Brief

Brief #53: Veeam Zero-Day, AI Governance Gaps, Cybersecurity Burnout, and Cryptography Learning Tips

Week 21: Veeam patched a critical zero-day, Replicate AI had a vulnerability exposing customer data, CISOs face burnout from relentless demands, and the cybersecurity skills gap is self-inflicted.

8 min read
mandos brief newsletter week 21 of 2024 nikoloz kokhreidze

Happy week 21!

In this issue, I'm covering a critical vulnerability in Veeam's backup software, the lack of AI governance policies in most organizations, and insights on addressing the systemic issue of cybersecurity burnout. I also have tips from a cryptography expert on how to effectively learn this important field, as well as news on CyberArk's acquisition of Venafi and some useful open-source tools for security professionals.


Let's dive into this week's topics.

Industry News

Veeam Patches Critical Flaw Allowing Unauthenticated Account Access in VBEM

Veeam warned customers to patch a critical vulnerability (CVE-2024-29849) that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM). VBEM is a web-based platform for managing Veeam Backup & Replication installations, but is not enabled by default. Veeam has released version 12.1.2.172 to patch the flaw, which has a CVSS base score of 9.8/10.


Attackers Leverage Native BitLocker Feature for Malicious Encryption

Mandiant researchers discovered an advanced VBS script that abuses the legitimate BitLocker encryption feature in Windows to encrypt entire volumes and steal the decryption key. The script, found in incidents across Mexico, Indonesia and Jordan, does not use typical code obfuscation since it is deployed after the attackers already have full control of the target system. It uses WMI to query OS information, then performs disk resizing operations on fixed local drives to create new partitions for encrypting data while avoiding detection on network drives.


GitLab Fixes High-Severity XSS Flaw Allowing Account Takeover

GitLab addressed a high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2024-4835, that allows unauthenticated attackers to take over user accounts. An attacker can exploit this issue by using a specially crafted page to exfiltrate sensitive user information. The vulnerability impacts versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. The flaw was fixed with the release of versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).


Elastic Security Labs Identifies Intrusion Set REF4578 Leveraging Vulnerable Drivers for Crypto Mining

Elastic Security Labs identified an intrusion set named REF4578 that incorporates malicious modules and exploits vulnerable drivers to disable EDR solutions for crypto mining. The primary payload, dubbed GHOSTENGINE, establishes persistence, installs an undocumented backdoor, and executes the XMRIG miner. The malware authors incorporated numerous contingency and duplication mechanisms to ensure the installation and persistence of the miner.


Microsoft Unveils AI-Powered "Recall" Feature for Windows 11, Raising Privacy Concerns

Microsoft announced a new AI feature called "Recall" for Copilot+ PCs that records users' activities, including app usage, meeting communications, and browsed websites. While the data is encrypted and stored locally, the feature raises privacy concerns. Recall takes screenshots every few seconds, allowing users to search through their activity history and transcribed meeting content. Despite Microsoft's assurances about data privacy, the potential for abuse by unauthorized account access persists.


AI & Security

Critical Flaw in Replicate AI Service Could Have Exposed Customer Models and Data

Wiz researchers discovered a vulnerability in AI provider Replicate that could have allowed threatActors to access customers' proprietary AI models and sensitive information. The issue stems from Replicate using the open-source Cog tool to package models, which can allow arbitrary code execution and enable cross-tenant attacks via malicious models. The researchers achieved remote code execution with elevated privileges on Replicate's infrastructure and manipulated the centralized Redis server to tamper with customer requests and AI outputs, threatening model integrity and accuracy.


Two-thirds of Organizations Lack Policies for Managing AI Risks

New research finds 60% of employees use generative AI tools at work, but only 15% of organizations have formal AI governance policies. The gap is attributed to leaders' discomfort with rapidly evolving AI technologies and employees prioritizing AI benefits over adhering to policies. Experts suggest building AI policies from the ground-up with employee input and leveraging industry frameworks like NIST's AI Risk Management Framework. In cybersecurity, AI risks include data poisoning, evolving threats, and model bias due to opacity.


Google Uses GenAI to Patch 15% of Simple Software Bugs in Internal Experiment

Google researcher Alissa Irei described at RSAC 2024 how the company has seen modest but significant success using generativeAI to patch software vulnerabilities. On average, a data breach from a known vulnerability costs $4.17 million, and nearly half remain unpatched two months after fixes are available. Google's experiment used an AI model similar to Gemini Pro to generate and test patches for 1,000 simple bugs, with engineers approving 15% to add to Google's codebase, potentially saving months of effort.


Leadership Insights

Cybersecurity Burnout Rooted in Relentless Work Demands and Isolation

Dr. Ryan Louie, a psychiatrist, highlights the importance of psychological safety in medical teams, which is often lacking in cybersecurity due to the need for secrecy and discretion. Malcolm Harkins, chief security and trust officer at Hidden Layer, emphasizes that burnout in cybersecurity is a systemic problem, with origins in the relentless pace of demands like Patch Tuesday. Surveys confirm the toll of never-ending work cycles on cybersecurity professionals' mental health. CISOs face additional isolation due to the secrecy and confidentiality expected in their roles, compounded by the increasing complexity of securing remote and hybrid workforces.


Cyber Security Leaders Confident in SOCs Despite Recent Breaches, Expect Budget Increases

According to a KPMG survey of 200 security leaders, CISOs, and AI security officers at firms with over $1 billion in revenue, 40% reported their SOC was hit by a recent cyberattack leading to a security breach. However, 85% remained confident in their SOC's ability to prevent sophisticated attacks. Nearly 90% anticipated their company's SOC budgets and headcount will increase by under 20% over the next two years, with the average annual SOC budget currently at $14.6 million. The anticipated budget increases come amid a growing number of cyber threats against large organizations.


Technical Debt: The Silent Killer in Cybersecurity

Richard Starnes, a strategic CISO, warns that technical debt is a often-overlooked threat in cybersecurity. Technical debt refers to the accumulation of shortcuts, workarounds, and outdated systems that prioritize speed over long-term security. Legacy systems with technical debt often contain unpatched vulnerabilities that can be exploited in attacks like ransomware and supply chain compromises. Technical debt also hinders the ability to implement new security solutions and establish effective governance.


Career Development

Advice for Learning Cryptography from Prof Bill Buchanan OBE FRSE

Prof Bill Buchanan OBE FRSE, Professor of Applied Cryptography at Edinburgh Napier University, provides tips on how to get started learning cryptography. He recommends focusing on one topic at a time, including hashing, symmetric key, key exchange, public key, KDFs, MACs, tunneling, and digital signatures. OpenSSL is highlighted as a valuable tool for exploring cryptographic methods. Prof Buchanan emphasizes the importance of understanding both theory and practice, and suggests diving deep into specific topics of interest. He also provides links to several cryptography libraries to facilitate hands-on learning.


Tips for Cybersecurity Professionals with ADHD

Reddit users share advice for managing ADHD while working in cybersecurity. Key tips include taking breaks to avoid hyperfocus burnout, prioritizing tasks, setting boundaries, and taking care of your mental health. Some find ADHD traits like hyperfocus can be an advantage in the field. Medication may help with inconsistent work ethic. Put on a professional mask when needed but be yourself otherwise. Make notes to stay on track when context switching.


Cybersecurity Skills Gap Self-Inflicted by Industry's Unrealistic Expectations and Gatekeeping

I argue that the cybersecurity skills gap is largely due to the industry's unrealistic job requirements and elitist gatekeeping. Entry-level positions often demand years of experience, advanced certifications, and proficiency in multiple programming languages. This creates an intimidating barrier to entry that discourages talented individuals, including experienced software engineers, from transitioning into cybersecurity roles. I suggest hiring for potential and attitude, investing in training and mentoring, fostering inclusive environments, and celebrating diverse backgrounds to help close the skills gap.


Supply Chain

CyberArk to Acquire Venafi for $1.54B to Secure Human and Machine Identities

CyberArk announced a deal to acquire Venafi for $1.54 billion to integrate Venafi's machine identity and access management expertise with CyberArk's human IAM offerings. The acquisition is expected to enable CyberArk to secure every identity with the right privilege controls in a cloud-first, GenAI, post-quantum world. The deal includes $1 billion in cash and $540 million in shares, and is expected to close in the second half of 2024.


SonicWall Unveils SonicPlatform Cybersecurity Management Platform for MSPs and MSSPs

SonicWall announced its new SonicPlatform cybersecurity management platform at RSA Conference 2024, designed to unify SonicWall products into a single interface. The platform aims to simplify management of both cloud and on-premises infrastructures, and deliver deep product integration for sharing contextual information across enforcement points. SonicPlatform is especially beneficial for MSPs and MSSPs, enabling efficient management of multiple client environments, automation of key tasks, and valuable insights through a user-friendly interface.


SAGE Cyber Launches CDPO Platform to Optimize Cybersecurity Planning

SAGE Cyber, formerly part of HolistiCyber, has launched as an independent company offering a cybersecurity defense planning and optimization (CDPO) platform. The SAGE Platform helps CISOs assess overlapping tools, eliminate redundant platforms, and perform strategic self-assessments. By automating various processes, the platform enables data-driven decisions to optimize security posture, budgets, and gain visibility into the effectiveness of security programs, while improving operational efficiency and reducing risk.


Community Highlights

Formbook Malware Analysis Reveals AutoIt3 Scripting and Potential Loader

Malware researcher shares their first public malware analysis of Formbook, a threatActor malware that has been active in the wild for over 5 years, spread mainly through phishing campaigns. Static analysis using Detect It Easy and Exeinfo PE reveals the malware executable contains an embedded AutoIt3 script, a BASIC-like scripting language for automating Windows tasks. The researcher hypothesizes the executable is a loader that prepares memory and loads the AutoIt script for execution.


Flipper Zero Ultimate Guide: Capabilities, Setup, and Hacking Use Cases

Ilias Mavropoulos provides a comprehensive guide to the Flipper Zero multi-tool device. The guide covers the unique features, basic functionality, and step-by-step instructions for common hacking use cases seen in the wild, such as capturing and replaying Sub-GHz signals, using it as a BadUSB to emulate a keyboard, RFID fuzzing, exploiting insecure NFC cards, and interacting with screens or HVAC systems during red team engagements. It also provides resources for customizing the firmware and extending functionality with external plugins.


Bypassing HTTP Strict Transport Security (HSTS) Using NTP Attacks

Jose Selvi reviews the strengths and weaknesses of HTTP Strict Transport Security (HSTS), a protection against SSLStrip attacks. An attacker could exploit an inter-operation vulnerability to bypass HSTS protection and use techniques like SSLStrip. The Network Time Protocol (NTP) is used by operating systems for time synchronization and uses UDP port 123. Selvi introduces Delorean, a tool that can be used in MitM attacks to manipulate NTP responses and jump the victim's clock to a future date, potentially bypassing HSTS.


Tools

Graylog

Powerful open-source log management platform for data analysis.


PFSense

Versatile security appliance solution, offering firewall and VPN functionalities.


Charlotte

A C++ shellcode launcher designed to be fully undetected.

Thank You

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions, comments, or more detailed feedback? Let me know on LinkedIn, Twitter, or share your feedback.

Best, 
Nikoloz

Share This Post

Check out these related posts

Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #82: Apple iCloud Vulnerability, Cloud Security Skills Gap, SolarWinds ARM Flaw

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read

Brief #81: OpenAI Container Risks, Cloudflare Tunnel Attacks, AWS IR Service Launch

  • Nikoloz Kokhreidze
by Nikoloz Kokhreidze | | 9 min read