Brief #89: DeepSeek AI Breach, TeamViewer Zero-Day, AWS Security Automation
Nikoloz Kokhreidze
Critical vulnerabilities in TeamViewer and Apple M-Series chips expose millions to attacks. ESXi ransomware actors evolve tactics using SSH tunneling.
Happy Sunday!
Hope you're enjoying your weekend! While you were busy wrapping up another week, the security world kept spinning with some pretty interesting developments. Here's what caught my attention:
- Apple's M-series processors have a couple of sneaky new vulnerabilities that let attackers steal data right through your browser
- An AWS engineer built something cool - an AI tool that automatically generates security guardrails for Terraform
- A quarter of CISOs are thinking about switching careers due to burnout (we need to talk about this!)
Plus plenty more stories that'll make you go "hmmm..." Grab your favorite Sunday beverage and dive in!
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
INDUSTRY NEWS
TeamViewer Patches Privilege Escalation Vulnerability in Windows Client
- High-severity vulnerability (CVE-2025-0065) with CVSS 7.8 discovered in TeamViewer's Windows applications, allowing local attackers to perform argument injection in 'TeamViewer_service.exe' for privilege escalation.
- Affects multiple versions (11.x through 15.x) of TeamViewer Full Client and Host applications. Fixed in versions 15.62, 14.7.48799, 13.2.36226, 12.0.259319, and 11.0.259318.
- No evidence of exploitation in the wild, but TeamViewer has a history of being targeted by threat actors for remote access and malware deployment.
Apple M-Series CPUs Vulnerable to New Side-Channel Attacks FLOP and SLAP
- Researchers discovered two new side-channel vulnerabilities affecting Apple M2/M3/A15/A17 processors, allowing attackers to steal sensitive data through malicious websites using JavaScript or WebAssembly without requiring malware installation.
- The attacks (FLOP and SLAP) exploit flaws in speculative execution implementations to bypass browser sandboxing and steal cross-origin data from Safari and Chrome, including email contents, calendar events, and location history.
- Apple acknowledged the vulnerabilities, which were reported in March and September 2024, but they remain unpatched; Apple claims there is no immediate risk to users. The only current mitigation is disabling JavaScript, which impacts website functionality.
ESXi Ransomware Attackers Exploit SSH Tunneling for Stealth Persistence
- Threat actors are targeting VMware ESXi infrastructure not just for ransomware deployment, but also as network pivot points using SSH tunneling techniques to avoid detection while moving laterally through networks.
- Attackers gain initial access through stolen admin credentials or by exploiting vulnerabilities, then establish persistence using native SSH functionality for remote port-forwarding to C2 servers, taking advantage of ESXi's high uptime.
- ESXi's distributed logging system complicates forensic investigation, but key detection opportunities exist in monitoring syslog files for suspicious activities like SSH service enabling, firewall rule modifications, and unusual port forwarding commands.
LEADERSHIP INSIGHTS
AWS Engineer Develops AI-Powered Security Guardrails Generator for Terraform
- Created a Python-based automation framework that uses Claude 3.5 to transform security requirements from Checkov and Prowler into comprehensive AWS service security guidelines and corresponding Terraform modules.
- The solution consists of two main components: a Requirements Generator that consolidates scanning tool outputs, and a Terraform Creator that automatically generates secure, reusable IaC modules with built-in security controls.
- Implementation focuses on reducing engineering burden through "secure-by-design" principles, enabling teams to inherit security best practices through standardized modules while maintaining flexibility for customization across different cloud providers and requirements.
Wiz CTO Shares Insights on Top Container Security Challenges in 2025 AMA
- RBAC and identity management remain critical vulnerabilities, with default Kubernetes networking allowing unrestricted Pod-to-Node communication and widespread use of embedded long-lived secrets in container images.
- Container image security coverage is a major challenge at scale, particularly in tracing vulnerabilities back to source code and ensuring proper signing and scanning policies are enforced before deployment.
- The rise of AI workloads introduces new risks around model security, with researchers uncovering patterns of lateral movement between AI infrastructure components and resource hijacking for cryptomining activities.
Software Development Environments Show Universal High-Risk Security Issues in 2025 Report
- 100% of organizations have exposed secrets in their development environments, with 36% of secrets found outside source code in tickets, logs, and artifacts. On average, 33% of repositories contain exposed secrets.
- AI security emerges as a significant concern with 46% of organizations using AI models in source code in risky ways, while misconfigurations affect 89% of organizations' pipelines.
- Security testing shows major inefficiencies with 78% of organizations having duplicate SCA scanners and 85% having least privilege violations, while compliance rates with security frameworks range from just 33% (OWASP CI/CD) to 76% (ISO).
CAREER DEVELOPMENT
CISO Burnout Drives 25% to Consider Leaving Profession, Survey Shows
- BlackFog survey reveals 1 in 4 CISOs contemplate career change due to burnout and challenging work conditions, with most working 16.5 extra hours weekly while facing 24/7 on-call responsibilities.
- Key stressors include lack of authority despite full accountability, limited C-suite visibility, and increasing cyber threats from AI-powered attacks while dealing with resource constraints.
- Industry experts recommend negotiating better employment terms including D&O liability protection, developing business communication skills, and prioritizing mental health to extend CISO careers.
Cybersecurity Career Survey Shows Strong Emphasis on Software Development Skills and Work-Life Balance
- Software engineering skills are increasingly vital for security roles, with multiple professionals noting that learning to code before transitioning to security provides significant career advantages, particularly in tech companies.
- Career longevity and advancement are hindered by excessive company loyalty, with multiple respondents reporting 7-17 year tenures ending in layoffs despite dedicated service and strong performance.
- Professionals emphasize the importance of maintaining proper work-life boundaries, noting that long on-call periods and 60-80 hour workweeks led to burnout without proportional career benefits.
Redditors Share 2024 Cybersecurity Salaries
- Entry-level positions like SOC Analysts and Security Engineer roles range from $75K-95K base salary, with internships around $47K. Most common certifications at this level include Security+ and CySA+.
- Mid-level positions with 3-5 years experience like Senior Security Engineers and Detection Engineers earn $100K-150K base salary. Common requirements include hands-on experience and certifications like CISSP.
- Senior and leadership positions like Intelligence Analysts at FAANG companies can reach $300K+ total compensation including base salary, bonuses and stock options. Career progression focuses more on networking and reputation than certifications.
AI & SECURITY
DeepSeek AI Services Expose Sensitive Data Through Unsecured ClickHouse Database
- Wiz Research discovered an unauthenticated ClickHouse database belonging to DeepSeek AI, containing over 1 million log entries including chat histories, API secrets, and backend details accessible through ports 8123 and 9000.
- The exposed database allowed full control over operations with no authentication required, potentially enabling attackers to execute arbitrary SQL queries and access sensitive information through the database's web interface.
- The breach impacted DeepSeek's oauth2callback and dev subdomains, exposing log streams dating from January 6, 2025, before being promptly secured after responsible disclosure by Wiz Research.
Google Releases Risk Assessment Framework for AI Prompt Injection Attacks
- Google has developed a new methodology to evaluate prompt injection risks in AI systems, focusing on both direct attacks and more sophisticated indirect manipulation attempts.
- The framework uses a systematic approach to assess potential attack vectors, including analyzing user input boundaries, model behavior patterns, and application-specific vulnerabilities in AI deployments.
- Research findings emphasize the importance of implementing robust input validation controls and maintaining clear documentation of model interactions to prevent unauthorized prompt manipulation across different deployment scenarios.
AI Research Shows Autonomous Offensive Security Agent Successfully Exploiting Systems
- Autonomous agent ReaperAI demonstrated the ability to identify and exploit vulnerabilities on the Hack The Box platform by leveraging GPT-4 and task-driven penetration testing frameworks.
- Research implemented novel approaches including RAG (Retrieval Augmented Generation) for enhanced memory/context and structured task trees to guide decision-making and command generation.
- While successful in controlled environments, key challenges remain around command parsing, error handling, and maintaining ethical constraints, highlighting areas needed for future enhancement.
MARKET UPDATES
Seraphic Security Raises $29M for Enterprise Browser Security Solution
- Company secured Series A funding led by GreatPoint Ventures, with participation from CrowdStrike's Falcon Fund, to expand their browser security solution that protects against zero-day exploits and HTML smuggling attacks.
- Technology implements a unique JavaScript-based browser agent using Moving Target Defense strategy, working independently of threat intelligence feeds while maintaining user experience and preventing data exfiltration.
- Solution addresses security gaps in SaaS environments by providing granular admin controls, dynamic data masking, and session watermarking, while supplementing existing security service edge deployments with zero-trust network access principles.
Tenable Acquires Vulcan Cyber for $150M to Enhance Exposure Management Platform
- Tenable will acquire Vulcan Cyber in a $147M cash and $3M stock deal, expected to close in Q1 2025, strengthening their exposure management capabilities.
- Integration will provide customers with enhanced risk consolidation across 100+ security products, along with AI-powered prioritization and automated remediation workflows.
- The acquisition follows Tenable's strategic growth pattern, coming after their $30M purchase of Eureka Security, as part of broader industry consolidation in the exposure management space.
Cybersecurity Startup Exits Now Require Double the Revenue and Triple the Funding Compared to COVID Era
- Modern cybersecurity startups need to reach $375M in annual recurring revenue before exit - nearly double the COVID-era benchmark of $194M, according to new research from Acrew Capital.
- Funding requirements have skyrocketed, with current private cybersecurity startups averaging $717M in capital raised compared to $301M during COVID era and just $6M in the Dot-Com era.
- Despite increased financial demands, the average time to exit remains stable at 11-12 years, while companies must demonstrate both strong revenue growth and innovation to attract acquisition opportunities or achieve IPO.
TOOLS
Inlyse
A cutting-edge AI-based IT security platform that identifies malware and cyber-attacks within seconds.
MindgardAI
Mindgard is a continuous automated red teaming platform that enables security teams to identify and remediate vulnerabilities in AI systems, including generative AI and large language models.
Vectra AI
Vectra AI offers an AI-driven Attack Signal Intelligence platform that uses advanced machine learning to detect and respond to cyber threats across hybrid cloud environments.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz