Happy Sunday and Happy Holidays!
Before diving into today's Brief, I want to express thank you all for your incredible support and engagement throughout 2024.
This year has been remarkable – Mandos community has grown more than 450%, thanks to your active participation and valuable feedback, which has helped me shape the format and enhance the value I want to deliver to you.
Your continued input remains invaluable, and I'm truly honored to serve our community of cybersecurity leaders, professionals and enthusiasts.
Thank you!
Now, let's get into this week's Brief. I hope you're energized and ready for the challenges and opportunities in the new year!
In this edition, I am covering:
- A widespread Chrome extension compromise affecting 140,000+ users through supply chain attacks
- New research on emerging threats for 2025, including AI-driven attacks and evolving ransomware tactics
- Concerning findings about security team burnout, with 25% of leaders considering leaving the field
And much more.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
InfoSecHired
Cybersecurity job market is hyper-competitive and standing out is harder than ever.
InfoSecHired's AI-powered platform helps you break through the noise with perfectly tailored resumes and applications in just 60 seconds. Built by cybersecurity hiring managers, InfoSecHired delivers 4x higher interview success rates by optimizing every application for ATS systems while highlighting your most relevant skills and experience.
INDUSTRY NEWS
Chrome Extension Supply Chain Attack Impacts Multiple Security Tools
-
Cyberhaven's Chrome extension was compromised through a phishing attack on an admin account, allowing attackers to publish a malicious version that steals session data and cookies through cyberhavenext[.]pro domain.
-
Investigation revealed four additional compromised extensions (Internxt VPN, VPNCity, Uvoice, ParrotTalks) affecting over 140,000 users combined, all containing similar malicious code for data exfiltration.
-
Affected users should upgrade to versions released after December 26, reset passwords, clear browser data, and consider complete extension removal if uncertain about security status.
Amazon Redshift Drivers Hit by Three High-Severity SQL Injection Vulnerabilities
-
Three high-severity vulnerabilities (CVE-2024-12744/45/46) discovered in Amazon Redshift drivers, each with a CVSS score of 8.0, potentially allowing privilege escalation through SQL injection attacks.
-
Affected components include the Java Database Connectivity Driver (2.1.0.31), Python Connector (2.1.4), and Open Database Connectivity Driver (v2.1.5.0). Amazon released patches on December 23rd with new versions available for all affected drivers.
-
The vulnerabilities impact Amazon Redshift's data warehousing platform, which processes up to 16 petabytes of data per cluster. Users are advised to either upgrade to the latest versions or revert to specific previous stable versions as detailed in Amazon's security bulletin.
Palo Alto Networks Firewalls Targeted Through Active DoS Vulnerability Exploitation
-
Critical CVE-2024-3393 vulnerability allows unauthenticated attackers to trigger firewall reboots by sending malicious DNS packets, with repeated attacks forcing devices into maintenance mode requiring manual recovery.
-
Vulnerability affects multiple PAN-OS versions and requires 'DNS Security' logging to be enabled. Palo Alto has released patches in versions 10.1.14-h8, 10.2.10-h12, 11.1.5, and 11.2.3, though version 11.0 remains unpatched due to EOL status.
-
Company provides temporary mitigation options including disabling DNS Security logging across affected devices, with separate procedures for unmanaged NGFWs, Panorama-managed systems, and Prisma Access deployments.
LEADERSHIP INSIGHTS
Top 10 Emerging Cybersecurity Threats Expected for 2025
-
Zero-day exploits and supply chain attacks remain critical concerns, with AI-driven tools expected to accelerate both attack and defense capabilities. Notable examples include Log4Shell and SolarWinds incidents, highlighting the cascading impact of these threats.
-
Remote work infrastructure continues to be vulnerable, with threat actors targeting VPNs and RDPs. The rise of cloud misconfigurations poses significant risks, particularly in AWS and Microsoft environments, leading to data breaches and unauthorized access.
-
Emerging threats include exploitation of AI systems, IoT vulnerabilities, and 5G network weaknesses. Ransomware continues to evolve, with some threat actors moving beyond encryption to data deletion, potentially rendering traditional backup strategies insufficient.
EU Cybersecurity State Report Highlights Key Policy and Threat Developments
-
The report marks a significant policy milestone with NIS2 implementation, alongside other initiatives like CRA, CSOA, and EUDIF, establishing comprehensive frameworks for EU-wide cybersecurity improvements.
-
Current threat landscape shows increasing incidents across EU, with ransomware and DDoS attacks being the predominant attack vectors amid volatile geopolitical conditions.
-
Report recommends strengthening technical and financial support through existing structures like NIS Cooperation Group, while emphasizing the need for enhanced supply chain security and cybersecurity skills development.
Group-IB North America Intelligence Report - American Healthcare Sector Hit by Multiple Ransomware Groups in December
-
At least 9 healthcare facilities across US and Canada were targeted by ransomware attacks, with threat actors including RansomHub, Rhysida, and Lynx groups actively compromising medical institutions.
-
Novel phishing techniques emerged using Blob URIs and IPFS (InterPlanetary File System), making attack detection and takedown more challenging as threat actors bypass traditional URL filtering and utilize decentralized hosting.
-
Significant APT activity observed with Lazarus group deploying new macOS malware "RustyAttr" using extended attributes for evasion, while MuddyWater APT targeted law enforcement near Iranian borders.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.
CAREER DEVELOPMENT
Working in Cyber Threat Intelligence (CTI)
-
Cyber Threat Intelligence (CTI) primarily involves analyzing adversary behavior and providing context about intrusion activities to help security teams prioritize defense efforts - it's "intrusion analysis on steroids"
-
CTI analysts support multiple stakeholders by collecting and analyzing intrusion data to identify trends and correlations, helping teams like SOC, Threat Hunting, and Detection Engineering focus on the most relevant threats
-
The role requires understanding of pentesting and malware analysis skills to better inform defensive strategies, but differs from pure security testing by focusing on threat actor capabilities, intent, and opportunities to cause harm
Career Paths in Hands-On Cybersecurity: From Access Management to Technical Operations
-
Entry-level Information Assurance roles can serve as stepping stones to more technical positions, with file access management providing foundational experience in implementing least privilege principles and security controls.
-
Technical career paths include SOC analyst roles, penetration testing, and DFIR work, with training resources like Hack The Box and OffSec providing practical certification paths for skill development.
-
Alternative paths include Security Administrator positions managing multiple security tools (EDR, firewalls, IAM) and specialized roles in infrastructure security, such as secure communications systems and public safety networks.
Cybersecurity Staff Burnout Study Reveals Alarming Statistics and Recovery Challenges
-
Study shows 25% of security leaders want to quit, with 45% using substances to cope with work pressure and 69% experiencing social withdrawal, indicating severe workplace stress impacts.
-
WHO defines burnout through three dimensions: energy depletion, job negativity, and reduced effectiveness, with recovery taking significantly longer than standard stress - over 1 year compared to 6-12 weeks for regular stress.
-
Security leaders recommend implementing regular one-on-ones, workload auditing, and professional psychotherapy as preventive measures, while emphasizing the importance of work-life balance and proper time off for recovery.
AI & SECURITY
Builder.ai Exposes 1.29TB Database Including PII and Business Data Through Cloud Misconfiguration
-
Exposed database contained over 3M records including PII of clients (names, emails, addresses) and sensitive project details, discovered on an unsecured cloud storage system belonging to the AI-powered development platform.
-
Despite being notified on October 28, the company took nearly a month to address the misconfiguration, citing "complexities with dependent systems" - raising concerns about incident response capabilities and potential GDPR compliance issues.
-
Exposed data included internal communications, project plans, and financial records such as invoices and payment details, potentially compromising both client and company operations of the VC-backed startup.
LLMs Used to Evade JavaScript Malware Detection Through Code Obfuscation
-
Researchers developed an adversarial algorithm that uses LLMs to rewrite malicious JavaScript code, successfully evading detection 88% of the time while maintaining original malicious functionality.
-
The technique applies iterative transformations like variable renaming and dead code insertion, producing more natural-looking obfuscation compared to traditional tools, making detection significantly harder for security vendors.
-
Researchers defended against this by using data augmentation - retraining detection models on 10,000 LLM-rewritten samples improved real-world malware detection rates by 10% and is now deployed in production.
Side-Channel Attack Extracts AI Model Details from Google Edge TPU
-
Researchers at North Carolina State University developed a novel electromagnetic side-channel attack that can extract hyperparameters from AI models running on Google Edge TPUs with 99.91% accuracy, requiring physical device access and specialized measurement hardware.
-
The attack method, dubbed "TPUXtract," sequentially extracts neural network layer information, taking approximately 3 hours per layer to process. Successfully tested on popular models like MobileNet V3, Inception V3, and ResNet-50.
-
The vulnerability primarily affects devices without memory encryption, like the Coral Dev Board, allowing attackers to potentially recreate proprietary AI models at significantly reduced costs compared to original training expenses.
MARKET UPDATES
OPSWAT Acquires Fend to Strengthen Critical Infrastructure Protection with Data Diode Technology
-
OPSWAT has acquired Fend Inc., enhancing its portfolio with hardware-based security solutions that enforce one-way data flow through optical isolation, specifically designed to protect industrial control systems from cyber threats.
-
Fend's technology serves major critical infrastructure sectors including U.S. government agencies, utilities, and oil & gas companies, with notable clients such as the U.S. Army Corps of Engineers, ExxonMobil, and Naval Facilities Engineering Systems Command.
-
The acquisition expands OPSWAT's capabilities to include unidirectional security solutions that support both legacy systems and emerging technologies like 5G, while maintaining air-gapped environments essential for critical infrastructure defense.
Cybersecurity Certification Market to Reach $8.03B by 2030, Driven by Skills Gap
-
Global cybersecurity certification market projected to grow from $3.98B to $8.03B at 12.4% CAGR, fueled by critical shortage of over 3.5 million cybersecurity professionals worldwide.
-
Market growth driven by increasing regulatory requirements including GDPR, EU Cybersecurity Act, and CMMC, alongside rising demand for specialized certifications in cloud security, AI, and blockchain.
-
Leading certification providers include SGS, Bureau Veritas, and TUV SUD, with Information Security certifications segment capturing largest market share due to compliance requirements and emerging threat landscape.
Cybersecurity Market Growth Drives Focus on Revenue Operations Excellence
-
Global cybersecurity spending projected to reach $212 billion by 2025, representing a 15% increase from 2024, creating intense competition among vendors to capture market share.
-
Leading cybersecurity companies like Fortinet are achieving remarkable forecasting accuracy (97%) by centralizing revenue operations data and implementing unified data systems for better decision-making.
-
Okta's pre-IPO transformation demonstrates how structured forecasting frameworks and cross-functional alignment in RevOps can transform chaotic sales processes into predictable revenue growth.
TOOLS
Verisys File Integirty Monitoring
A next-generation file integrity monitoring and change detection system.
Scout Insight
Provides advanced external threat intelligence to help organizations proactively identify and mitigate potential security threats.
BloodHound
A tool that uses graph theory to reveal hidden relationships and attack paths in an Active Directory environment.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz
