
Brief #52: Black Basta Ransomware Targets Critical Infrastructure, AI-Generated Malware Threats, CISO Credibility Gap, and Cybersecurity Career Paths

Week 20: Black Basta ransomware targets critical infrastructure, AI-generated malware poses new risks, CISOs struggle with board credibility, and cybersecurity career stories.

Mandos Brief week 20 2024

Happy week 20!

In this issue, I'm covering the rise of AI-powered malware, the need for CISOs to gain more credibility with boards, and the diverse paths into the cybersecurity field.


Let's dive into this week's topics.

Industry News

Black Basta Ransomware Targets Over 500 Organizations Across 12 Critical Infrastructure Sectors

A joint advisory by CISA, FBI, HHS, and MS-ISAC reveals that the Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities across North America, Europe, and Australia since April 2022. The threat actors employ a double-extortion model, encrypting systems and exfiltrating data from organizations in at least 12 of the 16 critical infrastructure sectors. Black Basta affiliates use common initial access techniques such as phishing and exploiting known vulnerabilities. The ransom notes provide victims with a unique code and instruct them to contact the gang via a .onion URL.


IBM Pen Testers Hack Major Tech Firm in 8 Hours Using AI

Chris Thompson, global head of X-Force Red at IBM, says his team hacked into “the largest manufacturer of a key computer component” within 8 hours using their AI-powered platform Vivid. The pen test, originally scoped for 3 weeks, demonstrates the power of AI to accelerate vulnerability discovery and data analysis in security assessments. While AI won’t replace skilled hackers, it can significantly boost efficiency in connecting the dots across vast datasets.


FBI Seizes BreachForums, a Marketplace for Stolen Data and Malware

The FBI, in collaboration with international law enforcement partners, has seized BreachForums, a website that openly traded in malware and data stolen from hacks. The site served as an online marketplace where criminals could buy and sell compromised data, including passwords, customer records, and sensitive information. Recent incidents involving the sale of Dell customer data and the exposure of Europol data on BreachForums highlight the site’s business impact. The seizure message on the website indicates that the FBI and DOJ are analyzing the backend data and inviting individuals with information about the site to contact them.


Trend Micro Report Reveals Waterbear RAT’s Sophisticated Tactics Used by Earth Hundun Threat Actor

Trend Micro shares a report that uses a case study to describe how the threat actor Earth Hundun deploys the Waterbear RAT and its plugin during the second-stage attack. The report examines major updates to Deuterbear, including the ability to accept plugins in shellcode format and to operate without handshakes during RAT operation. The sophisticated tactics employed by Earth Hundun are showcased through their interaction with victims via the Waterbear and Deuterbear malware.


Phishing Attacks Mimic DocuSign Using Fake Templates and Stolen Credentials

Abnormal Security researchers have observed a significant increase in phishing attacks mimicking legitimate DocuSign requests over the past month. The attackers obtain fake email and document templates resembling DocuSign from a Russian cybercrime forum for as little as $10. These templates enable attackers to craft convincing phishing emails that trick employees into entering their PII or DocuSign login credentials on fake pages. Attackers can then probe compromised DocuSign accounts for sensitive documentation to use in extortion attacks or sell to other criminals.


AI & Security

Google Launches AI-Powered Theft Protection for Android Devices

Google announced new AI-powered theft protection features for Android devices running versions 10 and later. The features aim to secure users’ devices and data before, during, and after a theft attempt. A new “private space” feature allows users to host sensitive apps in a hidden, PIN-protected area. Theft Detection Lock uses Google AI to sense if someone snatches the phone and tries to flee, automatically locking the screen. Offline Device Lock provides added protection when a thief tries to disconnect the phone for prolonged periods.


AI-Generated Malware Poses Serious Threats to Cybersecurity Landscape

Palo Alto Networks researchers Bar Matalon and Rem Dudas discuss their groundbreaking research into AI-generated malware on the Threat Vector podcast. The researchers successfully generated sophisticated malware samples based on MITRE ATT&CK techniques for Windows, macOS and Linux, testing them against their Cortex product. Alarmingly, AI models can impersonate specific threat actors and malware families with high accuracy using open-source materials. Dudas predicts impersonation and psychological warfare will be significant in coming years, potentially enabling nation-state actors to conduct false flag attacks that complicate attribution and detection.


API Vulnerabilities Expose Critical Data in AI Projects at NVIDIA, Mercedes

Wallarm’s Q1 API ThreatStats report highlights the business impact of API vulnerabilities in AI projects. Mercedes-Benz suffered a major API leak exposing source code and internal data. NVIDIA’s Triton Inference Server, used for AI model deployment, had a vulnerability (CVE-2023-31036) enabling unauthorized path traversal. The report emphasizes the prevalence of API attacks targeting popular enterprise applications and DevOps tools, resulting from a lack of sufficient security controls in the rush to leverage APIs.


Leadership Insights

Cybersecurity Hiring Managers Overlook Valuable Candidates by Focusing on Arbitrary Requirements

Rex Booth, CISO at SailPoint, argues that cybersecurity hiring managers are looking for candidates in the wrong places by overemphasizing certifications and degrees. Entry-level positions often carry burdensome requirements such as specific degrees, certifications like Security+ or CISSP, and expensive training courses, artificially raising barriers to entry. Recruiters also fall into the trap of using these credentials as de facto indicators of value. Booth suggests broadening the candidate pool and reevaluating which qualifications truly matter to find candidates ready to deliver value in roles like SOC positions.


CISOs Face Credibility Gap with Boards, Leading to Reactive Cybersecurity Spend

Trend Micro surveyed 2,600 IT leaders and found that 79% of CISOs feel pressure from their board to downplay the severity of cyber-risks. CISOs are often seen as repetitive or overly negative, or are dismissed by the board. As a result, cybersecurity is treated as part of IT rather than as a strategic business concern, and proactive investment is lacking until a costly breach occurs. However, when CISOs can measure and communicate the business value of cybersecurity, they gain more credibility with the board.


Cyber Resilience Strategies for 2024: Proactive Leadership and Synergy of Tech and Human Elements

According to Deryck Mitchelson, Field CISO EMEA at Check Point, cyber resilience is crucial as threats increase, with a 90% rise in publicly extorted ransomware victims in 2023. Resilience goes beyond just having a secure perimeter; it’s about maintaining core functions during and after attacks, and being prepared for inevitable breaches. Leadership must actively engage in cyber resilience, treating it as a critical business function, not just an IT issue. The technological and human elements must work together, with advanced solutions like AI for threat detection and human insight for contextualization and fostering a security-aware culture.

Career Development

Cybersecurity Professionals Share Their Career Origin Stories on Reddit

A recent Reddit thread asked cybersecurity professionals to share how they broke into the industry. The responses highlight diverse paths, from transitioning within IT support roles to leveraging military experience. One common theme was the importance of earning the CompTIA Security+ certification to demonstrate foundational cybersecurity knowledge to potential employers. Several commenters also credited a combination of luck and good timing in landing their first security role, emphasizing the importance of being prepared to seize opportunities. The stories underscore that while there is no singular path into cybersecurity, a combination of relevant experience, practical skills, and professional networking can help aspiring practitioners break into this high-demand field.


Sentra CTO Ron Reiter’s Journey from Childhood Hacker to Cybersecurity Professional

Ron Reiter, CTO and co-founder of cybersecurity firm Sentra, started hacking as a teenager in Israel for fun, not harm. His skills led to his recruitment into the IDF’s elite Unit 8200, where he received professional training in SIGINT and cyberwarfare. Reiter’s journey from curious kid to professional hacker was shaped by his military service defending Israel’s national security.


Cybersecurity Certifications: Balancing Practical Value and Superficial Hype

Industry critics argue many top cybersecurity certifications are too theoretical, impractical, and superficial to keep up with rapidly evolving threats. Valuable certifications should emphasize practical application, in-depth knowledge of specific areas, and resourcefulness. For enterprises, certifications ensure employees have necessary skills for security operations and compliance. Employers should carefully evaluate certifications based on showcased knowledge and practical skills, not just popularity. Certifications are one important piece of the holistic cybersecurity puzzle, alongside experience and continuous learning.

Supply Chain

LogRhythm and Exabeam Announce Merger to Create AI-Driven SIEM Leader

LogRhythm CEO Chris O’Malley says the merger between LogRhythm and Exabeam will create a “strong, customer-obsessed, singularly focused global leader in AI-driven security operations.” The deal is expected to close in Q3 with details on leadership and terms not disclosed. The combined company would be the fourth-largest SIEM vendor by revenue based on 2022 IDC data. Forrester analyst Allie Mellen suggests Cisco’s recent $28 billion acquisition of Splunk has created an opening in the SIEM market that may be pressuring other vendors to consolidate.


Palo Alto Networks is Buying IBM’s QRadar

Palo Alto Networks and IBM announced a broad partnership to deliver AI-powered security outcomes for customers. Palo Alto Networks will acquire IBM’s QRadar SaaS assets, including QRadar intellectual property rights. QRadar SaaS clients will be migrated to Palo Alto Networks’ Cortex XSIAM platform, while on-prem QRadar clients can choose to remain or migrate with no-cost migration services offered.


Cybersecurity Insurance Companies Enter MDR Market, Offer Services to MSPs

Cybersecurity insurance companies like Coalition and Beazley are now offering their own MDR services to end customers and MSPs. Coalition’s John Roberts says their services help MSPs become MSSPs. Coalition introduced MDR in Q2 2023 as an outgrowth of their incident response services, after customers asked them to “stick around” following successful engagements. The company aims to provide comprehensive protection by combining insurance with security tools and services.

Community Highlights

Lazarus Group Laundered $200M from 25+ Crypto Hacks to Fiat in 2020-2023

Investigations by ZachXBT reveal that the threat actor Lazarus Group (aka Bluenoroff or APT38), tied to the North Korean government, laundered $200M from over 25 hacks targeting cryptocurrency companies and individuals between August 2020 and October 2023. Funds from hacks like CoinBerry, Unibright, and CoinMetro were transferred through intermediary wallets, consolidated, and deposited to Tornado Cash for mixing. The laundered funds were then slowly transferred in batches to the P2P marketplaces Paxful and Noones to exchange for fiat until November 2023.


VirtualBox Guest-to-Host Escape Vulnerability Discovered by 18-Year-Old Researcher

Jason Jacobi, an 18-year-old researcher, discovered a VirtualBox guest-to-host escape vulnerability in 2019 which was assigned CVE-2019-2703. Jacobi was inspired by the VirtualBox research of Niklas Baumstark and focused on finding subsystems reachable with guest-controlled inputs. By analyzing the VirtualBox source code and the RT_UNTRUSTED_VOLATILE_GUEST macro, Jacobi identified the VBVA subsystem as a promising attack surface for further investigation.


Cybersecurity Professionals Share Their Automation Wins and Wishlist on Reddit

A Reddit user sparked a discussion among cybersecurity practitioners about their successes in automating security tasks and the challenges they face. The thread reveals a strong desire to streamline processes, but hurdles remain for many. Respondents shared a range of automated tasks, from vulnerability scanning to incident response, while also highlighting areas where automation proves difficult or elusive.

Tools

YARA

Tool aimed at helping malware researchers identify and classify malware samples.

AggressiveProxy

Project to enumerate proxy configurations and generate shellcode from CobaltStrike.

OpenVAS

Comprehensive vulnerability scanner dedicated to identifying and managing security threats.

Thank you

If you found this issue useful, I'd really appreciate if you could forward it to your friends and colleagues!

Have questions, comments, or feedback? Let me know on LinkedIn, Twitter, or share your feedback.

Best, 
Nikoloz
