
Brief #58: ChamelGang APT, P2Pinfect Malware, TeamViewer Breach, CISO Role Evolution

China-backed APT uses ransomware as cover, P2Pinfect malware targets Redis servers, TeamViewer breached by alleged APT29, and CISOs face expanding responsibilities.

mandos brief week 26 of 2024

Happy week 26!

This week we're covering a China-backed APT group using ransomware as a smokescreen, Google's AI-powered vulnerability research project, the evolving responsibilities of CISOs, essential SOC interview preparation, a startup securing non-human identities, and a tool for detecting malicious SSL connections.


Mandos Brief - Industry News

China-Backed APT ChamelGang Using Ransomware to Disguise Cyberespionage

SentinelOne researchers report that the likely China-backed APT group ChamelGang has been using ransomware as a distraction from their cyberespionage operations for the past three years. Recent targets include critical infrastructure organizations in East Asia and India, such as an aviation organization and the All India Institute of Medical Sciences. The group deploys the CatB ransomware tool towards the end of their missions to destroy evidence of data theft. This tactic allows adversarial countries to claim plausible deniability by attributing the attacks to independent cybercriminals.


Novel P2Pinfect Malware Targets Redis Servers Using Rust and Multiple Evasion Techniques

Cado Security Labs researchers recently encountered a novel malware campaign named "P2Pinfect" targeting publicly accessible deployments of Redis data stores. The malware, written in Rust, acts as a botnet agent and includes an embedded Windows PE along with a Linux ELF executable. P2Pinfect attempts multiple Redis exploits for initial access, uses Rust for payload development to hinder analysis, conducts internet scanning for Redis and SSH servers, and self-replicates in a worm-like manner.


TeamViewer Breached by Alleged APT Group, Product Environment Unaffected

TeamViewer disclosed a cyberattack on their internal corporate IT environment on June 26, 2024. Security firms NCC Group and Health-ISAC allege the APT29 hacking group, linked to Russia's SVR, is behind the attack. TeamViewer states there is no evidence the breach affected the product environment or customer data, and investigations are ongoing. With over 640,000 customers and 2.5 billion installs, any TeamViewer breach is a significant concern due to the product's widespread use and potential for attackers to gain full access to internal networks.


Massive Supply Chain Attack Linked to Single Operator via Leaked Cloudflare Keys

Researchers have traced the recent supply chain attack affecting tens of millions of websites via Polyfill.io, BootCDN, Bootcss, and Staticfile CDNs to a single operator. Accidentally exposed Cloudflare API keys in a public GitHub repository allowed researchers to establish the common entity behind the CDN services. Evidence suggests the attack may have been ongoing since June 2023, with a primitive version of the injected malicious code circulating via BootCSS. The full scope of the impact is yet to be assessed as the threat actors could potentially deploy hoarded domains, turning the incident into a whack-a-mole situation.


New 'Poseidon' Mac Stealer Malware Distributed via Malicious Google Ads

Jérôme Segura reports that a new Mac stealer malware called 'Poseidon' is being distributed via malicious Google ads disguised as the Arc browser. The malware, previously tracked as OSX.RodStealer, is actively being developed as an Atomic Stealer competitor with added features like stealing VPN configurations. The threat actor Rodrigo4 rebranded the malware for better publicity. Clicking the malicious ad leads to a fake Arc download site delivering a malicious DMG installer. Malwarebytes for Mac detects this campaign and recommends using web protection to block malicious ads and websites.


Mandos Brief - AI & Security

Wiz Research discovered an easy-to-exploit Remote Code Execution vulnerability (CVE-2024-37032) in Ollama, a popular open-source project for running AI models. The vulnerability, dubbed "Probllama", allows attackers to overwrite files on the server via a Path Traversal exploit in the /api/pull endpoint when pulling models from untrusted registries. In Docker deployments, this can lead to RCE because the server runs with root privileges. Ollama lacks built-in authentication, exposing instances to attack if they are not protected by a reverse proxy. Upgrade to Ollama 0.1.34+ to mitigate.
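The two lookups below are an added illustration of the bug class the Wiz finding describes, not Ollama's own code: a digest taken from a registry manifest is used to build a file path, first without validation and then with a strict syntax check plus a containment check. The blob directory and the digest-to-filename mapping are assumptions made for the example.

```python
import os
import re

# Assumed layout for this illustration (not taken from Ollama's source): pulled
# layers are stored as files named after their digest under the models directory.
MODELS_DIR = "/root/.ollama/models"
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def blob_path_vulnerable(digest: str) -> str:
    """Pattern of the bug class: a registry-controlled digest goes straight into a path.

    A manifest from an untrusted registry can carry "../" segments in the digest,
    so the resulting path can point anywhere on the filesystem the server can write.
    """
    return os.path.join(MODELS_DIR, "blobs", digest.replace(":", "-"))


def blob_path_hardened(digest: str) -> str:
    """Same lookup with two independent checks: strict digest syntax, then containment."""
    if not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"rejected malformed digest {digest!r}")
    base = os.path.realpath(os.path.join(MODELS_DIR, "blobs"))
    path = os.path.realpath(os.path.join(base, digest.replace(":", "-")))
    # Defence in depth: even a syntactically valid name must resolve inside the store.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("blob path escapes the model store")
    return path


def escapes_store(path: str) -> bool:
    """True when a candidate blob path resolves outside MODELS_DIR/blobs."""
    base = os.path.normpath(os.path.join(MODELS_DIR, "blobs"))
    return os.path.commonpath([base, os.path.normpath(path)]) != base
```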


Google's Project Naptime Enables LLMs to Conduct Automated Vulnerability Research

Google researchers Sergei Glazunov and Mark Brand have developed Project Naptime, a framework that allows large language models (LLMs) to perform vulnerability research similar to human security experts. The architecture provides the AI agent with specialized tools to navigate codebases, run fuzzing scripts, observe program behavior, and monitor progress. Project Naptime outperformed GPT-4 Turbo in identifying buffer overflow and memory corruption flaws according to the CYBERSECEVAL 2 benchmarks. The researchers state that this approach enhances the agent's ability to accurately identify and analyze vulnerabilities in a reproducible manner.


Mozilla Launches 0Din Bug Bounty Program for GenAI Security

Mozilla believes that securing GenAI technologies is a shared responsibility too complex for a single entity to handle alone. To address emerging risks of malicious use, Mozilla is investing in the next generation of GenAI security with the 0Day Investigative Network (0Din), a bug bounty program focused on identifying and fixing vulnerabilities in large language models (LLMs) and other deep learning technologies beyond just the application layer. 0Din aims to help researchers contribute to developing new security frameworks and best practices for GenAI, shaping the future of secure AI technologies.


Mandos Brief - Leadership Insights

CISOs' Expanding Role: Balancing Technical and Business Risks

Jon Oltsik, analyst at Enterprise Strategy Group, discusses the growing responsibilities of CISOs beyond just technical aspects, including working with executives, regulators, and CFOs on budgeting and translating cyber risks to the business. Chirag Joshi, CISO and founder of 7 Rules Cyber consultancy, suggests separating operational and risk responsibilities for improved risk management. However, this separation could lead to accountability challenges and potential friction points around budgets and application maintenance decisions.


CSOs Can Lose Jobs Due to Overconfidence, Complexity, and Complacency

Steve Tcherchian from XYPRO.com says overconfidence in unproven security solutions creates gaps and a false sense of security. Richard Watson from EY notes promoting runaway complexity adds cost and weakens defenses. Scott Hawk from Velaspan warns that shortchanging GRC can lead to overspending and misalignment with the business. Richard Caralli from Axio emphasizes the importance of aligning cybersecurity with enterprise objectives. Complacency and believing everything is under control is the biggest career-crippling mistake according to Howard Taylor from Radware.


The Evolving Role of the CISO: Navigating Regulatory Challenges and Liability Risks

Jennifer Leggio discusses how the role of the CISO has evolved to encompass a myriad of challenges, from stringent regulatory requirements to heightened legal liabilities stemming from data breaches and compliance complexities. Robert Hansen emphasizes the importance of CISOs staying on top of the constantly changing regulatory landscape and suggests seeking legal protection and insurance to mitigate risks. Kayla Williams highlights the limited authority CISOs often have over crucial business decisions impacting cybersecurity investments and strategies, despite being held accountable for protecting the business and customer data.


Mandos Brief - Career Development

SOC Interview Questions Cover Security Analysis, Incident Response, and Key Cybersecurity Concepts

LetsDefend shares a list of topics that may be covered in a SOC interview, including questions for Security Analyst and Incident Responder roles. The article recommends understanding the specific role requirements, researching the hiring company's SOC structure, and being prepared to discuss salary expectations. Key technical topics to review include: network and operating system fundamentals, malware analysis, and how to detect and remediate specific attacks like golden ticket or phishing.


GRC Analyst Interview Tips: Focus on Fit Over Technical Skills

Gerald Auger and Erika McDuffie discuss what to expect in an entry-level GRC analyst interview. The role involves interfacing with the business to communicate information security needs. Interviews will likely focus more on behavioral and scenario-based questions to assess fit rather than deep technical skills. Tips include taking a breath before answering, asking clarifying questions, and showing passion for the field and ability to learn. Transferable skills and willingness to learn are key to demonstrating your value to the company.


Josh Madakor Releases Cyber Security Interview Questions and Practice Exams

Josh Madakor has published a series of videos covering common cyber security interview questions and answers. The videos discuss key topics like encryption, authentication, the CIA triad, incident response, phishing, SQL injection, and more. Madakor also provides an ultimate guide for getting into cybersecurity with no experience. Additionally, he has released a set of 1500+ practice questions for the new Security+ (SY0-701) certification exam, top 50 interview questions for FAANG cyber security engineer roles, and 1000+ free practice questions for the CompTIA CySA+ certification.


Mandos Brief - Market Analysis

Entro Security Raises $18M to Secure Non-Human Identities and Secrets

Cybersecurity startup Entro Security Ltd. announced it has raised $18 million led by Dell Technologies Capital to scale up its global operations. Entro's platform allows organizations to securely use non-human identities (NHIs) and secrets, oversee their usage, and automate their lifecycle. The rapid pace of cloud and SaaS adoption has led to the proliferation of unmanaged NHIs like API keys, tokens, and certificates, creating vulnerabilities for high-profile attacks. Entro's platform continuously monitors and protects secrets, cloud services, and data access across vaults, source code, collaboration tools, cloud environments, and SaaS platforms.


PortSwigger Raises €104.7M to Accelerate Growth and Innovation in Application Security

PortSwigger, founded by renowned application security expert Dafydd Stuttard, has raised €104.7 million from Brighton Park Capital. The investment will fuel product development, expand research and community initiatives, and strengthen PortSwigger's international presence. PortSwigger's flagship products, Burp Suite Professional and Burp Suite Enterprise, serve nearly 20,000 customers, including Microsoft, Amazon, FedEx, and Salesforce. The company also provides free tools and resources through its "Web Security Academy," benefiting millions worldwide.


Odaseva Raises $54M to Encrypt and Back Up Salesforce Data

Odaseva, a startup that helps enterprises encrypt and back up Salesforce data, has raised $54 million in a Series D round led by Silver Lake Waterman. The company's platform uses five-layer encryption to secure sensitive customer information stored in Salesforce. Odaseva also provides tools for backup and restore, data archiving, and regulatory compliance. The funding will be used to accelerate growth into new markets and expand the platform's features.


Mandos Brief - Community Highlights

SSH Honeypot Reveals 11,599 Login Attempts in 30 Days

Sofiane Hamlaoui ran an SSH honeypot for 30 days on Ubuntu 24.04 LTS, recording an average of 386 login attempts per day. The most commonly targeted usernames were "root", "345gs5662d34" (default for Polycom CX600 IP phones), and "admin". Popular passwords included "345gs5662d34", "3245gs5662d34", "admin", and "123456". Analysis of executed commands revealed attempts to deploy the mdrfckr crypto miner, MIPS malware targeting routers and IoT devices, and the Gafgyt/BASHLITE botnet malware.


Atomic Stealer: Notorious macOS Infostealer Malware Analyzed by SpyCloud Labs

James from SpyCloud Labs reverse-engineered the Atomic Stealer macOS malware to understand its current stealing capabilities. Atomic Stealer is a Malware-as-a-Service that exfiltrates data from browsers, crypto wallets, Telegram, Apple Notes and more on victim machines. It uses the osascript utility extensively to automate theft of passwords and files and to drive its core functionality. A concerning feature is Atomic Stealer's ability to install a backdoored version of the Ledger Live crypto wallet app if that app is detected on the system.


Demystifying Threat Detection Engineering Interviews

Julie Agnes Sparks shares her experience interviewing for multiple Detection & Response roles after being affected by layoffs. The typical interview process includes a recruiter call, hiring manager screen, technical code screen, and a virtual "on-site" with 3-5 additional interviews covering topics like detection engineering, incident response, threat modeling, security fundamentals, values, and communication. To prepare, practice coding related to working with JSON, interacting with files, and manipulating data structures. For detection engineering, be familiar with concepts like the Detection Development Lifecycle (DDLC), MITRE ATT&CK, and the Pyramid of Pain. For incident response, be prepared to discuss complex incidents in detail. Remember to also interview the company to assess fit.


Mandos Brief - Cybersecurity Tools

SSLBL - SSL Blacklist

A project that detects malicious SSL connections by identifying and blacklisting SSL certificates used by botnet C&C servers, and by identifying JA3 fingerprints that can be used to detect and block malware botnet C&C communication.
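To show what a JA3 fingerprint actually is, here is an added example (not SSLBL's code) that parses a TLS ClientHello, builds the JA3 string from its version, cipher suites, extensions, supported groups and point formats with GREASE values dropped, and hashes it with MD5; the resulting hash is what you would compare against a JA3 blocklist such as SSLBL's. The ClientHello is constructed inline rather than captured, and the parser assumes the hello carries an extensions block.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 GREASE values, excluded from JA3


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello with extensions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                   # past record header (5) and handshake header (4)
    version = struct.unpack_from(">H", record, p)[0]
    p += 2 + 32                             # version, then the 32-byte client random
    p += 1 + record[p]                      # session id (length-prefixed)
    cs_len = struct.unpack_from(">H", record, p)[0]
    p += 2
    ciphers = [c for c in struct.unpack(f">{cs_len // 2}H", record[p:p + cs_len]) if c not in GREASE]
    p += cs_len
    p += 1 + record[p]                      # compression methods (length-prefixed)
    ext_types, curves, formats = [], [], []
    end = p + 2 + struct.unpack_from(">H", record, p)[0]
    p += 2
    while p < end:
        etype, elen = struct.unpack_from(">HH", record, p)
        data = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 10:                     # supported_groups (elliptic curves)
            n = struct.unpack_from(">H", data)[0]
            curves = [g for g in struct.unpack(f">{n // 2}H", data[2:2 + n]) if g not in GREASE]
        elif etype == 11:                   # ec_point_formats
            formats = list(data[1:1 + data[0]])
    fields = [str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, ext_types, curves, formats)]
    ja3 = ",".join(fields)
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello (not a capture) with GREASE values to exercise the filter."""
    ciphers = [0x2A2A, 0x1301, 0xC02B, 0xC02F, 0x009C]          # first one is GREASE
    groups = struct.pack(">4H", 0x1A1A, 0x001D, 0x0017, 0x0018)  # GREASE, x25519, P-256, P-384
    exts = struct.pack(">HH", 0x0A0A, 0)                          # GREASE extension, ignored
    exts += struct.pack(">HHH", 10, len(groups) + 2, len(groups)) + groups
    exts += struct.pack(">HH", 11, 2) + b"\x01\x00"               # point format: uncompressed
    exts += struct.pack(">HH", 23, 0)                             # extended_master_secret
    body = struct.pack(">H", 0x0303) + bytes(32) + b"\x00"        # version, random, no session id
    body += struct.pack(f">H{len(ciphers)}H", len(ciphers) * 2, *ciphers) + b"\x01\x00"
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```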


DeHashed

A data-mining and deep web asset search engine for breach analysis and prevention services.


DroidBox

DroidBox is a tool for dynamic analysis of Android applications, providing insights into package behavior and security.

Thank You

If you found this newsletter useful, I'd really appreciate it if you could forward it to your friends and share your feedback below!

Have questions? Let me know in the comments or on LinkedIn and X.

Best, 
Nikoloz
