Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- A massive 3.8 Tbps DDoS attack targeting financial and telecom sectors
- How humor can enhance cybersecurity training effectiveness
- The launch of a new AI-powered mobile app for CISOs
And much more.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
INDUSTRY NEWS
Record-Breaking 3.8 Tbps DDoS Attack Targets Financial and Telecom Sectors
- Cloudflare researchers reported a month-long DDoS campaign targeting organizations in the financial services, internet, and telecommunications sectors, with the largest volumetric attack peaking at 3.8 Tbps.
- The attacks leveraged a global network of compromised devices, including Asus routers, MikroTik systems, DVRs, and web servers, with many located in Russia, Vietnam, the U.S., Brazil, and Spain.
- Cloudflare successfully mitigated all attacks autonomously, while a separate report from Akamai confirmed that recently disclosed CUPS vulnerabilities in Linux could be a viable vector for future DDoS attacks.
Critical NVIDIA Container Toolkit Flaw Allows Container Escape Attacks
- Wiz Research discovered a critical vulnerability (CVE-2024-0132, CVSS 9.0) in the NVIDIA Container Toolkit, which allows adversaries to perform container escape attacks and gain full access to the host system.
- The flaw affects NVIDIA Container Toolkit 1.16.1 and earlier, and GPU Operator 24.6.1 and older, impacting over 35% of cloud environments that rely on these tools for GPU access in AI applications.
- Attackers can exploit the lack of secure isolation between the containerized GPU and the host by mounting sensitive parts of the host filesystem or accessing writable Unix sockets, enabling them to execute commands or exfiltrate data.
Mysterious Linux Malware Exploits Thousands of Server Misconfigurations
- Aqua Nautilus researchers have analyzed the long-running "perfctl" malware that has been infecting Linux servers worldwide for years, exploiting misconfigurations to deploy cryptomining and proxyjacking malware.
- The malware is highly persistent and difficult to eradicate, constantly hiding itself. It targets any Linux server connected to the Internet, and has likely compromised thousands out of millions targeted.
- Researchers discovered a list of nearly 20,000 potential exploit paths used by the malware, including over 12,000 known server misconfigurations, 2,000 paths for stealing credentials and keys, 1,000 unauthorized login techniques, and dozens of application-specific flaws.
LEADERSHIP INSIGHTS
Humor Emerges as Powerful Tool in Cybersecurity Training and Culture
- According to a CompTIA study, the human element accounts for 52% of data breaches, but traditional cybersecurity training often fails to engage employees, resulting in low retention of key security concepts.
- Humor in training can boost retention, create a more relaxed learning environment, and transform routine tasks into memorable experiences, as supported by research from TrainSmart and Edutopia showing humor activates dopamine pathways essential for motivation and memory.
- While humor can be effective in combating security fatigue and engaging remote workers, it also carries risks if not implemented carefully, as it may trivialize serious threats, so balance is key to engage without undermining the importance of cybersecurity.
API Security Maturity Model Assesses Weaknesses and Vulnerabilities
- Isabelle Mauny, Field CTO at 42Crunch, formulated a six-domain API security maturity model to determine an organization's current security posture and roadmap toward a more secure posture. The model includes inventory, design, development, testing, protection, and governance domains.
- The model features activities for each domain, which may exist to varying degrees based on maturity levels: non-existent, emerging, or established. Key elements include maintaining an accurate API inventory, addressing security concerns during the design phase, following secure coding practices, integrating security testing into CI/CD, implementing dedicated API protection mechanisms, and ensuring APIs meet organizational governance requirements.
- Without adequate API security measures, organizations risk deploying insecure APIs vulnerable to attacks. A defense-in-depth approach and robust governance process are essential to reduce risk and ensure APIs are designed, developed, tested, and protected according to the organization's methodology.
Secrets Sprawl in Public Repos Reaches 12.8 Million, Driven by API Keys
- GitGuardian's State of Secrets Sprawl report reveals that 12.8 million secrets were detected in GitHub public repos in 2024, up from 10 million the previous year and 6 million the year before, with the vast majority being API keys.
- The term "machine identities" is being adopted to distinguish the unique challenges of secrets sprawl related to machine-to-machine communication, such as API access keys, certificates, and PKI, from human identities and credentials.
- The historical reliance on password-based authentication for machine-to-machine communication has led to the current problem of credentials being leaked into code and collaboration platforms at an alarming rate.
CAREER DEVELOPMENT
Qualys Offers Free Cybersecurity Training and Certification Courses
- Qualys provides free self-paced and instructor-led certified training on core cybersecurity topics including Vulnerability Management, Policy Compliance, PCI Compliance, and Endpoint Detection and Response (EDR).
- The training includes hands-on labs featuring the latest Qualys Suite features and best practices, allowing learners to gain practical experience.
- Foundational courses are available for each topic to help learners understand the basics before diving into more advanced courses that cover specific tools and strategies for effective cybersecurity management.
CyberThreat 2024: Empowering Europe's Cyber Security Community in London
- The National Cyber Security Centre (NCSC) and SANS Institute are hosting the two-day CyberThreat 2024 conference in London on December 9-10, 2024, bringing together Europe's cyber security community.
- The event covers both offensive and defensive disciplines with a focus on technical aspects, featuring presentations from renowned experts, hands-on opportunities like CTF events, team problem solving, and "Hackathon" challenges.
- Attending in-person offers benefits such as participating in the challenging CyberThreat CTF, attempting the interactive hackable badge challenge, enjoying cutting-edge tech features, and networking with like-minded security practitioners.
Cisco Offers Free Cybersecurity Training and Certification in Giveaway
- Cisco is offering a free cybersecurity training and certification giveaway aimed at network engineers looking to transition into cybersecurity roles.
- Five randomly selected winners will be able to choose from e-learning and exam bundles for Cisco Certified CyberOps Associate, Cisco Certified CyberOps Professional, CCNP Security, or a 1-year subscription to Cisco U. Essentials.
- The giveaway is open until November 15, 2024, and aims to help participants enhance their skills and become their organization's "cybersecurity superstar."
AI & SECURITY
LLMs' Package Hallucination Problem Poses Supply Chain Risk
- A multi-university study found that Large Language Models (LLMs) have a serious "package hallucination" problem, where they generate code referencing non-existent Python and JavaScript packages, potentially leading to a wave of maliciously-coded packages in the software supply chain.
- The study generated 2.23 million code samples using various LLM models and discovered that 19.7% contained references to hallucinated packages, with 205,474 unique examples of hallucinated package names, highlighting the severity and pervasiveness of the threat.
- Researchers discuss potential mitigations, such as addressing the underlying issue of why LLMs generate hallucinations, using Retrieval Augmented Generation (RAG), and fine-tuning LLMs to improve output on tasks more likely to generate hallucinations, but note that LLM developers themselves need to act to implement these improvements.
MITRE Launches AI Incident Sharing Initiative to Improve Collective Defense
- MITRE's Center for Threat-Informed Defense collaborated with over 15 companies to launch the AI Incident Sharing initiative, aiming to improve collective awareness and defense of AI-enabled systems by enabling rapid and protected sharing of information about attacks or accidents.
- The Secure AI collaboration also extended the ATLAS threat framework to update the adversarial threat landscape for generative AI-enabled systems, adding new case studies, attack techniques, and mitigation methods to the public knowledge base.
- MITRE operates other information-sharing public-private partnerships, including the Common Vulnerabilities and Exposures (CVE) list and the Aviation Safety Information Analysis and Sharing (ASIAS) database, and recently announced the full release of the EMB3D Threat Model for embedded devices.
Attackers Hijacking AWS AI Infrastructure to Power Unfiltered Sexual Roleplaying Chatbots
- Permiso reports that attacks against AWS Bedrock GenAI infrastructure have increased substantially over the last 6 months, particularly with exposed access keys.
- Attackers are hijacking victim GenAI infrastructure to power their own LLM applications, including sexual roleplaying chatbots that allow users to have 1:1 conversations with AI characters and generate CSEM content.
- Attackers perform 3 main steps when hijacking LLMs in Bedrock: checking for model availability, requesting access to models, and invoking the models through prompting, bypassing content filters using common jailbreak techniques.
MARKET ANALYSIS
Apono Raises $15.5M in Series A Funding to Advance Cloud Access Governance
- Apono, a leader in privileged access for the cloud, announced the successful completion of its $15.5 million Series A funding round led by New Era Capital Partners.
- The funds will be used to accelerate product development, deliver value to customers, and solidify Apono's position in the identity security space, bringing the total investment to $20.5 million.
- Apono's AI-driven solution addresses critical challenges in cloud access management, providing organizations with robust, scalable solutions to manage and secure access in today's dynamic cloud environments.
Safe Security Launches Generative AI-Powered Mobile App for CISOs
- Safe Security, an AI-based cyber risk management company, has launched Safe X, a new generative AI-powered mobile app that provides CISOs with real-time business impact insights into their cybersecurity posture.
- Safe X integrates data from existing cybersecurity products and converts them into actionable insights, enabling CISOs to make proactive decisions that drive the highest risk reduction and improve risk prioritization.
- The app leverages generative AI to provide instant answers to pressing cybersecurity questions, such as vulnerability to the latest ransomware attacks, cyber risks with the highest business impact, and the effectiveness of investments in reducing risks.
CrowdStrike Expands Marketplace to Meet Demand for Integrated Cybersecurity Solutions
- CrowdStrike announces the expansion of the CrowdStrike Marketplace, which has grown to over 260 listings from 140 partners in its first year, adding strategic resellers to help customers discover, try, and buy integrated third-party solutions.
- The Marketplace assists customers in optimizing their cybersecurity investments, reducing risks associated with siloed tools and complex security stacks, and maximizing the power of the Falcon platform.
- With the addition of top global and national resellers like CDW, GuidePoint Security, Optiv, and World Wide Technology (WWT), CrowdStrike is expanding access to leading ISVs, strengthening the Marketplace's role in aligning the cybersecurity ecosystem around customer success.
TOOLS
RE&CT Framework
A framework and knowledge base of actionable incident response techniques. It is a community-driven security incident response collection and a data source for the Atomic Threat Coverage framework.
Wapiti
The web-application vulnerability scanner Wapiti allows you to audit the security of your websites or web applications. It performs 'black-box' scans by crawling webpages, looking for scripts and forms to inject data, and acts like a fuzzer to test vulnerabilities.
Shuffler
Shuffle Automation is an open-source SOAR (Security Orchestration, Automation, and Response) solution designed to streamline security workflows and improve incident response times.
Before you go
If you found this newsletter useful, I'd really appreciate it if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz