Brief #98: PostgreSQL Cryptominer Attack, Google's Sec-Gemini Launch, Cybersecurity Job Market Shifts

Nikoloz Kokhreidze

OpenAI increases bug bounties to $100K. Dragos reports 87% surge in industrial ransomware attacks. 80 security professionals replaced by AI they trained.

Happy Sunday!

Hope you're enjoying a bit of downtime this weekend. While you were busy wrapping up your week, there have been some interesting developments in the security world I thought you'd want to know about:

  • A fileless cryptominer campaign is targeting PostgreSQL servers with weak credentials, affecting over 1,500 victims - a good reminder to check those database configurations
  • Google launched Sec-Gemini v1, their experimental AI model for cybersecurity that's outperforming competitors by at least 11% on threat intelligence benchmarks
  • The job market is shifting significantly with governance roles growing 40% while traditional technical positions continue to decline - might be time to brush up on those GRC skills

There's plenty more to unpack this week, including Deloitte's new AI governance framework and some interesting new security tools hitting the market.

Let's dive in!

Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.

Reach 1,000+ cybersecurity leaders - sponsor the next issue.

INDUSTRY NEWS

Fileless Cryptominer Campaign Targets Exposed PostgreSQL Servers, Affecting 1,500+ Victims

  • Threat actor JINX-0126 is exploiting misconfigured PostgreSQL instances with weak credentials to deploy filelessly executed XMRig-C3 cryptominers, using evasion techniques including unique hash generation per target.

  • Analysis of three different crypto wallets linked to the campaign suggests over 1,500 victims, with nearly 90% of cloud environments self-hosting PostgreSQL and one-third having at least one instance publicly exposed to the internet.

  • The attack chain includes initial access via weak credentials, followed by deploying obfuscated Golang binaries ("postmaster" and "cpu_hu") that establish persistence through cronjobs and privileged user creation before executing the cryptominer.
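The two weaknesses the summary names, a PostgreSQL instance reachable from any address with weak authentication and cron entries used for persistence, are both things a defender can check for in configuration. The script below is an added example written for this issue; it is not code from the newsletter or from the researchers who reported the campaign. It parses `pg_hba.conf` rules and rates any rule that combines an any-source address with `trust`, `password` or `md5` authentication, and it flags crontab lines that invoke the two binary names cited above. The `pg_hba.conf` and crontab contents are constructed sample input, and the severity tiers are my own choice, not a published standard.

```python
"""
Added example (not from the Mandos Brief issue or the original researchers):
audit a pg_hba.conf for rules that expose PostgreSQL to any source with weak
authentication, and audit a crontab for persistence entries that invoke the
binary names cited in the campaign summary. All input is constructed.
"""
import ipaddress
import re

# Authentication methods that either skip the credential check entirely
# (trust) or use a password mechanism weaker than scram-sha-256.
WEAK_AUTH_METHODS = {"trust", "password", "md5"}

# Binary names cited in the campaign summary. "postmaster" is also the name
# of the legitimate PostgreSQL server process, so this check is applied to
# cron entries (where the real server is not normally launched), not to the
# process list.
SUSPICIOUS_CRON_BINARIES = ("postmaster", "cpu_hu")


def parse_pg_hba(text):
    """Parse pg_hba.conf into a list of rule dicts; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            # local  DATABASE  USER  METHOD  [OPTIONS]
            if len(parts) < 4:
                continue
            rules.append({"type": "local", "database": parts[1], "user": parts[2],
                          "address": None, "method": parts[3]})
            continue
        # host*  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
        # The address may also be written as "IP NETMASK" in two tokens.
        if len(parts) < 5:
            continue
        address, method = parts[3], parts[4]
        try:
            ipaddress.ip_address(parts[4])
            if len(parts) >= 6:  # two-token form: fold netmask into CIDR notation
                address, method = f"{parts[3]}/{parts[4]}", parts[5]
        except ValueError:
            pass
        rules.append({"type": parts[0], "database": parts[1], "user": parts[2],
                      "address": address, "method": method})
    return rules


def address_is_wide_open(address):
    """True when the rule matches every source address (all, 0.0.0.0/0, ::/0)."""
    if address == "all":
        return True
    try:
        network = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # samehost, samenet, or a hostname: not a CIDR, not wide open
    return network.prefixlen == 0


def audit_pg_hba(text):
    """Return (severity, message) findings for remote rules that weaken access control."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule["type"] == "local":
            continue  # Unix-socket rules are not reachable from the network
        method = rule["method"].lower()
        label = f"{rule['type']} {rule['database']} {rule['user']} {rule['address']} {method}"
        wide = address_is_wide_open(rule["address"])
        if wide and method in WEAK_AUTH_METHODS:
            findings.append(("HIGH", f"{label}: reachable from any address with weak authentication"))
        elif wide:
            findings.append(("MEDIUM", f"{label}: reachable from any address"))
        elif method == "trust":
            findings.append(("MEDIUM", f"{label}: trust authentication skips the password check"))
        elif method in WEAK_AUTH_METHODS:
            findings.append(("LOW", f"{label}: prefer scram-sha-256 over {method}"))
    return findings


def audit_crontab(text):
    """Flag cron entries whose command invokes one of the cited binary names."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name in SUSPICIOUS_CRON_BINARIES:
            if re.search(rf"(^|[/\s]){re.escape(name)}(\s|$)", line):
                findings.append(("HIGH", f"cron entry invokes '{name}': {line}"))
                break
    return findings


# Constructed sample input: a mixed pg_hba.conf and a crontab with two persistence entries.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                     METHOD
local   all       all                               peer
host    all       all   127.0.0.1/32                scram-sha-256
host    all       all   0.0.0.0/0                   md5        # constructed: exposed, weak auth
host    all       all   ::/0                        trust      # constructed: exposed, no password
host    app       app   10.0.0.0/8                  scram-sha-256
host    all       all   192.168.1.0 255.255.255.0   md5        # constructed: netmask form
"""

SAMPLE_CRONTAB = """\
# constructed crontab sample
0 3 * * * /usr/bin/pg_dump -U postgres app > /var/backups/app.sql
*/5 * * * * /tmp/.x/postmaster
@reboot /var/tmp/cpu_hu >/dev/null 2>&1
"""

if __name__ == "__main__":
    for severity, message in audit_pg_hba(SAMPLE_PG_HBA) + audit_crontab(SAMPLE_CRONTAB):
        print(f"[{severity}] {message}")
```

Run against a real server by reading `pg_hba.conf` (its path is shown by `SHOW hba_file;`) and the output of `crontab -l` for the postgres and root users; the two audit functions take plain text, so they fit into any existing host-audit script without further dependencies.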

Tax-themed phishing campaigns target US taxpayers ahead of April 15 deadline

  • Microsoft observed multiple phishing campaigns using tax-related lures to deliver malware including BruteRatel C4, Latrodectus, Remcos RAT, and AHKBot through PDF attachments with QR codes and URL shorteners.

  • Threat actors employ sophisticated redirection techniques and abuse legitimate services like Dropbox, Google Business pages, and DocuSign to evade detection while targeting primarily US organizations in engineering, IT, and consulting sectors.

  • The campaigns use social engineering tactics including rapport-building emails specifically targeting CPAs and accountants, with some attacks using the RaccoonO365 phishing-as-a-service platform to steal credentials through fake Microsoft 365 login pages.

China-linked Earth Alux APT Group Targets APAC and Latin America with VARGEIT Backdoor

  • Earth Alux primarily exploits vulnerable services in exposed servers to gain initial access, then deploys web shells like GODZILLA to deliver its backdoors VARGEIT and COBEACON.

  • The group employs sophisticated evasion techniques including DLL sideloading, anti-API hooking, and timestomping via tools like RAILLOAD and RAILSETTER to maintain persistence in government and technology sectors.

  • VARGEIT backdoor uses multiple communication channels with the Outlook channel (utilizing Graph API) being predominant, allowing attackers to control systems and exfiltrate data through fileless operations via mspaint processes.

LEADERSHIP INSIGHTS

Deloitte Releases Comprehensive AI Governance Framework

  • The report outlines a dual approach to AI governance through Quality Management Systems (QMS) for AI providers and Risk Management Systems (RMS) for AI deployers, addressing the entire AI lifecycle.

  • Deloitte highlights the EU AI Act's risk-based categorization system, which classifies AI systems as Unacceptable Risk (forbidden), High Risk (regulated), or Non-High Risk (unregulated), with specific governance requirements for each.

  • Effective AI governance requires integration across four pillars: Structures (committees, roles), Practices (oversight, skills), Processes (approvals, testing), and Systems (automation platforms) - all designed to be efficient enough to preserve AI's productivity benefits.

Global Cybersecurity Spending to Grow 12.2% in 2025, Reaching $377B by 2028

  • Security software will lead the market in 2025, representing over half of worldwide security spending with 14.4% growth, driven by CNAPP, identity management, and security analytics solutions.

  • While the U.S. and Western Europe will maintain 70% of global security spending, regions like Latin America and Middle East & Africa are experiencing the fastest growth due to digital transformation initiatives.

  • Small and medium-sized businesses are increasingly investing in security despite large enterprises dominating spending, though experts warn that technology alone won't solve security challenges without proper implementation and processes.

Dragos 2025 OT/ICS Report Reveals 87% Increase in Ransomware Attacks Against Industrial Organizations

  • Vulnerability analysis shows 70% of vulnerabilities reside deep within networks, while 22% are network exploitable and perimeter facing, with 39% potentially causing both loss of view and control in industrial systems.

  • Ransomware attacks against industrial organizations surged 87% compared to the previous year, with 69% of attacks targeting manufacturing entities across 26 subsectors, and Dragos tracking 60% more ransomware groups impacting OT/ICS.

  • The report identifies a concerning trend of lowering barriers to entry for OT/ICS attacks, with adversaries increasingly recognizing industrial systems as effective attack vectors despite using relatively unsophisticated techniques against internet-exposed devices.

📖 Discover my collection of industry reports, guides and cheat sheets in Cyber Strategy OS.

CAREER DEVELOPMENT

Cybersecurity Job Market Shifts: Governance Roles Rise While Technical Positions Decline

  • The cybersecurity job landscape shows significant disruption with Governance, Risk, and Compliance (GRC) positions growing 40% for Cybersecurity/Privacy Attorneys, while traditional technical roles like Security Engineers and Analysts continue to decline.

  • Organizations are increasingly turning to outsourcing and AI-driven security automation, causing a 43% drop in Cloud Security Engineer positions since 2022 as companies integrate these functions into broader IT teams.

  • Professionals seeking to remain competitive should focus on upskilling in governance, compliance, and automation-driven security operations as the industry shifts toward policy, risk management, and strategic leadership roles.

ATS Systems Failing to Deliver Qualified Cybersecurity Candidates to Hiring Managers

  • Multiple cybersecurity professionals with extensive experience (including one with 13+ years) report applying to dozens or hundreds of positions with virtually no interviews, only to later discover their resumes never reached hiring managers despite being qualified candidates.

  • Several hiring managers confirmed finding qualified candidates in "discard piles" or completely missing from their applicant pools, suggesting widespread dysfunction in automated applicant tracking systems that are filtering out ideal candidates.

  • The problem appears systemic across the industry, with one professional documenting 549 applications resulting in only 7 interviews, while others report that networking and directly contacting hiring managers has proven more effective than traditional application processes.

80 Cybersecurity Professionals Laid Off, Replaced by AI They Trained for 2 Years

  • A team of 80 cybersecurity professionals at a large US company (300,000 employees) has been laid off after unknowingly training their AI replacement for the past two years.

  • The original poster expressed concerns about the future of cybersecurity as companies seek cost-cutting measures, with many industry professionals in the comments confirming their organizations are pursuing AI for operational efficiencies in security operations.

  • While some companies claim AI implementation is about repurposing talent rather than reducing headcount, security experts warn that current AI solutions are not yet sophisticated enough to fully replace human expertise in security operations centers.

AI & SECURITY

Google Launches Sec-Gemini v1, An Experimental AI Model For Cybersecurity

  • Sec-Gemini v1 combines Gemini's reasoning capabilities with near real-time cybersecurity knowledge and tooling to help defenders combat the asymmetric nature of security challenges.

  • The model outperforms competitors by at least 11% on the CTI-MCQ benchmark and 10.5% on the CTI-Root Cause Mapping benchmark, leveraging integrations with Google Threat Intelligence and OSV database.

  • Google is making Sec-Gemini v1 freely available to select organizations, institutions, professionals, and NGOs for research purposes, with applications available through an online form.

RunReveal Launches MCP Server for AI-Powered Log Analysis

  • RunReveal's Model Context Protocol Server enables security teams to analyze logs 100x faster with accuracy while leveraging AI models like Claude to provide clear explanations of findings.

  • Customers are using the tool for multiple security operations including threat hunting in AWS, investigating GuardDuty alerts in K8s containers, and tuning detection rules - all completed in under a minute versus hours of manual work.

  • The platform normalizes and enriches security data on ingest, storing it in LLM-friendly formats that enable comprehensive investigations at minimal cost (pennies per query) compared to traditional query-based approaches.

OpenAI Expands Cybersecurity Program with $100,000 Bug Bounties and New Research Grants

  • OpenAI has significantly increased its maximum bug bounty payout from $20,000 to $100,000 for critical security findings, while expanding their Cybersecurity Grant Program to fund research in software patching, model privacy, and agentic security.

  • The company is leveraging its own AI technology to enhance cyber defenses, partnering with SpecterOps for continuous red team assessments, and implementing specialized security measures for emerging AI agents like Operator.

  • OpenAI is proactively monitoring for threats targeting their systems, sharing intelligence about attacks with other AI labs, and building security foundations for next-generation projects like Stargate with zero-trust architectures and hardware-backed security solutions.

MARKET UPDATES

Wiz Launches Defend Platform for Cloud-Native Threat Detection and Response

  • Wiz Defend unifies runtime signals, cloud telemetry, and threat intelligence to provide complete visibility across cloud environments, reducing detection time by 10x with many customers reporting MTTRs under an hour.

  • The platform bridges gaps between SecOps, cloud security, and development teams by providing shared context and automated investigation capabilities through features like Investigation Graph and Incident Timeline.

  • Wiz Defend offers end-to-end protection with capabilities including behavioral analytics, pre-built containment playbooks, and one-click remediation that traces threats back to source code for comprehensive cloud defense.

OpenAI Makes First Cybersecurity Investment in Adaptive Security's $43M Series A

  • Adaptive Security, co-led by OpenAI and Andreessen Horowitz, simulates AI-generated social engineering attacks to train employees to recognize threats like spoofed calls, texts, and emails from executives.

  • The New York-based startup focuses on human-targeted hacks that have caused significant financial damage, such as the Axie Infinity breach that resulted in over $600 million in losses from a fake job offer scheme.

  • With over 100 customers since its 2023 launch, Adaptive Security will use the funding primarily for engineering talent to stay ahead in the AI arms race against increasingly sophisticated threat actors.

Yrikka AI Launches API for Automated Red-Teaming After $1.5M Funding

  • Yrikka AI Inc. has released an API that uses AI agents to assist in red-teaming processes, helping identify vulnerabilities in AI systems through simulated attacks and prompt injection testing.

  • The platform enables "human-AI teaming" to reduce model validation time from months to minutes, continuously monitoring for drift and adversarial attacks after deployment.

  • Founded by Dr. Kia Khezeli and John Kalantari (former ML leaders at Google, Intel, NASA), Yrikka has secured a $1.9M contract with the U.S. Department of Defense for automating computer vision model testing.

TOOLS

Wald

Wald.ai is an AI security platform that provides enterprise access to multiple AI assistants while ensuring data protection and regulatory compliance.

A-Lign

A-LIGN provides cybersecurity compliance audits and certifications, offering a range of services including SOC 2, ISO 27001, HITRUST, and FedRAMP, along with a technology platform for audit management.

Unbound Security

Unbound is a cybersecurity tool designed to manage and secure the use of generative AI applications within enterprises.

Before you go

If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!

For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.

Best, 
Nikoloz
