Brief

Brief #50: Postman API Credential Leaks, DHS AI Threat Guidelines, Effective Risk Communication, Cybersecurity Analyst Insights

Week 18: Postman API network leaks thousands of live credentials, DHS releases guidelines to protect critical infrastructure from AI threats, cybersecurity leaders discuss overuse of "critical" and effective risk communication, and insights on the daily work of cybersecurity analysts.

8 min read
Brief #50: Postman API Credential Leaks, DHS AI Threat Guidelines, Effective Risk Communication, Cybersecurity Analyst Insights

Happy week 18!

In this week's issue, I'm covering the DHS guidelines for protecting critical infrastructure from AI threats, Google's use of generative AI to speed up incident response, and insights on securing the AI software supply chain and effective risk communication from industry leaders.


Let's dive into this week's topics.

Industry News

Postman Public API Network Leaking Thousands of Live Credentials

Security research firm TruffleSecurity estimates over 4,000 live credentials are currently leaking publicly on Postman's Public API Network for a variety of popular SaaS and cloud providers. The most commonly identified secret type was a sensitive URI, including URLs containing basic auth information. Researchers attribute the leaks to unclear UI, ambiguous taxonomy, and insufficient secret scanning, creating an environment where developers are unintentionally exposing sensitive data.


Millions of Malicious Imageless Containers Found on Docker Hub

JFrog's security research team revealed that approximately 25% of the 12.5 million repositories on Docker Hub lack useful functionality and serve as vehicles for spam, pirated content promotion, and malware dissemination. The attack exploited Docker Hub's community features, allowing users to publish repositories with only documentation pages, devoid of actual container images, leading unsuspecting users to phishing and malware-hosting websites. Three main malware campaigns were identified: the "Downloader" campaign, the "eBook Phishing" campaign, and the "Website" campaign, each employing distinct tactics to evade detection.


DropBox Sign Breached, Exposing Customer Data and Authentication Tokens

DropBox disclosed that threatActors breached the production systems of its DropBox Sign (formerly HelloSign) eSignature platform on April 24. The attackers gained access to an automated system configuration tool, allowing them to execute applications with elevated privileges and access the customer database. Exposed data included customer emails, usernames, phone numbers, hashedPasswords, API keys, OAuth tokens, and MFA keys. DropBox found no evidence that customer documents or agreements were accessed. The company has reset all user passwords, logged out all sessions, restricted API key usage, and is emailing impacted customers.


Latrodectus Malware Distributed in Phishing Campaigns Using Microsoft Azure and Cloudflare Lures

Security researchers have discovered that the Latrodectus malware is being distributed in phishing campaigns using Microsoft Azure and Cloudflare lures to evade detection by email security platforms. Latrodectus acts as a backdoor, downloading additional EXE and DLL payloads or executing commands. The malware has been linked to the developers of the widely-distributed IcedID modular malware loader based on distribution and infrastructure similarities.


Android Leaks DNS Queries Despite Always-on VPN and Kill Switch

A Mullvad VPN user discovered that Android devices leak DNS queries when switching VPN servers, even with the "Always-on VPN" and "Block connections without VPN" (kill switch) features enabled. The leak occurs when apps make direct calls to the getaddrinfo C function, and happens when a VPN is active with no DNS server configured, or when the VPN app re-configures the tunnel, crashes, or is forced to stop. Until Google fixes this OS bug, users should be cautious when using Android devices for sensitive activities.


AI & Security

Google Leverages Generative AI to Accelerate Security Incident Response by 51%

Google security researchers Lambert Rosique, Jan Keller, Diana Kramer, Alexandra Bowen and Andrew Cho share how they are using generative AI to significantly speed up writing incident summaries as part of their security and privacy incident response process. By structuring incident data with tags and refining AI prompts, they found AI-generated summaries covered all key points, were rated 10% higher in quality than human-written ones, and cut drafting time in half. Risks of AI errors are mitigated through human review, disabling data storage, and monitoring quality over time.


DHS Releases Guidelines to Protect Critical Infrastructure from AI Threats

The Department of Homeland Security (DHS) has released new guidelines to help critical infrastructure owners and operators defend against threats related to artificialIntelligence (AI) systems. The guidance addresses risks such as adversarial manipulation of AI systems, unintended consequences due to AI shortcomings, and the use of AI to augment and scale attacks. It emphasizes the need for transparency, secure by design practices, and a culture of AI risk management throughout the AI lifecycle.


Google Publishes Secure AI Framework to Address Growing AI Supply Chain Risks

Google has published a new Secure AI Framework white paper detailing their approach to securing the AI software supply chain. As AI becomes more integrated into everyday products, the same software supply chain security problems are emerging as with traditional software, but at an accelerated pace. Google argues that existing security measures like provenance metadata, SLSA, and artifact signing can be adapted to AI ecosystems. The framework emphasizes capturing and organizing metadata, increasing integrity, and sharing provenance info with others to enable AI practitioners to verify the source and integrity of models and datasets. Google believes building security into AI infrastructure from the start is key to preventing future supply chain attacks.


Leadership Insights

Overuse of "Critical" in Cybersecurity Hinders Effective Risk Communication

Jonathan Trull, Chief Security Officer at Qualys, shares his perspective on the overuse of the word "critical" in cybersecurity. He advocates for greater focus on cyber risk quantification and using business language to effectively communicate with executives, boards, and risk committees.


New SOC-CMM Assessment Tool Released with NIST CSF 2.0 Mapping

The SOC-CMM team has released a new version of their assessment tool with minor bug fixes, improvements, and added guidance based on community feedback. A major change is the addition of mapping to NIST CSF 2.0, while retaining NIST CSF 1.1 mapping for now. Future versions will drop the 1.1 mapping. The tool also now includes an embedded results sharing form to share anonymized assessment results back to SOC-CMM for trend analysis.


Zscaler Shares Five Qualities of a Great Virtual CISO

Zscaler shares insights on the career path of a CISO and the option to become a virtual CISO (vCISO). A vCISO is an independent or contracted employee who carries out the role of a CISO for companies that may not have the case or budget for a full-time equivalent. vCISOs can advise multiple organizations simultaneously or focus on one at a time, typically working from home. The article highlights five signs that a seasoned CISO may be ready to transition into a vCISO role.


Career Development

Senior Threat Intelligence Analyst Shares Typical Workday Tasks

Adam Goss, a senior CTI analyst, shares his typical workday which involves threatIntelligence, vulnerabilityIntelligence, and threatHunting tasks. In the morning, his team analyzes threat intelligence from open sources and their TIP to identify new threats relevant to their organization. They also analyze vulnerability intelligence to check for new vulnerabilities that may impact their systems and report them to the vulnerability management team for patching. For threat hunting, they use IOC-based hunting with indicators from their CTI database, behavior-based hunting with SIEM/EDR detection rules, and TTP-based hunting with Sigma rules.


Cybersecurity Analyst Shares Insights on Daily Work Life

Euan Doyle, a businessInformationSecurityAnalyst, describes his journey from musician to cybersecurity professional. He manages security training programs, phishing simulations, and external support teams. Doyle also handles security exceptions, vetting and approving requests from the business. Indicator of Compromise (IOC) checks are an ongoing task, involving sharing information with industry peers and ensuring email and firewall security are properly managed.


Chevron Cyber Threat Intelligence Analyst Protects Global Assets

Jessica Lee, a cyber threat intelligence analyst at Chevron, works to protect the company's information and technology assets across all countries where Chevron operates. With a background in linguistics, Lee transitioned from a coordinator role to an analyst position, leveraging her skills in researching and writing about the cyber threats Chevron faces. In collaboration with other teams, Lee helps make recommendations to keep the company protected against adversaries attempting to steal data, corrupt systems, or force shutdowns. Staying ahead of highly motivated threat actors is one of the biggest challenges in cybersecurity.


Vendor Spotlight

Apex Raises $7M Seed Round to Secure Enterprise AI Adoption

Israeli startup Apex, focused on protecting rapid enterprise adoption of AI tools, raised $7M in a seed round led by Sequoia Capital and Index Ventures, with participation from OpenAI CEO Sam Altman. Apex has been running trials with Fortune 500 companies and investment firms, nearing paid contracts. The funds will accelerate product development, hiring, and marketing. With growing demand for AI tools like ChatGPT, users seek ways to protect their data and prevent threats and inappropriate data from entering their systems. Apex is building extra security layers needed for enterprises to safely adopt AI.


Darktrace Agrees to $5.3B Sale to Thoma Bravo, Citing UK Undervaluation

British cybersecurity firm Darktrace announced it has agreed to be acquired by U.S. private equity firm Thoma Bravo for $5.315 billion in an all-cash deal. The board believes Darktrace's achievements are not reflected in its current valuation on the London Stock Exchange, trading at a discount compared to its global peers. The deal represents a 44.3% premium to Darktrace's average share price over the past three months. Darktrace, founded in 2013 and based in Cambridge, UK, specializes in AI-based protection against cloud attacks for large companies and events.


StepSecurity Raises $3M Seed Round to Secure CI/CD Pipelines

Ashish Kurmi and Varun Sharma, former Microsoft engineers and cybersecurity veterans, founded StepSecurity in 2022 to help developers secure their CI/CD pipelines. The startup raised a $3M seed round led by Runtime Ventures to expand its product that currently supports GitHub Actions, with plans to add other CI/CD tools. StepSecurity has paying customers across crypto, healthcare, and cybersecurity industries, aiming to prevent CI/CD attacks like the SolarWinds and Codecov hacks.


Community Highlights

IcedID Malware Leads to Dagon Locker Ransomware Attack in 29-Day Intrusion

A phishing campaign in August 2023 distributed IcedID malware using the Prometheus Traffic Direction System (TDS), leading victims to download a malicious JavaScript file from a fake Azure portal. The executed file downloaded and ran an IcedID DLL, establishing persistence and C2 communication. After 30 hours, IcedID downloaded a Cobalt Strike beacon, which the threat actor used for discovery, credential access via LSASS, and privilege escalation with GetSystem. Within 5 minutes, lateral movement began, targeting a domain controller and file shares using tools like AdFind and a custom PowerShell script called AWSCollector. Data exfiltration to AWS S3 buckets started 1.5 hours later, and additional Cobalt Strike beacons were deployed to more hosts over the following days as discovery efforts continued, focusing on the virtualization infrastructure and sensitive documents. On day 8, AnyDesk was installed on a domain controller, a new user was created, and another Cobalt Strike beacon was deployed.


Network Segmentation Best Practices for Corporate Networks Released

Sergio Marotco shares a project publishing best practices for segmenting corporate networks suitable for any company. Diagrams are available showing basic segmentation at Level 1 to protect against targeted attacks, though the corporate network should still be considered potentially compromised. Level 2 adopts more security practices like duplicating production infrastructure and implementing DevSecOps, making it harder to compromise production but increasing cost and complexity. Level 3 requires strong executive support for cybersecurity and a sizable dedicated security team.


Apple Discussions Forum Stored XSS Vulnerability Earns Researcher $5000 Bounty

Security researcher Crypto discovered a stored XSS vulnerability in the Apple Discussions forum that allowed arbitrary JavaScript execution via user profiles. By injecting a malicious payload in the "Location" field of a profile, the XSS could be triggered when other users viewed it, potentially allowing cookie theft and other attacks. Apple awarded a $5000 bounty for the finding after a 3-month remediation process and acknowledged the researcher on their security Hall of Fame page.


Tools

Elastic

Platform for search, logging, security, and analytics, using the Elastic Stack.


Velociraptor

Advanced tool focusing on endpoint monitoring, digital forensics, and incident response.


AttackSurfaceMapper

A tool that automates the reconnaissance process for identifying attack surfaces.


Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.

Best, 
Nikoloz

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read