Happy week 24!
In this issue, I'm covering the latest phishing attacks targeting GitHub accounts, a critical Microsoft vulnerability that requires urgent patching, and insights on securing cloud and AI systems as well as improving CISO-executive collaboration through outcome-driven metrics.
Industry News
Microsoft Patches Critical MSMQ Bug Among 49 Flaws in June Update
Microsoft has fixed 49 vulnerabilities in its June Patch Tuesday update, including a critical RCE bug (CVE-2024-30080, CVSS 9.8) in Microsoft Message Queuing (MSMQ) that could allow attackers to take over servers by sending a malicious packet. The bug affects all Windows versions from Server 2008 and Windows 10 onward. Security researchers expect to see this flaw included in exploit frameworks soon, so prompt patching is crucial.
GitHub Accounts Hijacked in Ongoing Phishing and Extortion Campaign
Threat actors are impersonating GitHub’s security and recruitment teams in an ongoing phishing campaign that hijacks repositories using malicious OAuth apps, according to CronUp security researcher Germán Fernández. Victims are targeted via fake job offers or security alert emails after being tagged in spam comments, redirecting them to phishing sites requesting authorization of malicious OAuth apps with extensive permissions. Many victims report having their accounts disabled and losing access to all repos, with the attackers wiping repository contents and demanding contact on Telegram to recover the data. GitHub staff advise users to report suspicious activity, avoid authorizing unknown OAuth apps, and periodically review authorized apps to protect their accounts.
Chinese Hackers Exploit Fortinet VPN Vulnerability to Deploy CoatHanger Malware
Netherlands government officials reported that Chinese state hackers gained access to over 20,000 Fortinet VPN appliances by exploiting a critical heap-based buffer overflow vulnerability (CVE-2022-42475, CVSS 9.8). Fortinet silently patched the flaw in November 2022 but only disclosed it two weeks later. The hackers targeted government agencies, international organizations, and defense industry companies, installing a custom-made malware called CoatHanger designed for the FortiOS operating system. The malware can persist through reboots and updates while evading traditional detection measures.
Linux Malware ‘DISGOMOJI’ Uses Emojis for C2 in Attacks on Indian Government
Volexity discovered a new Linux malware dubbed ‘DISGOMOJI’ that uses emojis for command and control (C2) in attacks targeting government agencies in India. The malware is linked to a Pakistan-based threat actor known as ‘UTA0137’ and allows attackers to execute commands, take screenshots, steal files, and deploy additional payloads. DISGOMOJI’s use of Discord and emojis for C2 helps it evade detection by security software looking for text-based commands.
Researchers Trojanize Popular VSCode Theme, Infect Over 100 Orgs
Amit Assaraf, Itay Kruk, and Idan Dardikman created a malicious extension that typosquats the popular ‘Dracula Official’ VSCode theme, which has over 7 million installs. By registering the domain ‘darculatheme.com’, the researchers became verified publishers on the VSCode Marketplace, adding credibility to the fake extension. The experiment highlights security gaps in the VSCode Marketplace, which have previously allowed extension and publisher impersonation, as well as extensions that steal developer authentication tokens.
AI & Security
Apple Introduces Private Cloud Compute for Secure AI Processing
Apple’s Security Engineering and Architecture (SEAR) team announced Private Cloud Compute (PCC), a new cloud intelligence system for private AI processing. PCC extends the security and privacy of Apple devices into the cloud, ensuring personal user data sent to PCC isn’t accessible to anyone other than the user, not even Apple. PCC is built with custom Apple silicon and a hardened operating system designed for privacy.
OpenAI Shares High-Level Details on Research Supercomputer Security Architecture
OpenAI operates some of the largest AI training supercomputers, enabling industry-leading model capabilities and safety. To achieve their mission safely, they prioritize securing these systems, including measures to protect sensitive model weights within a secure environment. The research infrastructure, built on Azure and utilizing Kubernetes, must support protecting model weights, algorithmic secrets and other assets while giving researchers sufficient access.
Global AI in Cybersecurity Market Projected to Reach $114.30 Billion by 2031
SkyQuest projects the global AI in cybersecurity market will reach $114.30 billion by 2031, growing at a CAGR of 22.53% from 2024-2031. The increasing use of real-time threat detection systems is driving demand for AI in cybersecurity. Organizations are realizing the need for proactive threat detection and response due to the growing complexity and frequency of cyberattacks. Service offerings like automated threat detection, real-time response, and predictive analytics are dominating the market due to their effectiveness in mitigating sophisticated cyber threats.
Leadership Insights
Amazon CISO Amy Herzog on Collaborating with Product and DevOps Teams for Cybersecurity
Amy Herzog, one of several CISOs at Amazon, is responsible for securing hardware devices and advertising products and services. Herzog describes how Amazon takes a “working backwards” approach, starting with customer needs and involving security specialists early in the product development process to collaborate with design and product teams. This avoids last-minute security reviews and fosters a positive feedback loop, producing better results faster.
CIO and CISO Collaboration Crucial for Organizational Resilience
Robert Grazioli, CIO at Ivanti, says effective cybersecurity is non-negotiable in today’s complex threat landscape. Despite increased spending on risk management and cybersecurity, companies face challenges managing their attack surface due to staffing shortages and uncertain economic conditions. Grazioli argues it’s time to break down silos between IT and security by fostering alignment between the CIO and CISO roles, which have historically had distinct and sometimes contradictory objectives.
Outcome-Driven Metrics Bridge Communication Gap Between CISOs and Boardrooms
Richard Starnes discusses how the rise in cyberattacks has created a communication gap between CISOs and executives. Traditional security metrics often fail to provide a clear picture of the effectiveness of cybersecurity investments. Outcome-driven metrics (ODMs) offer a solution by shifting focus from activity-based metrics to measuring actual protection levels achieved. ODMs help align security with business objectives and risk appetite, fostering better communication and resource allocation.
Career Development
Cybersecurity Professional Progresses Career Without Certifications
A Reddit user shares their experience progressing in the cybersecurity industry over 5 years without any certifications. They started in an entry-level SOC analyst role monitoring alerts, then moved into a tuning-focused role dealing with false positives and SIEM projects. Now they are getting offers for full SOC L2 positions. The user questions whether their hands-on experience has weighed more heavily than certifications, or if they have just been lucky in their career journey so far.
Career Ceiling for Cybersecurity Individual Contributors Without Management Path
A Reddit thread explores the career progression options for cybersecurity professionals who prefer to remain as individual contributors rather than transitioning into management roles. Responses suggest that while there are senior, staff, and principal engineer positions available for software engineers, the equivalent path for cybersecurity is less clearly defined. Some suggest that security architect roles may be the closest parallel, while others point out that the ceiling and opportunities vary greatly depending on the organization and industry. The discussion highlights the need for clearer career progression frameworks and recognition for high-level technical expertise within the cybersecurity field.
First Steps for New Security Leaders: Risk Assessment, Compliance Gap Analysis, Building Trust
A recent discussion thread explores what security leaders should prioritize when starting in a new role. Commenters suggest beginning with a thorough risk assessment and business impact analysis to understand the organization’s current security posture. Choosing a security framework and evaluating the company’s level of compliance is also recommended. Building trust and relationships with key stakeholders from the outset is seen as critical for the success of any new security initiatives. The overall advice is to first assess where things stand before developing a roadmap to address gaps and strengthen the security program.
Supply Chain
CrowdStrike-AWS Partnership Yields Mutual Benefits and Massive Growth
Cole Gromus shares insights on the strategic brilliance of the CrowdStrike-AWS partnership. CrowdStrike, a long-time AWS customer potentially spending over $10M annually, leveraged this relationship to establish a strong partnership. By selling products on the AWS Marketplace since 2017, CrowdStrike became the first cybersecurity partner to hit $1 billion in sales. Remarkably, Amazon is now an eight-figure customer of CrowdStrike, fueling their growth towards $10 billion ARR. This symbiotic partnership allows CrowdStrike to scale while providing AWS with a robust security narrative.
Fortinet to Acquire Cloud Security Unicorn Lacework
Fortinet announced plans to acquire cloud security startup Lacework for an undisclosed amount. Lacework, founded in 2015 and valued at over $1 billion, raised $1.9 billion from investors like Google Ventures. The acquisition will modernize Fortinet’s cloud security offerings by integrating Lacework’s CNAPP product into Fortinet’s Unified SASE solution, allowing customers to identify and remediate risks in cloud-native infrastructures. Fortinet will ensure a smooth transition for Lacework’s 1,000 customers and partners.
Seven AI Raises $36M to Equip Companies with AI-Powered Cybersecurity
Seven AI, co-founded by Yonatan Striem Amit and Lior Div, raised $36 million led by Greylock to develop AI-based software that autonomously hunts for cyber threats. The company, valued at over $100 million, is testing its system with early corporate users to perform actions like verifying user identities and removing threats. The NSA recently highlighted the security challenges of AI systems and the need to harden defenses as AI is increasingly integrated into business operations.
Community Highlights
Detecting AiTM Phishing Sites with Fuzzy Hashing
Obsidian Security detects phishing kits or Phishing-as-a-Service (PhaaS) websites for customers by analyzing fuzzy hashes of visited website content. EvilProxy/Tycoon is an Adversary-in-the-Middle (AiTM) phishing kit that steals credentials and session cookies in real-time, often protected by Cloudflare’s bot/scraping protection. Computing a fuzzy hash for the DOM after JavaScript obfuscation is unwound proves useful for detecting similar EvilProxy/Tycoon sites. The same fuzzy hashing technique can catch users visiting phishing sites created by a popular APT group targeting different companies.
Hermes: Swift-Based Tool for Red Teaming macOS Environments
Justin Bui introduces Hermes, a tool developed in Swift for testing and exploiting the security of macOS systems. The talk covers the development process, functionality, and practical applications of Hermes in red teaming scenarios. Bui provides insights into how this tool can be used to improve security assessments and enhance defense strategies for macOS platforms.
OTP Bots: Automating Social Engineering to Bypass 2FA
Scammers are increasingly using OTP bots to bypass two-factor authentication (2FA) by manipulating victims into sharing one-time passwords (OTPs) via social engineering. The bots automate the process of calling victims, following pre-configured scripts to impersonate legitimate organizations like banks, payment systems, or cloud services. Attackers manage the bots through browser-based panels or Telegram, customizing the calls with victim details and using features like voice selection and phone number spoofing to increase credibility. Once the victim shares the OTP, the attacker gains access to their account.
Tools
Vshadow
A command line utility for managing volume shadow copies with capabilities for evasion, persistence, and file.
StreamAlert
Serverless, real-time data analysis framework for incident detection and response.
AWS Auto Remediate
Open source application to instantly remediate common security issues through the use of AWS Config.
If you found this newsletter useful, I'd really appreciate it if you could forward it to your friends and share your feedback below!
Have questions, comments, or more detailed feedback? Let me know on LinkedIn, X, or fill out the form.
Best,
Nikoloz