Mandos
Brief

Brief #88: PayPal Security Fine, Cisco's AI-SOC, Critical Palo Alto Vulnerabilities

Nikoloz Kokhreidze

Nikoloz Kokhreidze

9 min read

Subaru's admin panel flaw enabled unauthorized vehicle control. ChatGPT crawler vulnerability enables DDoS attacks.

mandos brief newsletter for cybersecurity leaders week 4 of 2025

Happy Sunday!

Hope you're enjoying your weekend! While you were busy wrapping up another week, the cybersecurity world served up some interesting developments that I think you'll want to know about.

  • PayPal got hit with a $2M fine after credential stuffing attacks exposed customer SSNs (yikes!)
  • MIT researchers just dropped a massive AI risk database with 1000+ scenarios to keep us up at night
  • Cisco's showing us how to build smarter SOCs with their new telemetry-first approach

Plus plenty more stories.

Let's dive in!

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

INDUSTRY NEWS

PayPal Fined $2M for Cybersecurity Failures Exposing Customer SSNs in 2022

  • PayPal's inadequate cybersecurity controls led to exposure of customer PII through credential stuffing attacks, allowing criminals to access federal tax forms for tens of thousands of customers over a 7-week period.

  • The breach was discovered after a security analyst found "PP EXPLOIT TO GET SSN" message online, followed by a spike in platform access attempts. The vulnerability emerged after PayPal modified data flows to expand tax form accessibility.

  • New York DFS investigation revealed PayPal lacked qualified cybersecurity staff and proper training. The company has since implemented MFA, CAPTCHA controls, and forced password resets on affected accounts to prevent unauthorized access.

Multiple Critical Firmware Vulnerabilities Found in Palo Alto Networks Security Appliances

  • Researchers discovered BootHole vulnerability (CVE-2020-10713) affecting multiple Palo Alto NGFW models (PA-3260, PA-415, PA-1410), allowing attackers to bypass Secure Boot protections and potentially install malicious bootloaders.

  • PA-3260 model contains 6 high-severity vulnerabilities in InsydeH2O firmware, including SMM code flaws that could enable privilege escalation and security bypass, with CVSS scores of up to 8.2.

  • Newer PA-1410 and PA-415 models affected by PixieFail vulnerabilities enabling remote code execution through DHCPv6 exploitation during network boot process, with additional TPM and flash access control weaknesses discovered.

  • Security researchers discovered a vulnerability in Subaru's Starlink admin portal that allowed password resets without verification, bypassing two-factor authentication and exposing customer accounts across US, Canada, and Japan.

  • Unauthorized access to the admin panel exposed sensitive data including vehicle VIN numbers, location history, and customer PII including billing information, phone numbers, and addresses.

  • The flaw enabled complete remote control of vehicles through unauthorized user addition, allowing attackers to start, stop, lock, and unlock cars without owner notification. Subaru patched the vulnerability within 24 hours of disclosure.

LEADERSHIP INSIGHTS

Cisco Outlines AI-Native SOC Framework with Telemetry-First Approach and TaaP Integration

  • Cisco introduces Telemetry-First Design as a foundational principle for AI-Native SOCs, emphasizing comprehensive data collection and contextualization before implementing AI tools or automation.

  • New TaaP (Telemetry as a Platform) concept transforms security operations by unifying all data sources into a single platform, enabling real-time threat detection and automated response capabilities.

  • Cisco's recent Splunk integration creates a unified data fabric across networks and applications, establishing a foundation for multi-domain observability and enhanced threat detection.

Non-Human Identity Management Report Details Growing Security Risks and Market Evolution

  • Identity sprawl poses major risks with non-human identities (NHIs) now outnumbering human identities by 25-50x, leading to 80% of identity-related breaches involving compromised service accounts, API keys and machine credentials.

  • Organizations face critical challenges including plain-text credentials in code, lack of rotation, over-privileged accounts, and inadequate monitoring, with only 15% confident in their ability to secure NHIs. The rise of GenAI and cloud services is accelerating these risks.

  • The NHI security market saw explosive growth in 2024 with ~$400M in VC funding and major acquisitions like CyberArk's $1.54B purchase of Venafi, as vendors rush to address gaps in lifecycle management and real-time threat prevention capabilities.

Enterprise Survey Shows Cyber Recovery Differs Significantly from Traditional Disaster Recovery

  • Organizations report cyber recovery (CR) requires distinct approaches from disaster recovery (DR), with 68% stating it involves different processes and technologies, while 58% note it needs different skill sets.

  • Survey reveals CR is significantly more challenging, with 4.6x more respondents rating CR technologies as more complex than DR, and 3.3x more reporting difficulty in finding staff with appropriate skills.

  • While 52% of organizations include CR within their DR programs, 91% emphasize that significant time is required for forensics to determine attack scope, and 85% stress the importance of establishing clean room environments before recovery.

Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.

CAREER DEVELOPMENT

EU's DORA Implementation Strains Financial Sector's Cybersecurity Resources

  • New Digital Operational Resilience Act requires financial institutions to implement comprehensive ICT risk management frameworks, with implementation costs ranging from €5-15M for planning alone, and enforcement beginning January 2024.

  • Survey reveals 43% of UK financial firms won't achieve compliance for at least three months, citing insufficient organizational prioritization and skills shortage as main barriers, with potential fines up to 1% of worldwide daily turnover.

  • Smaller financial institutions face particular challenges in securing required expertise, leading to increased reliance on external service providers and managed services for compliance, though proportionality principle allows simplified implementation based on organization size.

Security Industry Shifts Focus: Experience and Multi-Skilled AppSec Engineers in High Demand

  • Modern AppSec roles require candidates with software development backgrounds, with most employers seeking engineers who can write code and build scalable security automations rather than just perform manual security tasks.

  • Future AppSec engineers must demonstrate expertise across four key areas: traditional security skills, development capabilities, program management, and influence skills - including the ability to communicate effectively with different stakeholders.

  • Entry-level security positions are becoming rare, as organizations prioritize candidates who can be immediately productive and bring practical engineering experience, particularly in building and managing large-scale security tooling and bug bounty programs.

Target's CSIRT Position Switches from Remote to Onsite After 7-Round Interview Process

  • Candidate went through extensive 7-round interview process over 2 months for Senior Cybersecurity Analyst (CSIRT) role, initially advertised as remote/hybrid, including technical assessments and multiple 1:1 interviews.

  • After reaching final selection stage as top 3 candidate, company introduced new requirements including a 4 AM shift option and potential additional interviews, followed by delays attributed to new VP oversight.

  • Position ultimately transitioned to mandatory onsite requirement in Minnesota, contradicting initial remote work arrangement, leading to withdrawal of candidate who was unable to relocate.

AI & SECURITY

MIT Researchers Launch Comprehensive AI Risk Repository with 1000+ Identified Risks

  • Repository categorizes AI risks across seven domains and 23 subdomains, using systematic search strategy to analyze 56 different AI risk classifications and frameworks

  • Database employs dual classification system: a Causal Taxonomy explaining how/when/why risks occur, and a Domain Taxonomy organizing risks by impact areas like misinformation and privacy

  • Research team developed searchable database with source attribution, enabling professionals to explore risks through multiple lenses including pre-deployment concerns and specific threat vectors

Google Introduces Three Key Tool Types for AI Agent Development

  • Extensions, Functions, and Data Stores are introduced as primary tool types that enable Google AI models to interact with external systems and real-world data.

  • The tools are designed to bridge the gap between foundational models and external systems through an orchestration layer that uses reasoning frameworks like ReAct and Chain-of-Thought.

  • Agent architectures combine a language model core with these tools through a cyclical process of information gathering, reasoning, and action-taking to achieve specific goals autonomously.

OpenAI's ChatGPT Crawler Vulnerability Enables DDoS Attacks Through API Endpoint

  • High severity (CVSS 8.6) vulnerability in ChatGPT's crawler allows attackers to trigger DDoS attacks on target websites by exploiting an attribution API endpoint that lacks rate limiting and duplicate request checks.

  • The vulnerability enables significant attack amplification through OpenAI's Azure infrastructure, with a single malicious request capable of spawning thousands of simultaneous crawler connections to victim websites.

  • After failed responsible disclosure attempts through multiple channels, the vulnerability was publicly revealed, leading OpenAI to disable the vulnerable /backend-api/attributions endpoint.

MARKET UPDATES

Citrix Acquires Unicon to Enhance Endpoint Security and Management for Hybrid Work

  • Citrix's acquisition of Unicon brings the eLux operating system and Scout management platform, currently deployed across 2.5 million endpoints in 65+ countries, enhancing their ability to provide secure endpoint management without additional OS licensing costs.

  • The integration enables organizations to repurpose existing hardware beyond Windows 10 end-of-support, supporting sustainability initiatives while maintaining secure access to Citrix Virtual Apps, Desktops, and Enterprise Browser.

  • This strategic move follows Citrix's recent acquisitions of deviceTRUST and Strong Network, strengthening their zero-trust security portfolio and expanding their capabilities in the finance, public sector, and healthcare industries.

Axoflow Secures $7M Seed Funding for Security Data Pipeline Management

  • Hungarian-founded startup developed a vendor-agnostic platform that automates security data curation, promising over 50% reduction in data volume and elimination of manual data wrangling.

  • Platform features automated discovery of security data sources (syslog, OpenTelemetry, Windows), with capabilities for data classification, normalization, and enrichment in both SaaS and air-gapped environments.

  • Funding led by EBRD Venture Capital will accelerate development for general availability by August 2024, with total company funding now reaching $10M.

AI Security Startup DryRun Secures $8.7M for Application Security Platform

  • DryRun's platform combines static analysis and AI to provide real-time vulnerability insights, integrating directly with GitHub for immediate security feedback during development.

  • Company launched new Natural Language Code Policies feature allowing teams to create security rules using conversational language, eliminating need for custom scripting in security policy enforcement.

  • Investment led by LiveOak Venture Partners and Work-Bench will support expansion of go-to-market operations for their Contextual Security Analysis (CSA) platform, which identifies code vulnerabilities before deployment.

TOOLS

DIANNA AI Cyber Companion

DIANNA is an AI-powered cybersecurity companion from Deep Instinct that analyzes and explains unknown threats, offering malware analysis and translating code intent into natural language.

SentinelOne Purple AI

SentinelOne Purple AI is an AI-powered security analyst solution that simplifies threat hunting and investigations, empowers analysts, accelerates security operations, and safeguards data.

Sense Defence

Sense Defence is a next-generation web security suite that leverages AI to provide real-time threat detection and blocking.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedInBlueSky and Mastodon.

Best, 
Nikoloz

Share With Your Network

Check out these related posts

Mandos Brief week 3 of 2025 - newsletter for cybersecurity professionals and leaders

Brief #87: AWS S3 Ransomware, Google's 97% Automated Threat Detection, Microsoft AI Red Team Report
mandos brief cybersecurity leadership newsletter week 2 of 2025

Brief #86: BeyondTrust API Exploit, Microsoft vs AI Hackers, OWASP Non-Human Identity Risks
mandos brief cybersecurity newsletter covering week 1 of 2025

Brief #85: Windows LDAP Exploit, Tenable Nessus Outage, Security Leadership Pay