Welcome to the fifth edition of the Cyber Threats Newsletter. The goal is to deliver weekly updates with the latest in cyber threats, to help accelerate innovation and collaboratively build a more secure future!

We spent this weekend at HackBCN'24 and built Security Agents for AWS GuardDuty alerts

I've just arrived in Barcelona a week ago, and I've already participated in HackBCN, the city's first AI Hackathon. Nico and team did an excellent job organizing the event!

The challenge

The hackathon's brief was open: "build something cool with AI." With such a broad scope, we decided to focus on a specific pain point in cloud security. Anyone who's used AWS GuardDuty knows the challenge that analyzing numerous alerts can be time consuming and often tedious. We set out to change that.

What did we build in only 30h?

We created AI agents to automate the work typically done by cloud security engineers:

1. Alert Triage: An agent to quickly assess the severity and urgency of incoming alerts.

2. Data Enrichment: We integrated external APIs like AbuseIPDB, SecurityTrails, and ExaAI to gather additional context for each alert.

3. Correlation and Analysis: An agent to connect the dots between different data points and identify patterns.

4. Remediation Suggestions: Using RAG (Retrieval Augmented Generation) with AWS Playbooks for Incident Response, we created an agent to recommend actionable steps.

5. Report Generation: Finally, an agent to compile all findings into a comprehensive, easy-to-understand report.

We used both Mistral and GPT-4o models, but GPT-4o performed much better for our agents, thanks to its speed and larger context window.

Next Steps

Looking ahead, we plan to:

• Expand dynamically our RAG database

• Add more use cases

• Extend support to multiple cloud platforms (Azure and GCP)

The hackathon was an exciting experience, showing the potential of Barcelona and its people.

Here you can see the demo presentation:

And if you like these types of projects, you can take a look at the OpenAI Cybersecurity Grant Program that aims to empower defenders by highlighting innovative research and AI integration in cybersecurity

Week in review

14 Million OpenSSH Servers Potentially Vulnerable to “regreSSHion” Bug

Qualys Threat Research Unit (TRU) has identified a severe remote unauthenticated code execution (RCE) vulnerability in OpenSSH's server (sshd) affecting glibc-based Linux systems, with a potential to compromise over 14 million instances globally.

The vulnerability, now tracked as CVE-2024-6387 and dubbed “regreSSHion,” allows unauthenticated, remote attackers to execute code as root on affected systems, posing a significant security risk.

New Mac Stealer ‘Poseidon’ Spreads via Arc Browser Google Ads

A new Mac stealer named “Poseidon” is being distributed via malicious Google ads targeting people looking to download the popular Arc browser, according to a report by Malwarebytes. The stealer, developed by a cybercriminal known as Rodrigo4, is designed to exfiltrate sensitive information from infected devices and is actively being promoted on underground forums.

Polyfill.io JavaScript supply chain attack impacts over 100K sites

Cybersecurity company Sansec warned that the polyfill.io domain and service was purchased earlier this year by a Chinese company named 'Funnull' and the script has been modified to introduce malicious code on websites in a supply chain attack.

Interesting Interviews, Tools and More

Sandwich Attack: Multi-language Mixture Adaptive Attack on LLMs

"we introduce a new black-box attack vector called the Sandwich Attack: a multi-language mixture attack, which manipulates state-of-theart LLMs into generating harmful and misaligned responses"

Is it safe to let your password manager autofill your password?

Struggling to keep track of all your passwords? You’re not the only one. Password managers(new window) exist because it’s difficult to keep track of hundreds of logins and all their various passwords.

ChatGPT 4 can exploit 87% of one-day vulnerabilities

During the study, the team used 15 one-day vulnerabilities that occurred in real life. One-day vulnerabilities refer to the time between when an issue is discovered and the patch is created, meaning it’s a known vulnerability. Cases included websites with vulnerabilities, container management software and Python packages. Because all the vulnerabilities came from the CVE database, they included the CVE description.

Thanks for reading. If you want to be up to date with the last threats and news in the cybersecurity world, subscribe!