Off The Mic, by David Moulton

Are You Leaving the Backdoor Open for Hackers?

What Caught My Attention This Week?

  • China Breaches U.S. Treasury: A stark reminder of the dangers lurking in supply chain vulnerabilities.

  • AI Deepfakes Target Elections: Sanctions reveal how Russia and Iran weaponize disinformation campaigns.

  • Chrome Extensions Compromised: Trusted tools turned into silent data thieves by hackers.

And on Threat Vector this week, I had a conversation with Margaret Kelly about the hidden dangers of cloud misconfigurations. From loose permissions to exposed infrastructure, we explored how these gaps are a dream for nation-state attackers like those behind the Treasury breach. This is a reminder that fixing your cloud is no longer optional—it’s urgent.

What caught my attention this week?

On Threat Vector This Week: The Dangers From Cloud Misconfigurations

This week on Threat Vector, Margaret Kelly and I pulled back the curtain on how cloud misconfigurations are making life way too easy for cyber attackers—nation-states included. Takeaway: Secure your control plane. Tighten permissions. Treat cloud misconfigurations like a ticking time bomb—because they are.

China Hacks U.S. Treasury: A Supply Chain Alarm

Chinese state-sponsored hackers exploited a vulnerability in BeyondTrust to breach the U.S. Treasury, accessing unclassified documents and networks. This wasn’t a smash-and-grab; it was a calculated move showcasing the risks of supply chain dependencies.

Why It Matters: Third-party vulnerabilities are the soft underbelly of cybersecurity. For leaders, the Treasury hack is a blunt reminder: harden your defenses against third-party and cloud-based threats. Tools like network segmentation and credential rotation aren’t just helpful—they’re essential.

AI Deepfakes + Election Interference: A Dangerous Duo

The U.S. just sanctioned Russian and Iranian entities for running disinformation campaigns using AI-generated deepfakes to meddle in the 2024 elections. These aren’t just troll farms anymore; they’re AI-driven operations designed to fracture trust and sow chaos.

Why It Matters: AI is transforming disinformation into a weapon of mass confusion. Cybersecurity teams must focus on detection tools and educating users to counteract these emerging threats.

Hijacked Chrome Extensions: Your Browser’s a Backdoor

Legitimate Chrome extensions—including one from Cyberhaven—were compromised to steal browser cookies and authentication tokens. Hackers turned these trusted tools into silent data thieves.

Why It Matters: Even tools you trust can be turned against you. Regular audits of third-party integrations are no longer a “nice-to-have”—they’re a critical part of securing your attack surface.

In this week’s podcast, the link between the Treasury breach and our discussion on cloud security couldn’t have been clearer. It’s a call to action: misconfigurations and third-party gaps aren’t just IT problems—they’re existential risks. Let’s stay ahead of the game.


North Korean Hackers Master the Art of Invisibility

What Caught My Attention This Week?

  • Unit 42 revealed Silent Skimmer

  • Germany’s New Law: A Win for Security Researchers

  • Snowflake Data Breach Arrest

And on Threat Vector this week, I had a conversation with Assaf Dahan about what makes North Korean hackers a cyber force to be reckoned with. Their motivations go beyond financial gain to include sabotage, espionage, and political influence.

What caught my attention this week?

On Threat Vector This Week: Research on North Korean Threat Actor TTPs

In this week’s podcast, I spoke to Assaf Dahan, and we discussed why North Korean hackers have become so formidable. Their motivations span financial gain, sabotage, espionage, and influence. These tactics resonate with the Silent Skimmer findings and what Dark Reading noted—layered, stealthy operations are the new normal.

Silent Skimmer Campaign Unveiled: Sneaky Credit Card Data Theft in E-commerce

My colleagues at Unit 42 uncovered Silent Skimmer, a crafty threat targeting online retailers. This malware hides behind legitimate-looking web scripts, siphoning payment data undetected. Unlike the noisier tools of the past, this campaign is focused on invisibility and persistence, making it a serious threat to digital storefronts.

Why It Matters: The rise of stealth tactics demands stronger web supply chain security. Retailers must scrutinize third-party scripts closely—one overlooked line of code can lead to thousands of compromised credit cards.

Germany's New Law: A Win for Security Researchers

Germany is proposing a landmark law to protect security researchers who responsibly disclose vulnerabilities. This move addresses the ambiguity that has historically deterred ethical hackers from reporting flaws, potentially risking legal backlash.

Why It Matters: This shift sets a strong example for other nations, emphasizing the importance of safe, responsible vulnerability disclosure. If your organization participates in or relies on ethical hacking programs, this type of legislation could change the game for global cybersecurity practices.

Outmaneuvering Advanced Threats: Proactive Defenses Required

A recent analysis in Dark Reading detailed how attackers, especially nation-state actors, layer multiple techniques—phishing, credential theft, and data exfiltration—to avoid detection. The emphasis was on the importance of proactive threat hunting and anomaly detection to spot these sophisticated campaigns.

Why It Matters: If your defenses are reactive, you're already behind. Integrating threat intelligence and anomaly detection isn't just ideal—it’s essential for anticipating and countering advanced adversaries.

Canadian Authorities Arrest Snowflake Data Thief

Canadian law enforcement recently apprehended an individual connected to the theft of data from Snowflake, a major cloud-based data company. The incident underscores the risks tied to internal security weaknesses, regardless of the provider's strong external safeguards.

Why It Matters: Insider threats remain a significant vulnerability. This breach is a reminder to continuously assess and tighten user access controls. Ensuring employees' access is strictly necessary and monitored can prevent devastating data exposure.


Iran’s Cyber Arsenal Blends Deepfakes with Disruption

Kyle Wilhoit and Michal Goldstein join me on Threat Vector to discuss how adaptive, intelligence-led incident response is key to tackling hybrid threats like deepfakes, doxing, ransomware, and stealthy espionage campaigns. From Iran’s disinformation playbook to China’s prolonged intrusions, war rooms must be ready for it all. Plus, Macron’s Strava leak highlights the privacy risks of location-tracking apps.

What caught my attention this week?

On Threat Vector This Week: War Room Best Practices

This week on Threat Vector, I got a front-row seat to the latest in war room best practices with insights from Kyle Wilhoit, Director of Threat Research at Unit 42, and Michal Goldstein, Director of Security Architecture and Research at Palo Alto Networks. Our conversation unpacked how modern threat response is adapting to today’s complex cyber landscape—where speed, intelligence, and flexibility make or break a team’s response to emerging threats.

Spotlight on Iran’s Cyber Playbook: From Deepfakes to Disinformation

Iran's recent use of AI-driven deepfakes, doxing, and psychological warfare reveals just how crucial these adaptable war room strategies are. Iranian threat actors are blurring lines between traditional cyberattacks and public influence operations, meaning that our incident response plans must cover both technical defenses and real-time assessments of disinformation. **As AI-powered manipulation grows, the challenge to contain hybrid threats will only intensify.**

Why It Matters: This evolution in cyber tactics shows how adversaries are advancing their disinformation and social engineering capabilities. For security teams, it's a call to shift from reactive response to proactive monitoring of complex, blended threats.

North Korea’s Ransomware Offensive: A New State-Backed Threat Vector

North Korea’s pivot to ransomware, like the PLAY variant, demonstrates a chilling trend: nation-states turning to ransomware to fund their agendas and mask their tracks. This approach complicates attribution and pressures defenses, emphasizing the need for agile war room setups that can handle both political and financial attacks.

Why It Matters: When nation-states adopt criminal tools, it muddies the waters of attribution and raises the stakes for incident response. Security leaders should prepare for rising attacks that merge the tactics of crime with the goals of espionage. In two weeks I will share a conversation I had with Assaf Dahan on the research he and the Cortex team have produced on North Korean activity.

Salt Typhoon and the Art of Stealthy Espionage

China’s Salt Typhoon (APT5) continues its cyber espionage spree, targeting sectors critical to national security. The advanced persistence of these intrusions demands that war rooms are not just reactive but also geared for long-term monitoring. Threat intelligence must focus on identifying stealthy, drawn-out attacks that could otherwise slip by under routine monitoring.

Why It Matters: As cyber espionage escalates, especially around sensitive industries, our war room readiness needs to reflect the patience and stealth of these persistent threats. Salt Typhoon reminds us to be vigilant for prolonged attacks that prioritize sensitive, strategic data.

Macron’s Strava Slip: Fitness Apps as a Security Concern

President Macron’s jogging routes were exposed on Strava, highlighting the hidden privacy risks of fitness apps. While these apps seem harmless, they carry real security implications, especially for high-profile individuals.

Why It Matters: Tracking apps may pose serious privacy and security risks. For those who are especially at risk, it’s time for a digital hygiene check. War room teams and cybersecurity leaders should reiterate safe app usage to prevent unintended exposure.


Crisis Leadership Secrets to Survive Cyber Chaos

Crisis Tips from Chris Scott
Decisiveness, drills, and transparency are vital as SEC penalties highlight the cost of secrecy.

Microsoft Rootkit Risk
A driver flaw opens systems to stealthy rootkits. Monitor kernel activity.

SolarWinds Fines Warn CISOs
SEC penalties stress the need for honest breach disclosure.

Crackdown on Disinfo Domains
Senator Warner targets Russian-linked sites, increasing scrutiny on registrars.

What caught my attention this week?

On Threat Vector This Week: Crisis Leadership Lessons from Chris Scott

This week we will publish an episode with Christopher Scott, a veteran in crisis leadership, about handling cybersecurity incidents under intense pressure. Scott’s advice? Be decisive even when data is sparse, balance technical and business priorities, and practice incident drills regularly. With the SEC’s recent crackdown on SolarWinds-related disclosures, Scott’s insights on honest communication during crises resonate even more. His take is clear: transparency isn’t just about compliance—it’s a critical tool to maintain trust within your organization and with regulators.

What got my attention this week?

New Windows Driver Bypass Opens Door for Kernel Rootkits

Microsoft’s latest vulnerability could open up a nightmare scenario for security teams: a new driver signature bypass that allows attackers to push malicious drivers directly to the kernel. This flaw could allow kernel rootkit installations to bypass even the most advanced endpoint defenses, giving attackers a stealthy way to deploy hard-to-detect malware.

Why it matters: Kernel-level rootkits are no joke—they give attackers deep system access to hide malicious activity right under your nose. Security leaders need to stay sharp, prioritize monitoring kernel activity, and scrutinize any suspicious drivers to stay ahead of this sophisticated threat.

SEC Fines Firms Millions for SolarWinds Incident Downplay

The SEC’s latest action sends a loud message: mislead stakeholders about cyber incidents, and you’ll pay. Firms were fined millions for downplaying the SolarWinds breach, highlighting how essential transparency is in cybersecurity. Holding back on breach disclosures can cost not only millions in penalties but also trust from stakeholders and the public.

Why it matters: With the SEC cracking down, the regulatory landscape around breach disclosures is more intense than ever. CISOs, take note: prioritize clear, honest communication during incidents to avoid the hefty fines and reputational damage that follow misleading responses.

Senator Probes Domain Registrars Over Russian Disinformation Sites

U.S. Senator Mark Warner is pressuring domain registrars for allowing Russian-linked disinformation sites to proliferate, claiming that lax oversight supports the spread of content that can destabilize democratic processes. This probe could lead to stricter regulations on registrars to clamp down on disinformation.

Why it matters: With geopolitical tensions in focus, this probe calls out the critical role of tech intermediaries in stemming disinformation. CISOs should consider that digital assets tied to under-regulated or laxly managed platforms may face scrutiny, especially in politically charged contexts.


Inside Threat Vector’s Bold Conversations on IoT, XDR, and Quantum Security

This week, Unit 42 exposed "Deceptive Delight," a method for bypassing AI safeguards by embedding harmful prompts in harmless ones, underscoring the need for stronger AI defenses. Meanwhile, Lumma Stealer malware is bypassing CAPTCHAs to steal sensitive data, and Bumblebee malware has resurfaced, more dangerous and harder to detect, highlighting the urgency of robust ransomware defenses. On Threat Vector, I had thought-provoking conversations with Dr. Daniel Ford on cyber hygiene, Dr. May Wang on IoT security, and Allie Mellen from Forrester on XDR, offering fresh insights into evolving cyber challenges.

What caught my attention this week?

New Tactics to Jailbreak AI: The Risk of Camouflage and Distraction

A recent Unit 42 investigation reveals how malicious actors can bypass large language model (LLM) safeguards through a clever technique called "Deceptive Delight." By embedding harmful prompts within benign topics, attackers trick AI systems into generating unsafe content. This highlights a significant vulnerability in AI models that needs to be addressed to prevent misuse. Read more about how this tactic works and the steps needed to strengthen LLM security here.

Tricking CAPTCHAs: Lumma Stealer Malware on the Rise

Cybercriminals are using Lumma Stealer malware to bypass CAPTCHA protections, allowing them to steal sensitive data, such as login credentials and financial information. This development weakens one of the basic online security measures, making it easier for attackers to compromise accounts. Strengthening security defenses is crucial as these threats evolve. Read more in the full article here. For additional insights on cyber threats, explore Unit 42 research here.

Bumblebee Malware Returns with a Vengeance

Bumblebee malware has made a comeback, more potent and harder to detect than before. Used by threat actors for ransomware attacks and data theft, this revamped version highlights the adaptability of cybercriminals. Organizations must stay vigilant as botnet-driven threats evolve. Cyber defenses should be strengthened to counteract these persistent threats.

For more details, check out the full article here.

We had a busy week recording new episodes of Threat Vector.

I was thrilled to have had Dr. Daniel Ford join to record an episode of Threat Vector! His insights on cyber hygiene and cyber literacy have been rattling around my head all week. His insights on who takes the risk vs. who experiences the risk (hint: security teams take the risk, you and I experience the risk) changed my perception of my relationships with security teams.

I also had a chance to go deep into IoT Security with Dr. May Wang. I can’t wait to release it. I think May named this one during the episode: “The ABCs of IoT Security.” This episode struck a great balance between security insights and forward-looking strategy. Plus, it’s always great to share the mic with a fellow nerd (her words! though I am right there with her).

Early in the week, I was able to get Meerah Rajavel and Niall Browne to talk to me about the relationship they have as Palo Alto Networks CIO and CISO. Meerah and Niall discussed the importance of integrating security into software development and emphasized designing frictionless security early in the process. They also shared how they foster a culture of security at Palo Alto Networks. I know this episode will resonate with executives who are looking to drive speed and innovation.

Allie Mellen from Forrester and I also recorded an episode. It's supposedly about XDR and The Forrester Wave™: Extended Detection And Response Platforms, Q2 2024, but we went off script. Allie answered some deeper, tough questions and was absolutely wonderful to chat with. This will be a totally different episode of Threat Vector, and I am all for it.

Finally, I had Richu Channakeshava on to talk about Quantum Security. She did a fantastic job as a guest and an advocate for our listeners. At the end of the conversation, she called me out. Her observations were spot on: I was stiff and ran the interview as a Q&A. Quantum is such a big topic that I didn't want to let my ignorance get in the way, but as she pointed out, we need the conversation to flow, and when I don't know something, it’s better to ask (I keep learning that lesson). So, we will rerecord it in the style of What Roman Mars Can Learn About ConLaw, one of my favorite pods and podcasters. As soon as we redo this one, we will release it.
