Happy Sunday!
I hope this Brief finds you well and ready to tackle the week ahead.
In this week's edition, I am covering:
- RansomHub ransomware's impact on critical infrastructure sectors
- Anthropic's launch of Claude Enterprise with expanded capabilities
- A new tool for CISOs to effectively communicate cyber-risk
Your feedback shapes Mandos Brief and I'd love to hear your thoughts about the content I share.
Now, let's get started with this week's most relevant updates...
INDUSTRY NEWS
RansomHub Ransomware Targets 210 Victims Across Critical Infrastructure Sectors
- The U.S. government reports that RansomHub, a ransomware-as-a-service (RaaS) variant, has encrypted and exfiltrated data from at least 210 victims across various critical infrastructure sectors since February 2024.
- RansomHub, formerly known as Cyclops and Knight, has attracted high-profile affiliates from other prominent variants like LockBit and ALPHV, and is responsible for 14.2% of all ransomware attacks observed by ZeroFox in Q3 2024.
- Affiliates gain initial access by exploiting known vulnerabilities in various devices, conduct reconnaissance using tools like Mimikatz, move laterally through the network, and employ intermittent encryption to speed up the process before exfiltrating data.
North Korean Threat Actor Exploits Chromium Zero-Day Vulnerability
- Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution.
- The threat actor, attributed to Citrine Sleet, targeted the cryptocurrency sector for financial gain using the FudModule rootkit.
- CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, impacting Chromium versions prior to 128.0.6613.84.
Cryptographic Flaw in YubiKey 5 Allows Cloning When Attackers Gain Physical Access
- Researchers from NinjaLab discovered a side-channel vulnerability in the ECDSA implementation of Infineon's cryptographic library used in the YubiKey 5 series, allowing attackers to clone the hardware token when they gain temporary physical access.
- The attack requires about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering, making it likely to be carried out only by nation-states or entities with comparable resources in highly targeted scenarios.
- Yubico issued an advisory confirming all YubiKeys running firmware prior to version 5.7 are vulnerable, and updating key firmware is not possible, leaving affected YubiKeys permanently vulnerable unless additional user authentication protections like PINs or biometrics are used.
Researchers Discover Vulnerability in Airport Security System Allowing Unauthorized Cockpit Access
- Security researchers Ian Carroll and Sam Curry discovered a SQL injection vulnerability in FlyCASS, a third-party service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS).
- By exploiting the vulnerability, the researchers could log in as an administrator, add a fictitious employee, and grant them access to bypass security screening and access commercial airliner cockpits.
- The researchers disclosed the vulnerability to the Department of Homeland Security (DHS), leading to FlyCASS being disconnected from the KCM/CASS system and the vulnerability being fixed, but the Transportation Security Administration (TSA) denied the impact of the vulnerability.
New Cicada3301 Ransomware Shares Similarities with BlackCat Operation
- Morphisec researchers have analyzed the inner workings of a new ransomware variant called Cicada3301, which targets SMBs and shares similarities with the now-defunct BlackCat operation.
- Written in Rust, Cicada3301 can target both Windows and Linux/ESXi hosts, and it embeds a compromised user's credentials to run PsExec for remote execution.
- The ransomware shares overlaps with BlackCat, including the use of ChaCha20 for encryption, stopping locally deployed VMs, and targeting 35 specific file extensions during the encryption process.
LEADERSHIP INSIGHTS
Proximity Resilience Graph Helps CISOs Communicate Cyber-Risk Effectively
- According to FTI Consulting, over half of CISOs struggle to effectively communicate cyber-risk to leadership due to competing business risks, ineffective traditional risk communication tools, and high stakes, with the average data breach cost reaching $4.88 million in 2024.
- The proximity resilience graph is a powerful visual tool that transforms abstract risk data into an engaging, actionable narrative by plotting resilience (Y-axis) against attack proximity (X-axis) and tracking the movement of five key risk impacts: Operational Disruption, Brand Impairment, Financial Fraud, Competitive Disadvantage, and Legal or Compliance Failure.
- Using the proximity resilience graph, CISOs can tell a complex story in a single visualization, enhance leaders' risk comprehension and engagement, boost confidence in cybersecurity investments, and improve perceptions of the security team's value.
Aligning Cybersecurity Strategies with Organizational Risk Tolerance
- CrowdStrike's recent outage highlights the need for CISOs to align cybersecurity strategies with organizational risk tolerance, according to the IANS State of the CISO 2024 Benchmark Report.
- To lead the risk conversation, CISOs should quantify cyber risk, develop mature risk reporting practices, and use scenario analysis to assess the financial impact of potential incidents.
- Forming risk committees and engaging in business discussions can help CISOs better understand and address risks associated with new technologies and initiatives, supporting the organization's overall strategy.
Security Budgets Plateau in 2024 Amid Economic Uncertainty
- An IANS Research and Artico Search survey reveals CISOs are facing flat or modestly increasing security budgets in 2024 due to global economic and geopolitical uncertainty, resulting in slower staff hiring.
- The average security budget growth rose from 6% in 2023 to 8% in 2024, significantly lower than the 16-17% growth rates during the Covid-19 pandemic years when digital transformation drove spending.
- Security spending as a percentage of IT budget continues to grow, reaching 13.2% in 2024, indicating a larger share of resources being allocated to security compared to other functions.
CAREER DEVELOPMENT
Burp Suite Penetration Testing Workflow Tutorials Released
- PortSwigger has published a series of tutorials on using Burp Suite for penetration testing. The tutorials cover mapping the target application, analyzing the attack surface, and testing for various vulnerabilities.
- The tutorials can be completed as stand-alone exercises or used to learn a typical penetration testing workflow. Some tutorials require using PortSwigger's deliberately vulnerable website or Web Security Academy labs.
- The tutorials cover testing authentication mechanisms, session management, access controls, input validation, clickjacking, SSRF, WebSockets, and working with GraphQL. Certain tools used are only available in Burp Suite Professional.
Microsoft Sentinel Level 400 Training: Become a Sentinel Ninja
- Ofer Shezaf published a comprehensive Microsoft Sentinel level 400 training to help readers become Sentinel masters.
- The training is divided into five parts following a typical SOC lifecycle: Overview, Architecting & Deploying, Creating Content, Operating, and Advanced Topics.
- Key modules cover KQL, analytics, SOAR, incident management, hunting, UEBA, extending Sentinel with APIs, and bringing your own machine learning.
Soft Skills and Business Acumen Key to Higher Cybersecurity Salaries
- According to cybersecurity professionals on Reddit, while technical skills are important, those with strong soft skills can earn significantly more, up to $160,000 or higher.
- Understanding how security enables the business and aligns with its mission is crucial for higher earning potential, more so than technical expertise alone.
- Key soft skills mentioned include leadership, strategic thinking, adaptability, public speaking, and active listening, which can lead to salaries north of $300,000 for roles like SecDevOps.
AI & SECURITY
Anthropic Introduces Claude Enterprise with Expanded Context Window and GitHub Integration
- Anthropic announces the launch of Claude for Enterprise, enabling secure collaboration with Claude across entire organizations without training on chats or files.
- The Enterprise plan offers an expanded 500K context window, equivalent to hundreds of sales transcripts, dozens of 100+ page documents, or a medium-sized project or application, allowing for deep organizational knowledge.
- Anthropic introduces a native GitHub integration in beta for early Enterprise plan users, enabling engineering teams to sync repositories with Claude, iterate on new features, debug issues, and onboard new engineers alongside their codebase.
AI in Healthcare Cybersecurity: Best Practices and Use Cases
- In an interview, Mass General Brigham CISO David Heaney discusses best practices for securing AI in healthcare, emphasizing the importance of getting the basics right, such as risk assessments, business associate agreements, and restrictions against using unapproved applications.
- Heaney highlights the significance of curiosity among his security team members in staying up-to-date with AI and cybersecurity, encouraging them to explore and learn about the technology independently, as it changes faster than formal training can keep up.
- At Mass General Brigham, various AI-driven cybersecurity platforms are employed, including endpoint protection tools that identify malicious behavior, identity governance suites that detect potential access risks, and generative AI to accelerate tasks like script writing and query creation, enabling analysts to be more efficient and effective.
AI-Generated Cloud Infrastructure Code Contains Serious Security Flaws
- Scott Piper, an AWS security consultant, demonstrates how AI-based tools like ChatGPT and Claude readily provide cloud infrastructure provisioning code with terrible security properties, such as using hard-coded passwords and suggesting non-random "random" passwords.
- When asked to generate password generation code, both ChatGPT and Claude provide solutions that use Python's insecure `random` module instead of the more secure `secrets` module, making it trivial to generate all possible passwords the script could have made.
- Cloud providers should work to identify and block the bad patterns and hard-coded credentials suggested by AI tools, while LLM vendors should consider making it more difficult for users to accidentally generate cloud infrastructure code with glaring security problems.
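The `random` versus `secrets` point above is easy to see in code. The following is an added example written for this Brief; it is not Scott Piper's code and not output from ChatGPT or Claude. It shows the insecure generator pattern next to its `secrets`-based replacement, demonstrates why the former is a problem (the same seed reproduces the same "random" password), and includes a small, hypothetical AST-based checker of the kind a cloud provider or CI pipeline could use to flag `random.*` calls inside functions that appear to generate passwords or tokens. The checker's function names and the sensitive-word heuristic are my own assumptions, and the two snippets it scans are constructed samples.

```python
import ast
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def insecure_password(length: int = 16, seed=None) -> str:
    """The pattern the newsletter warns about.

    random.Random is a Mersenne Twister PRNG: it is fully determined by its
    seed and its internal state can be recovered from its outputs, so the
    set of passwords it can produce is not secret."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_password(length: int = 16) -> str:
    """Same shape, but every character comes from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# random.* functions that should never feed a credential.
INSECURE_CALLS = {"choice", "choices", "randint", "random", "randrange",
                  "sample", "getrandbits", "uniform", "shuffle"}
# Function-name fragments that suggest the function produces a secret (heuristic, assumed).
SENSITIVE_WORDS = ("password", "passwd", "secret", "token", "key", "nonce", "salt")


def find_insecure_random_usage(source: str) -> list[tuple[int, str]]:
    """Return (line, call) for each random.* call inside a secret-generating function.

    Handles `import random`, `import random as r` and `from random import choice`.
    This is a hypothetical checker, not a real linter rule."""
    tree = ast.parse(source)
    module_aliases = {"random"}   # names bound to the random module
    direct_names = {}             # local name -> random attribute, from `from random import ...`
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "random":
                    module_aliases.add(alias.asname or "random")
        elif isinstance(node, ast.ImportFrom) and node.module == "random":
            for alias in node.names:
                direct_names[alias.asname or alias.name] = alias.name

    findings = []
    for func in ast.walk(tree):
        if not isinstance(func, ast.FunctionDef):
            continue
        if not any(word in func.name.lower() for word in SENSITIVE_WORDS):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Call):
                continue
            f = node.func
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and f.value.id in module_aliases and f.attr in INSECURE_CALLS):
                findings.append((node.lineno, f"random.{f.attr}"))
            elif (isinstance(f, ast.Name) and f.id in direct_names
                    and direct_names[f.id] in INSECURE_CALLS):
                findings.append((node.lineno, f"random.{direct_names[f.id]}"))
    return findings


# Constructed sample of the kind of snippet the newsletter describes.
SAMPLE_SNIPPET = '''\
import random
import string

def generate_password(length=12):
    chars = string.ascii_letters + string.digits
    return "".join(random.choice(chars) for _ in range(length))
'''

# Constructed hardened equivalent: same function, secrets instead of random.
HARDENED_SNIPPET = '''\
import secrets
import string

def generate_password(length=12):
    chars = string.ascii_letters + string.digits
    return "".join(secrets.choice(chars) for _ in range(length))
'''

if __name__ == "__main__":
    # A seeded random generator hands out the same "random" password every time.
    print(insecure_password(seed=1234) == insecure_password(seed=1234))  # True
    print(find_insecure_random_usage(SAMPLE_SNIPPET))    # [(6, 'random.choice')]
    print(find_insecure_random_usage(HARDENED_SNIPPET))  # []
```

The checker is deliberately narrow: it only looks at functions whose names suggest they mint a secret, which keeps false positives down in code that legitimately uses `random` for simulations or sampling. A broader policy (flag any `random.*` call in an infrastructure-as-code repository) is a reasonable alternative when the repository should never need a non-cryptographic PRNG at all.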
MARKET ANALYSIS
HackerOne Launches PartnerOne Channel Program to Expand Global Access to Human-Powered Cybersecurity Solutions
- HackerOne has launched its first channel partner program, PartnerOne, to expand global access to its human-powered cybersecurity solutions, including vulnerability disclosure, AI red teaming, Pentesting-as-a-Service, and regulatory compliance.
- Key partners include GuidePoint Security, Softcat, APNT, and BlueFort Security, who will simplify enterprise access to HackerOne's security researcher community and offer streamlined access to HackerOne's solutions with transparent pricing and support.
- John Addeo, VP of Global Channels at HackerOne, leads the program, which aims to help partners and customers address increasingly complex cybersecurity challenges and adapt to the rapidly evolving threat landscape.
Hypernative Secures $16M to Enhance Web3 Security with AI
- Hypernative, a real-time monitoring platform for Web3 security, has raised $16 million in a Series A funding round led by Boldstart Ventures, bringing its total funding to $27 million.
- The platform, which launched in September 2022, aims to detect and counter threats instantly, protecting over 100 Web3 projects, including Balancer, Chainlink, and Uniswap.
- With the new funding, Hypernative plans to expand its security solutions, enter new markets, and improve its threat detection capabilities, which reportedly caught 99.5% of attacks in the past year with minimal false alarms.
Absolute Software Acquires Syxsense to Enhance Endpoint Security and Management
- Absolute Software Corp. has acquired Syxsense Inc., a provider of automated endpoint and vulnerability management solutions, for an undisclosed amount.
- Syxsense's platform offers real-time monitoring, automated patch management, and threat detection, supporting various industries such as healthcare, education, finance, and government.
- The acquisition will allow Absolute to integrate Syxsense's capabilities into its offerings, providing customers with enhanced endpoint security, visibility, control, and self-healing for applications and security controls.
TOOLS
PII Crawler
PII Crawler is a data scanning tool designed to identify and locate Personally Identifiable Information (PII) within various file types and databases.
Security Trails
SecurityTrails API offers robust APIs and data services for security teams, providing access to a vast repository of historical DNS lookups, WHOIS records, hostnames, and domains.
Acronis Cyber Protect
Acronis Cyber Protect is an integrated cybersecurity and data protection platform that provides zero-day malware and ransomware protection, backup, and forensic investigations for managed service providers, IT teams, and home users.
Before you go
If you found this newsletter useful, I'd really appreciate it if you could forward it to your community and share your feedback below!
For more frequent cybersecurity leadership insights and tips, follow me on LinkedIn, BlueSky and Mastodon.
Best,
Nikoloz