Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead. In this edition, I am covering:
- FBI's successful takedown of a massive China-backed botnet
- A comprehensive guide for choosing the right Security Operations Center model
- The importance of skills-based hiring in addressing the AppSec talent gap
And much more.
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
INDUSTRY NEWS
FBI and Partners Thwart China-Backed 260,000-Device Botnet
-
FBI Director Christopher Wray revealed that a China-backed group called Flax Typhoon had built a 260,000-device botnet since 2021, targeting US critical infrastructure, government, and academics.
-
The FBI's Cyber National Mission Force (CNMF) and the NSA took control of the botnet's command and control servers, withstanding a DDoS attack and preventing the Chinese team from regaining control, ultimately leading to the botnet's abandonment.
-
The botnet utilized customized Mirai malware to exploit vulnerabilities in internet-connected devices, with an SQL database containing 1.2 million records on compromised devices and over 80 subdomains linked to the command-and-control servers.
SolarWinds Patches Critical RCE Flaw in Access Rights Manager
-
SolarWinds has released patches for two vulnerabilities in its Active Directory and Azure AD user provisioning tool Access Rights Manager, including a critical CVE-2024-28991 (CVSS score 9.0) that could allow remote code execution.
-
Trend Micro's Zero Day Initiative, which reported the issues, explains that CVE-2024-28991 is a deserialization of untrusted data flaw allowing an authenticated attacker to execute code as SYSTEM and bypass authentication.
-
The second vulnerability, CVE-2024-28990, is a hardcoded credential flaw that could allow an attacker to bypass authentication and access the RabbitMQ management console.
Malware Abuses Browser Kiosk Mode to Steal Google Credentials
-
OALABS researchers discovered a malware campaign that locks users in their browser's kiosk mode on Google's login page, blocking the "ESC" and "F11" keys, to frustrate them into entering and saving their Google credentials.
-
Once credentials are saved, the StealC information-stealing malware steals them from the credential store and sends them back to the attacker. This attack method has been used in the wild since at least August 22, 2024, mainly by Amadey, a malware loader, info-stealer, and system reconnaissance tool.
-
To exit the kiosk mode, users should avoid entering sensitive information and try hotkey combos like 'Alt + F4', 'Ctrl + Shift + Esc', 'Ctrl + Alt +Delete', 'Alt +Tab', or perform a hard reset. Running a full antivirus scan in Safe Mode is recommended to remove the malware.
CloudImposer: Potential RCE Vulnerability in Google Cloud Platform
-
Tenable Research discovered an RCE vulnerability dubbed CloudImposer that could have allowed attackers to run code on millions of Google Cloud Platform (GCP) servers and customer servers, potentially leading to a massive supply chain attack.
-
The affected GCP services include App Engine, Cloud Function, and Cloud Composer. Documentation from GCP and the Python Software Foundation could have put customers at risk of a dependency confusion attack.
-
Supply chain attacks in the cloud are exponentially more harmful than on-premises, as one malicious package can be deployed to millions of users. Users should analyze their package installation process, specifically the "--extra-index-url" argument in Python, to prevent breaches.
Zero-Click Vulnerability Chain in macOS Calendar Allows Access to Sensitive Photos Data
-
Security researcher Mikko Kenttälä discovered a zero-click vulnerability in macOS Calendar that allows an attacker to add or delete arbitrary files within the Calendar sandbox environment.
-
By exploiting the vulnerability during a macOS version upgrade process, an attacker can gain remote code execution (RCE) capabilities without any user interaction by injecting malicious files via calendar invites.
-
The exploit chain abuses the Photos app configuration to gain access to the user's sensitive iCloud Photos data, bypassing TCC protections, and demonstrating the potential impact of the vulnerabilities.
LEADERSHIP INSIGHTS
Choosing a Security Operations Center: In-House, Hybrid, or Outsourced
-
I have written a guide to help cybersecurity leaders decide between in-house, hybrid, or outsourced Security Operations Center (SOC) models, covering 7 major steps.
-
Key steps include conducting a risk assessment to understand the environment, threats and potential business impact, defining security goals around monitoring, compliance, response time and user training, and evaluating costs of different SOC models.
-
In this guide I also recommend assessing the skills required for an effective SOC, including cyber threat analysis, incident response, threat hunting, network and cloud security, security engineering, automation and scripting abilities.
Secure by Design Whitepaper Highlights Key Considerations for Building Secure Products
-
SANS Institute whitepaper "Building Security from the Ground up with Secure by Design" explores how to integrate Secure by Design (SbD) principles into product development to mitigate vulnerabilities early and recognize security as a core business requirement.
-
Key considerations include integrating SbD into the software development lifecycle (SDLC), supporting SbD with automation, reinforcing defense-in-depth, applying SbD to artificial intelligence (AI), identifying threats early with threat modeling, using SbD to simplify compliance, and establishing a culture of security.
-
The whitepaper provides five action items to help organizations get started on the journey to SbD, which is an iterative process that aims to reduce the cybersecurity burden by developing foundationally secure products from the ground up.
Boards Need to Understand Their Role in Cybersecurity Governance
-
Julie Ragland, former CIO of Navistar, says boards often fall into the trap of thinking cybersecurity is a purely technical issue, focusing too much on tools and protections while missing key areas of responsibility.
-
Ragland emphasizes that boards need to understand their role in investment prioritization and incident response behaviors, which are not technical but critical for effective cybersecurity governance.
-
To educate boards, CIOs should provide external assessments of cyber recovery plans, penetration testing results, and focus on business risks and how IT contributes to protecting the organization, rather than giving technical presentations.
CAREER DEVELOPMENT
Skills-Based Hiring Key to Filling AppSec Talent Gap
-
Tanya Janca, an AppSec program director, says many companies still require college degrees for entry-level positions, despite calls for skills-based hiring from the National Cyber Director.
-
Entry-level AppSec job postings often list impossible requirements like CISSP certification, which requires five years of security experience, creating misaligned expectations.
-
Companies struggle to accurately define AppSec roles, covering areas from tools and architecture to monitoring and incident response, leading to hiring freezes until they determine their focus.
Must-Read Books for Cybersecurity Professionals
-
Cliff Stoll's "The Cuckoo's Egg" is widely considered essential reading for cybersecurity professionals, according to Reddit users.
-
Other highly recommended books include "Security Engineering" by Ross Anderson, "How to Measure Anything" by Douglas W. Hubbard, and "This Is How They Tell Me the World Ends" by Nicole Perlroth, which delves into the history of zero-days.
-
Books by Kevin Mitnick, such as "The Art of Invisibility", "The Art of Deception", and "Ghost in the Wires", are also popular suggestions, with Mitnick being referred to as "The OG" of cybersecurity.
Cisco Conducts Second Round of Layoffs in 2024, Impacting Thousands
-
Cisco, the U.S. tech giant, has announced its second layoff of 2024, letting go of approximately 5,600 employees, or 7% of its workforce.
-
The company refused to disclose who was affected by the layoffs until September 16, creating a "toxic environment" according to one employee, and the layoffs also impacted the Talos Security unit.
-
Despite Cisco citing 2024 as its "second strongest year on record" with nearly $54 billion in annual revenue, and CEO Chuck Robbins earning close to $32 million in 2023, the company stated that the layoffs would allow for investment in "key growth opportunities" and drive "efficiencies."
AI & SECURITY
LinkedIn Opts Users into AI Training Without Consent, Offers Opt-Out
-
LinkedIn has opted accounts into training generative AI models without asking, according to reports from 404Media and TechCrunch, before updating its privacy policy.
-
The updated policy states that LinkedIn may use personal data to improve, develop, and provide products and services, develop and train AI models, and gain insights with the help of AI, automated systems, and inferences.
-
Users can opt out of having their data used for generative AI training by turning off the "Data for Generative AI Improvement" toggle in their account settings, but this does not affect training that has already taken place or other machine learning tools used for personalization and moderation.
XBOW Releases Unique Benchmarks to Test AI Offensive Capabilities
-
Nico Waisman, Head of Security at XBOW, discusses the challenges CISOs face in evaluating security products amidst inflated claims and hype, especially in the AI domain.
-
XBOW engaged pentesting companies to develop 104 novel benchmarks that closely replicate various classes of real-life vulnerabilities, such as SQL Injections, IDOR, and SSRF, ensuring the AI system generates new ideas instead of regurgitating memorized examples.
-
The benchmarks, designed for testing both offensive tools and human experts, revealed that XBOW achieved an impressive 85% success rate, equivalent to an experienced pentester's performance within a week, and are now being made public for others to utilize and build upon while respecting the included canary string.
Security Lake and Amazon Q Enable Generative AI for Security Observability
-
AWS announced a serverless solution for querying security data in Amazon Security Lake using natural language with Amazon Q in QuickSight, enabling use cases like generating visualizations and querying vulnerability data.
-
Security Lake centralizes security data from AWS, SaaS, on-premises, and cloud sources into a data lake stored in your AWS account, converting it to Apache Parquet format and the Open Cybersecurity Schema Framework (OCSF).
-
The solution architecture uses Security Lake for ingestion, Athena views for defining interesting fields, QuickSight datasets for analysis, and Amazon Q topics for natural language querying, requiring specific prerequisites and IAM permissions.
MARKET ANALYSIS
Sedric AI Secures $18.5M Series A to Expand AI-Powered Compliance Platform
-
Sedric AI, a New York-based regtech, has raised $18.5 million in a Series A funding round led by Foundation Capital, with participation from existing investors StageOne Ventures and The Garage, and new investor Amex Ventures.
-
The Sedric platform uses large language models (LLMs) to help financial institutions manage regulatory compliance, risk, and communication monitoring across multiple channels and customer touchpoints.
-
With a total of $22 million in funding, Sedric plans to develop its AI lab in Tel Aviv and expand its global go-to-market teams, having seen a fivefold increase in revenue over the last 12 months.
SASE Market Growth Slows, Impacting Cybersecurity Stocks
-
According to a report by Dell'Oro Group, the Secure Access Service Edge (SASE) market growth has slowed down in the June quarter, climbing 9.7% to $2.3 billion compared to a 37% jump in the year-earlier period.
-
Despite the slowdown due to economic uncertainty, Dell'Oro analyst Mauricio Sanchez anticipates a rebound in the coming year as enterprises shift focus to long-term investments in cloud-based security and networking solutions, with single-vendor SASE solutions emerging as a clear winner.
-
The SASE market, which combines Security Service Edge (SSE) and SD-WAN technologies, has major players including Zscaler, Palo Alto Networks, Cisco Systems, Broadcom, Fortinet, and Netskope, with their stocks being impacted by the market slowdown.
CrowdStrike, AWS, and NVIDIA Launch Cybersecurity Startup Accelerator Program
-
CrowdStrike, in partnership with Amazon Web Services (AWS) and NVIDIA, announced the launch of their second annual Cybersecurity Startup Accelerator program to support disruptive startups in the U.S. and EMEA with mentorship, technical expertise, funding, and go-to-market opportunities.
-
Selected startups will participate in a free eight-week program offering mentorship from industry experts, access to global cybersecurity investors, up to $25,000 in AWS Activate credits, and the opportunity to present at an in-person Demo Day during the RSA Conference in April 2025.
-
The program aims to cultivate the next generation of cloud security companies by leveraging the expertise of market-leading cybersecurity (CrowdStrike), cloud (AWS), and AI (NVIDIA) providers, with potential funding from the CrowdStrike Falcon Fund for winning presentations.
TOOLS
PacketStreamer
High-performance remote packet capture and collection tool used for forensic analysis in cloud workloads.
CredStash
CredStash is a tool used for managing and securely storing credentials, requiring installation of dependencies and setup of a key in AWS KMS, with specific Linux installation instructions available.
AirIAM
AirIAM is an AWS IAM to least privilege Terraform execution framework that compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method.
Before you go
If you found this newsletter useful, I'd really appreciate if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz
