Happy week 22!
In this issue, I'm covering the critical Fortinet vulnerability, the U.S. Treasury sanctions on the 911 S5 botnet, the new committee at OpenAI for AI safety and security, and the DHS guidelines for AI security in critical infrastructure. I also highlight the need for security leaders to focus on high-impact programs, the growing challenges faced by CISOs, and the in-demand skills for cybersecurity professionals.
Let's dive into this week's topics.
Industry News
Fortinet Patches Maximum Severity RCE Flaw in FortiSIEM, PoC Exploit Released
Security researchers have released a PoC exploit for a maximum-severity command injection vulnerability (CVE-2024-23108) in Fortinet's FortiSIEM solution, patched in February. The flaw enables remote command execution as root without authentication via crafted API requests. Fortinet initially denied the validity of the CVEs but later confirmed they were variants of a previously patched vulnerability.
U.S. Treasury Sanctions Chinese Nationals Behind 911 S5 Proxy Botnet
The U.S. Department of the Treasury has imposed sanctions on three Chinese nationals for allegedly operating 911 S5, an online anonymity service that routed Web traffic through malware-infected computers worldwide. KrebsOnSecurity identified one of the men, Yunhe Wang from Beijing, as the apparent owner or manager of 911 S5 in a July 2022 investigation. The service was popular among cybercriminals for its reliability and low prices, allowing them to route malicious traffic through computers geographically close to their targets. 911 S5 built its proxy network mainly by offering "free" VPN services that secretly turned users' computers into traffic relays for paying customers.
ABN Amro Client Data Potentially Compromised in Third-Party Ransomware Attack
ABN Amro, a Dutch bank, announced that client data may have been compromised in a ransomware attack targeting AddComm, a third-party services provider. While AddComm has contained the incident and restored its systems, the extent of the data stolen remains unclear. ABN Amro has temporarily suspended the use of AddComm's services, which include distributing physical and digital documents and tokens to clients and employees. The bank is prioritizing informing clients and minimizing the impact of the data breach, although there are currently no indications of malicious use of the potentially stolen data.
Ticketmaster Breached, 560M Customer Records Allegedly Stolen
Cybercriminals known as ShinyHunters claim to have stolen 1.3TB of data on 560 million Ticketmaster customers and are selling it on the BreachForums marketplace for $500,000. The Australian government has confirmed it is aware of a "cyber incident" impacting Ticketmaster. The allegedly stolen records include customers' PII, order info, and partial credit card details, though the authenticity of the data has not been verified.
Malicious PyPI Package 'pytoileur' Targets Windows Users with Trojanized Binaries
Sonatype discovered a malicious PyPI package named 'pytoileur', which is part of a broader "Cool package" campaign. The package targets Windows users by downloading and installing trojanized binaries capable of surveillance, persistence, and crypto theft. Notably, the campaign employs StackOverflow to lure victims into installing the malicious package.
AI & Security
OpenAI Forms Committee for Critical AI Safety and Security Decisions
OpenAI CEO Sam Altman and board members will lead a new committee to make critical safety and security decisions for all of its projects as the company begins training its next AI model. The committee will evaluate OpenAI's processes and safeguards over the next three months, recommending improvements to be adopted consistent with safety and security. The formation of this committee follows reports that OpenAI disbanded its "superalignment" security team dedicated to preventing AI systems from going rogue, with some leaders leaving due to misalignment on the security approach.
DHS Releases Guidelines for AI Security in Critical Infrastructure
The U.S. Department of Homeland Security (DHS) released guidelines to help critical infrastructure owners and operators develop AI security and safety, based on insights from CISA's cross-sector analysis of AI risk assessments. The guidelines highlight three categories of AI risk: attacks using AI, attacks targeting AI systems, and failures in AI design and implementation. The guidelines incorporate four core functions from the NIST AI Risk Management Framework: govern, map, measure, and manage. These efforts coincide with CISA being named the National Coordinator for Critical Infrastructure Security and Resilience and the establishment of a new Artificial Intelligence Safety and Security Board.
Swift Launches AI Pilots to Combat Cross-Border Payment Fraud
Swift, the global messaging service, announced it is launching two AI-based experiments to help member banks recognize fraud. Fraud cost the financial industry $485 billion in 2023, and AI can play a strong role in reducing these costs while also helping achieve the G20's goal of increasing the speed of cross-border payments. The first pilot will enhance Swift's Payment Controls service using an AI model to develop a more accurate picture of potential fraud based on historical activity patterns on the Swift network.
Leadership Insights
Security Leaders Wasting Time on Wrong Priorities, Should Focus on High-Impact Programs
Andy Ellis, Hall of Fame CSO and leadership advisor, argues that CISOs are misusing the common Risk Nine-Box model to prioritize their work. He categorizes issues into "Litter" (low damage, low likelihood), "Hygiene" (low damage, high likelihood), "Incidents" (high damage, high likelihood), and "Programs" (high damage, low likelihood). Ellis asserts that security teams waste time nagging others about Litter and Hygiene issues that should be handled by mature organizational processes. Instead, he believes CISOs should focus on high-impact Programs to mitigate complex risks through far-reaching improvements to technology, processes, and organizations.
CISOs Face Growing Threats, Shrinking Budgets, and Personal Liability in 2024
CISOs are struggling to defend against increasingly complex cyber threats in 2024, fueled by technologies like generative AI. Cyber budgets are shrinking while CISOs can now be held personally liable for breaches. 61% of CISOs feel unprepared for an attack and 68% believe their organization is at risk. CISOs must clearly communicate cyber risk to boards in monetary terms and file honest yet balanced SEC 10K disclosures without exposing vulnerabilities.
Security Leaders Increasingly Worried About Material Cyber Attacks, Survey Finds
Proofpoint surveyed 1,600 Security Leaders across 16 countries and found 70% worry their organization is at risk of a material cyber attack in the next 12 months, up from 68% last year. Nearly a third believe a significant attack is "very likely." CISOs in South Korea (91%), Canada (90%), and the US (87%) are most concerned. 43% report their organization is unprepared for an attack, an improvement from 61% last year. Top threats cited include ransomware, malware, email fraud, cloud account compromise, insider threats, and DDoS attacks.
Career Development
Cloud, Automation, and Programming Skills Top Cybersecurity Recruiter Wish Lists for 2024
A recent Reddit discussion reveals that cloud and automation skills are the most sought-after by cybersecurity recruiters looking ahead to 2024. For those aiming for higher pay ranges, adding programming skills to the mix is a key differentiator, particularly among big tech companies who value the combination of security and development expertise. Commenters also highlight the importance of stamina to navigate lengthy interview processes, as well as project management skills, even for non-PM roles.
34% of Organizations Lack Cloud Cybersecurity Skills
Cado Security's report reveals that 90% of organizations suffer damage before containing and investigating incidents, with 23% of cloud alerts remaining uninvestigated. The primary contributing factor is the lack of visibility and control over cloud environments, with 82% of organizations requiring multiple platforms and tools for investigations and 34% reporting limited cybersecurity skills specific to cloud technologies. As regulatory reporting requirements evolve, 42% of organizations face challenges with the increasing scope and staying abreast of new regulations, while 34% have been fined for not meeting regulatory requirements.
Practical Skills Land SOC Analyst Job Over Theory
Mike Miller, a vCISO / Senior Security Consultant / Penetration Tester, shares how he landed his first SOC Analyst job despite lacking certain theoretical knowledge. During the interview, Miller was given Wireshark printouts and asked to analyze the packet captures. He identified the use of insecure protocols and unauthorized downloads of music from LimeWire within the organization. Miller was hired on the spot, even though he couldn't count in binary, describe the OSI model, or have a security certification at the time. Hands-on practical knowledge can sometimes be more valuable than theoretical understanding.
Supply Chain
OpenText Acquires MDR Platform Pillr to Enhance Cybersecurity Offerings
OpenText has acquired Pillr, a cloud-native MDR platform from Novacoast, to accelerate its cybersecurity product roadmap. Pillr provides threatHunting and response capabilities, including 24x7 SOC services, and is designed for MSPs. The acquisition aims to address challenges like skill gaps, skill shortages, and alert fatigue. OpenText plans to introduce API integrations and product/pricing bundling to provide a more comprehensive solution against cyber threats.
SOCRadar Raises $25.2M Series B to Expand External Threat Intelligence Platform
SOCRadar, a provider of threatIntelligence and brand protection, raised $25.2M in a Series B round led by PeakSpan Capital. With 83% of respondents citing external threats as the top cause of cyber threats, SOCRadar aims to deliver pre-emptive defense against ransomware, phishing, and BEC attacks. The company's XTI SaaS platform offers a suite of solutions, including Cyber Threat Intelligence, External Attack Surface Management, Brand Protection, and Dark Web Monitoring. The funds will be used to drive expansion in the US and EU markets, penetrate the MSP and MSSP markets, and invest in AI-driven threat detection and response capabilities.
Zendata Emerges From Stealth With AI Governance and Data Security Platform
San Francisco-based Zendata announced raising $2 million in seed funding led by PayPal Ventures and others to develop its no-code platform for data security, AI governance, and privacy across the data lifecycle. The company's solutions include scanners for identifying PII risks in websites, code, and IT infrastructure, as well as tools for cookie management and data subject access requests. Zendata aims to help organizations navigate the complex landscape of AI governance, data privacy and security.
Community Highlights
Threat Hunting 101 Guide: Proactively Identify and Mitigate Threats
Dan Williams shares a comprehensive guide, "Threat Hunting 101", designed for cybersecurity professionals to proactively identify and mitigate threats within their networks. The guide covers essential tools and log data needed for effective threat hunting, even with limited resources. It provides step-by-step instructions for eight practical threat hunts to identify suspicious activities such as unusual software, behavior changes, and DNS abuse. The guide also includes real-world insights and tips from LogRhythm's expertise.
SOC Analysts Share Most Common False Positives on Reddit
A Reddit thread has SOC analysts discussing their most hated false positive alerts. One analyst says impossible travel detection rules are outdated now that corporate VPNs are common, causing people to "logically zip around the country." They replaced it with an alert for activity from new countries. Another mentions GuardDuty's "Recon:EC2/PortProbeUnprotectedPort" alert needing constant tuning by detection engineers. The thread highlights how SOCs must continually refine detections to reduce alert fatigue from benign behaviors.
Insider Threats: Accidental Data Exposure, Negligence, and Theft
A fun reddit thread about worse cases of insider threats. A new employee at a company did a public Facebook Live broadcast walkthrough of a secure office, exposing physical security features, client names, and sensitive information. A network consultant put 100 network device configs with passwords for financial institutions on a public indexed website. Other incidents include fraud, embezzlement, contractors stealing equipment, and a loaded weapon found in an employee's desk.
Tools
Today we will be covering the classics!
Kali
Debian-based Linux distribution designed for digital forensics and penetration testing.
Metasploit
Advanced open-source framework for developing, testing, and using exploit code.
NMAP
Classic network scanner for network discovery and security auditing.
If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!
Have questions, comments, or more detailed feedback? Let me know on LinkedIn, X, or fill-out the form.
Best,
Nikoloz