Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- Dark web prices for cloud credentials are dropping - what this means for security
- A major supply chain attack on the popular YOLO AI model
- Record-breaking data breach costs reaching $4.88M in 2024
And much more.
INDUSTRY NEWS
Dark Web Shows Declining Prices for Stolen Cloud Credentials, Indicating Market Shift
- IBM X-Force report reveals stolen cloud credential prices dropped 12.8% from 2022-2024, with average prices falling from $11.74 to $10.23, suggesting market normalization rather than oversaturation.
- While basic stolen credentials remain cheap, validated cloud access credentials command premium prices reaching thousands of dollars, indicating criminals are prioritizing direct system penetration.
- Report highlights increasing focus on exploiting cloud vulnerabilities, with XSS attacks emerging as the top discovered CVE, enabling session token theft and privilege escalation in cloud environments.
Russian APT BlueAlpha Exploits Cloudflare Tunnels for Malware Distribution
- BlueAlpha, an FSB-linked threat actor, is leveraging free Cloudflare Tunnels to hide its GammaDrop malware staging infrastructure, making traditional detection methods less effective.
- The group employs HTML smuggling techniques through embedded JavaScript in email attachments, using modified deobfuscation methods and the onerror HTML event to bypass security controls.
- Their malware suite consists of two main components: GammaDrop (dropper) and GammaLoad (loader), which enable data exfiltration, credential theft, and persistent network access through fast-flux DNS techniques.
Corrupted File Technique Bypasses Email Security Through Recovery Mechanisms
- Threat actors are using intentionally corrupted ZIP and Office documents that evade detection by preventing security tools from scanning the files, while still remaining openable through built-in recovery features.
- The phishing campaign, active since August 2024, delivers malicious attachments disguised as employee benefits documents, which contain QR codes leading to credential theft pages or malware downloads.
- The technique exploits recovery mechanisms in WinRAR, Word, and Outlook to ensure corrupted files can still be opened by targets, while remaining undetectable by most antivirus solutions and email security filters.
LEADERSHIP INSIGHTS
Data Breach Costs Hit Record High with 10% Increase to $4.88M in 2024
- Global average breach costs jumped to $4.88 million, driven by increased business disruption and post-breach response costs totaling $2.8 million - the highest combined amount in 6 years.
- Organizations with extensive AI automation in security prevention workflows saved an average of $2.2 million in breach costs compared to those without AI tools. Two-thirds of organizations now deploy security AI.
- Staffing shortages in security teams increased 26.2% from previous year, corresponding to $1.76 million in additional breach costs. Breaches involving shadow data (35% of cases) led to 16% higher costs.
Supply Chain Security Risks in Digital Product Procurement
- Organizations face multiple attack vectors across the supply chain, including OSS repositories, third-party components, and internal development processes, requiring comprehensive security controls at each stage.
- Technology manufacturers must implement specific mitigations including secure development practices, content scanning, digital signatures, and insider threat controls to protect against supply chain compromises.
- Pre-purchase evaluation should assess both product security and manufacturer credibility through attestations, vulnerability reporting practices, and threat modeling capabilities to ensure alignment with organizational risk tolerance.
Agentic AI Evolution Shows Shift Towards Advanced Autonomous Decision-Making Systems
- Agentic AI systems are developing into sophisticated multimodal frameworks capable of autonomous decision-making, with projected global GDP contributions of $2.6-4.4 trillion annually by 2030.
- The technology has evolved through three key phases: ML integration (2000s), multimodality introduction (2010s), and advanced autonomy (2020s), with current systems featuring both "fast thinking" and "slow reasoning" orchestration capabilities.
- Middle East adoption is accelerating, with 73% of regional CEOs believing GenAI will significantly transform their business value creation within three years, particularly in the energy sector where investments are expected to triple to $140 billion by decade's end.
CAREER DEVELOPMENT
SIEM Rule Development Time and Productivity Metrics
- Average development time ranges from 5 minutes to 6 hours per rule, with complex anomaly detections potentially taking up to a week for proper implementation and testing.
- Rule complexity varies significantly based on detection type - simple atomic rules can be created quickly, while new techniques requiring research and cross-SIEM implementation demand more time.
- Key factors affecting development speed include data normalization, existing logging infrastructure, QA processes, and whether rules are being created for new vs existing clients.
Experienced Windows Admin Seeking SOC Career Transition - Community Recommendations
- Strong foundation in Windows infrastructure should focus on practical experience over certifications - community suggests hands-on labs with Azure Sentinel and Splunk's free training resources as primary learning paths.
- Security+ certification recommended as baseline qualification, with Microsoft's SC-200 being particularly valuable for environments with heavy Microsoft stack integration.
- Practical skill development should include MITRE ATT&CK framework familiarity and hands-on experience with SIEM tools like Splunk, with TryHackMe's SOC path suggested for structured learning.
Certifications Alone Don't Guarantee Cybersecurity Expertise
- Reddit users discuss whether cybersecurity professionals with many certifications are actually less skilled in practice. Some view certifications as providing a structured learning path and a way to measure progress, while others pursued them for Master's degree credit.
- One analogy compares certifications to martial arts belts - a black belt who confidently discusses their real-world experience is more trusted than one who just boasts about their rank. Certifications and degrees demonstrate training, but experience on a resume is where practical skills shine through.
- Even those with impressive credentials like a Master's in Cybersecurity, CEH, CISM, CISSP, and HCISPP admit that certifications alone don't make them good at their jobs. Rather, they pursued them to learn standards and expectations for companies. Ultimately, real-world experience and performance matter most.
AI & SECURITY
Ultralytics AI Model Supply Chain Attack Deploys Cryptominer Through PyPI
- Popular YOLO11 AI model versions 8.3.41 and 8.3.42 were compromised through malicious code injection, affecting thousands of users through the Python Package Index (PyPI) repository.
- The malware deploys an XMRig cryptominer at '/tmp/ultralytics_runner', connecting to a mining pool and causing Google Colab users to be banned for abusive activity.
- Attack originated from two malicious Pull Requests submitted by a Hong Kong-based user, with new trojanized versions (8.345 and 8.346) continuing to appear on PyPI despite initial remediation efforts.
OpenAI ChatGPT Container Environment Reveals File System Access and GPT Instruction Extraction
- Researcher discovered ChatGPT's containerized Debian environment allows file system navigation and Python script execution within a controlled sandbox at /home/sandbox/ and /mnt/data/ directories.
- Users can upload, execute, and move files within the container, with the ability to share access to uploaded files across different ChatGPT sessions through specific prompts.
- OpenAI intentionally allows extraction of custom GPT configurations and knowledge bases as a transparency feature, though this raises concerns about potential exposure of sensitive data embedded in custom GPTs.
Agentic AI Set to Transform Cybersecurity Operations in 2025
- Agentic AI represents a shift from human-prompted AI to autonomous systems that can perform complex tasks with minimal human intervention, with Gartner predicting 1/3 of GenAI interactions will use autonomous agents by 2028.
- Major impact expected in three key areas: AppSec (addressing the 37,000+ annual CVEs), GRC (automating compliance processes), and SecOps (handling alert triage, threat hunting, and incident response through multi-agent systems).
- Security concerns include credential management for AI agents, with organizations already struggling with non-human identities outnumbering human users by 10-50x, and potential exploitation risks from malicious actors using similar autonomous capabilities.
MARKET UPDATES
Major Cybersecurity Vendors Report Growth in SIEM and Zero Trust Markets
- Palo Alto Networks leverages IBM QRadar acquisition to expand SIEM market presence, onboarding 550+ customers and building $1B+ pipeline, positioning for significant market share capture through their XSIAM platform.
- CrowdStrike maintains 97% customer retention despite July outage impact, though experiencing delayed sales cycles and $25M reduction in new ARR, with customer commitment packages helping mitigate impact.
- Zscaler positions zero trust platform as firewall replacement solution, gaining traction with 14 U.S. cabinet-level agencies and focusing on displacing traditional perimeter-based security architecture for large enterprises.
Wiz Launches Cloud-Native Security Operations Platform with Context-Driven Detection
- New Wiz Defend platform combines cloud security context with runtime data and CSP audit logs to provide comprehensive threat detection across identity, data, network, compute, and control plane layers.
- Platform demonstrated effectiveness during recent PAN-OS exploitation campaign, where 24% of enterprise environments contained vulnerable devices and 7% were exposed to unauthenticated RCE through CVE-2024-0012 and CVE-2024-9474.
- Solution offers agentless scanning capabilities, automated threat correlation, and MITRE ATT&CK mapping, enabling SecOps teams to detect and respond to cloud-native threats without traditional endpoint agent limitations.
AWS Launches Cloud Incident Response Service Starting at $7,000 Monthly
- AWS's new Security Incident Response service combines automated threat detection with 24/7 human expertise from their Customer Incident Response Team (CIRT), integrating with GuardDuty and Security Hub for comprehensive monitoring.
- The service provides a centralized console for managing security notifications and coordinating remediation efforts across teams, with pricing tiers based on customers' total AWS spending across enrolled accounts.
- Currently available in 12 global AWS regions, the platform leverages AI analysis for threat detection and offers both guided and self-service investigation options, allowing customers to work with third-party security vendors if desired.
TOOLS
DShield Raspberry Pi Sensor
The DShield Raspberry Pi Sensor is a tool that turns a Raspberry Pi into a honeypot to collect and submit security logs to the DShield project for analysis.
Securden Unified PAM
A powerful tool that enables organizations to discover, manage, and secure privileged access, helping to reduce the risks associated with privileged accounts and activities.
AWVS
A hosted web application security testing tool that enables security researchers to register, activate their accounts, and scan web applications for vulnerabilities.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz