Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- Apple's urgent patch for two zero-day vulnerabilities affecting macOS systems
- OWASP's updated Top 10 LLM Security Risks, with data exposure climbing to second place
- Microsoft's findings on how organizations managing multiple security solutions face increased incidents
And much more.
INDUSTRY NEWS
Fake AI Video Generator Sites Distribute Lumma and AMOS Infostealers
- Threat actors are promoting fake "EditProAI" video generator sites through social media and search results, targeting both Windows and macOS users with infostealers that steal credentials, crypto wallets, and browser data.
- The Windows variant deploys Lumma Stealer using a stolen code-signing certificate from Softwareok.com, while macOS systems are targeted with the AMOS malware; both send stolen data to a command panel at proai[.]club.
- The campaign spreads through deepfake political videos on X (formerly Twitter) that lead victims to professional-looking websites at editproai[.]pro (Windows) and editproai[.]org (macOS), which distribute the malicious installers.
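For teams that want to sweep their own proxy logs for this campaign, here is an added example (not code from the original brief or from any vendor report) that refangs the three domains named above and matches them, subdomains included, against Squid-style access-log lines. The log lines are constructed for the demo, not captured traffic.

```python
"""Match the EditProAI campaign indicators against web-proxy logs.

Added example, not part of the original newsletter. The three domains are
the indicators named in the brief; the log lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators as they appear in the brief, kept defanged.
DEFANGED_IOCS = ["editproai[.]pro", "editproai[.]org", "proai[.]club"]


def refang(ioc: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Minimal access-log shape assumed for the demo: timestamp client method url
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+)")


def domain_matches(host: str) -> Optional[str]:
    """Return the indicator if host equals it or is a subdomain of it.

    Suffix matching on '.' + ioc avoids false positives such as
    'noteditproai.org' while still catching 'cdn.editproai.org'.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_logs(lines):
    """Return one hit dict per log line whose URL host matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash the sweep
        host = urlsplit(m.group("url")).hostname or ""
        ioc = domain_matches(host)
        if ioc:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "host": host, "ioc": ioc})
    return hits


SAMPLE_LOGS = [  # constructed for the demo
    "2024-11-21T10:01:02Z 10.0.0.5 GET https://www.example.com/index.html",
    "2024-11-21T10:02:10Z 10.0.0.7 GET https://editproai.pro/download/EditProAI.exe",
    "2024-11-21T10:02:45Z 10.0.0.7 POST http://proai.club/api/upload",
    "2024-11-21T10:03:00Z 10.0.0.9 GET https://cdn.editproai.org/EditProAI.dmg",
    "2024-11-21T10:03:30Z 10.0.0.9 GET https://noteditproai.org/",  # must not match
]

if __name__ == "__main__":
    for hit in scan_proxy_logs(SAMPLE_LOGS):
        print(hit)
```

A download hit followed by a POST to proai[.]club from the same client is the sequence to look for: the first is the installer, the second is exfiltration already under way, so that host should be isolated rather than just blocked.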
North Korean Threat Actors Expand Operations with IT Workers and Advanced Exploitation Techniques
- North Korean threat actors have developed sophisticated cryptocurrency theft operations built on social engineering, with Sapphire Sleet stealing over $10M in a six-month period by posing as venture capitalists and recruiters.
- The DPRK has deployed thousands of IT workers abroad who generate revenue through legitimate work while using stolen identities, AI-generated content, and facilitators to bypass sanctions. These workers have earned hundreds of millions of dollars operating from North Korea, Russia, and China.
- Ruby Sleet has increased its targeting of aerospace and defense organizations through sophisticated phishing and supply chain attacks, including compromising legitimate certificates and developing custom malware for specific targets' environments.
Apple Patches Two Zero-Day Vulnerabilities Under Active Exploitation in macOS
- Zero-day vulnerabilities in the JavaScriptCore and WebKit components are being actively exploited against Intel-based Mac systems; both were reported by Google's Threat Analysis Group.
- CVE-2024-44308 (JavaScriptCore) allows arbitrary code execution when processing maliciously crafted web content, and CVE-2024-44309 (a cookie-management flaw in WebKit) enables cross-site scripting attacks. Both are triggered by loading attacker-controlled web content, so no user interaction beyond visiting a page is required.
- Apple has released urgent security updates across multiple platforms, including iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, Safari 18.1.1, and iOS 17.7.2 for older devices, though no specific attack details or IOCs were provided. Because the bugs live in WebKit, macOS Ventura and Sonoma users are patched through the Safari 18.1.1 update rather than a macOS update.
LEADERSHIP INSIGHTS
Microsoft Data Security Index Reveals AI-Driven Security Challenges and Opportunities
- Organizations are managing an average of 12 different data security solutions, with fragmentation leading to increased vulnerability - companies using 11+ tools experienced 202 security incidents compared to 139 incidents for those with fewer tools.
- Unauthorized AI app usage is widespread, with 65% of organizations reporting employees using unsanctioned AI applications, while 96% express concerns about employee use of generative AI. In response, 93% are developing or implementing new controls.
- Organizations show strong optimism for AI in security, with 77% believing AI will enhance sensitive data discovery and protection. Those already using AI-powered security tools receive fewer daily alerts (47 vs 79) and report improved effectiveness in threat detection.
Kubernetes Data Plane Security: Key Attack Vectors and Defense Strategies
- Applications with RCE vulnerabilities in exposed pods are a primary attack vector, giving attackers initial access from which they can move laterally through the pod's service account privileges or escape the container to the host.
- Container images are a critical access point: a malicious image can gain host-level access through vulnerabilities like Leaky Vessels (the runc and BuildKit container-escape flaws disclosed in early 2024), which is why image verification, signing, and trusted registries matter.
- Execution-as-a-service platforms built on Kubernetes face the specific risk of cross-tenant access and require strict isolation through namespace separation, network policies, and sandboxing technologies like Kata Containers or gVisor.
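The three points above map onto settings in a pod spec, so here is an added example (not code from the original article) that audits pod specs for them: an auto-mounted service account token (lateral movement after RCE), host namespaces, hostPath volumes and privileged containers (escape to the host), unpinned images (untrusted image supply), and the absence of a sandboxed RuntimeClass (cross-tenant isolation). The specs are embedded as plain dicts, the shape `kubectl get pod -o json` returns, so the script runs offline; the pod names, namespaces, registry and the RuntimeClass names in SANDBOX_RUNTIME_CLASSES are assumptions for the demo.

```python
"""Audit pod specs for the data-plane weaknesses discussed above.

Added example; not code from the original article. Names, namespaces and
RuntimeClass names are assumptions for the demo.
"""

# RuntimeClass names are cluster-specific; these are assumed for the demo.
SANDBOX_RUNTIME_CLASSES = {"gvisor", "kata", "kata-qemu"}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def audit_pod(pod):
    """Return a list of (severity, message) tuples for one pod spec."""
    findings = []
    spec = pod.get("spec", {})
    meta = pod.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"

    # RCE in the pod -> lateral movement: an auto-mounted token lets the
    # attacker call the API server with the pod's service account.
    if spec.get("automountServiceAccountToken", True):
        sa = spec.get("serviceAccountName", "default")
        findings.append(("medium", f"{name}: SA token auto-mounted (acts as '{sa}')"))

    # Container escape to the host: shared host namespaces, hostPath, privilege.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(("high", f"{name}: {key}=true shares a host namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path", "?")
            findings.append(("high", f"{name}: hostPath volume mounts {path}"))
    for c in spec.get("containers", []):
        cname = f"{name}/{c.get('name', '?')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("critical", f"{cname}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("low", f"{cname}: allowPrivilegeEscalation not disabled"))
        if not sc.get("runAsNonRoot"):
            findings.append(("medium", f"{cname}: may run as root"))
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(("low", f"{cname}: does not drop all capabilities"))
        # Untrusted image: a mutable tag can be swapped for a poisoned build.
        # Digest pinning is necessary but not sufficient; signature
        # verification belongs in an admission controller.
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(("medium", f"{cname}: image '{image}' not pinned by digest"))

    # Multi-tenant execution should not share the host kernel directly.
    if spec.get("runtimeClassName") not in SANDBOX_RUNTIME_CLASSES:
        findings.append(("info", f"{name}: no sandboxed RuntimeClass (gVisor/Kata)"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the pod is clean."""
    if not findings:
        return None
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index)


# Constructed specs: the weak pod and its hardened counterpart.
WEAK_POD = {
    "metadata": {"name": "runner", "namespace": "tenant-a"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "job",
            "image": "registry.example.com/runner:latest",
            "securityContext": {"privileged": True},
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}

HARDENED_POD = {
    "metadata": {"name": "runner", "namespace": "tenant-a"},
    "spec": {
        "automountServiceAccountToken": False,
        "runtimeClassName": "gvisor",
        "containers": [{
            "name": "job",
            "image": "registry.example.com/runner@sha256:" + "0" * 64,
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, worst_severity(audit_pod(pod)))
        for sev, msg in audit_pod(pod):
            print(f"  [{sev}] {msg}")
```

The hardened spec passes cleanly; note that it still says nothing about the network, so a default-deny NetworkPolicy per tenant namespace is a separate control that this pod-level audit cannot see.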
SOC Implementation Guide: Choosing Between In-House, Hybrid, and Outsourced Models
- A SOC serves as a centralized security hub providing comprehensive services including continuous monitoring, incident response, threat hunting, and compliance management across an organization's infrastructure.
- Decision factors should include a thorough evaluation of operational costs (infrastructure, staffing, training), scalability requirements, and response time capabilities for each model - with in-house requiring the highest investment but offering maximum control.
- Organizations must assess their compliance requirements and internal security maturity, considering factors like available security talent, industry regulations, and long-term business objectives before selecting between the three models.
CAREER DEVELOPMENT
Cybersecurity Consulting Interview Tips: Focus on Problem-Solving and Soft Skills
- Interviewers prioritize consulting skills such as report writing, client communication, and project management; these can make up around 60% of the job, even for intern positions, and weigh more than technical expertise.
- Candidates should demonstrate strong research aptitude and a clear problem-solving methodology, being transparent about knowledge gaps while explaining how they would find solutions using resources like vendor documentation and trusted online sources.
- Hiring managers assess personality fit through behavioral questions, looking for structured thinking, learning agility, and professional communication skills that indicate potential for client-facing consulting work.
Career Growth in Cybersecurity: Specialist vs Generalist Path Analysis
- Being a specialist provides higher immediate value and compensation potential, but carries increased risk during technology shifts or organizational changes, potentially limiting long-term career mobility.
- Generalists have greater adaptability and are well-positioned for leadership roles, but may face a lower technical career ceiling without transitioning to management positions. Success heavily depends on developing strong soft skills.
- Career path choice should align with long-term goals - specialists excel in technical roles (Senior Engineers, Architects), while generalists are better suited for broader program management positions (Security Directors, CISO) where comprehensive security knowledge is vital.
Software Engineer Shares Journey and Tips for Transitioning to Offensive Security
- Andrzej Olchawa, a software engineer with 15 years of experience, shares his personal journey transitioning from software engineering to offensive security.
- Olchawa emphasizes the importance of setting clear goals, managing expectations, and putting in significant effort when making a career transition, especially when moving into a different field like infosec.
- To narrow down specific roles to focus on within offensive security, Olchawa suggests listing areas of interest and ranking them based on existing skills and the effort required to excel, considering one's strengths and weaknesses in areas like pentesting, exploit development, reverse engineering, and application security.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
AI & SECURITY
OWASP Updates Top 10 LLM Security Risks with Data Exposure and Supply Chain Concerns
- Sensitive information disclosure rises to second place (from sixth) in OWASP's 2025 Top 10 LLM risks, highlighting increased concern about AI systems exposing PII and intellectual property during interactions.
- Supply chain vulnerabilities climb to third place as organizations face real-world incidents of poisoned foundation models and compromised datasets, moving beyond the theoretical risks identified in the previous version.
- New risks added include vector/embedding weaknesses and system prompt leakage, reflecting the growing adoption of RAG (Retrieval-Augmented Generation) architectures in enterprise AI deployments and recent security incidents exposing sensitive prompt information.
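The vector/embedding entry is mostly about authorization, not about the model: once several tenants' documents share one index, a retriever that ranks purely by similarity will hand the LLM whatever is closest to the query, whoever owns it. The added example below (not code from OWASP or from the original article) shows the weak unscoped search beside a hardened version that applies the tenant filter before ranking. The embedding is a toy bag-of-words vector so the file runs with no ML dependency, and the documents, tenant names and query are constructed for the demo; a real deployment would use the same pattern with a model embedding and a metadata filter in the vector database.

```python
"""Tenant-scoped retrieval for a RAG pipeline.

Added example for OWASP's 'vector and embedding weaknesses' entry; not
code from OWASP or the original article. Toy embedding, constructed data.
"""
import math
import re
from collections import Counter


def embed(text):
    """Toy embedding: token counts. A real model returns a dense vector,
    but the access-control problem below is identical."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors."""
    dot = sum(a[t] * b[t] for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class VectorStore:
    def __init__(self):
        self._rows = []  # (tenant, text, vector)

    def add(self, tenant, text):
        self._rows.append((tenant, text, embed(text)))

    def search_unscoped(self, query, k=3):
        """Weak pattern: rank every chunk by similarity and hand the top-k
        to the LLM. Anything another tenant stored is one good query away."""
        qv = embed(query)
        ranked = sorted(self._rows, key=lambda r: cosine(qv, r[2]), reverse=True)
        return [(t, txt) for t, txt, _ in ranked[:k]]

    def search(self, caller_tenant, query, k=3):
        """Hardened: apply the authorization filter BEFORE ranking, so the
        top-k is drawn only from chunks the caller may read. Filtering after
        ranking can return fewer than k results and is easy to get wrong."""
        qv = embed(query)
        allowed = [r for r in self._rows if r[0] == caller_tenant]
        ranked = sorted(allowed, key=lambda r: cosine(qv, r[2]), reverse=True)
        return [(t, txt) for t, txt, _ in ranked[:k]]


# Constructed corpus: two tenants sharing one index.
DOCS = [
    ("acme", "Acme holiday policy: employees get 20 days of paid leave"),
    ("acme", "Acme VPN setup guide: install the client and sign in with SSO"),
    ("globex", "Globex merger term sheet: offer price 42 per share, confidential"),
    ("globex", "Globex cafeteria menu for the week"),
]


def build_demo_store():
    store = VectorStore()
    for tenant, text in DOCS:
        store.add(tenant, text)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    q = "merger offer price"
    print("unscoped:", store.search_unscoped(q, k=1))   # returns Globex's chunk
    print("scoped as acme:", store.search("acme", q, k=1))
```

The same pre-filter principle applies to the other new entry, system prompt leakage: treat the system prompt as readable by the user and keep credentials and tenant data out of it, rather than trying to stop the model from repeating it.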
AWS Releases Threat Modeling Guide for Generative AI Security Assessment
- AWS introduces a four-stage threat modeling framework focused on LLM security risks, emphasizing the importance of evaluating both traditional and AI-specific vulnerabilities in generative AI workloads.
- The framework recommends documenting system architecture through data flow diagrams, identifying threats using established frameworks like STRIDE and MITRE ATLAS, and implementing both preventative and detective controls for each identified threat.
- Key security concerns include prompt injection risks and data exposure, with AWS providing practical examples through its open-source Threat Composer tool to help organizations document and track potential security threats.
ChatGPT Container Environment Reveals File Management and Data Access Capabilities
- Researchers discovered that ChatGPT's containerized environment allows file management operations including uploading, executing, and relocating files within the sandbox, demonstrating previously undocumented system access capabilities.
- The investigation revealed the ability to extract GPT instruction sets and knowledge data, highlighting OpenAI's intentional transparency in allowing controlled access to certain system components while maintaining security boundaries.
- OpenAI considers these sandbox interactions intended features rather than vulnerabilities, drawing a clear line at actual container escape attempts while permitting exploration within the controlled environment for research and learning purposes.
MARKET UPDATES
McKinsey: AI's Impact on Cybersecurity Market Creates $2 Trillion Opportunity
- Organizations now take an average of 73 days to contain security incidents, while facing an expanded attack surface and AI-enhanced threats, including a 1,265% increase in phishing attacks since 2022.
- Market growth is driven by regulatory compliance needs and talent gaps, with cyber budgets shifting toward third-party vendors (65%) over internal labor (35%), creating significant opportunities for SecOps and cloud security providers.
- Companies are "highly willing" to invest in AI-enabled security tools, with 97% planning increased vendor spending for AI security, while zero-trust architecture shows the highest adoption potential in middle-market companies.
Wiz Acquires Dazz to Enhance Cloud-to-Code Security Remediation
- Wiz is expanding its Cloud Native Application Protection Platform (CNAPP) by integrating Dazz's remediation engine, enabling security teams to correlate data from multiple sources and manage application risks in a unified platform.
- The acquisition strengthens Wiz's Application Security Posture Management (ASPM) capabilities, with Dazz's technology allowing teams to identify and fix vulnerabilities at the source code level while maintaining cloud context in security workflows.
- The merger brings together complementary technologies focused on risk detection and resolution, aiming to bridge the gap between cloud and code while facilitating better collaboration between security and engineering teams through contextual analysis.
Palo Alto Networks Reports Strong Platform Consolidation Strategy Results in Q1 FY2025
- The company reached 1,100 platformization deals, with 70+ new additions this quarter, maintaining its trajectory toward the goal of 2,500-3,500 deals by FY2030. One-third of new deals came from the recent IBM QRadar acquisition.
- Financial performance shows momentum with 14% revenue growth to $2.14B and an 80% increase in net income to $351M. The company closed 305 transactions over $1M (up 13% YoY) and 60 deals over $5M (up 30% YoY).
- The strategy includes offering customers deferred billing options until competitor contracts expire, despite the short-term revenue impact. The CEO notes an industry trend as other vendors increasingly adopt similar platform-focused approaches.
TOOLS
Workbench
A scalable python framework for security research and development teams. Workbench focuses on simplicity, transparency, and easy on-site customization.
SOARCA
SOARCA is an open-source Security Orchestration, Automation and Response (SOAR) tool that automates threat and incident response workflows using CACAO security playbooks. It supports standardized formats and technologies, including CACAOv2 and OpenC2, and allows for extensibility and customization.
Charlotte
Charlotte is a C++ based fully undetected shellcode launcher, designed to bypass traditional security measures and execute shellcode discreetly.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz