Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this edition, I am covering:
- Massive exposure of 336,000+ Prometheus servers through debugging endpoints
- OWASP's new framework for LLM application security risks
- Supply chain attack targeting popular AI library Ultralytics
Plus insights on cloud security careers, zero-trust developments, and new security tools to strengthen your defense strategy.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
InfoSecHired
AI-powered platform that helps cybersecurity professionals land their dream jobs with 4x higher interview success rates. InfoSecHired's smart AI agents analyze job descriptions and your resume to create tailored applications in minutes, saving you 3+ hours per application while optimizing for ATS systems.
INDUSTRY NEWS
Prometheus Servers Exposed to DoS Attacks Through Debugging Endpoints
- Over 336,000 internet-exposed Prometheus servers and exporters were discovered, many lacking proper authentication, allowing attackers to gather sensitive information including credentials and API keys.
- Exposed /debug/pprof endpoints enable potential DoS attacks by overwhelming system resources through intensive profiling operations, leading to service outages and pod crashes in Kubernetes environments.
- Researchers identified RepoJacking vulnerabilities in several Prometheus exporters, where attackers could potentially execute malicious code by taking over abandoned GitHub repository names referenced in official documentation.
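As an added illustration (not from the article, and not configuration from the Prometheus project), the mitigation a practitioner would reach for first: a web configuration file that puts TLS and basic authentication in front of every HTTP path a Prometheus server or exporter serves, /debug/pprof included, since it lives on the same listener as /metrics and the query API. Both Prometheus and exporters built on the exporter-toolkit accept this file via the `--web.config.file` flag. The file paths, the user name and the target host are assumptions; the bcrypt value is a placeholder to be replaced with a real hash.

```yaml
# web-config.yml (constructed example)
# Start the server or exporter with: --web.config.file=web-config.yml

# Serve HTTPS so the scrape credentials below never travel in clear text.
tls_server_config:
  cert_file: /etc/prometheus/tls/server.crt   # placeholder path
  key_file: /etc/prometheus/tls/server.key    # placeholder path

# Every path on the listener, /metrics, /api/v1/*, and /debug/pprof alike,
# now requires one of these users. Values are bcrypt hashes, not passwords;
# generate one with:  htpasswd -nBC 10 "" | tr -d ':\n'
basic_auth_users:
  scrape_user: "$2y$10$<bcrypt-hash-placeholder>"

---
# prometheus.yml fragment (constructed example): the server side of the same
# setup, scraping an exporter that is protected by the file above.
scrape_configs:
  - job_name: node
    scheme: https
    basic_auth:
      username: scrape_user
      password_file: /etc/prometheus/secrets/scrape_user.pw   # placeholder path
    static_configs:
      - targets: ['node1.internal:9100']   # assumed hostname
```

Authentication removes the unauthenticated pprof and metrics exposure described above; it does not replace network controls, so still bind with `--web.listen-address` to an internal interface or restrict the port with a firewall or Kubernetes NetworkPolicy. Once auth is on, repeated 401 responses in the server log for /debug/pprof are a useful signal that someone is probing the endpoint.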
SolarWinds ARM Vulnerability Enables Domain-Wide Privilege Escalation
- Pre-authentication file deletion vulnerability in SolarWinds Access Rights Manager (ARM) allows attackers to delete files with domain account privileges, affecting systems across entire Active Directory domains.
- When ARM runs with Domain Admin credentials (a common configuration), attackers can exploit this vulnerability to achieve local privilege escalation on any domain-joined Windows machine, even without ARM installed.
- The vulnerability (CVE-2024-23474) was patched in ARM version 2024.3 and involved unauthorized access through port 55555/TCP, allowing attackers to invoke dangerous file deletion methods through .NET Remoting services.
iOS TCC Bypass Vulnerability Enables Unauthorized iCloud Data Access (CVE-2024-44131)
- A critical FileProvider vulnerability allows malicious apps to bypass the iOS Transparency, Consent and Control (TCC) system, enabling unauthorized access to sensitive iCloud data including photos, contacts, and location without user notification. Apple patched this in iOS 18 and macOS 15.
- The exploit leverages a symlink manipulation technique during file operations, abusing the elevated privileges of the fileproviderd process to redirect files to attacker-controlled locations. Most concerning is access to /var/mobile/Library/Mobile Documents, which contains predictable paths to iCloud data.
- The vulnerability impacts both mobile and desktop platforms, with particular risk to WhatsApp backups and other apps using iCloud storage, as their directory structures remain constant across devices, making them easily targetable.
LEADERSHIP INSIGHTS
OWASP Releases 2025 Top 10 LLM Application Security Risks
- First comprehensive update introduces new categories including Vector Embeddings and System Prompt Leakage to address emerging threats in LLM applications.
- Expanded focus on Excessive Agency risks as LLMs gain more autonomous capabilities through plugins and agent architectures.
- Document provides detailed mitigation strategies across 10 risk categories, with emphasis on multimodal AI security and real-world attack scenarios.
ISC2 Survey Highlights Leadership Skills Gap in Cybersecurity Industry
- Survey reveals severe lack of communication and strategic skills among cybersecurity leaders, with 85% of respondents citing communication as the most crucial leadership quality, yet finding it notably deficient in current leaders.
- Only 63% of cybersecurity professionals received formal leadership training, with 81% learning primarily through observation of others, highlighting a significant gap in structured development programs.
- Industry's rapid evolution from technical roots has created an imbalance where promotion historically focused on technical expertise rather than management capabilities, leading to a deficit in business acumen among leaders.
Risk Management Frameworks Need Modernization Due to Evolving Threats
- Traditional Three Lines of Defense (3LOD) framework is criticized for being too rigid and compliance-focused, failing to address modern enterprise risk challenges and the velocity of emerging threats.
- Organizations are overly focused on compliance requirements rather than actual business risks, leading to a disconnect between risk management and security operations.
- Forrester analysts recommend a modern approach based on three pillars: dynamic risk assessment across multiple dimensions, continuous monitoring instead of point-in-time checks, and recognition that cyber risk directly impacts business risk.
Discover more industry reports, guides and cheat sheets in my free Cyber Strategy OS.
CAREER DEVELOPMENT
Incident Response Career Insights from IBM X-Force Strategic Analyst
- Dave Bales, co-lead of IBM X-Force Incident Command, emphasizes that communication skills and formal cybersecurity education were crucial to his career progression from Air Force IT specialist to threat analyst.
- Daily threat intelligence collaboration and information sharing are vital components of the role, with regular meetings focusing on emerging threats, breaches, and vulnerabilities across teams.
- The field requires continuous learning and adaptation, as cyber threats evolve constantly - Bales notes that while past incidents provide context, no two security events are identical, making adaptability essential.
Top Cybersecurity Skills Survey Reveals Cloud Security as Most In-Demand Capability
- Cloud security ranks highest in demand with 36% of hiring managers and 48% of non-hiring managers prioritizing these skills, driven by increasing cloud-based attacks targeting storage, SaaS, and infrastructure.
- Security engineering emerges as the second most sought-after skill, with organizations willing to pay average salaries of $127K due to the immediate ROI in preventing breaches and maintaining defenses.
- Despite AI/ML dominating headlines, it ranks lowest among desired skills as hiring managers focus on immediate needs, though Gartner predicts 17% of cyberattacks will involve generative AI by 2027.
Cybersecurity Hiring: Looking Beyond Traditional Resume Evaluation
- Traditional resumes can be misleading in cybersecurity hiring, as they often fail to demonstrate crucial qualities like problem-solving abilities, adaptability, and technical competence. Many strong candidates may have modest CVs while weaker ones can craft impressive-looking documents.
- Effective evaluation should focus on tangible demonstrations of skills through work samples, technical discussions, and problem-solving scenarios. Reference checks and detailed conversations about past experiences, including failures, provide more valuable insights than paper credentials.
- The most critical attributes for cybersecurity professionals - including intellectual curiosity, ethical judgment, and a continuous learning mindset - are best assessed through interactive evaluation methods rather than traditional resume screening.
AI & SECURITY
Supply Chain Attack on Ultralytics AI Library Exploits GitHub Actions for Cryptomining
- A malicious actor compromised Ultralytics versions 8.3.41 and 8.3.42 through GitHub Actions by exploiting branch names in pull requests, injecting unauthorized XMRig cryptomining code into PyPI packages.
- The attack leveraged a vulnerable "Publish Docs" workflow in the CI/CD pipeline, allowing execution of malicious code through crafted branch names. The compromise affected multiple AI packages including ComfyUI Impact Pack due to dependencies.
- Impact reaches approximately 10% of cloud environments using Ultralytics. Users of affected versions should immediately uninstall the packages, restore systems to a clean state, and monitor for cryptomining activity.
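To make the "crafted branch name" mechanism concrete, here is an added example that is not the Ultralytics workflow and not taken from the article: a generic docs-publishing workflow written with the injectable pattern, followed by the hardened form. The workflow name, the `mkdocs build` step and the job layout are assumptions; the expressions (`github.head_ref`, `pull_request_target`, `permissions`) are standard GitHub Actions features.

```yaml
# Constructed example, not the Ultralytics workflow.
# --- BEFORE: injectable pattern ---
name: Publish Docs (vulnerable pattern)
on:
  pull_request_target:          # runs in the base repo with its secrets available
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # ${{ }} is expanded by the runner *before* the shell parses the script,
      # so a branch name supplied by the PR author is pasted into the command
      # line as-is and is interpreted as shell code, not as an argument.
      - run: |
          git checkout ${{ github.head_ref }}
          mkdocs build

---
# --- AFTER: hardened ---
name: Publish Docs (hardened)
on:
  pull_request:                 # fork PRs get no repository secrets under this event
permissions:
  contents: read                # least privilege: building docs only needs read
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # pin by commit SHA, not branch name
      # Untrusted input goes through an environment variable and is quoted,
      # so the shell treats it as data regardless of its content.
      - env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Building docs for branch: $HEAD_REF"
          mkdocs build
```

The fix has three parts, each of which would have narrowed the blast radius on its own: never interpolate `github.*` values that a contributor controls (branch names, PR titles, commit messages) directly into `run:`, pass them via `env:` instead; scope `permissions:` to what the job actually needs; and reserve `pull_request_target` plus publishing credentials for steps that do not check out or execute contributor code. Pinning third-party actions to a full commit SHA rather than a tag closes the related supply-chain path.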
LLM Testing Framework for Security Code Analysis Detailed by DryRun Security
- DryRun Security developed a comprehensive testing framework to ensure their LLM-based code analyzers produce consistent and accurate security evaluations, overcoming the inherent probabilistic nature of LLMs through structured validation processes.
- The system uses a "Code Inquiry" approach where analyzers ask specific boolean questions about code changes, with test cases organized in a structured repository containing anonymized code hunks sorted into true/false validation buckets.
- The framework implements rigorous integration testing using PyTest to validate LLM responses against known outcomes, ensuring reliability across different programming languages and maintaining accuracy when system prompts or context parameters are modified.
OWASP Releases Top 10 Security Risks Framework for AI Agents
- OWASP has published a comprehensive framework identifying the top 10 vulnerabilities specific to autonomous AI systems, including critical issues like authorization hijacking, goal manipulation, and knowledge base poisoning.
- The framework provides detailed mitigation strategies for each risk category, helping organizations implement secure AI agent architectures and protect against emerging threats in AI deployments.
- Project contributors include security experts from major organizations like Cisco, Google, and Palo Alto Networks, with the framework now being maintained under OWASP standards and moved to a new repository at github.com/precize/OWASP-Agentic-AI.
MARKET UPDATES
Citrix Enhances Zero-Trust Security Through Strategic Acquisitions of deviceTRUST and Strong Network
- Citrix expands its security capabilities by acquiring deviceTRUST, enabling real-time contextual security controls for VDI and DaaS environments with continuous device attestation and dynamic access management.
- The Strong Network acquisition brings secure cloud development environments with built-in DLP features and patented data infiltration detection to protect against phishing, malware, and credential theft.
- Citrix Secure Private Access extends hybrid deployment support, providing unified zero-trust controls across on-premises and cloud environments for web, SaaS, virtual desktop, and traditional client/server applications.
CyberProof Enhances CTEM Capabilities Through Interpres Security Acquisition
- CyberProof has acquired Interpres Security to provide Continuous Threat Exposure Management (CTEM) capabilities, moving beyond traditional periodic security assessments to enable real-time threat monitoring and response.
- The integration combines Interpres' automated security control assessment technology with CyberProof's managed security services, allowing organizations to continuously evaluate their security posture against emerging threats.
- The acquisition strengthens CyberProof's service portfolio by adding Interpres' expertise in Department of Defense security practices and their Gartner-recognized capabilities in ASCA (Automated Security Control Assessment).
Astrix Security Secures $45M Series B for Non-Human Identity Protection Platform
- Company raises Series B funding to address critical security challenges around non-human identities (NHIs), including API keys, service accounts, and secrets, particularly relevant as agentic AI adoption increases in enterprises.
- Platform provides agentless discovery and remediation of over-privileged or malicious access, with research showing that 1 in 5 organizations have experienced NHI security incidents, yet only 15% feel confident in their ability to secure them.
- Company has experienced 5x growth since Series A, serving Fortune 500 customers including Figma, NetApp, and Workday, with funding to be used for expanding their infrastructure to cover both human and non-human identity security.
TOOLS
SpyShelter
A software tool that enhances visibility and control over application activities on a user's computer, helping to identify and prevent potential security threats.
MasterParser
A comprehensive Linux log analysis tool that streamlines the investigation of security incidents by extracting and organizing critical details from supported log files.
Codacy
A developer-first, API-driven platform that provides development teams with a suite of tools to improve code quality, security, and engineering performance, seamlessly integrated into their existing development workflows.
Before you go
If you found this newsletter useful, I'd really appreciate it if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz