Brief #96: Apache Tomcat RCE Exploit, Google's $32B Wiz Acquisition, Copilot and Cursor Coding Backdoors

Nikoloz Kokhreidze


From software engineer to a security role at Microsoft. Machine identities pose 7.5x higher risk than human users. AWS enhances VPC endpoint visibility.

cybersecurity leadership newsletter mandos, week 12 of 2025

Happy Sunday!

Hope you're enjoying a bit of downtime this weekend. While you were busy wrapping up another week, the security landscape kept evolving with some developments worth noting:

  • Apache Tomcat is facing active exploitation of a critical RCE vulnerability just 30 hours after disclosure - a reminder of how quickly threat actors move these days
  • Machine identities in cloud environments are presenting 7.5x higher risk than human identities, with organizations managing an average of 41,605 service accounts
  • Google is making waves with its record $32 billion acquisition of Wiz, marking the largest cybersecurity deal ever and signaling major shifts in the cloud security market

There's plenty more to unpack this week, including interesting resume insights and new tools to have on your radar.

Let's dive in!

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

INDUSTRY NEWS

Apache Tomcat RCE Vulnerability Actively Exploited Within 30 Hours

  • A critical RCE vulnerability (CVE-2025-24813) in Apache Tomcat versions 9.x, 10.1.x, and 11.x is being actively exploited after a proof-of-concept was released just 30 hours after disclosure.

  • The exploit targets Tomcat's file-based session persistence mechanism, allowing attackers to upload malicious serialized Java payloads via PUT requests that execute during deserialization without requiring authentication.

  • Patches are available in Tomcat versions 9.0.99, 10.1.35, and 11.0.3, but security researchers warn attackers will likely expand tactics beyond session storage to upload JSP files, modify configurations, and plant backdoors.

ABYSSWORKER Driver Used in MEDUSA Ransomware Attacks to Disable Security Tools

  • The malicious driver, signed with revoked Chinese certificates, is deployed alongside MEDUSA ransomware to target and disable endpoint detection and response (EDR) systems.

  • ABYSSWORKER uses multiple techniques including process protection, callback removal, and driver function replacement to blind security tools and prevent detection.

  • The driver requires a specific password (7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X) to enable its functionality and contains numerous IOCTLs for file manipulation, process termination, and security tool evasion.

Black Basta ransomware group linked to Russian authorities through leaked chat logs

  • Leaked messages reveal Black Basta's alleged leader Oleg Nefedov (aka GG) claimed to receive help from Russian officials after his arrest in Armenia, using a "green corridor" to escape detention within three days.

  • The group operates from two Moscow offices, uses ChatGPT for various malicious activities, and has developed a post-exploitation C2 framework called Breaker alongside a PHP-based brute-forcing tool named BRUTED for targeting corporate firewalls and VPN solutions.

  • Technical analysis shows Black Basta is developing new ransomware derived from Conti's source code, suggesting a possible rebranding effort, while maintaining connections with other ransomware operations including Rhysida and CACTUS.

LEADERSHIP INSIGHTS

AWS Releases CloudTrail Network Activity Events for VPC Endpoints

  • CloudTrail network activity events provide visibility into API calls passing through VPC Endpoints, helping troubleshoot endpoint policies and detect potential exfiltration attempts.

  • Currently supports five AWS services (CloudTrail, EC2, KMS, S3, and Secrets Manager) with the same pricing structure as Data Events ($0.10 per 100,000 events).

  • At minimum, organizations should enable logging for VpceAccessDenied events, which offers critical visibility into denied requests without significant cost implications.

Cloudflare Enhances DLP Solution with AI-Powered Context Analysis to Reduce False Positives

  • Cloudflare's new algorithm uses AI to analyze context around potential data leaks, adapting to an organization's unique traffic patterns and learning from administrator feedback to reduce false positives.

  • The system leverages Workers AI for text embeddings and Vectorize for similarity searches, comparing new potential matches against previously reported true and false positives to improve detection accuracy.

  • Currently in closed beta with approximately 400ms added latency for matching requests, the feature will expand beyond HTTP traffic to include CASB and Email Security by the end of 2025.

Machine Identities Pose 7.5x Higher Risk Than Human Identities in Cloud Environments

  • Organizations manage an average of 41,605 service accounts compared to just 915 human users, with machine identities being exponentially more numerous and difficult to secure.

  • Real-time threat detection and response is now achievable within the "555 Benchmark" (5 seconds to detect, 5 minutes to investigate, 5 minutes to respond), with organizations initiating response actions in under 4 minutes on average.

  • The adoption of automated security responses has nearly tripled over the past year, with more organizations implementing preventive actions like container kill, stop, or pause functions when drift is detected.


CAREER DEVELOPMENT

Software Engineer Transitions to Cybersecurity Role at Microsoft Through Data Security Experience

  • Ankit Masrani, a 36-year-old software engineer, successfully pivoted to cybersecurity at Microsoft after 6.5 years at AWS, where he gained experience with customer-managed key encryption and data security practices.

  • Now a principal software engineer on Microsoft's Security Platform, Masrani develops sovereignty controls ensuring sensitive customer information remains within geographic boundaries, applying his background in IT, computer science, and data experience.

  • For others looking to make similar transitions, Masrani recommends developing skills in big data technologies, cloud services, and security fundamentals including data governance, regional regulations like GDPR, and best practices for handling sensitive information.

Cybersecurity Leadership Evolving Beyond Technical Expertise to Include Business Strategy

  • Today's cybersecurity leaders increasingly come from finance, law, and corporate strategy backgrounds, bringing risk-management perspectives that complement traditional technical approaches.

  • The evolving threat landscape requires security executives who can navigate regulatory compliance, financial risk management, and operational resilience while communicating effectively with boards.

  • Cybersecurity must be approached as an enterprisewide risk rather than just a technical challenge or compliance checkbox to drive long-term organizational resilience.

CIRT Manager Working Excessive Hours with Inadequate Compensation

  • Overworked manager handling international support alone for 4 months, working split shifts (8am-4pm and 8:30pm-11pm) while team members resist late meetings.

  • Manager feels adequately compensated (mid $100-200K range) but acknowledges competitors offer $20-50K more plus bonuses for similar positions.

  • Current workload includes multiple security functions (threat hunting, logging, forensics, pen testing) with nightly logging fixes that often fail by morning, suggesting unsustainable work patterns.

AI & SECURITY

AI Workloads Grow 500% While Reducing Public Exposure by 38%

  • Organizations are increasingly adopting AI technologies, with workloads using AI/ML packages growing by 500% over the past year.

  • Despite this massive growth, public exposure of AI workloads decreased by 38%, indicating that organizations are prioritizing security in their AI implementations.

  • The adoption of GenAI security tools is accelerating, with 45% of Sysdig customers enabling their AI security analyst within four months of its release, primarily used by SecOps teams for alert triage and investigation.

HiddenLayer Reports Rising AI Security Threats and Governance Challenges

  • 74% of IT leaders confirmed AI breaches in 2024 (up from 67% last year), with 87% able to identify the source, while 45% of companies have concealed AI security incidents due to potential public backlash.

  • Organizations face significant governance challenges with 72% acknowledging shadow AI issues (up from 61%), while only 32% deploy technology solutions to address AI threats and just 16% secure models with red teaming.

  • Despite concerns, positive trends include 96% of companies implementing formal AI security frameworks, 81% establishing AI governance committees, and 95% increasing their budgets for AI security in 2025.

GitHub Copilot and Cursor Vulnerable to "Rules File Backdoor" Attack

  • Pillar Security researchers discovered a new supply chain attack vector that allows hackers to inject malicious instructions into configuration files used by AI coding assistants, manipulating them to generate compromised code.

  • The attack exploits hidden Unicode characters in rule files that remain invisible during code reviews, effectively weaponizing the AI assistant itself as an attack vector that can silently propagate through projects.

  • With 97% of enterprise developers using AI coding tools, this vulnerability creates significant risk, as neither GitHub nor Cursor considers this their responsibility, leaving organizations to implement their own mitigation strategies like rule file validation.
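
Rule file validation of the kind mentioned above can start with a scan for invisible characters. The following is an added example, not code from this brief, Pillar Security, GitHub or Cursor; the character classes it flags (Unicode format characters, bidirectional controls, the Tags block) go beyond what the brief specifies and are an assumption, and all function names and the sample text are constructed.

```python
import sys
import unicodedata
from pathlib import Path

# Bidirectional controls (marks, embeddings, overrides, isolates) that change display order.
BIDI_CONTROLS = {0x061C, 0x200E, 0x200F, *range(0x202A, 0x202F), *range(0x2066, 0x206A)}

def classify(ch):
    """Return why a character is suspicious in a rules file, or None if it is ordinary."""
    cp = ord(ch)
    if 0xE0000 <= cp <= 0xE007F:
        return "unicode-tag"      # Tags block: renders as nothing, mirrors ASCII
    if cp in BIDI_CONTROLS:
        return "bidi-control"
    cat = unicodedata.category(ch)
    if cat == "Cf":
        return "format-char"      # zero-width space/joiner, word joiner, BOM, soft hyphen
    if cat == "Cc" and ch not in "\t\r":
        return "control-char"
    return None

def scan_rules_text(text):
    """Return findings as (line, column, codepoint, reason) tuples, 1-based."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            reason = classify(ch)
            if reason:
                findings.append((line_no, col, f"U+{ord(ch):04X}", reason))
    return findings

def reveal_tag_text(text):
    """Map Tags-block characters back to the ASCII they mirror, so a reviewer can read them."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)

# Constructed sample rules file: zero-width space, right-to-left override, two tag characters.
SAMPLE = (
    "Always use parameterized queries.\n"
    "Prefer\u200b standard libraries.\n"
    "Follow the style guide.\u202e\n"
    "Write tests." + "".join(chr(0xE0000 + ord(c)) for c in "hi") + "\n"
)

if __name__ == "__main__":
    # Usage: python scan_rules.py <rule-file>...; with no arguments the sample is scanned.
    inputs = {p: Path(p).read_text(encoding="utf-8") for p in sys.argv[1:]} or {"<sample>": SAMPLE}
    findings = [(name, *f) for name, text in inputs.items() for f in scan_rules_text(text)]
    for name, line, col, cp, reason in findings:
        print(f"{name}:{line}:{col}: {cp} {reason}")
    sys.exit(1 if findings else 0)  # non-zero exit fails a CI or pre-commit check
```

Some of these characters occur in legitimate text (emoji joiners, right-to-left languages), so findings in a rules file are items for human review rather than proof of tampering.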

MARKET UPDATES

Google to Acquire Cybersecurity Firm Wiz for $32 Billion in Record Deal

  • Google has agreed to purchase cloud security startup Wiz for $32 billion in an all-cash transaction, marking the largest acquisition in Google's 26-year history and the biggest-ever cybersecurity deal.

  • The acquisition aims to strengthen the Google Cloud division, which has seen significant growth with revenue jumping 64% to $43.2 billion last year, as the company competes with Microsoft and Amazon in the AI-driven cloud computing market.

  • The deal faces potential regulatory scrutiny amid Google's ongoing antitrust battles, including a recent ruling that its search engine is an illegal monopoly, with both companies expecting the acquisition to close in 2026.

Orion Security Raises $6M to Combat Data Exfiltration with Context-Aware AI

  • Orion Security's platform creates a comprehensive map of organizational data flows, using AI to distinguish between legitimate business activities and potential risks, addressing the growing threat of data exfiltration.

  • The startup's approach moves beyond traditional manual policies and rigid rules-based systems, using proprietary reasoning algorithms and LLM-powered classification to understand the context of data movement.

  • Data exfiltration has become increasingly costly (averaging $5 million per breach) and sophisticated, with threats ranging from North Korean hackers posing as contractors to accidental leaks through generative AI tools.

VulnCheck secures $12M Series A funding to enhance exploit intelligence platform

  • VulnCheck raised $12 million in Series A funding led by Ten Eleven Ventures, bringing total funding to nearly $20 million for international expansion and platform enhancement after achieving 3x year-over-year ARR growth.

  • The company's 2024 Trends in Exploitation Report revealed 768 vulnerabilities were publicly reported as exploited in the wild, a 20% increase over 2023, with 23.6% of known exploited vulnerabilities being exploited on or before CVE disclosure.

  • VulnCheck's platform collects data from nearly 500 channels and over 400 million records across all CVEs, refreshing every eight hours to help security teams prioritize and remediate critical vulnerabilities before attackers strike.

TOOLS

Upstream Security

The Upstream Security Platform is a cloud-based solution for monitoring and securing connected vehicles and mobility IoT devices, offering features such as cybersecurity detection, API protection, and fraud detection.

TrojAI

TrojAI is an AI security platform that detects vulnerabilities in AI models and defends against attacks on AI applications.

Cyera

Cyera is a data security platform that discovers, classifies, and secures sensitive data across various environments, offering features such as DSPM, identity data access, and data privacy compliance.


Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz
