Happy Sunday!
Hope you're enjoying your weekend! While you were busy wrapping up another week, the cybersecurity world has been pretty active (as always!). I've picked some interesting stories that I think you'll want to know about.
- Chinese hackers managed to break into the U.S. Treasury using a stolen API key
- Microsoft is taking hackers to court for abusing their AI services
- A whopping 70% of CISOs are feeling the heat from personal liability risks
And there's plenty more where that came from. Grab your favorite Sunday beverage and dive in!
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
INDUSTRY NEWS
Chinese State Actors Access U.S. Treasury Systems Using Stolen BeyondTrust API Key
-
Threat actors gained unauthorized access to Treasury Department systems through a compromised API key from BeyondTrust's Remote Support service, enabling them to reset passwords and access unclassified workstations and documents.
-
The incident, discovered on December 8th, has been attributed to a Chinese state-sponsored APT group based on evidence gathered during investigations by CISA and FBI.
-
BeyondTrust identified two vulnerabilities in their products, with CVE-2024-12356 receiving a critical CVSS score of 9.8 and being actively exploited in the wild, leading to its addition to CISA's Known Exploited Vulnerabilities catalog.
Azure Airflow Kubernetes Misconfiguration Enables Cluster-Wide Admin Access
-
Discovery of three security flaws in Azure Data Factory Apache Airflow integration allows attackers to gain unauthorized access through DAG files, potentially leading to complete cluster compromise.
-
Initial access requires write permissions to storage accounts via compromised credentials, but exploiting a misconfigured service account with cluster-admin privileges enables full control of the Kubernetes environment.
-
Attackers could leverage root access to deploy malicious pods, modify cluster nodes, and manipulate Geneva service logs, potentially maintaining persistent access while avoiding detection through falsified logging.
Banshee Stealer Malware Targets macOS Users Through GitHub and Phishing Campaigns
-
New stealer-as-a-service malware sold for $3,000 on underground forums targets macOS users, stealing credentials, crypto wallets, and sensitive data while using Apple's XProtect encryption algorithm to evade detection.
-
Malware distributed through phishing sites and malicious GitHub repositories masquerading as legitimate software (Chrome, Telegram, TradingView), with simultaneous campaigns targeting Windows users with Lumma Stealer.
-
Source code leaked in November 2024 leading to shutdown of public operations, but active campaigns continue with removal of Russian language check suggesting geographical expansion of targets.
LEADERSHIP INSIGHTS
OWASP Releases First Top 10 Non-Human Identities Security Risks List
-
The inaugural list focuses on securing service accounts, API keys, and automated system identities, with improper offboarding, secret leakage, and vulnerable third-party integrations identified as the top three risks.
-
Common security challenges include excessive permissions, poor credential management, and inadequate monitoring of non-human identities (NHIs) which can lead to widespread damage if compromised.
-
The rankings were developed using recent breach data, CVE scores, and industry surveys including Datadog's State of Cloud Security and the DBIR 2024 report.
KPMG and MIT Study Reveals AI's Potential Role in Strengthening Cybersecurity Culture
-
Research involving 40 cybersecurity leaders across industries reveals that 68% of cybersecurity breaches involve non-malicious human elements, highlighting the critical importance of human risk management.
-
Study identifies key cybersecurity culture challenges including change resistance, secure technology adoption, and management of interconnected systems, suggesting AI could help address these through personalized training and real-time risk detection.
-
The CAMS Cybersecurity Culture Model emphasizes a three-tiered approach (leadership, group, individual) to building security culture, with external influences and managerial mechanisms playing crucial roles in shaping organizational behavior.
70% of CISOs Express Concern Over Personal Liability Risks in Leadership Role
-
Survey reveals 70% of CISOs have negative feelings about their role due to increasing personal liability for cybersecurity incidents, with only 10% seeing increased security budgets despite heightened board attention.
-
CISOs face a critical disconnect between accountability and authority, with many security leaders being held responsible for decisions made by committee while lacking direct control over security implementations.
-
Security experts recommend CISOs negotiate protective measures including indemnification, professional liability insurance coverage, and strong exit clauses, as talent drain becomes a growing concern in the industry.
Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.
CAREER DEVELOPMENT
SOC Analysts Share Unusual Workplace Security Incidents Including Data Misuse and False Positives
-
An air-gapped network was infected with a wormable virus, requiring complete system restoration from backup tapes. The incident revealed critical backup reliability issues, with only 80% tape readability and resulted in 2 weeks of data loss.
-
A corporate-wide alert involving 3,000 machines was triggered by Dropbox software update that mimicked APT behavior being studied in a SANS class, leading to unnecessary incident response deployment.
-
Multiple cases of insider incidents were reported where work email systems were misused for personal activities, including dating sites and sharing inappropriate content, requiring SOC teams to collaborate with HR and Legal departments for investigations.
Security Professionals Discuss Value and Challenges of Proactive Threat Hunting
-
Threat hunting focuses on proactively searching for signs of compromise using behavioral analysis tools and threat intelligence, rather than waiting for alerts from existing security controls.
-
Organizations struggle with justifying threat hunting programs due to intangible benefits, requiring security teams to demonstrate value through real-world examples and actionable findings from smaller initial exercises.
-
Security managers report mixed results, with some questioning the return on investment compared to traditional detection engineering, while others emphasize its importance as an early warning system despite well-configured security controls.
Cybersecurity Professionals Report Diverse Job Responsibilities Beyond Core Security Functions
-
Survey reveals many practitioners spend significant time on administrative tasks like software licensing, patch management, and device tracking alongside core security duties.
-
Red Team specialists report most focused security work, with 80% of time on pentesting activities and only 20% on administrative, training, and reporting tasks.
-
GRC professionals and consultants indicate heaviest non-security workload, with some spending up to 95% of time on business tasks, documentation, and stakeholder management rather than technical security work.
AI & SECURITY
Microsoft Takes Legal Action Against Foreign Hackers Exploiting AI Services
-
Foreign threat actors gained unauthorized access to generative AI services by using scraped credentials, then resold access to other malicious actors for creating harmful content.
-
Microsoft's Digital Crimes Unit discovered attackers were specifically targeting OpenAI's DALL-E and other AI tools to power sophisticated attacks against third-party organizations.
-
The company has implemented countermeasures including enhanced safeguards and credential revocation, while warning that AI-powered phishing campaigns are becoming increasingly personalized through social media scraping.
DHS Releases GenAI Deployment Playbook for Public Sector Organizations
-
DHS completed three pilot programs in 2024 focused on investigative lead enhancement, hazard mitigation planning, and immigration officer training - all designed to support rather than replace human workers.
-
The playbook outlines 7 key areas for successful GenAI implementation including mission alignment, governance, infrastructure, responsible use considerations, monitoring, talent development, and user feedback.
-
Emphasizes importance of executive sponsorship and cross-functional governance through integrated project teams comprising cybersecurity, legal, privacy and civil rights experts to oversee development and deployment.
LLM-Based Proactive Defense Architecture Proposed for Cloud Security
-
Novel defense architecture called LLM-PD introduced, integrating large language models to provide intelligent, proactive protection against advanced cloud-based threats through comprehensive data analysis and sequential reasoning.
-
System features 5 core components: data collection/reconstruction, status/risk assessment, task inference/decision-making, defense deployment/execution, and effectiveness analysis/feedback, enabling self-evolution based on experience without additional training.
-
Experimental results demonstrate superior performance compared to existing methods, with notably high success rates in defending against various attack scenarios including DDoS and MITM attacks through dynamic defense mechanism creation and deployment.
MARKET UPDATES
1Password Acquires Trelica to Enhance Shadow IT Detection and Access Management
-
1Password is acquiring U.K.-based Trelica to strengthen its Extended Access Management platform, with a focus on detecting unauthorized SaaS applications and managing access controls.
-
Trelica's technology identifies shadow IT by analyzing system logs and browser activity, detecting when employees use unauthorized services or create insecure software integrations with sensitive data repositories.
-
The acquisition will enhance 1Password's enterprise offerings, combining Trelica's SaaS management capabilities with 1Password's existing single sign-on and device security features, though financial terms remain undisclosed.
Darktrace Acquires Cado Security to Enhance Cloud Investigation Capabilities
-
Darktrace plans to acquire UK-based Cado Security, a forensics specialist offering investigation and response solutions across multi-cloud environments, with deal expected to complete in February pending regulatory approval.
-
Integration will enhance Darktrace's ActiveAI platform by combining Cado's forensic investigation technology with existing capabilities, improving data collection across cloud environments and augmenting Cyber AI Analyst functionality.
-
Acquisition follows Darktrace's recent expansion into cloud security with launches for AWS and Azure, addressing growing concerns as research shows cloud/SaaS platforms are common entry points for threat actors.
Synology Launches ActiveProtect Enterprise Backup Solution with All-in-One Architecture
-
New unified backup platform combines hardware and software into single appliance, supporting up to 150,000 workloads across multiple platforms including VMs, databases, and Microsoft 365, with built-in hypervisor for backup testing.
-
Solution features advanced security capabilities including immutable backups and air-gap protection, along with global source-side deduplication to optimize storage efficiency and reduce network load.
-
Introduces unique pricing model eliminating per-workload licensing fees, allowing organizations to manage up to three backup servers license-free with optional CMS licenses for larger deployments.
TOOLS
Kunai
Kunai is a Linux-based system monitoring tool that provides real-time monitoring and threat hunting capabilities.
getallurls (gau)
Fetches known URLs from various sources for a given domain.
Verity
Verity is a comprehensive compliance management tool that helps organizations manage their governance, risk, and compliance initiatives.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz
