Mandos
Brief

Brief #97: Oracle Cloud Breach Confirmed, Kubernetes 18-Minute Attack Window, AI-Generated Threat Models

Nikoloz Kokhreidze

Nikoloz Kokhreidze

9 min read

FBI alerts on malware via document converters. Research shows only 2-5% of security alerts need immediate action. Wiz launches searchable cloud vulnerability database

mandos brief newsletter for cyebrsecurity leaders and professionals

Happy Sunday!

Hope you're enjoying a bit of downtime this weekend. While you were busy wrapping up your week, I've gathered some interesting security developments that caught my attention:

  • FBI is warning about a clever malware distribution scheme using fake document converter websites that actually work (while secretly installing malware)
  • Kubernetes clusters are now being probed by attackers in as little as 18 minutes after deployment - dramatically faster than last year
  • Research shows teams with at least 30% women experience 40% fewer security incidents, yet women still make up only 24% of the global cybersecurity workforce

There's plenty more to explore below, including AI security developments, market updates, and useful tools to check out.

Let's dive in!

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
Sponsor

đź“Ł Never Chase Outdated Cyber Stats Again

While everyone quotes outdated statistics, you need fresh, validated facts for strategic decisions. CyberSecStats delivers a curated directory of nearly 6,000 verified cybersecurity statistics that search engines miss. Stop building your security leadership strategy on questionable data that's already obsolete.

Reach 1,000+ cybersecurity leaders - sponsor the next issue.

INDUSTRY NEWS

FBI Warns of Malware Distribution Through Fake Online Document Converters

  • The FBI Denver Field Office has issued a warning about cybercriminals creating websites that advertise free document converters but actually distribute malware, potentially leading to ransomware attacks.

  • While these fake tools do convert documents as advertised, they simultaneously install hidden malware that can provide remote access to infected devices or scrape sensitive information from uploaded documents.

  • Security researchers have confirmed these threats, identifying specific fake converter sites that distribute malicious executables and JavaScript files like Gootloader, which can deploy banking trojans and post-exploitation tools used in ransomware campaigns.

Oracle Cloud Data Breach Confirmed Valid by Multiple Customers

  • Multiple companies have verified the authenticity of data samples shared by threat actor 'rose87168', contradicting Oracle's denial of a breach affecting 6 million users.

  • Evidence suggests the attacker exploited a vulnerability (CVE-2021-35587) in Oracle Fusion Middleware 11g on the login.us2.oraclecloud.com server, which has since been taken offline.

  • The threat actor demonstrated server access by creating files on Oracle's infrastructure and claims the stolen data includes authentication information that could be used to decrypt SSO and LDAP passwords.

Wiz Launches Comprehensive Cloud Vulnerability Database for Security Teams

  • The new Wiz Vulnerability Database provides a searchable resource for monitoring high-profile vulnerabilities specifically in cloud environments, allowing filtering by CVE ID, technology, or component name.

  • The database categorizes vulnerabilities as "High Profile" and "Most Recent," with detailed information including severity scores, affected technologies, exploitation status, and fix availability.

  • Beyond the database, Wiz offers complementary resources including a Cloud Vulnerability DB, Cloud Threat Landscape intelligence, and the PEACH framework for modeling tenant isolation in SaaS and PaaS environments.

LEADERSHIP INSIGHTS

Kubernetes Clusters Remain Prime Targets with 18-Minute Attack Window

  • Malicious probing attempts begin in as little as 18 minutes after AKS clusters are initially staged—dramatically faster than last year's response times (28 minutes for EKS, 1 hour 15 minutes for GKE), highlighting the need for immediate protections upon cluster creation.

  • Security maturity is improving, with the proportion of vulnerabilities in exposed pods decreasing by 50% between 2023-2024, and fewer pods running with high Kubernetes privileges (down from 8% to 6%) or container escape capabilities.

  • Despite AWS introducing EKS Access Management over a year ago, 81% of clusters still exclusively use the deprecated CONFIG_MAP authentication mode, demonstrating that adoption of new security features remains extremely slow.

95% of AppSec Fixes Don't Reduce Risk

  • New research analyzing 101 million security findings reveals only 2-5% of application security alerts require immediate action.

  • Known Exploited Vulnerabilities (KEV) make up the largest portion of critical issues (1.71%), followed by secrets exposure (1.62%), highlighting where security teams should focus remediation efforts.

  • Organizations face an average of 569,354 security alerts that can be reduced to just 11,836 through context-based prioritization, demonstrating the severe impact of alert fatigue on security teams.

Google's Security Approach: Scaling Through Design, Automation, and Culture

  • Google's security strategy focuses on secure-by-design principles, embedding security directly into technical infrastructure rather than relying on growing security teams proportionally with assets and threats.

  • To eliminate toil, Google applies Site Reliability Engineering practices, leveraging automation and AI to reduce manual processes, while implementing security invariants and "security as code" approaches to maintain consistent control points.

  • Google cultivates a security culture where security is everyone's responsibility, maintaining a bottom-up engineering approach that values good ideas regardless of origin, while treating security as a first-class engineering discipline.

đź“–
Discover my collection of industry reports, guides and cheat sheets in ‣ Cyber Strategy OS.

CAREER DEVELOPMENT

Diverse Cybersecurity Teams with 30% Women Experience 40% Fewer Security Incidents

  • Organizations with at least 30% women on cybersecurity teams see significantly fewer security incidents, yet women make up only 24% of the global cybersecurity workforce, with minimal improvement over time despite industry growth.

  • Female representation in leadership remains extremely low with women accounting for less than 17% of Fortune 500 CISOs and just 3% of UK CISOs, while facing a 15% pay gap despite often having higher qualifications than male counterparts.

  • Persistent barriers for women include the "confidence gap," work-life balance challenges, and "bro culture" with 19% of women reporting gender-based incidents compared to just 1% of men in the industry.

Security Analyst Struggles with Client Communication Despite Technical Knowledge

  • Social anxiety is preventing a security analyst from effectively explaining vulnerabilities to clients and executives, despite having strong technical understanding of the issues.

  • Experts recommend focusing on business impact rather than technical details when communicating with executives - translate vulnerabilities into terms of risk, potential financial loss, and customer data exposure.

  • Practical improvement strategies include preparation before meetings, using simple language, practicing regularly, and developing confidence by remembering that executives are just people making decisions based on the information you provide.

HR Filters Blocking Qualified Cybersecurity Candidates from Reaching Hiring Managers

  • Multiple cybersecurity professionals with 10+ years of experience report their resumes are being filtered out by ATS systems before reaching hiring managers, despite being perfect matches for positions.

  • Hiring managers who discovered qualified candidates in "discard piles" expressed frustration with HR departments, with one manager stating they "wasted nearly a year" trying to fill a position while ideal candidates were being automatically rejected.

  • Job seekers report extreme competition, with one director-level candidate applying to 549 positions over a year resulting in only 7 interviews, while another experienced professional with 13+ years in cybersecurity received zero interviews from 50 applications.

AI & SECURITY

AI-Powered Threat Modeling: Researcher Generates 1000 Security Documents Using Gemini 2.0

  • A security researcher successfully created a pipeline to automatically generate threat models and security documentation at scale using Google's Gemini 2.0 Flash Thinking model.

  • The approach evolved from single complex prompts to a multi-step conversation strategy, generating four document types: threat models, security checklists, security requirements, and security test plans for various frameworks and libraries.

  • The experiment revealed that AI-generated security documentation can serve as valuable starting points, with the quality varying based on the complexity of the analyzed systems and the AI's familiarity with specific technologies.

Model Context Protocol (MCP) introduces security challenges for AI system integrations

  • The MCP standard enables AI applications to connect with various data sources and tools through a client-server architecture, creating defined boundaries where security controls can be implemented.

  • Key security concerns include unmonitored access to sensitive data, lack of built-in approval workflows, limited audit capabilities, and privilege management challenges across multiple MCP servers.

  • Implementation requires robust security measures including standardized authentication protocols, proper data encryption, comprehensive input validation, and explicit user consent mechanisms for all data access operations.

OpenAI and Supabase Used to Build Permissions-Aware RAG Chatbot with Oso Cloud

  • The article demonstrates how to create a RAG chatbot that only shares information users are authorized to see, using Oso Cloud for authorization, Supabase for vector database storage, and OpenAI for embeddings and responses.

  • The implementation includes a complete data model with teams, folders, documents, and blocks, where authorization filters ensure users only receive context from documents they have permission to access.

  • The chatbot follows a six-step process: identifying the user, converting prompts to embeddings, getting authorization filters, retrieving authorized context, generating responses, and displaying results - all demonstrated with a working CLI application.

MARKET UPDATES

Cybersecurity asset management firm Axonius raises $20m in Series B funding

  • Axonius secured $20 million in Series B funding led by OpenView, following a $13 million Series A round earlier in 2019, to expand their sales, marketing, and product development.

  • The company helps organizations track all assets on their network—including clouds, computers, and devices—enabling them to enforce security policies on both corporate and guest devices.

  • Axonius serves notable clients including The New York Times, Schneider Electric, and several Fortune 500 companies, focusing on the premise that effective security requires complete visibility of network assets.

AI Security Startup Straiker Launches with $21 Million Funding

  • Straiker introduced two AI-native modules: Ascend AI for attack simulation and Defend AI for protecting applications against security and safety threats.

  • The platform analyzes intelligence across all layers of the AI stack (user, models, applications, agents, identity, data) to provide precise assessment and runtime protection beyond prompt-level threats.

  • Already serving customers including People.ai, Coupa Software, and DirecTV, Straiker is backed by a dedicated STAR team that researches emerging AI threats and adversary techniques.

Island Technology raises $250M, reaching $4.8B valuation for Enterprise Browser

  • Island's Chromium-based browser embeds security capabilities directly without plugins, providing features like web filtering, isolation, exploit prevention, and zero-trust access while maintaining a familiar user experience.

  • The Series E funding round led by Coatue Management brings Island's total external funding to approximately $730M from investors including Sequoia Capital, Insight Partners, and Cyberstarts.

  • Since launching in 2022, Island has grown to 500 employees and secured over 450 customers across various industries, including Fortune 1000 companies, government agencies, and educational institutions.

TOOLS

EvoMaster

EvoMaster is an AI-driven tool for automatically generating system-level test cases for web and enterprise applications. It focuses on fuzzing Web APIs, including REST, GraphQL, and RPC (e.g., gRPC and Thrift).

The Hive (StrangeBee)

TheHive is a Security Case Management Platform designed for Security Operation Centers (SOCs), Computer Emergency Response Teams (CERTs), and Computer Security Incident Response Teams (CSIRTs).

Arkime

Arkime is an open-source network capture and analysis tool designed to augment existing security infrastructure. It stores and indexes network traffic in standard PCAP format, offering full network visibility to security teams.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedInBlueSky and Mastodon.

Best, 
Nikoloz

Share With Your Network

Check out these related posts

cybersecurity leadership newsletter mandos, week 12 of 2025

Brief #96: Apache Tomcat RCE Exploit, Google's $32B Wiz Acquisition, Copilot and Cursor Coding Backdoors
mandos brief cybersecurity newsletter by nikoloz kokhreidze

Brief #95: GitHub Action Backdoor, Microsoft Zero-Days, GitGuardian's Secrets Report
mandos cybersecurity leadership newsletter issue for week 10 of 2025

Brief #94: ESXi Server Attacks, Webcam-Based Ransomware, Google's AI Red Team Path