According to an IBM report, 82% of breaches involved data stored in the cloud. What's your data recovery plan? Join us for Virtual Camp Rubrik: AWS Cloud Protection to:

- Protect AWS workloads, Amazon EC2, Amazon RDS, and Amazon EBS
- Recover and restore your AWS data and workloads
- Discuss the current state of the cloud threat landscape

Welcome to another_secpro!

Life is never easy for security professionals, but it might now become a whole lot more difficult if rumours around the withdrawal of funding for CVE. Be vigilant for what might become a bigger problem in the next few months (or, if you're a bug hunter, count your blessings)! We're continuing our series on the MITRE ATT&CK framework and the Top Ten threats over the last year. Check it out below! This week, we look at #5: 1562.

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you to all read Picus Security'sRed Report 2025!

Are you attending the upcoming RSA Conference at the end of the month? Keep an eye out for our Packt writers, their stalls, and what they've got to share at the event! If you have an insight, highlight, or story that you want to share with the readership, reply to this email or reach out to the _secpro team.

Cheers!
Austin Miller
Editor-in-Chief

Bruce Schneier - Cryptocurrency Thefts Get Physical: Longstoryof a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping.

Bruce Schneier - New Linux Rootkit: "The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms."

Bruce Schneier - Regulating AI Behavior with a Hypervisor: As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or malice, can generate existential threats to humanity. Although Guillotine borrows some well-known virtualization techniques, Guillotine must also introduce fundamentally new isolation mechanisms to handle the unique threat model posed by existential-risk AIs.

Krebs on Security - Whistleblower: DOGE Siphoned NLRB Case Data: "A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity."

Krebs on Security - DOGE Worker’s Code Supports NLRB Whistleblower: "A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub."

JPCERT CC - DslogdRAT Malware Installed in Ivanti Connect Secure: "Ina previous article of JPCERT/CC Eyes, we reported on SPAWNCHIMERA malware, which infects the target after exploiting the vulnerability in Ivanti Connect Secure. However, this is not the only malware observed in recent attacks. This time, we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024."

ReliaQuest - ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver: On April 22, 2025, ReliaQuest published details of our investigation into exploitation activity targeting SAP NetWeaver systems that could enable unauthorized file uploads and execution of malicious files. On April 24, 2025, SAP disclosed "CVE-2025-31324," a critical vulnerability in SAP NetWeaver Visual Composer with the highest severity score of 10.

SecureList - Operation SyncHole: Lazarus APT goes back to the well: "The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compromised. We immediately took action by communicating meaningful information to the Korea Internet & Security Agency (KrCERT/CC) for rapid action upon detection, and we have now confirmed that the software exploited in this campaign has all been updated to patched versions."

MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.

nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.

mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9t-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.