Exploit Critical OpenMetadata Vulnerabilities in Kubernetes Clusters

Microsoft Threat Intelligence reports that attackers are exploiting new critical vulnerabilities (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254) in OpenMetadata, an open-source metadata management platform, to gain access to Kubernetes workloads for cryptomining. The attack involves exploiting the vulnerabilities in exposed OpenMetadata instances to execute code on the container, conduct reconnaissance, and download cryptomining malware. Microsoft recommends updating OpenMetadata to version 1.3.1 or later and provides guidance for detecting malicious activity using Microsoft Defender for Cloud.

Cisco Duo MFA Provider Breached via Social Engineering Attack

Cisco has warned customers that a third-party provider handling SMS and VOIP traffic for its Duo MFA service was breached on April 1 via a social engineering attack using compromised employee credentials. The threat actor downloaded SMS logs containing phone numbers and other metadata for certain Duo users between March 1 and March 31, 2024. Cisco advised notifying impacted users and remaining vigilant against phishing attacks. This follows a trend of attacks targeting identity security providers, underscoring the need for these companies to bolster their defenses and for enterprises to assess the impact of such breaches on their own security posture.

Nexperia Confirms Ransomware Attack Allegedly Compromising Client Data

Nexperia, a Netherlands-based semiconductor manufacturer, has confirmed being targeted by the Dark Angels ransomware group, which claims to have stolen 1 Tb of data from the company's systems in March. The allegedly compromised information includes client folders for nearly 900 companies, confidential project data, industrial production data, and corporate information. Nexperia has disconnected the affected systems, launched an investigation, and notified authorities, while the threatActors are threatening to leak the data unless a ransom is paid.

LastPass Warns of Phishing Campaign Using CryptoChameleon Kit

LastPass is warning users of a phishing campaign targeting them with the CryptoChameleon kit, which is associated with cryptocurrency theft. The kit was previously used to target FCC employees and users of Binance, Coinbase, Kraken, and Gemini. LastPass discovered a malicious site hosted at "help-lastpass[.]com" impersonating their service. The attackers use voice phishing to pose as LastPass employees and send a phishing email with a link to the fake site, allowing them to change account settings and lock out the user if the master password is entered. Users should be cautious of suspicious communications claiming to be from LastPass and report them to

AI & Security

Confidential Computing Emerges as Key Solution for Protecting Data Privacy in Generative AI Era

Cisco's 2024 Data Privacy Benchmark Study reveals that data privacy is a top concern for enterprises adopting generative AI (GenAI) technologies. The rise of "Shadow AI" poses significant risks, including data leakage and compliance violations, with record-breaking fines imposed on companies for breaching customer trust. Traditional methods like data sanitization and anonymization are insufficient against modern AI capabilities, necessitating more robust privacy-preserving techniques like confidential computing, which uses hardware-based trusted execution environments (TEEs) to secure data during processing.

Google Extends Generative AI to Cybersecurity with Chronicle Updates

Google announced updates to its Chronicle cybersecurity platform at the Google Cloud Next '24 conference, leveraging the Gemini LLM to summarize threat intelligence and guide investigations. Google is also adding security capabilities to GCP, including a natural language interface for Cloud Assist to identify potential attack paths, an Autokey tool for encryption key management, and recommendations for invoking confidential computing services. The company previewed a Privileged Access Manager (PAM) tool, Principal Access Boundary for identity-based policies, and released a next-generation firewall (NGFW), DDoS protection, and data protection services.

LLMs Used as Pentesting Agents in Real Network Environments

Maria Rigaki, Sebastian Garcia and colleagues from MUNI in Brno presented research on using large language models (LLMs) as pentesting agents in real network environments. They developed NetSecEnv, a simulated and real environment allowing multiagent, multigoal scenarios to study attack/defense dynamics. Human experts achieved a 100% win rate in a small 5-host environment without defenders. LLMs were then tested, showing they can work as effective planning agents that generalize to any environment without further training. The most successful used a two-stage "ReAct" design to reason then select the best action. Models like GPT-4 performed as well as humans, while fine-tuned local models outperformed GPT-3.5. However, challenges remain around LLM stability, hallucinations, repetition and cost. The research is part of a 4-year "AI Dojo" project to train human and AI agents.

Leadership Insights

Securing Mass Layoffs: Lessons from IT and Security Leaders

Kane Narraway, Security at Canva, shares insights from over ten IT and security leaders on securing mass layoffs. He notes that systems aren't designed to handle exiting thousands of people at once, leading to issues like email delays and access not being removed promptly. Narraway emphasizes the importance of considering the experience of those impacted and designing the process with empathy. He presented on this topic at ComfyCon, sharing lessons learned from the group's collective mistakes.

100 Day Plan Framework: Onboarding Guidance for New CISOs

Christina S., a CIO at KIK Consumer Product, shares a comprehensive 100 day plan framework for onboarding new CISOs. The plan focuses on defining the CISO's role, building rapport, assessing the current security program, developing a strategic plan, and gaining stakeholder support. Key activities include meeting with leadership, the security team, and critical partners, performing a gap analysis, identifying top risks, and presenting the security plan. The post generated extensive discussion, with cybersecurity leaders offering additional insights on understanding the business impact, evaluating the security culture, and maintaining flexibility in executing the plan.

Guide for IT Cybersecurity Pros to Get Started in ICS/OT Security

Mike Holcomb wrote a guide to help IT cybersecurity professionals get started in industrial control systems (ICS) and operational technology (OT) security. The 10 steps include learning to think like an engineer, understanding ICS basics, exploring training options, learning standards and regulations, gaining hands-on experience, networking with the community, staying current, finding a mentor, building soft skills, and getting certified. Lee notes another version exists for engineering and automation professionals.

Career Development

Software Engineer Shares Tips for Pivoting to Cybersecurity Role

A software engineer who recently transitioned to an information security engineer role, shares tips for others looking to make a similar career change. They recommend targeting a specific area of cybersecurity that aligns with your interests and background. Earning relevant certifications like Security+ and CEH can help, but are not guaranteed job offers. Getting feedback on your resume is crucial - if you're applying to many jobs without landing interviews, your resume likely needs improvement. Networking on LinkedIn and connecting with recruiters can open doors. In interviews, aim to be clear, concise and confident. Persistence is key - don't give up in a challenging job market.

People Leadership, Technical Writing, and AppSec Engineering Are Top Paying Cybersecurity Skills

Interesting discussion about the highest paying skills in cybersecurity industry. Some users says that combining deep technical skills with people leadership abilities in security is highly valuable and well-compensated. Others highlight application security (AppSec) engineering as a high-impact, well-paid skill, especially designing minimally invasive security controls in development pipelines.

Internal promotions should be easier than external hiring to retain top talent

Kevin Fielder, CISO at NatWest Boxed & Mettle, says many companies have slick hiring processes for external candidates but challenging internal promotion processes. To retain the best talent that already has organizational knowledge and demonstrated great work, companies should nurture existing employees and make it easy for them to progress. Otherwise, top performers will eventually take an easier path to career growth by moving on to another company.

Vendor Spotlight

Wiz in Talks to Acquire Lacework for Up to $200M Amid Valuation Plunge

Cloud security startup Wiz is reportedly in advanced negotiations to acquire rival Lacework for $150-200 million, a 98% markdown from Lacework's $8.3 billion valuation in 2021. Lacework has faced challenges including layoffs, C-suite turnover, and lagging adoption of its agent-based workload protections. The acquisition could expand Wiz's SMB customer base and complement its agentless approach to cloud workload security.

Staple Raises US$4M to Expand AI-Powered Document Processing Solutions

Singapore-based startup Staple has raised US$4 million in a pre-Series A funding round led by Wavemaker Partners. Staple uses AI to bridge the gap between physical documents and digital workflows, addressing document management challenges for businesses across 56 countries. The company plans to use the funds to enter new markets, improve its AI technology, and expand its document processing solutions. CEO Ben Stein emphasized Staple's focus on breaking down language barriers and simplifying complex document processing tasks, particularly in linguistically diverse regions like South-east Asia.

Cisco Invests in Upstream Security's Cloud-based XDR Platform for IoT and Connected Vehicles

Upstream Security, a provider of XDR for connected vehicles and IoT, received an investment from Cisco Investments. The spread of complex IoT devices in mobility, automotive, and transportation introduces operational efficiencies and data-driven services, but also opens the door to large-scale cyber risks. Upstream's cloud-based platform analyzes the state of IoT assets in real-time to identify and mitigate risks, requiring no software or hardware installation. With 95% of new vehicles expected to have embedded connectivity by 2030, investing in automotive cybersecurity solutions is critical for wide adoption of the technology.



Open-source network monitoring tool, focusing on security-driven analysis.


A SIEM tool designed for Red Teams, aiding in tracking and alerting on Blue Team activities, with enhanced usability for extended operations.

Phish Report

Tool for reporting phishing websites to help combat cybercrime.

Community Highlights

Facebook Account Takeover via Nonce Bruteforce in Password Reset Flow

Samip Aryal discovered a rate-limiting issue in Facebook's password reset flow that allowed bruteforcing a 6-digit nonce to takeover any account. The vulnerable endpoint lacked proper invalidation of the nonce after multiple incorrect attempts and had a long expiration time of ~2 hours. By bruteforcing the entire search space of 000000 to 999999, an attacker could obtain a valid nonce and reset the account password, resulting in a 0-click or 1-click account takeover depending on how the nonce was rendered to the user.

Exploit for CVE-2024-3400 Published After Actively Exploited in the Wild

Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS. Justin Elze, CTO at TrustedSec, also published the exploit used in attacks against the CVE-2024-3400 vulnerability on twitter. This week, US CISA added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, giving U.S. federal agencies until April 19th to remediate the flaw. The public availability of the exploit code may lead to a surge in exploitation attempts.

Bank IDOR Vulnerability Exposes PII, Nets $5K Bounty

@bxmbn discovered an IDOR vulnerability in a major U.S. bank's special offer application process. By decoding a ridNumber parameter, they could access other users' offers, exposing PII like full names, addresses, emails, phone numbers, and birthdates. The bank, despite having an active bug bounty program, had overlooked this issue which could have allowed attackers to harvest customer data.

Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.


Share This Post

Check out these related posts

Brief #51: VPN Decloaking Attack, Azure Health Bot Vulnerabilities, CISO Dissatisfaction, and Incident Response Challenges

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #50: Postman API Credential Leaks, DHS AI Threat Guidelines, Effective Risk Communication, Cybersecurity Analyst Insights

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 8 min read

Brief #49: Palo Alto XDR Exploit, GPT-4 Vulnerability Exploitation, CISO Insights, and Top Cybersecurity Courses

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 7 min read