Brief #63: Ferrari Deepfake Scam, Azure DDoS Attack, AI Security Challenges, Mentorship Value

Before you start your Monday, catch up on the latest in cybersecurity!

This week, we explore the growing threat of AI-powered deepfakes as a Ferrari executive falls victim to an impersonation attempt. We also look into the critical role of mentorship in advancing cybersecurity careers and examine the need for stronger boardroom leadership to address cybersecurity challenges.

Ferrari Executive Targeted in Deepfake Impersonation Attempt

Bloomberg reports that a Ferrari executive received suspicious WhatsApp messages and a call purportedly from CEO Benedetto Vigna, discussing a confidential acquisition and requiring a currency-hedge transaction.
The executive grew suspicious due to slight mechanical intonations in the voice and asked a question to verify the caller's identity, causing the call to abruptly end, prompting an internal investigation.
Experts warn that AI-based deepfake tools are becoming increasingly sophisticated, with some companies already falling victim to fraudsters using this technology, resulting in significant financial losses.

Sophisticated Phishing Campaign Targets Microsoft OneDrive Users

Trellix Advanced Research Center has observed a sophisticated phishing campaign targeting Microsoft OneDrive users, heavily relying on social engineering tactics to deceive users into executing a malicious PowerShell script.
The attack begins with an email containing an .html file that displays an image simulating a Microsoft OneDrive page with an "Error 0x8004de86" message, prompting users to follow instructions to fix the issue by running a command in Windows PowerShell.
The command downloads an archive file, extracts its contents ("script.a3x" and "AutoIt3.exe"), and executes the script using AutoIt3.exe, potentially compromising the user's system and, in enterprise environments, leading to widespread network compromise, financial losses, and reputational damage.

Microsoft Azure Outage Triggered by DDoS Attack, Firm Confirms

Microsoft has confirmed that an Azure outage on July 30, which lasted nearly 10 hours and affected services like Microsoft 365 and Azure, was triggered by a distributed denial of service (DDoS) cyberattack.
The incident started at approximately 11:45am UTC and was resolved at 19:43pm UTC, with Microsoft describing an "unexpected usage spike" that resulted in Azure components "performing below acceptable thresholds, leading to intermittent errors, timeout and latency spikes".
Microsoft admits that while it had DDoS protections in place, an error in the implementation of defenses "amplified the impact of the attack rather than mitigating it", highlighting the importance of thorough software testing.

DigiCert to Revoke SSL/TLS Certificates Due to Domain Validation Oversight

DigiCert, a certificate authority (CA), will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership using Domain Control Validation (DCV).
The issue stems from DigiCert failing to include an underscore prefix with the random value used in some CNAME-based validation cases during a series of changes to their underlying architecture starting in 2019.
The incident impacts approximately 0.4% of applicable domain validations, affecting 83,267 certificates and 6,807 customers, who are recommended to replace their certificates as soon as possible to avoid potential disruptions to websites, services, and applications relying on these certificates for secure communication.

Massive Phishing Campaign Exploits Proofpoint Email Routing Misconfiguration

Guardio Labs researcher Nati Tal reports that an unknown threat actor exploited an email routing misconfiguration in Proofpoint's defenses to send millions of spoofed emails impersonating popular companies.
The campaign, dubbed "EchoSpoofing", started in January 2024 and peaked in June, sending up to 14 million emails per day that bypassed major security protections like SPF and DKIM.
Proofpoint identified a "super-permissive misconfiguration flaw" in their servers that allowed the attacker to relay spoofed messages through their customers' email infrastructures, making the spam more deliverable and harder to detect.

Boardroom Cybersecurity Leadership Crisis Dooming America's Companies

Bob Zukis, a contributor who writes on digital and cybersecurity governance, argues that America's companies have a chronic problem with cybersecurity due to a colossal leadership failure in the corporate boardroom.
Zukis believes that effective boardroom cybersecurity leadership matters and works, as it strengthens all other cybersecurity controls, but some are working against adding cybersecurity expertise to the boardroom.
Research from Virginia Tech identified that lack of director cybersecurity expertise leads to superficial oversight, while its presence enables proactive, value-added oversight and strengthens the effectiveness of the CISO.

CrowdStrike Failure Raises Questions About Software Quality Guarantees

Fernando Maldonado, an independent IT expert, suggests that CrowdStrike's crash-inducing software update highlights the cybersecurity industry's focus on speed over quality when competing with cybercriminals.
Lawyer and cybersecurity consultant Paloma Llaneza points out that software is typically sold "as is," with minimal guarantees or compensation for failures, creating a legal vacuum that would be unthinkable in other industries like critical infrastructure.
Microsoft and IDC argue that the European Commission's 2009 interoperability agreement, which required Microsoft to grant security software makers the same access to Windows as Microsoft itself, may have contributed to the CrowdStrike incident by limiting Microsoft's ability to secure the operating system.

Fortune 50 Company Pays $75M Ransom, Raising Questions for CISOs

Zscaler reports a Fortune 50 company paid a $75 million ransom to the Dark Angels ransomware group in March, almost double the previous top ransom paid.
The public nature of the payment, likely made via Bitcoin, raises concerns about whether it will embolden cybercriminals and pressure companies to find more secretive payment methods.
While the possibility of a payment becoming public may not materially change the decision to pay, CISOs should assume ransom payments will eventually become public and take greater efforts to avoid having to make such payments.

Mentorship: The Key to Advancing Your Cybersecurity Career

According to Jordan Avnaim, CISO at Entrust, curiosity and a willingness to learn from others' experiences are essential qualities for advancing a cybersecurity career.
George Jones, CISO at Critical Start, emphasizes the importance of communication skills for translating technical cybersecurity concepts into terms that executives and senior leaders can understand.
Many security leaders, including Avnaim, Jones, and John Anthony Smith, Founder and CSO of Conversant Group, strongly recommend finding a mentor to help expand your network, skillset, and open doors to new opportunities in your cybersecurity career.

8 Threat Hunts You Can Do with Available Resources

Randy Franklin Smith, an expert on Windows and AD security, provides guidance on 8 types of threat hunts that can be done using a SIEM solution and available log data.
Successful threat hunting requires collecting the right log data from endpoints, servers, firewalls, security solutions, and more. The article lists specific log sources to consider.
The first threat hunt involves recognizing suspicious software by monitoring process names or hashes. Hunting by process name is easier but can be spoofed, while hashes provide higher integrity but are more complex to monitor.

Splunk SIEM Home-Lab for SOC Analyst Training

The article provides an overview of a powerful home-lab focused on setting up Splunk SIEM and real-world use cases for aspiring SOC Analysts (Tier 1/2).
The lab covers requirements, a lab diagram, setting up Splunk SIEM on Ubuntu Server, and exercises investigating web-based and network-based attacks.
Exercises include detecting SQL injection, XSS, CSRF, directory traversal, brute force attacks, session hijacking, RCE, XXE, insecure deserialization, SSRF, port scanning, DDoS, DNS tunneling, malicious payloads, and data exfiltration.

Systematic Approach Needed to Construct Guardrails for Large Language Models

Inan et al. (2023) from Meta advocate for a systematic approach to construct guardrails for Large Language Models (LLMs), considering diverse contexts across various LLM applications.
Current open-source guardrail solutions (Llama Guard, Nvidia NeMo, Guardrails AI) are reviewed, discussing challenges and the need for more complete solutions to mitigate LLM risks with profound societal impacts.
The authors propose employing socio-technical methods through multi-disciplinary collaboration to determine precise technical requirements, exploring advanced neural-symbolic implementations, and developing verification and testing to ensure utmost quality.

AI Security Shared Responsibility Model Clarifies Division of Responsibilities

Daniel Miessler, a cybersecurity expert, introduces the AI Security Shared Responsibility Model, a framework designed to clarify the division of security responsibilities between AI service providers and the businesses that use them.
The model outlines the security responsibilities across various AI deployment models, including SaaS AI models (public and private), PaaS AI models, IaaS AI models, and on-premises AI models, each with different levels of control and risk profiles.
Building a robust AI security stack involves considering multiple security domains, such as application security, AI ethics and safety, user access control, model security, data privacy and security, monitoring and logging, compliance and governance, supply chain security, network security, infrastructure security, and incident response.

Wiz Launches AI Security Challenge to Manipulate Customer Service Chatbot for Free Ticket

Cybersecurity company Wiz has launched the Prompt Airlines AI Security Challenge, tasking participants with manipulating a fictional airline's customer service AI chatbot to obtain a free ticket.
The challenge is structured as a Capture the Flag (CTF) competition, with the goal of finding vulnerabilities or weaknesses in the chatbot to exploit and gain an unauthorized free ticket.
Wiz's Nir Ohfeld and Shir Tamari created the challenge to highlight potential security risks in AI chatbots and encourage research into securing these increasingly common systems against abuse.

Protect AI Raises $60M Series B, Valued at $400M, Amid Surge in AI and Cybersecurity Funding

GeekWire reports that Seattle-based cybersecurity startup Protect AI has raised a $60 million Series B round led by Evolution Equity Partners, following a $35 million Series A round last year.
Protect AI, founded in 2022 by former Amazon and Oracle engineering leaders, offers five products to help companies monitor and secure their machine learning and AI systems, with customers ranging from national security organizations to Fortune 500 companies.
The funding comes amid a surge in investment for AI startups, which raised nearly a third of all dollars in Q2, and cybersecurity startups, which saw a 144% increase in funding, according to CBInsights and Crunchbase, respectively.

Tenable Explores Potential Sale Amid Cybersecurity Sector Consolidation

Bloomberg reports that Tenable, a Columbia, Maryland-based security software company, is exploring options including a potential sale after receiving takeover interest.
Tenable's Tenable One platform offers cybersecurity teams a unified view of all assets to better manage application, cloud, and identity vulnerabilities.
The broader cybersecurity sector is moving toward consolidation, with Tenable gaining market share from 2019 to 2023 at the expense of competitors Qualys and Rapid7.

Devo Launches Data Orchestration and Analytics Cloud for Enhanced SOC Workflows

Devo Technology Inc. announced new offerings including data orchestration, a data analytics cloud, and security operations center (SOC) workflow enhancements to help security teams manage and analyze vast amounts of data cost-effectively.
Devo Data Orchestration provides total control over data from any source at scale, filtering and routing it to destinations like Amazon Kinesis and S3, while the Data Analytics Cloud allows building custom security applications and integrations or using prebuilt alerts, applications, and dashboards.
Enhancements to Devo ThreatLink automate alert triage by correlating and enriching alerts into high-fidelity cases, and updates to Devo Behavior Analytics enhance threat detection with tunable risk-based alerting, instantaneous anomaly flagging, and targeted monitoring of high-risk assets.

Cloudflare Learning Center

The Cloudflare Learning Center provides educational resources covering various cybersecurity and internet-related topics, including DDoS attacks, CDNs, DNS, web application security, serverless computing, encryption protocols, bots, cloud computing, Zero Trust security, SASE, networking, data privacy, video streaming, email security, and AI.

Naabu

A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests.

Redline

Redline is a free endpoint security tool that provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

Thank You

If you found this newsletter useful, I'd really appreciate if you could forward it to your friends and share your feedback below!

Have questions? Let me know in the comments or on LinkedIn and Mastodon.

Best,
Nikoloz