Brief #83: TP-Link Ban, LastPass Breach Impact, SOC Analyst Crisis

Happy Sunday!

I hope this Brief finds you well and ready to tackle the week ahead.

In this edition, I am covering:

• TP-Link routers under U.S. federal investigation with potential 2025 sales ban
• New findings reveal 67% of open source vulnerabilities are silently patched
• CISA's new cloud security standards that will reshape federal IT

Plus updates on major acquisitions, career insights, and practical security tools to strengthen your defense strategy.

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

Sponsored

InfoSecHired

AI-powered platform that helps cybersecurity professionals land their dream jobs with 4x higher interview success rates. InfoSecHired's smart AI agents analyze job descriptions and your resume to create tailored applications in minutes, saving you 3+ hours per application while optimizing for ATS systems.

Learn More →

INDUSTRY NEWS

US Government Investigates TP-Link Routers Over National Security Concerns

• TP-Link routers, commanding a significant market share in US homes and federal agencies including the Defense Department, are under investigation for potential national security risks, with possible sales ban in 2025.

• Chinese state-sponsored hackers have been using a botnet of compromised TP-Link routers to launch attacks against Microsoft Azure cloud services, though no evidence suggests TP-Link's direct involvement.

• The company faces multiple federal investigations, including concerns over security vulnerabilities and pricing practices, while maintaining presence in sensitive locations like US military bases through Army, Air Force, and Navy exchanges.

LastPass Data Breach Leads to $5.3M Cryptocurrency Theft in December 2024

• Blockchain investigator ZachXBT reports that threat actors exploited data from LastPass's 2022 breach to steal $5.36 million in cryptocurrency from over 40 victims across December 16-17, 2024. Stolen funds were converted to ETH and transferred through various exchanges.

• LastPass's Chief Secure Technology Officer states no conclusive evidence links the cryptocurrency thefts to the 2022 incident, though they continue investigating claims through their Threat Intelligence team.

• The 2022 breach exposed customer vault data backups stored in cloud-based storage, with LastPass warning users with weak master passwords to change stored site credentials due to potential decryption risks.

Microsoft Teams Vishing Attack Delivers DarkGate RAT Through Remote Access Tools

• Threat actors conducted a vishing attack via Microsoft Teams, following a phishing email campaign, attempting to install remote support tools to ultimately deliver the DarkGate RAT to the victim's device.

• The attackers used social engineering to convince the target to install AnyDesk, establishing a C2 connection to deploy DarkGate through an AutoIt script, enabling remote control, command execution, and system information gathering.

• The malware's capabilities include cryptocurrency mining, keylogging, privilege escalation, browser data theft, and the ability to deploy additional RATs like Remcos, demonstrating the expanding delivery methods of DarkGate beyond traditional phishing and malvertising.

LEADERSHIP INSIGHTS

API Honeypot Study Reveals Rapid Discovery and Targeting of New APIs

• First-ever API honeypot deployment across 14 global locations shows new APIs are discovered and targeted in under 2 minutes, with port 80 (19%) being most probed, followed by unexpected port 26657 for blockchain services.

• Study reveals 54.4% of total attacks specifically target APIs over web applications, with common endpoints like "/status" and "/info" being rapidly discovered. Top attack types include authentication checks (26%) and service discovery attempts (34%).

• Analysis of 337 unique API requests shows attackers frequently probe for known services like Docker, Grafana, and Prometheus, with 40% of top-50 common API requests attempting to exploit specific CVEs.

CISA Issues BOD 25-01 Mandating Secure Cloud Configuration Standards

• CISA released BOD 25-01 requiring Federal Civilian Executive Branch agencies to implement specific Secure Cloud Business Applications (SCuBA) configurations by June 20, 2025, focusing on Microsoft 365 services including Azure AD, Defender, Exchange Online, and Teams.

• The directive mandates strict security controls including blocking legacy authentication, enforcing phishing-resistant MFA, implementing strict external sharing policies, and enabling comprehensive audit logging across cloud services.

• While mandatory only for federal agencies, CISA strongly recommends all organizations adopt these SCuBA baseline configurations and utilize the provided assessment tools to enhance their cloud security posture and reduce organizational risk.

My LinkedIn Post About CISO Role Challenges Sparked Discussion on Leadership Sustainability

• Current CISO responsibilities deemed unsustainable with average tenure under 2 years, facing expectations to be universal security experts while managing limited resources and authority to implement change across organizations.

• Key survival strategies include ruthless risk prioritization, delegation through strong team building, and shifting focus from complete risk elimination to effective risk management frameworks.

• Organizations need structural changes including proper budget allocation, strategic involvement of CISOs in planning, and reformed accountability models to prevent CISOs from becoming scapegoats during security incidents.

Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.

CAREER DEVELOPMENT

Real-World Cybersecurity Career Challenges: Documentation, Meetings, and Incident Response

• Most security incidents (approximately 90%) stem from internal mishaps rather than sophisticated attacks - including email disclosures, misconfigurations, lost devices, and users falling for phishing attempts.

• The role involves significant administrative overhead, with professionals spending considerable time on documentation, attending meetings, and managing routine tasks like incident reports, security assessments, and control reviews.

• Career success requires constant learning, dealing with limited budgets, and managing stress from repetitive tasks, while many incident response recommendations and root cause analyses may not lead to meaningful organizational changes.

CIO Jerry Cochran Emphasizes Empathy in Cybersecurity Leadership

• Deputy CIO Jerry Cochran of Pacific Northwest National Laboratory advocates for empathy as a crucial leadership principle, emphasizing its importance in both communication with teams and understanding adversarial perspectives.

• With over 25 years in cybersecurity experience across military, public, and private sectors, Cochran emphasizes that effective defense requires thinking like an attacker to better anticipate and prevent potential threats.

• In his role overseeing the CISO office and enterprise IT operations at the DOE-managed laboratory, Cochran promotes a balanced approach combining empathetic leadership with data-driven decision-making strategies.

SOC Analyst Role Faces Retention Crisis Due to Burnout and Limited Growth

• High volume of daily alerts and false positives creates unsustainable pressure on SOC analysts, leading to widespread burnout and high turnover rates, with constant fear of missing critical security events.

• Integration of AI solutions proposed to transform role by automating repetitive tasks, including threat intelligence enrichment, alert triage, and 24/7 monitoring, allowing analysts to focus on proactive threat hunting.

• Organizations must implement structured career development through mentorship, specialized training, and strategic involvement in decision-making to retain talent and create sustainable career paths for SOC analysts.

AI & SECURITY

AI-Assisted Pattern Analysis Reveals Document ID Vulnerability in File Upload System

• Initial investigation found suspicious 49-character document IDs that didn't match standard hash lengths, with first characters showing patterns and last digits appearing sequential for identical file uploads.

• Using Claude 3.5 to analyze 100 generated IDs revealed that first 8 characters contained hex timestamps, enabling prediction of document IDs through timestamp manipulation in a sandwich attack.

• The vulnerability allowed unauthorized access to other users' documents due to improper authorization mapping between user cookies and document IDs, demonstrating how AI can accelerate pattern recognition in security research.

Security Startups Embrace Agentic Workflows for SOC Automation and Code Analysis

• The security startup landscape has seen significant growth in agentic solutions, particularly in three key areas: incident triage automation, code vulnerability analysis, and security copilots. Companies like Dropzone.AI and CommandZero are focusing on SOC automation to reduce manual analysis workload.

• Code security solutions are emerging to address the increasing volume of machine-generated code, with companies like Pixee AI acting as automated security engineers to identify vulnerabilities and propose fixes. These solutions are expanding to include configuration and deployment script analysis.

• Major platforms like Microsoft Security Copilot and SentinelOne's Purple AI are leading the natural language security interface movement, while startups like Simbian AI are developing specialized agents for specific security tasks, focusing on ecosystem integration and workflow automation.

AI-Powered Tool Discovers 67% of Open Source Vulnerabilities Go Unreported

• Aikido Intel, powered by LLMs, has identified 511 undisclosed vulnerabilities in open-source packages since January, revealing that 67% of security patches are implemented without public disclosure, including critical severity issues.

• Most common unreported vulnerabilities include cross-site scripting (14.8%) and sensitive information exposure (12.3%), with major projects like Axios (56M weekly downloads) and Apache ECharts silently patching security issues.

• The tool analyzes package changelogs using dual LLM models with human security engineer verification, finding that disclosed vulnerabilities take an average of 27 days from patch release to CVE assignment, with some taking up to 9 months.

MARKET UPDATES

Cisco Acquires SnapAttack to Enhance Splunk Security Capabilities)

• SnapAttack's threat detection platform will be integrated into Cisco's Splunk security portfolio, combining threat intelligence, attack emulation, and behavioral analytics to identify network vulnerabilities proactively.

• The platform will enhance Splunk's SIEM capabilities by providing curated detection content discovery prioritized by threat activity and continuous validation of deployed security content.

• This marks Cisco's fourth acquisition in 2024, following their $28 billion Splunk acquisition in 2023, demonstrating continued focus on security and AI technology investments.

Bureau Raises $30M to Expand No-Code Risk Intelligence Platform

• Bureau's platform unifies compliance, fraud prevention, and credit risk management into a single solution, leveraging device intelligence and behavioral AI to surpass traditional rule-based systems.

• The Series B funding round was led by Sorenson Capital Partners, with participation from PayPal Ventures and other investors, bringing total funding to $50.7M across four rounds.

• Platform capabilities include money mule detection, account takeover prevention, and fraud ring detection, serving banking, fintech, gaming, and e-commerce sectors through a unified API approach.

Arctic Wolf Acquires BlackBerry's Cylance Endpoint Security for $160M Deal

• Arctic Wolf will integrate Cylance's AI-powered endpoint protection into their Aurora platform, aiming to reduce alert fatigue and enhance their open-XDR capabilities, with the deal including $80M cash at closing and $40M after one year, plus 5.5M Arctic Wolf shares.

• The acquisition strengthens Arctic Wolf's position in the security operations market by adding native endpoint security to their portfolio, making them the only provider supporting over 15 endpoint solutions through their open platform architecture.

• BlackBerry retains its Secure Communications portfolio (including UEM, AtHoc, and SecuSUITE) while gaining benefits as both a reseller for government customers and a stakeholder in Arctic Wolf's future growth.

TOOLS

Ploy

A platform that helps companies automate the management of their SaaS identities and applications, providing visibility, security, and compliance across the organization's SaaS ecosystem.

AttackIQ

Provides breach and attack simulation products for security control validation, offering three different products to meet the needs of organizations of various sizes and maturity levels.

SerpAPI

SerpApi is a Google Search API that allows you to scrape Google and other search engines with ease.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz