Brief #49: Palo Alto XDR Exploit, GPT-4 Vulnerability Exploitation, CISO Insights, and Top Cybersecurity Courses

Week 17: Palo Alto XDR exploited to deploy malware, researchers claim GPT-4 can autonomously exploit vulnerabilities, LinkedIn CISO shares leadership insights, top cybersecurity training courses and more.

mandos brief newsletter week 17 of 2024

Happy week 17!

In this week's issue I am covering Palo Alto XDR exploitation to deploy malware, the ability of GPT-4 to autonomously exploit vulnerabilities (should we really be concerned?), the practical applications of AI in security workflows, and insights from industry leaders on navigating the evolving talent landscape and upskilling opportunities.

Let's dive into this week's topics.

Industry News

Researcher Exploits Palo Alto XDR to Deploy Malware

Shmuel Cohen, security researcher at SafeBreach, reverse-engineered Palo Alto Networks' Cortex XDR and exploited it to deploy a reverse shell and ransomware. XDR solutions require high privileges and access to sensitive information to perform real-time monitoring and threat detection across IT ecosystems. Cohen discovered plaintext Lua files crucial to Cortex's operation and bypassed the anti-tampering mechanism using a hard link to edit the files and load a vulnerable driver, gaining complete control. Palo Alto worked with Cohen to develop fixes but left the Lua files unencrypted, as encryption would not effectively deter attackers. Other XDR platforms may be susceptible to similar attacks.

GitHub Flaw Abused to Distribute Malware via Microsoft Repo URLs

McAfee reports that a new Lua malware loader is being distributed through URLs associated with Microsoft's vcpkg GitHub repository, making the files appear trustworthy. The flaw allows threat actors to attach malware to any public repository without the project owner's knowledge by uploading files to unsaved comments. These auto-generated download links continue to work even if the comment is deleted, and can be abused to create convincing lures impersonating any company using GitHub. Disabling comments is the only current mitigation, but it significantly impacts project development.

MITRE Targeted by Nation-State Cyber Attack Exploiting Ivanti Connect Secure Zero-Days

MITRE Corporation revealed it was the target of a nation-state cyber attack exploiting two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024. The intrusion compromised MITRE's unclassified research network called NERVE. The attackers exploited CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1) to bypass authentication, run commands, move laterally, and deploy backdoors and web shells for persistence and credential harvesting. MITRE contained the incident and found no indication that its core enterprise network or partners' systems were affected.

North Korean APT Targets npm Packages with Evolved Malware Targeting macOS

Phylum's automated risk detection platform flagged new publications from a North Korean APT campaign targeting npm packages with evolved malware. The attackers used an obfuscated preinstall hook to gain arbitrary code execution upon package installation. While the core malware appears similar to earlier versions, the script now includes commands targeting macOS systems in addition to Windows, creating a directory in the Library/Application Support folder to silently execute a suspicious file. Phylum continues investigating these packages and the ongoing attack.

Cisco Firewalls Exploited by State-Sponsored Hackers to Access Government Networks

Cisco revealed that its Adaptive Security Appliances were targeted by state-sponsored spies who exploited two zero-day vulnerabilities to compromise government networks globally in a campaign called ArcaneDoor. While Cisco declined to attribute the intrusions, sources suggest the campaign aligns with China's state interests. The hackers utilized sophisticated, bespoke tooling demonstrating a focus on espionage and in-depth knowledge of the targeted devices.

AI & Security

Researchers Claim GPT-4 Can Autonomously Exploit Real-World Vulnerabilities Using CVE Advisories

University of Illinois Urbana-Champaign (UIUC) computer scientists report that OpenAI's GPT-4 large language model can autonomously exploit vulnerabilities in real-world systems when given a CVE advisory describing the flaw. GPT-4 successfully exploited 87% of 15 tested one-day vulnerabilities, including ones categorized as critical severity, compared to 0% for other models and scanners tested. While the research is an important step in agent-like capabilities of AI solutions, 15 one-day vulnerabilities are by no means proof that GPT-4 (or other models) will consistently identify and exploit such vulnerabilities. More research in this area is needed.

OpenAI Open Sources Security Slackbots for Incident Response, SDLC, and Triage

OpenAI has open-sourced a trio of security bots they built for internal use. The Incident Response Slackbot automatically chats with users who have been part of an incident alert to gather context. The SDLC Slackbot decides if a project merits a security review based on risk factors. Finally, the Triage Slackbot routes inbound requests in Slack to the appropriate sub-teams. These bots showcase practical applications of AI to streamline security workflows.

AI-Powered Cyber Threats Pose Significant Challenge for Organizations in 2024

Darktrace's State of AI Cybersecurity Report, based on a survey of 1,800 security practitioners, reveals that AI-powered threats are a major concern for 74% of organizations. 89% believe these threats will remain a significant challenge beyond the next two years. AI can impact every stage of the attack lifecycle, requiring defenders to prepare for faster, more unique threats. Organizations are also concerned about internal risks like leakage of sensitive information due to employee use of generative AI tools. While 71% have taken steps to reduce risks associated with AI adoption, practitioners see a gap compared to executives' perceptions.

Leadership Insights

LinkedIn CISO Geoff Belknap on AI, Talent, and Diversity in Cybersecurity

Geoff Belknap, CISO and VP of Engineering at LinkedIn, joins this Microsoft podcast to discuss key cybersecurity topics. Belknap previously led security efforts at Slack, safeguarding both physical and digital assets. They explore the potential impact of AI on the cybersecurity talent landscape and emphasize the importance of work-life balance in high-stress security roles. Belknap also highlights the value of diverse perspectives in building strong security programs.

AWS CISO Chris Betz Shares Insights on Successful Security Leadership

Chris Betz, CISO of AWS and former security leader at companies like Apple, Microsoft, and Capital One, discusses the qualities that make a successful CISO. Betz emphasizes the importance of establishing a culture of security, hiring for diversity, and mentoring the next generation of security leaders. As a former customer, Betz brings a unique perspective to answering customer security questions and building their confidence in AWS.

Minimal Viable Transformation for SOCs Faces Challenges

Anton Chuvakin discusses the challenges of transforming traditional security operations centers (SOCs) to a modern, automated model. Many organizations are reluctant to embrace the required scale of change, preferring incremental improvements instead. Chuvakin suggests that the DNA of a SOC largely determines its fate, with traditional SOCs struggling to scale with evolving threats and assets.

Career Development

Cybersecurity Professionals Share Top Training Courses for SOC, SecOps, and Leadership Roles

Reddit users discuss their most impactful cybersecurity training courses. Recommendations span SOC and SecOps roles, with offerings from, Active Countermeasures, and Antisyphon. SANS courses, particularly SANS 503, GCIA, and FOR610, are praised for advancing technical skills in network monitoring and DFIR. The OSCP certification is highlighted for helping blue teamers understand offensive techniques. SANS LDR514 is recommended for developing strategic planning and leadership skills.

Pentesting Projects for Building a Strong Cybersecurity Personal Brand

David Meece, a cybersecurity professional, shares 7 free pentesting projects, one for each networking layer, to help build a strong personal brand in cybersecurity. The projects utilize various tools such as Nmap, Wireshark, Ettercap, and Scapy to perform tasks like rogue device detection, MITM attacks, TCP spoofing, session hijacking, and brute forcing services. Completing these projects can enhance practical skills and showcase expertise to potential employers.

SOC Analyst Roles, Responsibilities, and Daily Life

Berkay Soylu provides an inside look at the daily life of a SOC analyst, the frontline defenders against cyberattacks. SOC analysts are responsible for threat monitoring, incident response, and forensics. The article explores the different tiers of SOC analysts, the technical skills required, and the tools they use like SIEM, SOAR, and EDR. Being a SOC analyst has both advantages and challenges in the dynamic world of cybersecurity.

Vendor Spotlight

IBM Nears Deal to Acquire Cloud Software Provider HashiCorp

Reuters reports that IBM is close to finalizing a deal to acquire HashiCorp, a cloud software provider, according to an unnamed source. The potential acquisition aligns with IBM CEO Arvind Krishna's strategy of focusing on acquisitions to expand the company's cloud offerings. HashiCorp's software enables customers to set up and manage their infrastructures on the cloud, and the company has seen strong revenue growth, surpassing analysts' estimates.

Dropzone AI Raises $16.85M for AI-Powered Security Analysts

Dropzone AI, a Seattle-based startup, announced a $16.85M Series A funding round led by Theory Ventures, with participation from existing investors and cybersecurity leaders. The company's AI analysts work alongside human analysts to investigate security alerts 24/7, using LLMs to replicate elite analyst techniques. Dropzone AI's solution can be deployed in 30 minutes without requiring playbooks, code, or chat prompts, enabling SecOps teams to focus on high-priority threats and amplify their output.

Anvilogic Raises $45M Series C to Enable Security Data Lakes and Expand Generative AI in SOCs

Anvilogic, founded in 2019, announced a $45 million Series C funding round led by Evolution Equity Partners, bringing its total funding to $85 million. The company's multi-data platform SIEM helps SOCs adopt modern security analytics that scale across diverse data lakes without replacing their existing SIEM, reducing costs and risk. Anvilogic plans to use the funds to expand its generative AI features across the entire SOC lifecycle and scale up go-to-market efforts.



Security Orchestration, Automation, and Response platform for automating security workflows.


Comprehensive identity and access management suite for risk and compliance management.


A Python-based DNS subdomain scanner using wordlists.

Community Highlights

LLM Agents Not Capable of Autonomously Exploiting One-day Vulnerabilities, Analysis Finds

Chris Rohlf analyzes a research paper claiming LLM agents can autonomously exploit one-day vulnerabilities and disagrees with its conclusions. The researchers built a small dataset of 15 open-source vulnerabilities, mostly consisting of XSS, CSRF, SQLi, and RCE. Rohlf found public exploits for 11 out of the 15 CVEs, suggesting GPT-4 is demonstrating its value in automation by joining existing content and code snippets rather than an emergent capability to analyze and exploit vulnerabilities. The lack of transparency and evidence in the paper is less than convincing and can reinforce a false narrative about AI models being dangerous for cybersecurity.

Nahamsec Shares 3 Bug Bounty Escalation Methods to Turn $500 Bug into $30K+ at Live Hacking Event

Nahamsec, a well-known bug bounty hunter, shares three different methods to escalate a certain vulnerability type in a recent video. He later demonstrates how he used a similar technique to convert a $500 bug into a $30,000+ payout (before dupe split) at a HackerOne live hacking event. This showcases the potential for skilled researchers to significantly increase the business impact and rewards of their findings through creative thinking and persistence.

Backdooring .NET Applications to Exfiltrate Login Credentials

Nicholas Starke demonstrates how to manually modify a .NET application's binary to introduce a backdoor that sends user login credentials to a remote server. The process involves disassembling the application with ildasm, injecting custom code to capture and exfiltrate the credentials, and reassembling the modified code using ilasm. Setting up a test environment and using decompilers like dotPeek to analyze the binary are key steps. The backdoor is triggered on successful logins, sending the credentials via HTTP POST to a hardcoded C2 server.

Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.

