Before you start your Monday, catch up on the latest in cybersecurity!
This week, we dive into a startling case of a North Korean operative infiltrating a major security firm, explore the evolving challenges faced by CISOs in light of new regulations, and examine the implications of Google's failed bid to acquire Wiz. We also look at practical tips for setting up secure cybersecurity labs and highlight new tools to enhance your security posture.
North Korean Operative Infiltrates KnowBe4 as Fake Software Engineer
- KnowBe4, a security awareness training firm, revealed that a North Korean operative posing as a software engineer bypassed their hiring background checks and attempted to plant malware on a company workstation within the first 25 minutes of employment.
- The attacker, whose identity was an AI deepfake, used a Raspberry Pi to download malware, manipulate session history files, and execute unauthorized software before being detected and contained by KnowBe4's security team.
- KnowBe4 CEO Stu Sjouwerman warned that this incident is one of hundreds of cases where North Korean nation-state operatives pose as IT workers to infiltrate US companies, demonstrating a high level of sophistication in creating believable cover identities and exploiting weaknesses in hiring processes.
Critical UEFI Firmware Flaw Affects Hundreds of Devices from 10 Vendors
- Binarly Research Team discovered that 813 UEFI products from 10 vendors, including Acer, Dell, HP, and Lenovo, use an untrusted "master key" generated by American Megatrends International (AMI), making them susceptible to PKfail, a critical firmware supply-chain issue.
- Exploiting PKfail allows attackers to bypass Secure Boot and deploy UEFI malware like CosmicStrand and BlackLotus by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).
- To mitigate PKfail, vendors should generate and manage the Platform Key using cryptographic key management best practices and replace any test keys with securely generated ones, while users should apply firmware updates addressing the issue as soon as possible and use the pk.fail website to scan for vulnerable devices.
Zero-Day Exploit Targets Telegram for Android, Patched in July
- ESET researchers discovered a zero-day exploit targeting Telegram for Android, which was advertised for sale on an underground forum on June 6th, 2024. The vulnerability, named EvilVideo, allowed attackers to send malicious Android payloads disguised as multimedia files.
- ESET reported the vulnerability to Telegram on June 26th, 2024, and Telegram released an update fixing the issue on July 11th, 2024 in versions 10.14.5 and above. The exploit only worked on Telegram for Android versions 10.14.4 and older.
- Further investigation revealed that the threat actor behind the exploit has also advertised a fully undetectable (FUD) Android cryptor-as-a-service on the same underground forum since January 11th, 2024.
Spytech Software Breached, Exposing Stalkerware Activities and Targeted Devices
- Spytech Software, a Minnesota-based company producing monitoring software like SpyAgent, has been breached by unknown hackers, exposing its activities and targeted devices.
- The exfiltrated data includes logs from over 10,000 remotely controlled devices, mostly Windows-based PCs and Android phones, with the earliest records dating back to 2013.
- The unencrypted activity logs and location data provide a clear picture of the compromised devices' whereabouts, with most mobile devices located in Europe and the US.
Grant Thornton Australia Innovates BitLocker Recovery After CrowdStrike Debacle
- Rob Woltz, a senior systems engineer at Grant Thornton Australia, recalled that barcode scanners are treated like keyboards during PC boot, which helped streamline the recovery process after CrowdStrike's faulty software caused widespread BSODs.
- The firm prioritized server recovery manually, but the large number of affected PCs required an automated solution that avoided distributing or verbally sharing 48-character BitLocker keys.
- Woltz and his team created a script that generated barcodes from the BitLocker keys, displayed them on a secure server's desktop, and used off-the-shelf barcode scanners to input the keys during the boot process, fixing all PCs by lunchtime on Monday.
SAPwned: Vulnerabilities in SAP AI Core Expose Customer Data and Cloud Credentials
- Wiz Research discovered vulnerabilities in SAP AI Core that allowed attackers to move laterally, take over the service, and access customers' private files and cloud credentials for AWS, Azure, SAP HANA Cloud, and more.
- The vulnerabilities allowed researchers to read and modify Docker images on SAP's internal container registry and Google Container Registry, modify artifacts on SAP's internal Artifactory server, and gain cluster administrator privileges on SAP AI Core's Kubernetes cluster.
- The root cause was the ability for attackers to run malicious AI models and training procedures, which are essentially code, highlighting the need for improved isolation and sandboxing standards when running AI models in the industry.
Addepar Introduces RedFlag: AI-Powered Tool for Efficient Security Testing
- Addepar, a financial technology company, has developed RedFlag, an AI-powered tool that leverages Anthropic's Claude v3 model via Amazon Bedrock to revolutionize their approach to security scoping and manual testing of their core product, the Addepar Platform.
- RedFlag analyzes each Pull Request (PR) in a Release Candidate (RC), enriches it with related Jira ticket information, and determines if it warrants a manual security review, enabling the Offensive Security team to scope an entire Platform RC with hundreds of PRs and determine what needs to be tested in just 10 minutes.
- The tool has already proven effective, reducing the number of PRs needing review per RC from an average of 400 to fewer than 100, and identifying six high severity issues that were fully remediated before the release was deployed, all at an average cost of $0.02 per commit review using the Claude v3 Sonnet model.
Rabbit Issues Security Advisory for AI Assistant r1
- Rabbit, the manufacturer of the AI assistant r1, has issued a security advisory about a potential security risk when a user loses or sells their device, which could allow access to sensitive data like chats and photos through jailbreaking.
- Rabbit has implemented measures such as a factory reset option, reducing logged data, and restricting access to the user's Rabbithole journal section to mitigate the risk.
- The r1 is an AI-powered gadget that can manage apps, answer questions, and perform various tasks using a Large Action Model (LAM) to translate voice commands, with more features promised in the future.
CISOs Face Challenges with New Cybersecurity Regulations and Evolving Role
- Onyxia Cyber reports that the CISO role has changed dramatically in recent years, with a greater emphasis on security strategy and quantifying and mitigating business risk, but 67% of CISOs feel unprepared for new compliance regulations like the SEC's cybersecurity disclosure rules and DORA.
- 56% of CISOs admit discomfort with their current incident response strategies, and 67% report difficulties in effectively persuading the C-suite of their security strategies and securing buy-in for their initiatives.
- Despite 84% of CISOs currently measuring the effectiveness and performance of their security programs with manual methods, 97% believe AI can enhance risk management, such as identifying gaps in security stack coverage and automating business-level risk reporting.
CISO Role Evolves, Requiring Blend of Diverse Skills and Experiences
- Hearst CIO Atefeh "Atti" Riazi says the CISO position requires someone "somewhere between Mother Teresa and a kamikaze pilot".
- The CISO's internal role involves running IT security and making cybersecurity decisions, while the external role includes persuading LOB executives, explaining policies to customers, and interacting with senior executives and the board.
- Ideal CISO candidates must have mastery of cybersecurity, magnificent persuasive and communication skills, deep understanding of the business, and the ability to simplify complex concepts for the board.
Enhancing Application Security Crucial as Threat Landscape Evolves
- Sandeep Johri, CEO at Checkmarx, emphasizes the critical need to enhance application security to minimize security gaps while integrating AppSec into every aspect of the development process.
- Research found that 89% of organizations have suffered breaches in the last year due to vulnerabilities in their own software, with 60% of these vulnerabilities emerging during the coding, building, or testing stages.
- To effectively communicate the importance of AppSec, CISOs should regularly present key metrics to the board, such as the Security Risk scoring of each application and the number of critical vulnerabilities in production.
Secure Cybersecurity Lab Setup: Isolation, Virtualization, and XDR
- The InfoSec Guy shares his journey of building a secure and isolated cybersecurity research lab separate from his home network using VLANs, access ports, trunk ports, PVID, and tagged/untagged ports.
- He sets up the lab using Proxmox for virtualization, configuring storage for VMs and backups, and establishing LAN (vmbr1) and WAN (vmbr0) interfaces for network connectivity.
- The lab includes Active Directory integration, ELK stack and Fleet Server for SIEM, and Wazuh XDR for threat prevention, detection, and response across the lab environment.
Building a Home Lab for Offensive Security & Security Research
- The article by Lesley Carhart provides guidance on building a home lab for practicing penetration testing, application security research, and red teaming.
- Key considerations for the lab include hardware (cloud, laptop/desktop, or dedicated), networking (isolated network), operating systems (Windows servers/clients, Linux), applications (Windows domain, web apps, databases), and security software (IDS, AV, log aggregation).
- The author shares her personal lab setup, which includes an AMD-based desktop, managed switch for VLANs, Raspberry Pis, Debian host OS with KVM virtualization, and pfSense virtual router/firewall.
Cybersecurity Layoffs Leave Professionals Struggling to Find New Opportunities
- Tony Bradley, a seasoned cybersecurity marketing director, was blindsided when he was recently laid off, leading to emotional and financial challenges as he searches for a new role.
- The cybersecurity sector has seen significant layoffs in 2023, with 366 tech companies laying off 107,370 employees according to layoffs.fyi, leaving many professionals scrambling for new opportunities.
- Experts suggest that the job search process is fundamentally broken, with inaccurate job descriptions, oversaturated job listings, and a lack of understanding from recruiters, leading to psychological damage for job seekers and a need to navigate the system through networking and targeted applications.
Google's $23B Bid to Buy Wiz Falls Through, Startup to Pursue IPO Instead
- Wiz CEO Assaf Rappaport announced in an internal memo that the company has decided to turn down Google's $23 billion acquisition offer and instead pursue an IPO.
- The proposed deal would have nearly doubled Wiz's recent valuation of $12 billion, but the company's investors likely saw greater potential return from an IPO.
- Wiz aims to grow into a business with at least $1 billion in recurring revenue and become more valuable in the wake of CrowdStrike's recent worldwide outages.
Chainguard Raises $140M at $1.12B Valuation to Secure Software Supply Chains
- Chainguard, a software supply chain security startup founded by ex-Google engineers, has raised $140 million in a Series C round led by Redpoint Ventures, Lightspeed Venture Partners, and IVP, valuing the company at $1.12 billion.
- The company's growth is driven by demand for its flagship product, Chainguard Images, which provides a secure, fully-managed open source supply chain for building software on top of containers.
- Chainguard plans to use the fresh capital to expand into the U.S. public sector and international markets, and to scale its product suite to provide a single, safe source for any open source software, moving beyond just container images.
Lakera Raises $20M to Secure GenAI Applications Amid Rising Cybersecurity Risks
- Lakera, an AI security company, has raised $20 million in a Series A funding round led by Atomico, bringing its total funding to $30 million.
- With the rapid adoption of GenAI, traditional cybersecurity tools are ill-equipped to address the novel dangers it poses, creating a critical need for AI-specific security solutions.
- Lakera's platform offers real-time AI security that continuously evolves, protecting enterprises from prompt attacks, AI sleeper agents, jailbreaking techniques, and other AI-targeted threats without compromising user experience.
WMI Monitor
WMI Monitor is a PowerShell script that monitors WMI consumers and processes to detect potentially malicious activity.
Weakpass
Weakpass is a collection of wordlists for bruteforcing and password cracking, including lists for general purpose, online brute, and more. It provides a comprehensive set of wordlists for various hashing algorithms, including MD5, NTLM, NetNTLMv2, md5crypt, sha512crypt, and WPA2.
Tracecat
Tracecat is an open-source security automation platform that allows users to automate security alerts, build AI-assisted workflows, and close cases fast. It offers a no-code interface, unlimited workflows, and integrations with various security tools.
If you found this newsletter useful, I'd really appreciate it if you could forward it to your friends and share your feedback below!
Have questions? Let me know in the comments or on LinkedIn and X.
Best,
Nikoloz