Brief #75: Fortinet Zero-Day, Agentic AI Risks, Growring Strategic Influence of CISOs

Happy Sunday!

I hope this Brief finds you well and ready to tackle the week ahead.

In this edition, I am covering:

• Fortinet's zero-day vulnerability impacting organizations worldwide through FortiManager exploitation
• The evolving role of CISOs, with 20% now reporting directly to CEOs
• A new AI jailbreak technique achieving 65% success rate in bypassing chatbot security controls

And much more.

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

INDUSTRY NEWS

Fortinet Zero-Day Vulnerability Exploited in the Wild Since June 2024

• Mandiant reports that a recently patched zero-day vulnerability in Fortinet's FortiManager product has been actively exploited by threat actors since at least June 27, 2024, affecting over 50 potential victims across various countries and industries.

• The vulnerability, tracked as CVE-2024-47575, allows remote, unauthenticated attackers to execute arbitrary code and exfiltrate data that could be used to further compromise the FortiManager, move laterally to managed Fortinet devices, and target the enterprise environment.

• Researcher Kevin Beaumont believes that state-sponsored threat actors have exploited the vulnerability, dubbed "FortiJump," to conduct espionage through managed service providers (MSPs), as tens of thousands of internet-exposed FortiManager systems remain unpatched.

Microsoft SharePoint Flaw Added to CISA's Known Exploited Vulnerabilities Catalog

• The U.S. CISA has added a high-severity Microsoft SharePoint flaw (CVE-2024-38094) to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.

• The vulnerability, with a CVSS score of 7.2, is a deserialization flaw that could lead to remote code execution when exploited by an authenticated attacker with Site Owner permissions.

• Patches for the flaw were released in July 2024, but the risk is compounded by the availability of proof-of-concept exploits in the public domain, as reported by SOCRadar.

APT29 Phishing Campaign Targets Militaries, Governments, and Enterprises Worldwide

• APT29, a notorious Russian threat actor, has been conducting a widespread phishing campaign targeting militaries, public authorities, and enterprises across a wide geography, as reported by the Computer Emergency Response Team of Ukraine (CERT-UA).

• The campaign, which dates back to August, used malicious domain names mimicking Amazon Web Services (AWS) to send emails with attachments containing malicious configuration files for Remote Desktop Protocol (RDP), granting attackers extensive access to target computers.

• To mitigate the risk, CERT-UA recommends monitoring network logs for connections to APT29-linked IP addresses, while Tenable's Satnam Narang suggests blocking RDP files at the email gateway to prevent this type of attack.

LEADERSHIP INSIGHTS

Considerations for Evaluating GenAI in Cybersecurity

• Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky, shares three key considerations for organizations evaluating generative AI (GenAI) solutions for cybersecurity.

• Usage Confidence: Due to the risk of hallucinations, vendors often include caveats stating that users need to verify the output, which can introduce delays and divert resources from true positives when responding to incidents.

• Usage Friction: Writing good prompts can be challenging, and some GenAI solutions struggle with ad-hoc and open-ended security queries, negating the desired capability of solving problems at "machine speed". Utility charging models can also discourage use.

CISOs Gaining Strategic Influence as Cyber Threats Evolve

• Deloitte's "Global Future of Cyber Survey" reveals that 20% of CISOs now report directly to CEOs, signaling the increasing strategic importance of the role as AI-generated threats become more sophisticated.

• CISOs are becoming key advisors to CEOs and boards, with 39% of respondents already extensively using AI in their cybersecurity programs and focusing on safeguarding investments in emerging technologies like cloud security (48%) and Generative AI (41%).

• 25% of respondents from cyber-mature companies experienced 11 or more cybersecurity incidents in the past year, a 7% rise from 2023, while 57% anticipate increasing their cybersecurity budgets over the next 12 to 24 months.

CISOs Face Evolving Challenges Amidst Growing Cyber Threats and Talent Shortages

• A recent BCG and GLG survey of over 350 global cybersecurity leaders reveals that while overall cyber maturity is growing, gaps remain in areas like app security, data protection, and software supply chain risk management.

• CISOs are more concerned about the rising frequency of known threats like ransomware, keeping risk mitigation in pace with tech innovation, and navigating the increasingly complex cyber and privacy regulations landscape than controlling cyber spending.

• Cyber-mature organizations distinguish themselves through greater CISO accountability, coordinating IT recovery with business continuity, and centralized decision-making, while AI-enabled threats like phishing and malware attacks are becoming more prevalent, with CISOs eager to leverage AI in defense.

CAREER DEVELOPMENT

Intro to Becoming a SOC Analyst: A New Approach

• Eric Capuano, the author, outlines a new approach to quickly gaining skills needed for an entry-level SOC analyst job, leveraging modern technology.

• The traditional approach involved setting up a complex virtual machine environment with various components like firewalls, routers, and log aggregation tools, which was time-consuming but provided valuable indirect learning.

• The new approach focuses on getting straight to the core SOC work using a commercial offering called LimaCharlie, which saves time and is free for this level of use, while teaching universally applicable methodologies.

TCM Security Offers Free Ethical Hacking Courses on YouTube

• TCM Security, a cybersecurity training company, is offering over 27 hours of free ethical hacking material on their YouTube channel.

• The free courses cover topics such as practical ethical hacking, OSINT fundamentals, Linux for hackers, buffer overflows, Python fundamentals, and web application hacking.

• For those looking for more comprehensive training, TCM Security also offers an All-Access Membership that provides access to all of their courses and exclusive content.

CISO Job Turnover Drops as Opportunities Dwindle

• IANS Research finds that CISO turnover has decreased from 21% in 2022 to an annualized 11% in H1 2024, limiting opportunities for compensation growth through job changes.

• Nearly a quarter of cybersecurity leaders are actively looking to leave their organization, with 93% citing stress or job demands as factors impacting their decision.

• Advancements in cybersecurity automation have resulted in a surplus of highly skilled executives on the job market, outstripping demand and stifling salary growth for CISOs.

AI & SECURITY

Google Advocates for Simplifying Security with AI and Consolidated Solutions

• Abhishek A Hemrajani, director of product management for cloud security at Google, says security is complex due to overlapping tools, gaps in systems, and silos between teams.

• Conventional security approaches fall short in addressing the pace, velocity and complexity of threats, with attackers employing sophisticated techniques and leveraging zero-day vulnerabilities.

• Google believes generative AI represents an inflection point for security that will transform workflows and give defenders an advantage, but attacks on AI are increasing, requiring secure-by-default solutions.

AI Jailbreak Method Bypasses Chatbot Guardrails with 65% Success Rate

• Palo Alto Networks researchers discovered a new AI jailbreak method called "Deceptive Delight" that mixes malicious and benign queries to trick chatbots into bypassing their guardrails, with a 65% success rate across eight different large language models (LLMs).

• The method exploits LLMs' limited "attention span" by presenting a mix of safe and unsafe information, causing the model to overlook critical details and progressively steering the conversation toward harmful or unethical content.

• To mitigate these prompt-injection attacks, organizations can enforce privilege control on LLM access, add human approval for privileged operations, segregate external content from user prompts, establish trust boundaries, and manually monitor LLM input and output periodically.

Agentic AI on the Rise: Harnessing Power While Mitigating Security Risks

• Stephen Kaufman, Chief Architect at Microsoft, discusses the rise of agentic AI, which involves autonomous agents that can make decisions and act without human intervention, presenting both transformative opportunities and new security risks.

• Agentic AI brings together tools, frameworks, and patterns to automate end-to-end business workflows using AI agents that perform specific tasks and integrate into a broader workflow controlled by rules and decisions, with the ability to incorporate external agents.

• Key risks of agentic AI include unexpected or problematic behavior, ethical concerns like bias and unintended consequences, and lack of human controls, necessitating robust security measures, governance, monitoring, and the ability to override operations when needed.

MARKET ANALYSIS

Practical SOC Analyst Skills Blog Series Uses LimaCharlie for Hands-On Learning

• Eric Capuano's blog series "So you want to be a SOC Analyst?" offers a modern, hands-on approach to learning essential SOC analyst skills using LimaCharlie.

• The series requires only a computer and no cost, covering VM setup, adversary emulation, detection crafting, attack blocking, false positive tuning, and YARA scan triggering.

• Emphasizing practical knowledge over certifications, the series provides a fast-track for aspiring cybersecurity professionals to gain hands-on experience in threat detection and response.

Socket Raises $40M to Protect Against Open Source Supply Chain Attacks

• Socket, a San Francisco-based startup, announced the closing of a $40 million Series B funding round led by Abstract Ventures, bringing its total raised to $65 million.

• The company's platform monitors open source dependencies in real-time, detecting and blocking over 70 signals of supply chain risks, including malware, misleading packages, and permission creep across six programming languages.

• With the new funding, Socket plans to accelerate product development and expand its team to meet the increasing demand for its platform, which is already used by organizations in finance, manufacturing, media, and tech, blocking more than 100 attacks per week.

Securonix and AVANT Partner to Enhance Cybersecurity Offerings

• Securonix, a five-time Gartner Magic Quadrant Leader in SIEM, announced a partnership with AVANT, a distributor of technology services, to provide AVANT's network with Securonix's SIEM platform and advanced cybersecurity solutions.

• The collaboration will give Trusted Advisors access to Securonix's AI-Reinforced SIEM and UEBA solutions, enabling organizations to strengthen their security posture and stay resilient against today's complex threat landscape.

• The partnership will enhance AVANT's Securonix Elevate partner program, providing Trusted Advisors with access to AI-Reinforced CyberOps capabilities, tiered pricing, and robust enablement resources to generate new revenue streams while delivering essential cybersecurity solutions.

TOOLS

InQuest Labs

An experiment that measures the security efficacy of email providers against real-world emerging malware. It also provides various tools and resources for threat intelligence, including a reputation database, IOC database, and YARA rule generators.

https://cybersectools.com/tools/blauhaunt

Blauhaunt is a tool collection for filtering and visualizing logon events, designed to help answer the 'Cotton Eye Joe' question (Where did you come from where did you go) in Security Incidents and Threat Hunts

Bubblewrap

Bubblewrap is a setuid implementation of a subset of user namespaces. It provides a way to run unprivileged containers without requiring root privileges. It is designed to be a more secure alternative to other container runtimes like systemd-nspawn and Docker.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz