Brief

Brief #51: VPN Decloaking Attack, Azure Health Bot Vulnerabilities, CISO Dissatisfaction, and Incident Response Challenges

Week 19: VPN decloaking attack discovered, Azure Health Bot vulnerabilities exposed, CISOs face growing dissatisfaction, and the demanding role of incident responders.

9 min read
Mandos brief newsletter week 19

Happy week 19!

In this issue, I'm covering the growing frustration among CISOs, the rapid changes in cybersecurity strategies driven by evolving threats, and insights on the life of a cybersecurity incident responder.


Let's dive into this week's topics.

Industry News

VPN Traffic Decloaking Attack Discovered, Impacts Most VPNs Since 2002

Researchers have discovered an attack called TunnelVision that can force nearly all VPNapplications to send traffic outside of their encrypted tunnel. The attack largely negates the purpose of VPNs to protect traffic from snooping or tampering. It is believed to affect all VPNs when connected to a hostile network, with no prevention except on Linux or Android, and may have been used in the wild since 2002.


Russian National Indicted for Operating LockBit Ransomware-as-a-Service

The US Justice Department has indicted Dimitry Yuryevich Khoroshev, a 31-year-old Russian national, for creating and operating the notorious LockBit ransomware-as-a-service (RaaS). Khoroshev allegedly designed LockBit, recruited affiliates, maintained the RaaS infrastructure, and received over $100 million in ransom payment shares. LockBit targeted over 2,500 victims across 120 countries, including critical infrastructure, hospitals, schools, and government agencies, extorting at least $500 million in ransom payments.


Dell Investigating Data Breach Impacting 49 Million Customers

Dell is notifying customers of a data breachafter a threat actor claimed to have stolen information for approximately 49 million customers from a Dell portal containing purchase-related data. The stolen data includes namephysical address, and Dell hardware and order information, but does not include financial, payment, or contact information. Dell is working with law enforcement and a third-party forensics firm to investigate the incident.


Researchers Prove Autonomous Vehicle Camera Sensors Can Be Tricked to Not Recognize Road Signs

Researchers from universities in Singapore have demonstrated an attack called GhostStripe that can trick autonomous vehicles using CMOS camera sensors to not recognize road signs. The attack exploits the rolling shutter mechanism of CMOS sensors by using rapidly flashing diodes to vary the color captured on each line of the image. This results in a distorted image full of mismatched lines that the vehicle’s deep neural network classifier cannot interpret correctly. The researchers were able to elongate the interference to create a constant stream of unrecognizable images, posing a serious security concern for autonomous vehicles that rely heavily on camera-based computer vision.


Ascension Healthcare Network Diverts Ambulances Due to Suspected Ransomware Attack

CNN reports that Ascension, a major U.S. healthcare network, is diverting ambulances from several hospitals due to a suspected ransomware attack by the Black Basta gang that has been causing clinical operation disruptions and system outages since Wednesday. The attack took offline systems including the MyChart electronic health recordssystem, phone systems, and systems for ordering tests, procedures, and medications. Ascension has temporarily paused some non-emergent elective procedures, tests, and appointments while working to restore systems, and expects to use downtime procedures for some time.


AI & Security

Multiple Vulnerabilities in Azure Health Bot Exposed Sensitive Medical Data

Breach Proof researchers discovered several vulnerabilities in Microsoft’s Azure Health Bot, a software used by healthcare providers as a patient-facing chatbot. The flaws could have allowed attackers to access confidential medical information and backend infrastructure across multiple tenants. Microsoft quickly fixed the issues after receiving the report, and found no evidence of exploitation. The most severe vulnerability enabled taking control of a shared backend server with access to databases containing multi-tenant data.


Adversary Use of AI and LLMs Mapped to TTPs in New GitHub Project

A new GitHub project aims to organize and track the techniques used by threatActors leveraging artificialIntelligence in their attacks. The project focuses on cyber threat attacks facilitated by AI, excluding political influence or mis/dis/mal information campaigns, with some coverage of AI-enhanced fraud activities. Confirmation of AI use by threat actors is limited to reporting from organizations using their own AI tools or actors using AI on already-compromised endpoints. The project also attempts to map these techniques to MITRE ATT&CK and ATLAS, and builds off Microsoft and OpenAI’s classification of LLM TTPs to better describe this activity.


IBM and AWS Study Finds No Easy Solution for Secure Generative AI

A new study by IBM and AWS reveals that while generativeAI is a top priority for many organizations, there is no simple solution to ensure its security. The survey found 82% of C-suite leaders believe secure and trustworthy AI is crucial for business success. However, organizations are currently securing only 24% of their generative AI projects, highlighting a discrepancy between priorities and actions. IBM is working with AWS on approaches to improve the situation and is launching the IBM X-Force Red Testing Service for AI to advance generative AI security.


Leadership Insights

CISOs Increasingly Dissatisfied Due to Lack of Executive Support and Increased Liability

A growing number of CISOs are dissatisfiedwith their roles, with 75% open to changing jobs according to recent studies. CISOs cite a lack of executive support, misalignment on acceptable risk, and increased personal liability from new regulations as key reasons for their frustration. To address this, experts say organizations should give CISOs a direct line to the board, include them in D&O insurance, and provide standalone security budgets to better align authority and accountability.


95% of Companies Adjusted Cybersecurity Strategy in Past Year Amid Evolving Threats

LogRhythm reports that 95% of companies worldwide adjusted their cybersecurity strategy in the past year due to the rapidly changing threat environment. 78% state that the cybersecurity leader or CEO are now responsible for protecting against and responding to cyber incidents, reflecting a shift to viewing cybersecurity as a central pillar of business strategy. The top factors driving strategy changes include the shifting regulatory landscape (98%), customer expectations for data protection (89%), and the rise of AI-driven threats (65%). However, communication gaps remain, with 44% of non-security executives not understanding regulatory requirements.


CISOs Dissatisfied with Compensation Amid Industry Challenges

New research from IANS Research and Artico Search reveals that nearly a third of CISOs in the tech sector are dissatisfied with their compensation. The study found that CISO pay varies significantly based on organization type and size, with those at publicly listed firms earning the most (median $1 million) and those at founder-majority-owned companies earning the least. The researchers note that the complexity of the CISO role increases with company scale, leading to higher compensation packages, but emphasize that “not all CISO roles are equal in tech.” The dissatisfaction among CISOs, coupled with the high-pressure nature of the role and potential business impact of cyberattacks, raises concerns for cybersecurity industry leaders.

Career Development

Huntress Threat Operations Team Choreographs 24/7 Threat Defense

Dray Agha, a UK member of the Huntress Threat Operations team, describes a day in the life working with US and Australian colleagues to provide 24/7 threat defense. The global team has developed a smooth process to handoverincomplete cases between regions. Internal team sync-ups happen over Zoom calls and asynchronous communication to brainstorm improvements. When investigating suspicious activity, the team uses every available tool and telemetry source to gain context and provide detailed analysis to partners. Tuning detectionsand alerts is a constant process to reduce false positives. Downtime is used to proactively hunt for novel attackTechniques that don’t yet have detections.


Cybersecurity Incident Responders: A Day in the Life

George Platsis describes the life of a cybersecurity incident responder, which can go from calm to chaotic in an instant when an incident occurs. Responders are driven by a sense of duty, enjoy challenges, and thrive in the constant change. Pre-incident tasks include vulnerability scanning, threat research, and tool configuration. When an incident hits, responders jump into action following the NIST incident response lifecycle of preparation, detection and analysis, containment, eradication, and recovery, and post-incident activities. Thorough preparation is key to reducing harm and stress during the response. Incident response is intense and demanding, requiring both technical and soft skills, and organizations should support responders’ well-being.


Red Teams Hired to Infiltrate High-Security Companies Using Real-World Hacking Methods

Tom Van de Wiele, principal security consultant at F-Secure, leads red team operations that are hired by well-protected companies to thoroughly test their security by taking on the role of attackers. The red teams use a diverse range of skills and real-world hacking methods to find weak points in the companies’ security, often involving on-location physical access in addition to digital attacks. The goal is to help companies protect against real-world threats from criminals and opportunistic attackers.

Vendor Spotlight

Akamai to Acquire Noname Security to Enhance API Protection

Akamai Technologies announces a definitive agreement to acquire API security company Noname Security. The acquisition will enable Akamai to extend protection across all APItraffic locations and meet growing customer demand as API usage expands. Akamai has seen 109% year-over-year growth in API attacks and believes the addition of Noname will provide the breadth of integrations and deployment choices needed to deliver comprehensive API protection for customers across all environments.


Wiz Raises $1B at $12B Valuation, Reflects on Growth and Future

Wiz, a CNAPP provider, has raised $1 billion at a $12 billion valuation, led by Andreessen Horowitz, Lightspeed Venture Partners, and Thrive Capital. The company attributes its success to the dedication of its employees, investors, and customers who trust Wiz to support their cloud security journey. Wiz plans to use the new capital for talent acquisition, product expansion, and strategic acquisitions to propel innovation and cover more ground in the rapidly evolving cybersecurity landscape.


Anomali Launches AI-Powered Security Operations Platform with Intelligent Copilot

Anomali unveiled its new AI-powered Security Operations Platform, centered around an intelligent Anomali Copilot that automates key tasks. The platform leverages a proprietary cloud-native security data lake for improved speed, scale, performance and reduced costs. Former DoD CIO Dana Deasy praised the Copilot’s automated productivity benefits for security talent.


Community Highlights

LLM Security 101: Exploring Offensive and Defensive Tools and Capabilities

Embracing Large Language Models (LLMs) requires understanding the associated risks and actively mitigating potential security implications. The article explores risks, vulnerabilities, and ethical considerations based on the author’s experiences with LLMs. It aims to provide insights for security enthusiasts new to LLM security, including an overview of the OWASP Top 10 for LLM applications, vulnerability categorization, and open-source offensive and defensive tools for bug bounty hunters and pentesters to try.


Empty S3 Bucket Leads to Huge AWS Bill Due to Misconfigured Open Source Tool

Maciej Pocwierz created an empty private S3bucket for testing and was shocked to find a $1,300 AWS bill the next day due to nearly 100,000,000 PUT requests. Enabling CloudTraillogs revealed thousands of unauthorized write requests from third parties due to a popular open source tool having a default configuration using the same bucket name. AWS charges for unauthorized requests to S3 buckets, so the author was billed despite the requests being rejected. The author also found they could collect over 10GB of sensitive data in 30 seconds by opening the bucket to public writes, highlighting the potential for serious data leaks.


Auth0 Misconfiguration Allows Bypassing Login Restrictions

Amjad Ali discovered a bug allowing unauthorized account creation in a web app using Auth0 for authentication. The app had registration disabled, but by modifying the login request to the /dbconnections/signup endpoint with required parameters like client_idconnectionemail, and password, he successfully created an account and logged in. This authentication bypass is due to improper configuration of Auth0’s “Disable Sign Ups” feature. To mitigate, ensure this setting is enabled in the Auth0 application database settings.

Tools

Amass

In-depth tool for attack surface mapping and asset discovery in network security.


Brute Ratel C4

Advanced red team and adversary simulation software in the current C2 market.


Ivy

A framework for executing arbitrary VBA source code directly in memory.

Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.

Best, 
Nikoloz

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read