Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- Cloudflare's major logging incident resulting in 55% data loss
- A concerning vulnerability in Claude's Computer Use feature enabling malware execution
- Practical insights on macOS lateral movement techniques
And much more.
INDUSTRY NEWS
Cloudflare Logs Service Disruption Results in 55% Data Loss During 3.5-Hour Incident
- A misconfiguration in Logfwdr service caused a cascade failure, resulting in approximately 55% of customer logs being lost during a 3.5-hour disruption on November 14, 2024, affecting the majority of Cloudflare Logs customers.
- The incident began when a blank configuration triggered a "fail open" failsafe mechanism, causing a 40x increase in buffer creation (from 1 million to 40 million buffers) that overwhelmed the Buftee storage system.
- Root cause analysis revealed that while protective mechanisms existed in the Buftee system to prevent such cascading failures, they were not properly configured, leading Cloudflare to implement new alerts and regular "overload tests" to prevent future incidents.
Gaming Engine Godot Exploited as Undetected Malware Loader Platform
- New malware loader "GodLoader" leverages Godot gaming engine to execute malicious GDScript code, remaining undetected by most antivirus solutions while infecting over 17,000 machines since June 2024.
- Distributed through the Stargazers Ghost Network via GitHub, the malware uses sophisticated anti-sandbox techniques and targets multiple platforms including Windows, Linux, and macOS by exploiting Godot's cross-platform capabilities.
- The technique poses potential risks to over 1.2 million users of Godot-developed games through possible infection scenarios involving legitimate game modifications or downloadable content.
Malicious SSH Backdoor Campaign Targets Popular npm Libraries Through Typosquatting
- Threat actor "sanchezjosephine180" published six typosquatted packages mimicking popular npm libraries (babel-cli, chokidar, streamsearch, ssh2, npm-run-all, node-pty), accumulating over 700 downloads before detection.
- The packages execute malicious code via postinstall scripts to create SSH backdoors on Linux systems, adding the attacker's public key to authorized_keys while exfiltrating the victim's username and IP address through webhook-test[.]com.
- The campaign includes a seventh dormant package targeting Python's paramiko library, suggesting potential for future malicious updates and highlighting the risks of supply chain attacks through package manager confusion and version control exploitation.
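A defensive check for the campaign described above, as an added example that is not code from this newsletter or from the original research: it flags installed packages whose names sit within a small edit distance of the six imitated libraries and notes which of them declare install-time scripts. The sample package names and script values are constructed for illustration (the names of the actual malicious packages are not given here), and findSuspects is a hypothetical helper name.

```javascript
// Added example (not from the newsletter or the original research).
// Flags installed packages whose names closely resemble the libraries the
// campaign imitated, and notes which of them run code at install time.
const TARGETS = ["babel-cli", "chokidar", "streamsearch", "ssh2", "npm-run-all", "node-pty"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance: minimum inserts, deletes and substitutions.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Separator swaps ("npm_run_all") are a common squatting trick, so ignore them.
const normalise = (name) => name.toLowerCase().replace(/[-_.]/g, "");

function findSuspects(manifests) {
  const findings = [];
  for (const m of manifests) {
    if (TARGETS.includes(m.name)) continue; // exact name: the genuine package
    const lookalike = TARGETS.find((t) => {
      const target = normalise(t);
      const limit = target.length <= 5 ? 1 : 2; // short names collide easily
      return editDistance(normalise(m.name), target) <= limit;
    });
    if (!lookalike) continue;
    const hooks = INSTALL_HOOKS.filter((h) => Boolean(m.scripts && m.scripts[h]));
    findings.push({ name: m.name, lookalike, hooks, highRisk: hooks.length > 0 });
  }
  return findings;
}

// Constructed sample manifests (name + scripts from each package.json).
const SAMPLE = [
  { name: "chokidar", scripts: {} },
  { name: "chokidarr", scripts: { postinstall: "node setup.js" } },
  { name: "ssh22", scripts: { postinstall: "node index.js" } },
  { name: "npm_run_all", scripts: {} },
  { name: "ssri", scripts: {} },
];
console.log(findSuspects(SAMPLE));
```

In practice the manifests would be read from each package.json under node_modules; a lookalike name that also declares an install hook is the combination worth reviewing first.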
LEADERSHIP INSIGHTS
macOS Lateral Movement Techniques and Real-World Attack Examples
- Attackers exploit SSH keys through theft and unauthorized access, demonstrated by malware like ZuRu and PyTorch dependency attacks that target .ssh directories for credential exfiltration and network traversal.
- Apple Remote Desktop (ARD) enables attackers to gain powerful centralized control over connected machines, offering advantages like user impersonation and GUI access through port 3283, with the ardagent process indicating successful connections.
- Remote Apple Events (RAE) can be leveraged through AppleScript to execute commands remotely over port 3031, allowing attackers to perform file operations, deploy payloads, and establish persistence through LaunchAgents on compromised systems.
AWS S3 Bucket Namesquatting Risk in Region-Based Naming Conventions
- Research reveals widespread use of predictable naming patterns in AWS service buckets, particularly those containing region identifiers, making them susceptible to namesquatting attacks in future AWS regions.
- Investigation of AWS Ground Station service found potential vulnerability in us-west-3 region bucket naming, highlighting risks when new regions are launched without pre-reserved bucket names.
- AWS has begun implementing random suffixes in newer service bucket names as a mitigation strategy, though this affects Infrastructure as Code (IaC) implementation by requiring explicit region mapping.
My LinkedIn Post About Cybersecurity Metrics Need Financial Translation for Business Impact
- Conventional security metrics like firewall blocks and IDS alerts fail to resonate with business leaders - CFOs care about financial impact, not technical statistics.
- Security leaders should partner with Finance to quantify incident costs, including downtime and response expenses - for example, if each incident costs $50K and EDR prevents 10 monthly, that's $6M annual savings.
- Focus reporting on ROI metrics that demonstrate prevented financial losses rather than threats blocked, and translate security investments into business value to gain executive buy-in.
CAREER DEVELOPMENT
Cybersecurity Career Entry: Experience and Practical Skills Outweigh Certifications
- Real-world experience is consistently valued over certifications, with many professionals and hiring managers emphasizing that hands-on technical work, even in help desk or adjacent IT roles, provides the most valuable foundation for cybersecurity careers.
- Certifications serve primarily as HR checkpoints and compliance requirements (like DoD positions), but practical demonstrations of skills through personal projects, problem-solving abilities, and unique technical initiatives carry more weight in technical interviews.
- Hiring managers prioritize candidates who show initiative through self-directed projects (like home labs, VPS setups) and demonstrate genuine interest in cybersecurity through practical application, rather than those who solely possess certifications without hands-on experience.
Cloud Security Certification Recommendations: Industry Insights and Comparisons
- CCSP emerges as the leading vendor-neutral certification, offering comprehensive cloud security knowledge though less technical than SANS courses. Many professionals recommend completing CISSP first due to content overlap.
- Cloud-specific certifications from major providers are highly valued - AWS Solutions Architect Associate leading to Security Specialty, and Azure's path from AZ-104 to AZ-500 are recommended technical paths.
- The Cloud Security Alliance's CCSK certification provides fundamental cloud security knowledge with free training materials, making it an ideal starting point before pursuing more advanced certifications like CCSP or vendor-specific credentials.
CISA Launches New Learning Management System to Replace FedVTE
- CISA Learning, now available at learning.cisa.gov, offers 850 hours of cybersecurity training content mapped to the NICE Framework, replacing the Federal Virtual Training Environment (FedVTE).
- The platform is accessible to federal employees, contractors, SLTT government staff, military personnel, veterans, and the general public through Login.gov authentication, though internal CISA users must wait for system preparation.
- Training includes certification preparation courses for CISSP, CISM, and Ethical Hacking, with content ranging from beginner to advanced levels covering topics like cloud security, malware analysis, and risk management.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
AI & SECURITY
AI in Cybersecurity: Warning Against Over-Reliance on Automation
- Recent research shows cybersecurity professionals are developing a "Great Machine" mindset, incorrectly viewing AI as a complete replacement for human expertise rather than an augmentation tool.
- This oversimplification threatens organizational security by neutralizing the traditional advantages of experienced staff and training programs, particularly when dealing with novel cyber threats.
- To address this issue, CISOs should implement diverse AI education programs, encourage role rotation, and develop penetration testing requirements that engage cross-sections of workforce skill levels to demonstrate AI's variable outcomes and limitations.
Claude Computer Use Vulnerability Enables C2 Control Through Prompt Injection
- A researcher demonstrated how Claude's new Computer Use feature can be compromised through prompt injection, allowing unauthorized download and execution of C2 malware by simply asking Claude to download and run a "support tool".
- The attack leveraged Claude's ability to use Firefox for downloads, bypassing security restrictions on direct wget commands, successfully connecting the host to a Sliver C2 server infrastructure.
- The vulnerability highlights fundamental security risks in AI systems with computer control capabilities, particularly when processing untrusted input, with potential for more sophisticated attacks including having Claude write and compile malware directly.
Enterprise Shadow AI Usage Poses Data Security Risks, 35% of Companies Report Monitoring Challenges
- Strategy Insights survey reveals over one-third of organizations struggle to monitor unsanctioned AI tools, particularly when integrated with legacy systems, based on responses from 3,320 directors across multiple regions.
- Recent incidents highlight data exposure risks, with Samsung implementing an internal GenAI ban after employees inadvertently shared sensitive code and meeting notes through ChatGPT. A separate study found 20% of UK firms experienced potential data exposure through GenAI use.
- Organizations are implementing protective measures including honey tokens for data leak tracking, with 67% emphasizing governance frameworks and 48% prioritizing employee training, especially in regulated industries like healthcare and finance.
MARKET UPDATES
Swiss AI Governance Startup Calvin Risk Raises $4M Seed Funding for Enterprise Risk Management
- ETH Zurich spin-off Calvin Risk secured funding to expand their AI governance platform, which helps enterprises assess and monitor artificial intelligence risks through automated testing and quantitative assessment, particularly crucial as the EU AI Act approaches.
- The platform provides real-time monitoring of companies' AI portfolios with pre-deployment testing capabilities, already gaining traction with major financial institutions including Aviva and Lloyds Banking Group, while earning recognition as Risk.net's Model Risk Management Product of the Year 2024.
- The company achieved a significant milestone through its partnership with Lufthansa Industry Solutions, resulting in the first GenAI model to receive TÜV Süd's "Assessment Seal Certification", demonstrating their ability to meet stringent technical and ethical standards for compliance.
N-able Expands Security Portfolio with $266M Adlumin XDR Acquisition
- N-able is acquiring cybersecurity partner Adlumin for $266M through a combination of $220M cash and stock, with potential additional earnouts of $30M based on performance milestones through 2026.
- Adlumin's cloud-native XDR platform leverages AI to detect anomalous network behavior and includes vulnerability detection capabilities, serving over 3,500 customers through their managed detection and response services.
- The acquisition aims to strengthen N-able's MSP offerings by integrating Adlumin's security solutions, with N-able projecting increased revenue growth between $111.5M and $113M despite slightly lower adjusted EBITDA.
Kong Secures $175M Series E Funding for API Management Platform at $2B Valuation
- Kong's Series E round was led by Tiger Global and Balderton, with participation from both existing and new investors, representing a 45% increase in valuation from their previous round. The funding will support their vision of becoming the universal broker of API traffic.
- The company plans to expand their product capabilities with focus on AI Gateway development, Insomnia enhancement, and open-source projects, while strengthening their global presence in new markets including Japan and India.
- Kong emphasizes the critical role of APIs in AI development, noting that each AI token generation requires multiple API calls, positioning them to build the world's first comprehensive API inventory system for unified management, security, and observability.
TOOLS
Compliance Scorecard – Governance as a Service
Compliance Scorecard is a governance as a service (GaaS) platform designed specifically for Managed Service Providers (MSPs) to help them integrate compliance into their daily operations, rather than treating it as a mere response to audits or events.
SecurityVulnerability.io
SecurityVulnerability.io is a tool that collects, enriches, and displays vulnerability information in a format that is easily accessible and understandable for both humans and computers.
Vidoc Security
VIDOC is an innovative security tool designed to enhance the security of software development pipelines. It combines the speed and efficiency of artificial intelligence with the precision and expertise of human security engineers.
Before you go
If you found this newsletter useful, I'd really appreciate it if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz