Brief #60: Blast-RADIUS Flaw, AI Disinformation Tool, CISO Lawsuits, Interview Tips

Happy week 28!

This week we're covering the Blast-RADIUS vulnerability affecting RADIUS protocol implementations, the use of AI-powered tools in disinformation campaigns, legal challenges facing cybersecurity leaders, interview tips for job seekers, a positive trend in cybersecurity funding, and a new open-source intelligence tool for malware analysis.

Blast-RADIUS Attack Allows MITM to Forge RADIUS Accept Messages

Sharon Goldberg discovered the Blast-RADIUS vulnerability in the RADIUS protocol, which could allow a man-in-the-middle attacker to forge a valid protocol accept message in response to a failed authentication request, potentially granting access to network devices and services without guessing or brute-forcing passwords.
The vulnerability affects all RADIUS implementations using non-EAP authentication methods over UDP, impacting a wide range of applications such as enterprise networks, VPNs, ISPs, Wi-Fi authentication, cellular roaming, and critical infrastructure.
Short-term mitigation involves mandating clients and servers to send and require Message-Authenticator attributes for all requests and responses, while the long-term solution is to use RADIUS inside an encrypted and authenticated channel like (D)TLS.

AT&T Confirms Data Breach Affecting Nearly All Customers

AT&T confirmed a data breach that allowed cybercriminals to steal phone records of "nearly all" its customers, including cellular and landline customers, as well as those of other carriers using AT&T's network.
The stolen data includes phone numbers, call and text message records, and approximate location information from May 1, 2022 to October 31, 2022, affecting around 110 million customers, but does not contain the content of calls or texts.
The breach is linked to recent data thefts targeting Snowflake's customers, and AT&T is working with law enforcement, with at least one person apprehended, marking the second security incident disclosed by the company this year.

Akira Ransomware Group Exfiltrates Airline Data in Just 2 Hours

BlackBerry Threat Research and Intelligence Team reports that the Akira ransomware group, likely Storm-1567, gained initial access to a Latin American airline's network via an unpatched Veeam backup server and exfiltrated data within 133 minutes.
The threat actor created a user named "backup", added themselves to the Administrator group, installed legitimate tools like Advanced IP Scanner and WinSCP, and exfiltrated data before deploying the Akira ransomware the next day.
The shrinking time-to-exfiltration, down to under 24 hours in 45% of cases this year according to Palo Alto Networks, highlights the need for robust security architecture, zero-trust framework, and basic practices like perimeter patching and port access restrictions.

Chinese State-Sponsored Hacker Group APT40 Actively Targeting Global Networks

Multiple international cybersecurity agencies, including the US CISA and the UK NCSC, have issued a joint advisory warning about a Chinese state-sponsored hacker group — APT40 — actively targeting global networks.
The advisory highlights APT40's ability to quickly exploit newly discovered vulnerabilities in widely used software such as Log4J, Atlassian Confluence and Microsoft Exchange within hours or days of public release.
APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability.

Hijacking GitHub Runners to Compromise Organizations

Hugo Vincent from Synacktiv explains how they compromised a GitHub app with permissions to register self-hosted runners at the organization level, allowing them to register a runner with the ubuntu-latest tag and gain access to jobs meant for GitHub-provisioned runners.
By exploiting a workflow vulnerability that used attacker-controlled data from the GitHub context without proper validation, they obtained a registration token for the whole organization, enabling them to register a malicious self-hosted runner.
Using a custom tool called gh-hijack-runner.py, they set up a proxy between the self-hosted runner and GitHub to reverse engineer the registration process and fetch jobs, successfully leaking all CI/CD secrets from the target repositories without needing to bypass branch protections.

Russian Threat Actors Used AI-Powered Meliorator Tool for Disinformation Campaigns

A joint advisory from US government agencies reveals that Russian threat actors affiliated with RT, a Russian government-backed media organization, used the AI-enabled Meliorator software to create fake online personas for spreading disinformation targeting multiple countries.
Meliorator consists of an administrator panel named Brigadir and a seeding tool named Taras, which allowed threat actors to create and control bots based on specific parameters or archetypes and automate actions on behalf of bot groups.
As of June 2024, RT had used Meliorator, which was only compatible with X, to create 968 accounts for their influence operations, and the US seized two domain names used by private email servers to register these fake social media accounts.

Securing AI Systems: Challenges and Strategies with Dmitrijs Trizna

Dmitrijs Trizna, a Security Researcher at Microsoft, discusses the complex landscape of securing AI systems, focusing on the emerging challenges of Trustworthy AI.
Trizna explores how threat actors exploit vulnerabilities through techniques like backdoor poisoning, using gradual benign inputs to deceive AI models.
He highlights the multidisciplinary approach required for effective AI security, combining AI expertise with rigorous security practices, and shares insights from his recent presentation at Blue Hat India.

Real-World AI Definitions Provide Practical Framework for Discussion

Daniel Miessler provides his own set of real-world AI definitions designed to be usable in everyday discussion. The definitions focus on the practical implications of AI rather than technical specifics.
Key terms defined include AI, Machine Learning, Prompt Engineering, Retrieval Augmented Generation (RAG), AI Agents, Chain-of-Thought, Prompt Injection, Jailbreaking, Artificial General Intelligence (AGI), and Artificial Super-Intelligence (ASI).
Miessler proposes a 5-level framework for AGI based on an AI system's ability to replace an average $80K/year knowledge worker, ranging from "Better, But With Significant Drawbacks" to "Pinnacle Human Employee". He also outlines 3 levels of ASI - Superior, Dominant and Godlike - based on an AI's capability to surpass human intelligence and manipulate reality.

Cybersecurity Leaders Increasingly Targeted in Breach Lawsuits

Joe Sullivan, former Uber CSO, is defending himself in court for mishandling a 2016 data breach, despite his extensive cybersecurity and legal background.
The US government is shifting responsibility for cybersecurity to larger corporations, using enforcement actions to create precedents and deter poor security practices.
Experts warn that targeting CISOs may deter experienced professionals from taking on the role, leading to a degradation in the quality of cybersecurity defenders.

Cybersecurity Strategies Evolve in 2024 Amid AI, Regulations, and Threats

LogRhythm's Andrew Hollister and Kevin Kirkwood discuss how 95% of organizations have adjusted their security strategy in 2024, driven by factors like AI, changing regulations, customer expectations, and evolving cyberthreats.
The use of AI in cybersecurity is prompting strategy changes in 65% of organizations, with AI being used to attack (via sophisticated threats), defend (enhancing SOC capabilities), and develop (prioritizing AI security and ethics).
78% believe breach responsibility lies with top leadership, reflecting a shift in accountability as cybersecurity is recognized as a critical business risk; aligning security with business objectives is crucial for success.

Transitioning to Zero-Trust Privileged Access Management

Gal Helemski, co-founder and CTO/CPO at PlainID, argues that the future of access security requires a transition to a zero-trust privileged access management (PAM) model, where each action is assessed in real-time against adaptive policies.
Implementing continuous authorization is crucial, using micro-authorizations, contextual awareness, and distributed and real-time enforcement of policies to provide multidimensional protection of managed enterprise resources.
Enhancing operational workflows with integrated security is vital, ensuring that security does not hinder operational agility but rather facilitates it by making security seamless and integral to daily tasks, ultimately streamlining access procedures and maintaining robust security protocols.

How to Fail a Cybersecurity Interview: Common Mistakes to Avoid

Stephen Semmelroth shares advice on why people fail cybersecurity interviews, including not conveying a deep understanding of the cyber domain, lacking passion through self-learning projects, and not aligning their application to the job description.
Other reasons for failure include poor audiovisuals and personal optics during virtual interviews, social faux pas, and insufficient due diligence about the company.
Preparation is key to avoiding mistakes and being successful in cybersecurity interviews, rather than just focusing on doing everything right.

Home Lab Setup Guide: Equipment, Design, and Benefits

0xBEN provides an overview of the benefits of running a home lab, including developing core IT skills in areas like virtualization, administration, engineering, cybersecurity, and more.
When designing a home lab, work within your constraints based on available space, noise tolerance, and network setup. Minimum recommended specs include dual NICs, 128-256GB SSD for OS, 1TB+ storage, quad-core CPU, and 64GB+ RAM motherboard.
Good options for lab equipment include small form factor PCs like Intel NUCs, mini PCs, laptops, towers, and rackmount servers. Use tools like LabGopher to find deals on eBay.

Building a Home Lab for Infosec with Ralph May

Ralph May from Antisyphon Training provides a comprehensive overview of how to build a home lab for infosec, covering key components like network, storage, and compute.
May discusses various options for each component, such as using a firewall like pfSense or OPNsense, choosing between local and NAS storage, and selecting compute hardware like AMD desktops, laptops, or servers.
The video also covers topics like virtualization/containers, automation, and infosec-specific applications like AD labs, IDS/IPS, HELK for logging, and leveraging cloud providers to augment the home lab setup cost-effectively.

Exein Secures €15M Series B to Expand Embedded IoT Security Globally

Exein, a Rome-based IoT cybersecurity company, has raised €15 million in a Series B round led by 33N, with participation from Partech and existing investors.
The funding will support Exein's expansion across Europe, the US, and Taiwan, including doubling its workforce and opening a new office in Taipei to drive growth in the APAC region.
Exein's innovative approach embeds AI-powered security directly into device software, creating a digital immune system that adapts and reacts proactively to threats, ensuring compliance with global regulations.

Cybersecurity Funding Rebounds in Q2 2024, Driven by Early-Stage Investments

Pinpoint Search Group's report reveals a 71% increase in cybersecurity funding in Q2 2024 compared to Q2 2023, with $3.3 billion raised across 120 transactions.
Early-stage rounds (seed and series A) accounted for 55% of funding rounds, indicating investor confidence in new vendors addressing current and future challenges like AI-powered threats.
While consolidation remains a consistent feature in the market, multiple vendors are still necessary to cover an enterprise's entire security environment, presenting opportunities for MSPs and MSSPs to serve SMB customers.

Security Operations Market Trends Show Growth and Innovation

Nick Schneider, president and CEO of Arctic Wolf Networks, discussed security operations market trends at RSA Conference 2024, noting that customers want fewer tools and vendors to manage, leading to industry consolidation.
Arctic Wolf's platform allows customers to consolidate vendors and choose best-of-breed products for specific cyber-use cases, while a managed service platform operates across all attack surfaces and outcomes.
The security operations market segment is underserved due to talent shortages and budget constraints, and Arctic Wolf addresses this by focusing on product market fit and go-to-market philosophy to meet the specific needs of upmarket customers.

BlueBox Malware Analysis Box and Cyber Threat Hunting

Open Source Intelligence solution for threat intelligence data enrichment and quick analysis of suspicious files or malware.

Kharon Project

Studying Android malware behaviors through Information Flow monitoring techniques.

Gatekeeper Library by Psecio

A simple drop-in library for managing users, permissions, and groups in your application.

Thank You

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions? Let me know in the comments or on LinkedIn and X.

Best,
Nikoloz