Brief #90: Microsoft Outlook RCE, Cloud Security Certs, OpenAI EU Data Centers

Happy Sunday!

Hope you're having a relaxing weekend! While you were busy wrapping up another hectic week, the security world kept spinning with some interesting developments I thought you'd want to know about.

• Zyxel devices are facing active exploitation through a new zero-day (heads up if you're using their CPE series!)
• Hugging Face caught some sneaky malware hiding in ML models (yes, even AI platforms aren't safe)
• Some good news for job seekers - SOC roles are still a solid way to break into security

Plus updates on new tools, funding rounds, and more that caught my attention this week.

Let's dive in!

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

INDUSTRY NEWS

Zero-day Vulnerability in Zyxel CPE Devices Under Active Exploitation

• Critical command injection vulnerability (CVE-2024-40891) affecting Zyxel CPE Series devices enables unauthenticated attackers to execute arbitrary commands through telnet, with over 1,500 devices exposed online.

• The vulnerability has been incorporated into Mirai botnet variants, with researchers observing significant overlap between IPs exploiting this vulnerability and known Mirai infrastructure.

• Currently unpatched vulnerability requires immediate attention - recommended mitigations include filtering unusual telnet requests to management interfaces, restricting admin interface access to trusted IPs, and disabling unused remote management features.

Critical Microsoft Outlook RCE Vulnerability CVE-2024-21413 Under Active Exploitation

• Newly discovered RCE vulnerability in Microsoft Outlook (CVE-2024-21413) allows attackers to bypass Protected View and execute malicious code through specially crafted email links using the file:// protocol.

• The "Moniker Link" flaw affects multiple Office products and can lead to NTLM credential theft when users preview or open malicious emails, with the Preview Pane itself serving as an attack vector.

• CISA has added this to their Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by February 27, while strongly recommending private organizations to prioritize patching against ongoing attacks.

Microsoft Discovers 3,000+ Public ASP.NET Machine Keys Used in ViewState Code Injection Attacks

• Unattributed threat actor exploited publicly available ASP.NET machine key to deploy Godzilla post-exploitation framework through ViewState code injection, leading Microsoft to identify over 3,000 exposed machine keys in public repositories.

• The attack leverages ViewState's Base64-encoded data field to inject malicious code, which gets executed when processed by ASP.NET Runtime due to matching ValidationKey and DecryptionKey values.

• Microsoft recommends immediate key rotation, released detection scripts on Github, and warns that compromised servers may require complete reformatting due to potential backdoors even after key rotation.

LEADERSHIP INSIGHTS

DSPM Implementation Success Requires Focus on Three Critical KPI Categories

• Track critical issues by monitoring toxic combinations of vulnerabilities, misconfigurations, and access paths that could lead attackers to sensitive data. This helps prioritize remediation efforts on the most severe attack paths requiring immediate attention.

• Monitor data exposure through measuring the percentage of exposed critical data, which helps identify potential breach risks and enables targeted fixes. Focus on implementing proper access governance controls to ensure only authorized users can reach sensitive information.

• Maintain strong compliance posture scores against relevant industry standards (like GDPR, HIPAA) through continuous monitoring and automated assessment of regulatory requirements, helping avoid penalties while building customer trust.

Open Source Cybersecurity Products Face Three Key Monetization Paths

• Enterprises are hesitant to adopt security startups due to data sensitivity concerns, leading companies to choose between massive VC funding, server-hosted products, or the open source route.

• Companies can monetize open source security tools through three main approaches: selling centralization features, offering SaaS versions, or providing support and consultancy services.

• Real-world success stories include Workbrew's enterprise version of Homebrew, Fleet and Kolide building upon osquery, demonstrating how open source projects can evolve into commercial security products.

2024 Saw 20% Increase in Publicly Reported Vulnerability Exploits

• A total of 768 CVEs were reported as exploited in the wild in 2024, marking a 20% increase from 2023's 639 cases, with 112 unique sources providing initial evidence.

• Analysis shows that 23.6% of Known Exploited Vulnerabilities (KEVs) were exploited on or before their CVE disclosure date, slightly down from 27% in 2023, challenging the focus on zero-day threats.

• Monthly exploitation reports maintained a baseline of 30-50 vulnerabilities, with notable spikes occurring during specific industry events and following the introduction of new reporting resources.

CAREER DEVELOPMENT

Wiz Launches Cloud Security Certification Program for Industry Professionals

• Wiz introduces new certification program starting with Cloud Fundamentals exam, designed to validate expertise in Wiz Cloud technology deployment and management for customers, partners, and security professionals.

• Program addresses growing demand for cloud security expertise, citing research showing 57% of companies use multiple cloud platforms and 50% have exposed databases or storage buckets.

• Future specialized exams will build upon the Cloud Fundamentals certification, creating a comprehensive professional development path for cloud security practitioners seeking to demonstrate their expertise.

Cybersecurity Job Market Requires Experience Over Certifications, SOC Roles Serve as Entry Point

• Practical experience and infrastructure knowledge are more valuable than degrees or certifications alone, with SOC Analyst and Support roles serving as foundational stepping stones for advanced positions.

• Current market is experiencing oversaturation at entry-level, particularly for SOC analysts without infrastructure experience, while security engineering positions remain in high demand.

• Alternative pathways include starting in help desk or IT roles, leveraging internal transfers, and focusing on industries outside tech - such as retail and state finance housing authorities which are actively recruiting for junior security positions.

SOC Lead Interview Experience Highlights Toxic Hiring Practices in Cybersecurity

• Candidate with years of SOC experience was dismissed during interview primarily due to lack of knowledge in a specific tool, despite broader security expertise and transferable skills.

• Community response emphasizes this as a red flag, noting that strong SOC leaders should be evaluated on leadership capabilities and fundamental security knowledge rather than tool-specific expertise.

• Multiple security professionals shared similar experiences, suggesting some organizations use undisclosed tool requirements as a pretense for having pre-selected internal candidates or attempting to find exact replicas of departing SMEs.

AI & SECURITY

Malicious Python Code Found in ML Models on Hugging Face Platform

• ReversingLabs discovered "nullifAI" attack technique using broken Pickle files to distribute malware through ML models, bypassing Hugging Face's security scanning by exploiting file validation weaknesses.

• The malicious models contained reverse shell payloads that execute before the corrupted Pickle file fails to load, connecting to hardcoded IP addresses while evading detection from Hugging Face's Picklescan security tool.

• After responsible disclosure, Hugging Face removed the malicious models within 24 hours and updated their scanning tools, but researchers warn that Pickle's inherent security weaknesses make it fundamentally risky for collaborative platforms sharing untrusted code.

AWS Outlines Data Authorization Framework for Generative AI Applications

• Four key locations for sensitive data management in GenAI apps: LLM training, vector databases, tools, and agents - each requiring distinct authorization approaches.

• RAG implementations should enforce authorization before sending data to LLMs, with options for both application-level and metadata filtering to control access to sensitive information.

• Data governance across visibility, access control, quality and ownership is critical, with AWS services like DataZone and Lake Formation helping manage sensitive data authorization.

OpenAI Launches European Data Residency for Enterprise Services

• OpenAI introduces data residency options in Europe for ChatGPT Enterprise, ChatGPT Edu, and API Platform, allowing organizations to meet local data sovereignty requirements while maintaining zero data retention for API requests.

• The platform implements enterprise-grade security measures including AES-256 encryption for data at rest and TLS 1.2+ for data in transit, with a strict policy of not training models on customer data unless explicitly opted in.

• The service supports GDPR compliance and includes a comprehensive Data Processing Addendum, currently serving major European organizations like Booking.com, BBVA, Zalando, and Oxford University.

MARKET UPDATES

Axoflow Secures $7M Seed Funding for Security Data Management Platform

• Company founded by creator of syslog-ng launches platform to automatically discover, classify, parse, normalize, and enrich security data, promising over 50% reduction in data volume and associated costs.

• Platform focuses on improving data quality through automated data curation pipeline, eliminating need for manual coding while preventing "invisible data loss" - a critical concern for compliance in regulated industries.

• Solution targets enterprises with hybrid environments, supporting both cloud and on-premises deployments, with early adoption by large enterprise customers and demonstrations planned for RSA Conference and Gartner Risk and Security Summit.

Dune Security Raises $6M Seed Round for AI-Powered Risk Management Platform

• Company secured funding from multiple investors including Craft Ventures and Alumni Ventures to develop their adaptive security platform that quantifies and manages employee-related security risks.

• Platform uses artificial intelligence to identify high-risk users and automatically implement tailored security controls and training interventions based on individual behavior patterns.

• Solution integrates with existing security infrastructure to help enterprises address the human element of cybersecurity through behavioral analytics and dynamic risk assessment.

ThreatMate Secures $3.2M Seed Funding for AI-Powered Attack Surface Management Platform

• The Delaware-based startup's platform leverages artificial intelligence to provide enterprise-grade cyber protection specifically designed for MSPs serving small to medium-sized businesses, offering comprehensive visibility through a single dashboard.

• Platform capabilities include automated penetration testing, risk scoring, dark web monitoring, and asset discovery, with multi-tenant design enabling MSPs to monitor internal, external, and cloud environments.

• Investment led by Top Down Ventures' Founders Fund I will accelerate product development and expand go-to-market operations, with additional backing from Blu Ventures and Runtime Ventures.

TOOLS

Drata

Drata is a cloud-based platform that automates security and compliance processes, evidence collection, and audit preparation for various industry standards and regulations.

LogRhythm Axon

A cloud-native SIEM platform that provides security analytics, intuitive workflow, and simplified incident response to help security teams defend against cyber threats.

Tessian

Tessian is an AI-powered cloud email security solution that protects against advanced phishing, account compromise, data exfiltration, and helps coach users on email security.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz