• Netizen: September 2025 Vulnerability Review

    Newly disclosed vulnerabilities are a constant in managing any organization’s security posture, and prompt patching or remediation is critical to shrinking the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from September 2025 that should be patched or mitigated immediately if present in your environment. Detailed writeups follow.


    CVE-2025-20352

    CVE-2025-20352 describes a high-severity stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software. The flaw arises from improper handling of SNMP packets: a crafted request corrupts memory in the SNMP process. Exploitation requires a valid SNMPv2c (or earlier) read-only community string or valid SNMPv3 user credentials, and the impact depends on what else the attacker holds. A remote attacker with only that low-privileged SNMP access can send crafted packets that force the affected device to reload, a denial of service. A remote attacker who also holds high-privileged credentials on the device (administrative or privilege 15) can use the same flaw to execute arbitrary code as root on the underlying IOS XE device, gaining complete control. The attack vector is network-based and requires no user interaction, which broadens exposure for organizations that leave SNMP enabled over IPv4 or IPv6 on internet-facing Cisco devices. Because the vulnerability affects all versions of SNMP (v1, v2c and v3) on IOS and IOS XE, any unpatched system with SNMP configured is at risk.

    This vulnerability carries a CVSS v3 base score of 7.7 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. That vector scores the denial-of-service case reachable with low-privileged SNMP access; the root-level code execution case is reached only when the attacker also holds high-privileged device credentials, so the score understates the outcome in an environment where administrative credentials have leaked. Cisco confirmed that the flaw was already being exploited in the wild at the time of disclosure in September 2025, after local administrator credentials had been compromised, with millions of routers and switches potentially exposed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to apply Cisco’s security updates immediately, since successful exploitation can either cripple network availability through repeated reloads or hand over control of critical infrastructure. Cisco’s advisory lists the fixed releases and, for devices that cannot be upgraded yet, recommends limiting SNMP access to trusted hosts. Organizations running IOS or IOS XE should prioritize the updates, rotate any SNMP community strings or SNMPv3 credentials that may have been exposed, and treat SNMP reachability from untrusted networks as a finding in its own right.
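
    As an added example (not from Cisco’s advisory or the original writeup), the following Python script audits a Cisco IOS or IOS XE running-config for SNMP exposure that makes the credential prerequisite easier to meet: well-known community strings, read-write communities, and communities or SNMPv3 groups with no access-list restriction. The sample configuration is constructed and the well-known string list is illustrative. It does not detect the vulnerability itself; pair it with Cisco’s fixed-release table.

```python
"""Audit a Cisco IOS / IOS XE running-config for SNMP exposure.

Added example, not code from Cisco or the original article. It does not
detect CVE-2025-20352 itself; it flags configuration that widens the set of
parties holding the SNMP credentials the bug requires.
"""
import re

# Constructed list: strings that ship as defaults or sit in every wordlist.
WELL_KNOWN = {"public", "private", "cisco"}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?"
    r"(?: ipv6 (\S+))?(?: (\S+))?\s*$",
    re.IGNORECASE,
)
# snmp-server group <name> v3 <noauth|auth|priv> [read/write/notify ...] [access <acl>]
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) v3 (noauth|auth|priv)(?:.*? access (\S+))?\s*$",
    re.IGNORECASE,
)


def audit_snmp(config_text: str):
    """Return (config line, reason) pairs for risky SNMP statements."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, _view, mode, acl6, acl4 = m.groups()
            mode = (mode or "RO").upper()          # IOS defaults to read-only
            if community.lower() in WELL_KNOWN:
                findings.append((line, "well-known community string"))
            if mode == "RW":
                findings.append((line, "read-write community"))
            if not (acl4 or acl6):
                findings.append((line, "community not restricted by an ACL"))
            continue
        m = GROUP_RE.match(line)
        if m:
            name, level, acl = m.groups()
            if level.lower() != "priv":
                findings.append((line, f"SNMPv3 group {name} allows {level} (no encryption)"))
            if not acl:
                findings.append((line, f"SNMPv3 group {name} not restricted by an ACL"))
    return findings


# Constructed sample running-config excerpt.
SAMPLE_CONFIG = """\
hostname edge-rtr1
snmp-server community public
snmp-server community s3cr3t-rw RW
snmp-server community monitoring RO 10
snmp-server group netops v3 priv access 20
snmp-server group legacy v3 noauth
access-list 10 permit 10.0.0.5
"""


def main():
    for line, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"{reason:45s} <- {line}")


if __name__ == "__main__":
    main()
```

    Feed it the output of "show running-config | include snmp-server" from each device; anything it flags is a credential an attacker can obtain more easily than they should, and therefore a shorter path to the reload or code-execution described above.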


    CVE-2025-10035

    CVE-2025-10035 is a critical deserialization vulnerability discovered in the License Servlet of Fortra’s GoAnywhere Managed File Transfer (MFT). The issue arises from the way the application handles license validation responses. An attacker who can forge a valid license response signature is able to feed the servlet with arbitrary, attacker-controlled objects. This unsafe deserialization pathway can be exploited to achieve command injection on the affected system, granting the attacker the ability to execute arbitrary code. Because the attack is carried out over the network and does not require prior authentication, it poses an especially high risk to exposed GoAnywhere MFT deployments.

    The attack vector centers on the forged license response. By manipulating the serialized data contained within the response, the adversary can cause the server to interpret crafted objects as trusted inputs. Once deserialized, these malicious objects enable execution of arbitrary commands with the privileges available to the GoAnywhere MFT process. Since GoAnywhere is often deployed as a mission-critical platform for secure file transfers across enterprise and government environments, the consequences of successful exploitation extend far beyond the compromise of a single server. Attackers could use this flaw to gain persistence, steal sensitive data in transit, or pivot deeper into corporate networks.

    This vulnerability has been assigned the maximum CVSS v3 base score of 10.0 with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting low attack complexity, no authentication requirement, and full impact on confidentiality, integrity, and availability; some vulnerability databases also list a legacy CVSS v2 score of 10.0. Published on September 19, 2025, the issue was quickly classified as a vulnerability of interest by Tenable. Its Exploit Prediction Scoring System (EPSS) score at publication was 0.00231, roughly a 0.2 percent estimated probability of exploitation within 30 days; EPSS is a probability estimate, not a report of observed attacks, and should not be read as reassurance for an internet-exposed file transfer server. Given GoAnywhere’s history of being targeted in high-profile attacks, organizations running vulnerable versions should immediately apply the fixed releases (GoAnywhere MFT 7.8.4 or Sustain Release 7.6.3) or Fortra’s mitigations, and should confirm the administrative console is not reachable from the internet. WatchTowr Labs published a technical analysis of the bug that traces how a forged license response reaches the deserialization sink and what exploitation would require.


    CVE-2025-10585

    CVE-2025-10585 is a high-severity vulnerability in Google Chrome’s V8 JavaScript engine. The flaw stems from a type confusion issue, which occurs when V8 misinterprets the type of an object during execution. In this case, the vulnerability allowed a crafted HTML page to trigger heap corruption, potentially leading to remote code execution. Google rated the issue as “High” under Chromium’s severity scale, but its real-world risk is elevated by the fact that it was exploited as a zero-day in active attacks before being patched.

    The vulnerability was fixed in Chrome version 140.0.7339.185, released in mid-September 2025. This release was pushed as an emergency update after reports of in-the-wild exploitation. The attack surface is broad since exploitation requires nothing more than convincing a victim to visit a malicious or compromised webpage. Attackers were observed using this flaw as part of targeted campaigns, and it was quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating patching across federal civilian agencies.

    From a scoring standpoint, the flaw carries a CVSS v3 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability; the only prerequisite is that the victim loads a page. Some vulnerability databases also list a legacy CVSS v2 score of 10.0. Given Chrome’s dominance as a browser, this vulnerability represents a significant target for threat actors, especially those relying on drive-by-download or watering-hole campaigns.

    Security researchers have pointed out that this was the sixth actively exploited Chrome zero-day patched by Google in 2025, underscoring the sustained targeting of browser vulnerabilities. Organizations are strongly advised to verify their endpoints are running Chrome 140.0.7339.185 or later and to ensure automatic updates are enabled. Since this flaw affects V8, other Chromium-based browsers like Microsoft Edge and Brave may also require updates to stay protected.


    CVE-2025-53691

    CVE-2025-53691 describes a high-severity deserialization of untrusted data vulnerability in Sitecore’s Experience Manager (XM) and Experience Platform (XP). The flaw exists in multiple supported versions—XM from 9.0 through 9.3 and 10.0 through 10.4, as well as XP across the same ranges. An attacker with limited privileges over the network could exploit the deserialization process to execute arbitrary code on the affected server, escalating their access and potentially taking full control of the Sitecore environment.

    The risk posed by this vulnerability is significant given how widely Sitecore is used for enterprise content management and digital experience delivery. Exploitation could enable attackers to manipulate business-critical data, compromise sensitive information, and pivot to additional systems integrated with the platform. Researchers at WatchTowr Labs demonstrated how cache poisoning could be used as an entry point to trigger the deserialization pathway, chaining it into remote code execution. This highlights not only the technical severity of the bug but also how attackers can pair it with creative attack vectors to achieve a deeper compromise.

    According to the National Vulnerability Database (NVD), CVE-2025-53691 carries a CVSS v3 base score of 8.8 (vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), placing it firmly in the high-risk category; some databases also list a legacy CVSS v2 score of 9.0. Its Exploit Prediction Scoring System (EPSS) score currently sits at 0.0028, an estimated probability of roughly 0.3 percent that it is exploited within the next 30 days, which is a forecast rather than evidence of attacks. While public exploit availability has not yet been confirmed, the WatchTowr research shows the chain is practical, and advisories emphasize the urgency of applying the vendor patches. Sitecore has published security guidance in its knowledge base (KB1003667), urging customers to upgrade to patched versions to prevent compromise.
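
    As an added example (not code from Fortra, Sitecore, or the original article), the Python block below shows the failure pattern the GoAnywhere and Sitecore bugs above share, and a safer shape for the same logic. Python’s pickle stands in for Java object serialization; the wire format (HMAC tag followed by the serialized payload), the demo key, and the Gadget class are constructed for illustration. The harmless os.getcwd call in the gadget is where a real chain would place os.system or its Java equivalent.

```python
"""Signature check followed by unsafe deserialization, and a safer variant.

Added example, not code from Fortra, Sitecore or the original article.
Python's pickle stands in for Java object serialization: once a forged or
leaked-key 'license response' passes the signature check, a general-purpose
deserializer lets the sender choose which objects (and so which code) run.
"""
import hashlib
import hmac
import io
import os
import pickle

LICENSE_KEY = b"demo-license-signing-key"   # constructed demo key
TAG_LEN = 32                                 # SHA-256 HMAC tag length


def sign(payload: bytes, key: bytes = LICENSE_KEY) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_response(payload: bytes, key: bytes = LICENSE_KEY) -> bytes:
    """Constructed wire format: HMAC tag || serialized payload."""
    return sign(payload, key) + payload


def _checked_payload(response: bytes) -> bytes:
    """Constant-time tag check; returns the payload bytes or raises."""
    tag, payload = response[:TAG_LEN], response[TAG_LEN:]
    if not hmac.compare_digest(tag, sign(payload)):
        raise ValueError("bad license signature")
    return payload


class Gadget:
    """Attacker object: deserializing it calls a function of the attacker's
    choosing. os.getcwd keeps the demo harmless; a real gadget chain would
    reach os.system or the Java-side equivalent."""
    def __reduce__(self):
        return (os.getcwd, ())


def load_vulnerable(response: bytes):
    """The flawed shape: signature verified, then a full-featured deserializer."""
    return pickle.loads(_checked_payload(response))


class DataOnlyUnpickler(pickle.Unpickler):
    """Refuse every global lookup: a license record needs only plain data."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_hardened(response: bytes) -> dict:
    """Same signature check, but the parser can only build primitive data,
    and the caller still validates the shape of what came back."""
    obj = DataOnlyUnpickler(io.BytesIO(_checked_payload(response))).load()
    if not isinstance(obj, dict) or not all(isinstance(k, str) for k in obj):
        raise ValueError("license response has unexpected shape")
    return obj


def demo() -> dict:
    """Run both loaders against a benign, a hostile and a tampered response."""
    good = make_response(pickle.dumps({"licensee": "Example Corp", "seats": 25}))
    evil = make_response(pickle.dumps(Gadget()))   # 'forged' = signed with the key
    tampered = bytes(TAG_LEN) + good[TAG_LEN:]      # valid payload, wrong tag
    results = {
        "benign_ok": load_hardened(good) == load_vulnerable(good),
        "vulnerable_ran_gadget": load_vulnerable(evil) == os.getcwd(),
    }
    try:
        load_hardened(evil)
        results["hardened_blocked_gadget"] = False
    except pickle.UnpicklingError:
        results["hardened_blocked_gadget"] = True
    try:
        load_hardened(tampered)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

    The signature check is necessary but not sufficient: the moment an attacker can produce a response that passes it (a forged signature in the GoAnywhere case, a poisoned cache entry in the Sitecore chain), everything downstream must assume the bytes are hostile. That is why the hardened loader refuses any class resolution and then checks the shape of the result, rather than trusting the deserializer to only produce a license record.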


    CVE-2025-4428

    CVE-2025-4428 is a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) up to and including version 12.5.0.0. The flaw lies in the API component, where crafted API requests allow an authenticated attacker to execute arbitrary code remotely. Because exploitation requires only valid credentials with limited privileges, the barrier is low once any account is in hand, and in observed attacks the authentication requirement was removed entirely by chaining with the companion authentication bypass CVE-2025-4427. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming its use in real-world intrusions.

    Reports from CISA and several security researchers show that this vulnerability has been actively leveraged by advanced persistent threat (APT) groups, including China-linked operators such as UNC5221. Attackers chained CVE-2025-4428 with CVE-2025-4427 in multi-step compromises of government agencies and enterprises across the U.S. and Europe. Once in, adversaries deployed custom malware to maintain persistence, exfiltrate data, and facilitate lateral movement. The vulnerability is especially dangerous because of EPMM’s role in managing mobile and endpoint access for large organizations, which gives attackers deep footholds into sensitive infrastructure.

    From a risk perspective, the vulnerability carries a CVSS v3 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and an EPSS score of 0.37092, an estimated 37 percent probability of exploitation within 30 days, which is notably high. The impact spans confidentiality, integrity, and availability, meaning successful attacks lead to full compromise of affected systems. Defenders should upgrade to patched versions of EPMM and review API access logs for suspicious requests, including unauthenticated or malformed calls that would indicate the authentication bypass being used alongside this flaw. Given the consistent exploitation of Ivanti products across 2023–2025, organizations running EPMM should treat this as a priority patch and consider compensating controls such as strict API request monitoring, restricting management interfaces to trusted networks, and additional authentication layers where possible.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen Cybersecurity Bulletin (September 25th, 2025)

    Overview:

    • Phish Tale of the Week
    • UNC5221 Deploys BRICKSTORM Backdoor Against U.S. Legal and Technology Sectors
    • Shai-Hulud Worm Compromises 180+ NPM Packages
    • How can Netizen help?

    Phish Tale of the Week

    Phishing campaigns created by malicious actors often target users through social engineering. In this example the actors pose as Coinbase, sending a text message claiming that our Coinbase account was logged into and that we need to call support if it wasn’t us. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of signs that point to this being a scam.

    Here’s how we can tell not to call this number:

    1. The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to act on it, because I do not have a Coinbase account. On top of that, it is apparent the message was blasted out to random numbers: it does not include my name or make any attempt at familiarity.
    2. The second warning sign in this text is the messaging. It tries to create a sense of urgency with language such as “If this was not you.” Phishing and smishing scams commonly manufacture urgency or confusion so that you act without thinking. Always inspect the style and tone of a text before following a link, opening an attachment, or calling a number it provides.
    3. The final warning sign for this text is the call to action: the smisher wants us to call an unknown number, something Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    A smishing attack will typically direct the user to a link where they are prompted to update personal information such as a password, credit card, Social Security number, or bank account details. A legitimate company already has this information and would not ask for it again, least of all by text message. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you do not usually order from or a service you do not use? If so, it is probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you do not recognize? Are they asking you to sign in to a website and provide Personally Identifiable Information (PII) such as credit card or Social Security numbers? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    UNC5221 Deploys BRICKSTORM Backdoor Against U.S. Legal and Technology Sectors

    A newly detailed cyber-espionage campaign is drawing attention for its persistence and precision. Mandiant and Google’s Threat Intelligence Group (GTIG) have attributed recent intrusions in the United States to UNC5221, a China-aligned threat actor deploying the BRICKSTORM backdoor. The group has been active across multiple high-value industries, including legal services, business process outsourcing firms, technology companies, and SaaS providers, with activity stretching back more than a year.

    At the heart of the campaign is BRICKSTORM, a Go-based backdoor engineered to establish covert access and resist detection. Once deployed, it can masquerade as a web server, manipulate the file system, transfer data, execute arbitrary shell commands, and even act as a SOCKS relay to tunnel traffic. Communication with command-and-control servers is carried out over WebSockets, helping the malware blend into ordinary network behavior. In some cases, newer variants have included a “delay” feature, waiting months before contacting their operators to avoid being discovered during initial remediation efforts.

    UNC5221 has paired BRICKSTORM with other stealth tools, most notably BRICKSTEAL, a malicious Apache Tomcat filter designed to capture vCenter credentials. Unlike traditional deployments, which require configuration changes and service restarts, this filter was injected directly in memory through a custom dropper. This approach eliminates the need for restarts, reduces visibility, and demonstrates the group’s emphasis on stealth. Another component, a JSP web shell known as SLAYSTYLE or BEEFLUSH, provides a means of executing operating system commands delivered through simple HTTP requests. These capabilities highlight the group’s preference for living quietly within environments rather than deploying noisy, off-the-shelf malware.

    Persistence has been a recurring theme in these intrusions. Investigators have observed modifications to startup files such as init.d, rc.local, and systemd services on compromised appliances, ensuring BRICKSTORM survives reboots. On VMware infrastructure, UNC5221 has gone further by cloning Windows Server virtual machines tied to critical systems like domain controllers and identity providers, giving them an alternate path back in even if initial access is cut off. This long-haul approach has translated into dwell times averaging 393 days, underscoring how effective their operational security has been.

    The targeting patterns fit within established Chinese cyber-espionage objectives. Legal firms and technology companies hold sensitive information tied to national security and trade, while SaaS providers act as gateways into downstream customer environments. By compromising administrators, developers, and technical staff, UNC5221 gains access to not only valuable communications but also the infrastructure needed to conduct research into new zero-day vulnerabilities. This dual motive, espionage and cyber capability development, represents a serious threat to both national and commercial interests.

    Detection has proven difficult because many of the appliances and systems compromised do not support traditional endpoint detection and response tooling. That gap has left defenders struggling to spot lateral movement or credential theft until long after the damage has been done. Google has since released a shell script scanner to help organizations check Linux and BSD appliances for BRICKSTORM indicators, but the campaign illustrates just how much of today’s enterprise environment exists outside standard monitoring tools.

    Charles Carmakal, CTO of Mandiant Consulting, summed up the challenge by pointing out that access gained by UNC5221 allows them to pivot into downstream customer networks and potentially discover exploitable flaws in enterprise technologies. The ability to remain in place for over a year, while quietly stealing data and expanding access, highlights just how sophisticated and determined these operators are.

    For defenders, the message is clear. Security visibility cannot stop at endpoints alone. Infrastructure such as VPN appliances, VMware environments, and SaaS integrations must be subject to the same level of scrutiny as workstations and servers. Credential hygiene, startup script audits, and continuous hunting for stealthy backdoors are becoming necessary steps in responding to advanced campaigns of this nature. The BRICKSTORM activity shows that highly skilled adversaries will continue exploiting blind spots in enterprise monitoring, and the cost of overlooking these areas is long-term undetected compromise.
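
    As an added example (not Google’s scanner and not code from the original article), the Python below audits the persistence locations the report names on a Linux appliance: /etc/init.d, /etc/rc.local and /etc/systemd/system. It flags entries modified after a baseline timestamp you supply, and systemd units whose ExecStart runs a binary out of a temporary or user-writable directory. The demo tree, its timestamps and the suspicious-path list are constructed; against a real host, call audit_startup("/", baseline) with the timestamp of the last known-good change window.

```python
"""Audit Linux startup persistence paths for recent or suspicious changes.

Added example; not Google's BRICKSTORM scanner and not code from the
original article. A heuristic triage aid, not an IOC scanner.
"""
import os
import re
import tempfile
from pathlib import Path

STARTUP_PATHS = ("etc/init.d", "etc/systemd/system", "etc/rc.local")
# Constructed heuristic: legitimate units rarely run from these locations.
SUSPECT_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# ExecStart may carry systemd's special prefixes (-, @, +, !, :) before the path.
EXEC_RE = re.compile(r"^ExecStart\s*=\s*[-@+!:]*(\S+)", re.MULTILINE)


def startup_entries(root):
    """Yield regular files under the startup locations beneath `root` ('/' on a live host)."""
    root = Path(root)
    for rel in STARTUP_PATHS:
        p = root / rel
        if p.is_file():
            yield p
        elif p.is_dir():
            yield from (c for c in sorted(p.iterdir()) if c.is_file())


def audit_startup(root, baseline_ts):
    """Return [(path, [reasons])] for entries that deserve an analyst's look."""
    findings = []
    for path in startup_entries(root):
        reasons = []
        if path.stat().st_mtime > baseline_ts:
            reasons.append("modified after baseline")
        if path.suffix == ".service":
            for m in EXEC_RE.finditer(path.read_text(errors="replace")):
                if m.group(1).startswith(SUSPECT_PREFIXES):
                    reasons.append(f"ExecStart runs {m.group(1)}")
        if reasons:
            findings.append((str(path), reasons))
    return findings


BASELINE = 1_700_000_000  # constructed 'last known good' timestamp


def build_demo_tree():
    """Create a constructed snapshot: two untouched entries, two changed ones."""
    root = Path(tempfile.mkdtemp(prefix="startup-audit-"))
    files = {
        "etc/init.d/networking": ("#!/bin/sh\n# distro script\n", BASELINE - 86400),
        "etc/systemd/system/sshd.service": ("[Service]\nExecStart=/usr/sbin/sshd -D\n", BASELINE - 86400),
        "etc/systemd/system/cache-helper.service": ("[Service]\nExecStart=/tmp/.cache/helper\n", BASELINE + 3600),
        "etc/rc.local": ("#!/bin/sh\n/usr/sbin/appliance-init\n/var/tmp/.x/run &\nexit 0\n", BASELINE + 3600),
    }
    for rel, (content, mtime) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))   # backdate so only the planted entries look new
    return root


if __name__ == "__main__":
    for path, reasons in audit_startup(build_demo_tree(), BASELINE):
        print(path, "->", "; ".join(reasons))
```

    Timestamps can be forged, so treat a clean mtime as weak evidence; the ExecStart path check catches a unit that was backdated but still points at a payload dropped in a scratch directory. Appliances that cannot run an EDR agent are exactly where a scheduled run of a script like this, with its output shipped off-box, fills part of the visibility gap the campaign exploited.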

    To read more about this article, click here.


    Shai-Hulud Worm Compromises 180+ NPM Packages

    A new malware outbreak has shaken the open-source ecosystem, with security researchers warning that more than 187 JavaScript packages on the NPM registry were infected by a fast-moving, self-replicating worm. The malware, dubbed Shai-Hulud after the giant sandworms in Frank Herbert’s Dune, has been stealing developer credentials and publishing them to public GitHub repositories.

    The worm is unusual in both its aggressiveness and its propagation method. Every time a developer installs an infected package, the malware hunts for NPM authentication tokens stored in the environment. If it finds them, Shai-Hulud modifies the 20 most popular packages tied to that token, implants itself into their code, and pushes a new version of those libraries to NPM. The result is a chain reaction: one infected package leads to dozens of others being compromised, creating the potential for exponential growth.

    The outbreak is the latest in a string of incidents affecting NPM, which acts as a critical hub for the global JavaScript ecosystem. Just weeks earlier, phishing campaigns spoofing NPM logins attempted to trick developers into updating their multi-factor authentication settings, while another breach involving the “nx” toolkit planted malware that stole authentication tokens. That attack did not self-propagate, but it foreshadowed the worm-like mechanics of Shai-Hulud.

    Researchers at Aikido and StepSecurity found that the worm uses the open-source tool TruffleHog to scan for additional secrets on infected machines, including credentials for GitHub, AWS, Azure, and Google Cloud. The malware then publishes those secrets in newly created GitHub repositories marked with “Shai-Hulud,” where the information is exposed to anyone who stumbles across it.

    The worm targets Linux and macOS environments and deliberately skips Windows systems. This focus on developer platforms reflects its intent: compromise the ecosystem at the source, where publishing credentials live, rather than the end users.
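
    As an added example (not code from the article or the researchers it cites), this Python block performs two checks a developer can run offline against a project after an incident like this: whether package-lock.json resolves any dependency, including nested ones, to a version on a list of compromised releases, and whether npm tokens are exposed in .npmrc or the environment where an install-time script could read them. The IoC list, lockfile and .npmrc are constructed placeholders; replace COMPROMISED with the published name@version list.

```python
"""Check a JavaScript project for Shai-Hulud style exposure.

Added example; not code from the article or the cited researchers. The IoC
list is a constructed placeholder: substitute the published list of affected
name@version pairs.
"""
import json
import re

COMPROMISED = {                    # constructed placeholder, not real packages
    "example-widget": {"1.4.3"},
    "example-logger": {"2.0.1", "2.0.2"},
}
# //registry.example/:_authToken=... or a bare _authToken=... line in .npmrc
TOKEN_LINE = re.compile(r"^\s*(?://\S*?:)?_authToken\s*=", re.IGNORECASE)
TOKEN_ENV = ("NPM_TOKEN", "NODE_AUTH_TOKEN")


def lockfile_packages(lock):
    """Yield (name, version) from lockfile v2/v3 'packages' and v1 'dependencies'."""
    for key, meta in lock.get("packages", {}).items():
        if key and "version" in meta:                 # "" is the root project itself
            # 'node_modules/a/node_modules/b' -> 'b'
            yield key.rsplit("node_modules/", 1)[-1], meta["version"]

    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock, ioc=COMPROMISED):
    """Sorted unique (name, version) pairs that match the IoC list."""
    return sorted({(n, v) for n, v in lockfile_packages(lock) if v in ioc.get(n, ())})


def find_token_exposure(npmrc_text, env):
    """Where publish-capable tokens live; token values are never echoed."""
    hits = [f".npmrc line {i}" for i, line in enumerate(npmrc_text.splitlines(), 1)
            if TOKEN_LINE.match(line)]
    hits += [f"env {k}" for k in TOKEN_ENV if env.get(k)]
    return hits


# Constructed sample inputs.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/example-widget": {"version": "1.4.3"},
    "node_modules/example-logger": {"version": "2.0.0"},
    "node_modules/example-widget/node_modules/example-logger": {"version": "2.0.2"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}""")
SAMPLE_NPMRC = ("registry=https://registry.npmjs.org/\n"
                "//registry.npmjs.org/:_authToken=npm_EXAMPLE_NOT_A_REAL_TOKEN\n")
SAMPLE_ENV = {"PATH": "/usr/bin", "NPM_TOKEN": "npm_EXAMPLE_NOT_A_REAL_TOKEN"}


if __name__ == "__main__":
    print("compromised:", find_compromised(SAMPLE_LOCK))
    print("token exposure:", find_token_exposure(SAMPLE_NPMRC, SAMPLE_ENV))
```

    A hit from the first check means the machine that ran npm install should be treated as compromised, not just the project: the worm’s whole propagation step depends on the second check coming back non-empty on that machine, so rotating every token it could have read comes before cleaning the lockfile.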

    Among the victims were several NPM packages associated with CrowdStrike, a leading security vendor. Security platform Socket.dev reported that at least 25 of CrowdStrike’s open-source packages were briefly compromised. CrowdStrike confirmed the intrusion but stressed that its Falcon endpoint detection platform was unaffected. The company said it quickly removed the malicious packages, rotated keys in public registries, and launched an investigation alongside NPM.

    Charlie Eriksen of Aikido described the worm as behaving almost like a biological virus. “Once the first person got compromised, there was no stopping it,” he said. “I still see package versions popping up once in a while, but no new packages have been compromised in the last several hours. That could change quickly if another developer inadvertently triggers the spread.”

    The worm’s infrastructure appears to have been partially disrupted—researchers noted that the attacker’s data exfiltration endpoint was throttled by rate limits. Still, the worm’s ability to replicate autonomously means the risk of resurgence remains high, especially if “super-spreader” developers with access to widely used packages are compromised.

    Experts say the attack exposes a structural weakness in open-source package repositories. Nicholas Weaver of the International Computer Science Institute described it as “a supply chain attack that conducts a supply chain attack.” Weaver urged NPM and similar registries to enforce stricter publishing controls, particularly the use of phish-resistant two-factor authentication for every publication request.

    “Allowing automated systems to publish code updates without explicit human verification has become a proven recipe for disaster,” Weaver said. He warned that without systemic changes, attacks like Shai-Hulud will only grow more frequent and disruptive.

    To read more about this article, click here.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen: Monday Security Brief (9/22/2025)

    Today’s Topics:

    • Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants
    • EDR-Freeze: New Tool Exploits Windows Error Reporting to Suspend Antivirus and EDR
    • How can Netizen help?

    Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants

    Microsoft has patched a critical vulnerability in Entra ID (formerly Azure Active Directory) that could have allowed attackers to impersonate any user, including Global Administrators, across all tenants worldwide.

    The flaw, tracked as CVE-2025-55241, received the maximum CVSS score of 10.0. Security researcher Dirk-jan Mollema reported the issue on July 14, 2025. It was patched by Microsoft on July 17, with the company noting that there is no evidence of active exploitation and no customer action required.

    The issue stemmed from the use of legacy actor tokens issued by the Access Control Service (ACS) in combination with a validation failure in the deprecated Azure AD Graph API (graph.windows.net). Because the API did not properly validate the tenant source of tokens, attackers could create tokens in their own environments and use them to impersonate Global Administrators in other tenants.

    Once in place, an attacker could access Entra ID user information, group and role assignments, application permissions, tenant settings, and even device information and BitLocker keys. The lack of API-level logging meant exploitation could take place without leaving a trace.
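
    As an added example (not Microsoft’s code and not the researcher’s exploit), the Python block below models the missing check in a deliberately simplified token validator. HS256 with a single shared issuer key stands in for the RS256 tokens the real services use, and the tenant identifiers, claim names and helper functions are constructed. The issuer stamps tid with the tenant that requested the token; the legacy validator never compares that tenant with the one the token is presented to, the hardened one does.

```python
"""Tenant-origin check in a token validator, simplified model.

Added example; not Microsoft's code and not the researcher's exploit. Real
Entra tokens are RS256 JWTs; HS256 with one shared 'issuer' key is used so
the block runs offline. The point is the check, not the crypto.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"demo-token-service-key"   # constructed; stands in for the service's key
ATTACKER_TENANT = "tenant-attacker"      # constructed tenant identifiers
VICTIM_TENANT = "tenant-victim"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(requesting_tenant: str, claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Token service: `tid` always reflects the tenant that asked and cannot be
    chosen by the caller; the other claims (who to impersonate, which tenant
    the token is meant for) are caller-supplied, as in an actor-token flow."""
    body = dict(claims, tid=requesting_tenant, exp=int(time.time()) + 3600)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _verified_claims(token: str, key: bytes) -> dict:
    """Signature and expiry only: what both validators share."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims


def validate_legacy(token: str, resource_tenant: str, key: bytes = ISSUER_KEY) -> dict:
    """Models the flaw: `resource_tenant` is accepted but never compared with
    the token's `tid`, so a token minted in tenant A is honored in tenant B."""
    return _verified_claims(token, key)


def validate_hardened(token: str, resource_tenant: str, key: bytes = ISSUER_KEY) -> dict:
    """Same checks plus the one that was missing: originating tenant must match."""
    claims = _verified_claims(token, key)
    if claims.get("tid") != resource_tenant:
        raise PermissionError(f"token issued to {claims.get('tid')} "
                              f"presented to {resource_tenant}")
    return claims


def demo() -> dict:
    admin = {"aud": VICTIM_TENANT, "upn": "admin@victim.example", "roles": ["GlobalAdministrator"]}
    cross = issue(ATTACKER_TENANT, admin)   # minted in the attacker's tenant
    own = issue(VICTIM_TENANT, admin)       # minted in the victim's own tenant
    out = {"legacy_accepts_cross_tenant":
           validate_legacy(cross, VICTIM_TENANT)["upn"] == "admin@victim.example"}
    try:
        validate_hardened(cross, VICTIM_TENANT)
        out["hardened_rejects_cross_tenant"] = False
    except PermissionError:
        out["hardened_rejects_cross_tenant"] = True
    out["hardened_accepts_own_tenant"] = validate_hardened(own, VICTIM_TENANT)["tid"] == VICTIM_TENANT
    return out


if __name__ == "__main__":
    print(demo())
```

    The same shape applies to any multi-tenant service that trusts a shared token issuer: a valid signature proves the issuer minted the token, not that it was minted for the tenant now receiving it, and the validator has to make that second comparison explicitly.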

    The impersonation of a Global Administrator could have resulted in complete compromise of an Entra tenant. Attackers could create new accounts, grant themselves permissions across Azure subscriptions, exfiltrate sensitive data from services such as SharePoint Online and Exchange Online, and bypass security controls like multi-factor authentication and Conditional Access. Cloud security firm Mitiga noted that the flaw effectively allowed for a silent full-tenant compromise.

    Microsoft classified the flaw as an instance of high-privileged access, where an application or service can impersonate users without proof of user context. The company reminded customers that the Azure AD Graph API was officially retired on August 31, 2025, and urged all applications to migrate to Microsoft Graph. Applications that continue relying on the legacy API will stop functioning after early September 2025.

    The Entra ID flaw comes amid a wave of cloud security incidents and disclosures. Recent findings have included OAuth misconfigurations in Entra ID, OneDrive Known Folder Move exploitation, the exposure of Azure AD application credentials in appsettings.json files, and cross-tenant API connection abuse in Azure Resource Manager. Other reports have shown how misconfigurations in AWS and Azure identity systems allow attackers to persist in cloud environments without deploying malware, simply by abusing trust policies, temporary credentials, or misconfigured IAM roles.

    Although the patch is already in place, CVE-2025-55241 highlights how legacy systems can undermine cloud security at scale. Organizations should review their applications for dependencies on deprecated APIs, monitor token usage closely, and ensure that third-party and internal applications are aligned with modern identity services. Regular audits of cloud configurations and service dependencies remain an important part of reducing exposure, particularly as attackers continue to focus on identity systems as the most direct route to compromise.


    EDR-Freeze: New Tool Exploits Windows Error Reporting to Suspend Antivirus and EDR

    A researcher posting under the handle Zero Salarium has released details of a proof-of-concept tool called EDR-Freeze, which can suspend Endpoint Detection and Response (EDR) and antivirus processes, effectively putting them into a coma state without crashing the system.

    The technique does not rely on the common Bring Your Own Vulnerable Driver (BYOVD) approach, which requires attackers to install and execute third-party drivers. Instead, EDR-Freeze abuses a feature already present in Windows: the MiniDumpWriteDump function used by the Windows Error Reporting service.

    MiniDumpWriteDump is designed to create a snapshot of a process for debugging purposes. To ensure consistency, it suspends all threads in the target process while the dump is written. Zero Salarium’s approach turns that behavior into an advantage: by forcing a race condition during the dump, the target process can be left suspended indefinitely.

    The method uses WerFaultSecure.exe, a Windows component that runs with Protected Process Light (PPL) protection at the WinTCB level, to trigger MiniDumpWriteDump against security processes. By suspending WerFaultSecure at the precise moment it suspends the target, the victim process remains frozen without being resumed.

    The tool launches WerFaultSecure.exe at the required protection level using the CreateProcessAsPPL technique, opens it with the PROCESS_SUSPEND_RESUME access right, and calls the undocumented NtSuspendProcess API to freeze it at the right moment.

    EDR-Freeze automates the sequence of actions required to put a target process into a coma state. It requires two parameters: the process ID (PID) of the target program and the duration for which it should be suspended.

    In a proof-of-concept demonstration, the researcher successfully suspended MsMpEng.exe, the Windows Defender antimalware process, for several seconds on Windows 11 24H2. During that time, monitoring and detection functions were paused, allowing potential high-risk actions to occur without interruption.

    The GitHub project hosting the tool (https://github.com/TwoSevenOneT/EDR-Freeze) provides the code and usage examples.

    This research highlights a different approach from the increasingly common BYOVD attacks. BYOVD requires shipping and loading vulnerable drivers, which creates instability and leaves more forensic traces. By contrast, EDR-Freeze exploits functionality already built into Windows, making the attack surface harder to eliminate.

    For defenders, the key detection opportunity is the command line WerFaultSecure.exe is launched with. If it is observed targeting critical processes such as LSASS, antivirus engines, or EDR agents, the launch should be treated as highly suspicious and investigated immediately.

    EDR-Freeze is currently positioned as a red team and research tool, but it underscores how attackers continue to look for creative ways to blind or disable security tools without crashing systems. Monitoring process creation events for WerFaultSecure.exe (especially instances started by something other than the Windows Error Reporting service, as CreateProcessAsPPL does) and for unusual use of the PROCESS_SUSPEND_RESUME access right against security processes will be critical for detection.
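    As an added illustration of that detection logic (this is not code from the EDR-Freeze project or its author), the Python below triages constructed process-creation events of the Sysmon Event ID 1 / Security 4688 kind. It assumes the WerFaultSecure.exe command line carries the dump target as `/pid <pid>`, that the Windows Error Reporting service host (svchost.exe) is its only legitimate parent, and that a PID-to-image table is available from a process snapshot; the event records, PIDs, paths and `/type` flag value are made up for the example.

```python
"""Triage process-creation telemetry for EDR-Freeze style abuse of WerFaultSecure.exe.

Added example, not part of the EDR-Freeze project. Assumptions to revisit when adapting it:
  * the command line "WerFaultSecure.exe /h /pid <pid> /tid <tid> ..." matches what your
    endpoints log (adjust TARGET_PID_RE otherwise);
  * in normal operation WerFaultSecure.exe is started by the WER service (a svchost.exe
    instance), so any other parent deserves a closer look;
  * the dictionaries below stand in for Sysmon Event ID 1 / Security 4688 records.
"""
import re

# Processes an attacker would want to freeze; extend with your EDR vendor's agent names.
SECURITY_PROCESSES = {"msmpeng.exe", "lsass.exe", "mssense.exe", "sensecncproxy.exe"}

# Assumed legitimate parent of WerFaultSecure.exe (the WER service host).
EXPECTED_PARENT = "svchost.exe"

TARGET_PID_RE = re.compile(r"/pid\s+(\d+)", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_pid(command_line):
    """Extract the PID WerFaultSecure.exe was told to dump, or None if absent."""
    m = TARGET_PID_RE.search(command_line)
    return int(m.group(1)) if m else None


def triage(event, pid_table):
    """Score one process-creation event.

    pid_table maps live PIDs to image names (from a process snapshot or earlier telemetry).
    Returns a finding for WerFaultSecure.exe launches worth investigating, else None.
    """
    if basename(event["Image"]) != "werfaultsecure.exe":
        return None
    pid = target_pid(event["CommandLine"])
    target = pid_table.get(pid, "unknown").lower()
    reasons = []
    if target in SECURITY_PROCESSES:
        reasons.append(f"dump target {target} (pid {pid}) is a security process")
    parent = basename(event["ParentImage"])
    if parent != EXPECTED_PARENT:
        reasons.append(f"unexpected parent {parent}")
    if not reasons:
        return None
    severity = "high" if target in SECURITY_PROCESSES else "medium"
    return {"pid": event["ProcessId"], "target": target, "severity": severity, "reasons": reasons}


def hunt(events, pid_table):
    """Run triage over a batch of events and return only the findings."""
    return [f for f in (triage(e, pid_table) for e in events) if f]


# Constructed sample telemetry; PIDs, paths and flag values are made up.
PID_TABLE = {7324: "MsMpEng.exe", 4412: "notepad.exe", 812: "lsass.exe"}
SAMPLE_EVENTS = [
    {   # Legitimate crash dump of a user application, started by the WER service.
        "ProcessId": 9001,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4412 /tid 4420 /file 700 /encfile 704 /cancel 708 /type 268310",
    },
    {   # EDR-Freeze pattern: launched by an arbitrary tool, aimed at the Defender engine.
        "ProcessId": 9002,
        "Image": r"C:\Windows\System32\WerFaultSecure.exe",
        "ParentImage": r"C:\Users\Public\EDR-Freeze.exe",
        "CommandLine": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 7324 /tid 7330 /file 724 /encfile 728 /cancel 732 /type 268310",
    },
    {   # Unrelated process creation; ignored.
        "ProcessId": 9003,
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, PID_TABLE):
        print(finding["severity"].upper(), finding["pid"], "; ".join(finding["reasons"]))
```

    The parent check matters because the tool itself, not the WER service, is what spawns WerFaultSecure.exe; an EDR that only inspects the image name will see a legitimate Microsoft-signed binary and move on.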


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Why Every Small Business Should Care About CMMC 2.0

    For many years, cybersecurity requirements in the defense sector were often seen as a burden for large prime contractors. Small and mid-sized businesses (SMBs) supplying parts, services, or technology to those contractors were rarely expected to meet the same level of scrutiny. That has changed. With the rollout of CMMC 2.0, the Department of Defense’s Cybersecurity Maturity Model Certification, every business in the defense supply chain is now accountable for how it protects sensitive data.

    For decision-makers, the question is no longer if CMMC 2.0 applies to your organization, but how soon it will affect your ability to compete for contracts.


    What CMMC 2.0 Actually Is

    CMMC 2.0 is the DoD’s updated framework for securing both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It replaces a system of self-attestation that too often failed to protect sensitive defense data with a tiered certification model requiring proof of compliance.

    The framework has three levels:

    • Level 1 (Foundational): Designed for companies that only handle FCI. Requires implementation of basic cyber hygiene practices (think access control, antivirus, and patching) and annual self-assessment.
    • Level 2 (Advanced): Required for companies that handle CUI. Maps directly to all 110 controls in NIST SP 800-171. Contracts will specify whether a third-party audit (via a C3PAO) is required or if a self-assessment is sufficient.
    • Level 3 (Expert): Reserved for the most sensitive programs. Goes beyond NIST 800-171 and requires direct audits by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

    The new DFARS rule, effective November 10, 2025, allows CMMC requirements to begin appearing in contracts. A three-year phased rollout will expand coverage until nearly all defense contracts handling FCI or CUI require CMMC compliance.


    Why Small Businesses Can’t Ignore It

    For SMBs, the impact is significant. Prime contractors are now legally required to flow down compliance obligations to subcontractors. That means even if your business is a tier-two or tier-three supplier, such as a machining shop, a staffing provider, or a managed IT firm, you will still need to demonstrate compliance.

    Failure to comply will not just risk penalties; it will likely disqualify your business from new defense contracts and may cause prime contractors to avoid working with you. In a competitive environment, compliance is rapidly becoming a baseline requirement to stay in the supply chain.

    Even outside defense, the trend is clear: industries from finance to healthcare increasingly look for partners that can prove compliance with recognized standards. Achieving CMMC alignment positions your business as a trusted partner, opening doors beyond DoD contracting.


    Business Risks of Non-Compliance

    For decision-makers weighing the cost of implementation, consider the risk profile of inaction:

    • Lost Revenue: Non-compliance will mean disqualification from DoD contracts. For many SMBs, even losing a single defense customer could be financially devastating.
    • Legal and Regulatory Exposure: Mishandled CUI can lead to False Claims Act liability, contract clawbacks, or suspension from government contracting.
    • Reputational Damage: Data breaches involving defense-related information attract media and regulatory attention. Demonstrating CMMC compliance shows diligence to customers and partners.
    • Operational Disruption: Breaches aren’t just theoretical—they can halt production, expose customer data, and lead to long recovery times. Compliance reduces this risk.

    The Cost of Compliance

    Implementing CMMC 2.0 is not just about buying new tools. It requires policies, processes, documentation, and cultural change. Even small businesses with limited IT staff must address:

    • Access Controls: Who can see what, and why?
    • Asset Management: A complete inventory of systems and data that touch CUI.
    • Incident Response: Documented and tested plans for handling breaches.
    • Configuration Management: Ensuring systems are patched, hardened, and monitored.
    • Vendor Oversight: Third-party providers must also meet compliance expectations.

    These investments can feel heavy for SMBs, but the alternative, lost contracts and higher risk exposure, carries far greater cost.


    Practical Next Steps for Small Business Leaders

    Decision-makers should treat CMMC 2.0 as a board-level priority, not just an IT issue. Steps to take now include:

    1. Identify Scope: Determine whether your organization handles FCI, CUI, or both. This defines which CMMC level applies.
    2. Map Data Flows: Document where sensitive information resides, who accesses it, and how it moves across systems and networks.
    3. Conduct a Pre-Assessment: Engage a qualified provider to identify gaps against NIST SP 800-171 and CMMC requirements. This prevents surprises during an official audit.
    4. Budget for Remediation: Allocate funds not just for technology, but also for policy development, staff training, and ongoing monitoring.
    5. Choose Trusted Partners: If you rely on Managed Service Providers (MSPs) or cloud services, ensure they can demonstrate compliance at the level required by your contracts.

    Why Acting Early Matters

    With the phased rollout, some SMBs may assume they can wait. That is a mistake. Early adopters will have a competitive advantage, demonstrating readiness to primes and contracting officers. Those who wait risk scrambling to close gaps under tight deadlines, often at far higher cost.


    How Netizen Can Help with your CMMC Readiness

    Meeting the requirements of CMMC 2.0 can feel overwhelming, especially for small and mid-sized businesses that don’t have dedicated compliance teams. Netizen helps bridge that gap by providing CMMC pre-assessments that give your organization a clear picture of where you stand today. Our process identifies gaps against NIST SP 800-171 and CMMC requirements, maps data flows, and delivers a prioritized remediation roadmap so you can address issues before an official audit.

    As an ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certified Service-Disabled Veteran-Owned Small Business, Netizen combines technical depth with proven compliance expertise. We’ve built a reputation for guiding organizations in government, defense, and commercial sectors through complex regulatory landscapes with practical, actionable recommendations.

    If your business is preparing for CMMC, partnering with Netizen ensures you take the right first step. Start the conversation today and approach compliance with confidence.


  • Lessons Learned From the Largest Software Supply Chain Incidents

    The software supply chain has become one of the most attractive targets for attackers, and organizations must take special care to safeguard it. The risks are no longer theoretical: several of the largest breaches in the past decade demonstrate how vulnerable modern development and delivery pipelines can be.


    Increasing Attack Surface

    Today, industries from finance to healthcare, logistics to defense, depend on software at every layer of their operations. But with the speed and scale of software production increasing, so too does the attack surface.

    The pressure to innovate has led organizations to adopt cloud-first architectures, CI/CD pipelines, and open-source code at record pace. This acceleration has made the supply chain a prime target for attackers who can exploit trust at any link to achieve widespread compromise.


    Case Studies of Supply Chain Incidents

    The SolarWinds Orion Compromise (2020)

    The SolarWinds attack remains one of the most significant software supply chain breaches on record. Between March and June 2020, attackers inserted a backdoor known as SUNBURST (or Solorigate) into updates for SolarWinds’ Orion IT management platform. Those updates were digitally signed and distributed to as many as 18,000 customers.

    The backdoor lay dormant for nearly two weeks after installation before quietly communicating with attacker infrastructure. Once active, it enabled lateral movement and data theft.

    Although thousands of customers downloaded the tainted updates, U.S. officials later confirmed that nine federal agencies, including the Departments of Treasury, Commerce, and Homeland Security, and around 100 private-sector organizations were directly compromised.

    The attack highlighted how trust in routine software updates could be turned into a global espionage campaign. It also prompted CISA to issue Emergency Directive 21-01, ordering federal agencies to disconnect compromised Orion instances immediately.

    Equifax (2017)

    The Equifax breach, which exposed sensitive data of nearly 150 million Americans, stemmed from a failure to patch a known Apache Struts vulnerability (CVE-2017-5638). Though not a supply chain attack in the classic sense, it proved the devastating impact of lagging software maintenance and patching across widely used components.

    Okta Support System Breach (2023)

    Okta’s 2023 incident reinforced the dangers of third-party exposure. Attackers accessed its Support Case Management system, leading to compromises of customer data. For many organizations, this raised alarms about how much risk lies not just in their own development processes but in the services and vendors they depend on.


    Why Supply Chains Are Attractive Targets

    Attackers understand that compromising one link can provide access to hundreds, or thousands, of downstream victims. Updates and open-source packages come with an implicit assumption of trust. Once attackers weaponize that trust, the scale of compromise can far exceed traditional intrusion methods.

    Modern pressures, such as widespread adoption of generative AI coding assistants, are introducing fresh risks. While GenAI accelerates development, it also creates blind spots in code provenance and quality, another layer attackers may exploit.


    Safeguarding the Software Supply Chain

    Vendor vetting: Organizations must conduct ongoing reviews of their vendors, including software bills of materials (SBOMs) and third-party security practices. This should extend to GenAI coding tools, which must be assessed for transparency, data usage, and quality of generated code.

    Careful use of open source: Open-source projects should be evaluated with tools such as the OpenSSF Scorecard before adoption, and the components actually shipped should be tracked in a standard SBOM format such as SPDX or CycloneDX, with vulnerability applicability recorded in OpenVEX statements. Automated Software Composition Analysis (SCA) tools are vital for detecting known vulnerabilities and malicious packages.
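    As an added example of the SBOM-driven check an SCA tool automates (this is not a real product and not the article's own code), the Python below parses a constructed CycloneDX JSON SBOM and matches each component's Package URL against a constructed advisory list. The advisory identifiers EXAMPLE-0001/0002, the package names and the version ranges are placeholders, not real CVEs or packages; a real run would pull the advisories from a feed such as OSV.

```python
"""Match a CycloneDX SBOM against an advisory list (a minimal SCA pass).

Added example; the SBOM and the advisories are constructed and the package names and
advisory ids are placeholders, not real vulnerabilities.
"""
import json

# Constructed advisory feed: a component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"type": "npm", "name": "left-pad-util", "introduced": "1.0.0", "fixed": "1.3.1", "id": "EXAMPLE-0001"},
    {"type": "pypi", "name": "fastparse", "introduced": "0.0.0", "fixed": "2.4.0", "id": "EXAMPLE-0002"},
]

# Constructed CycloneDX 1.5 JSON SBOM with two versions of each library in the tree.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad-util", "version": "1.2.9", "purl": "pkg:npm/left-pad-util@1.2.9"},
        {"type": "library", "name": "left-pad-util", "version": "1.3.1", "purl": "pkg:npm/left-pad-util@1.3.1"},
        {"type": "library", "name": "fastparse", "version": "2.5.0", "purl": "pkg:pypi/fastparse@2.5.0"},
        {"type": "library", "name": "fastparse", "version": "1.9.0", "purl": "pkg:pypi/fastparse@1.9.0"},
    ],
})


def parse_version(version):
    """Turn a dotted version into a comparable tuple; non-numeric parts count as 0.

    Good enough for the numeric versions above; real SCA tools use ecosystem-specific rules.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_type(purl):
    """Extract the ecosystem from a Package URL: 'pkg:npm/name@1.0' -> 'npm'."""
    return purl.split(":", 1)[1].split("/", 1)[0]


def is_affected(component, advisory):
    """True when the component's ecosystem, name and version fall inside the advisory range."""
    if purl_type(component["purl"]) != advisory["type"] or component["name"] != advisory["name"]:
        return False
    version = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the first fixed version."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        for advisory in advisories:
            if is_affected(component, advisory):
                findings.append({"purl": component["purl"], "advisory": advisory["id"], "fixed": advisory["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SBOM_JSON, ADVISORIES):
        print(f"{finding['purl']}: {finding['advisory']} (fixed in {finding['fixed']})")
```

    Matching on the Package URL rather than the bare name is what keeps an npm package and a PyPI package that happen to share a name from being confused, which is exactly the sort of ambiguity that name-only lookups get wrong.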

    Secure CI/CD pipelines: Embedding security throughout design, development, testing, and deployment prevents vulnerabilities from slipping downstream. Automated scans, access controls, and continuous monitoring of CI/CD pipelines reduce the risk of widespread compromise.

    Preparedness: Organizations need playbooks for rapid patching and incident response. As SolarWinds showed, delays in reacting to supply chain intrusions can magnify the damage significantly.


    How Netizen Can Help Strengthen Your Software Supply Chain

    The recent surge in supply chain incidents like SolarWinds highlights that even the most trusted systems can become conduits for attackers. Protecting against these threats requires more than patch management—it demands continuous monitoring, vendor oversight, and integrated defenses across development pipelines.

    Netizen delivers these capabilities through our 24x7x365 Security Operations Center, advanced vulnerability assessments, and compliance-driven security engineering. Through these offerings, we help government, defense, and commercial organizations build resilience against the evolving supply chain threat landscape.

    As an ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certified Service-Disabled Veteran-Owned Small Business, we provide both technical depth and compliance assurance. Our “CISO-as-a-Service” offering gives organizations executive-level cybersecurity expertise at a fraction of the cost of hiring in-house, ensuring you stay ahead of both regulatory requirements and emerging attack techniques.

    If you’re looking to secure your software supply chain and protect your business from cascading risks, partner with Netizen. Start the conversation today and gain the confidence that your security is built in, not bolted on.


  • NETIZEN EARNS 2025 EXCELLENCE IN INTERNSHIPS AWARD FROM NORTHAMPTON COMMUNITY COLLEGE (NCC)

    Allentown, PA: Netizen Corporation, an ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level 3 certified Veteran-Owned provider of cybersecurity and related solutions for defense, government, and commercial customers worldwide, has been awarded the 2025 Excellence in Internships Award by Northampton Community College (NCC) at a special Employer Appreciation and Engagement Breakfast event in Bethlehem, PA. This award recognizes the extraordinary degree of internship, job shadowing, and career placement opportunities that Netizen has created for NCC students over the past several years through a unique industry partnership program.

    Netizen takes great pride in its relationships with NCC and other partners in higher education around the country. Specialized work-study internships and jointly created market-based educational programs with such institutions ensure students receive relevant career guidance and paid work experience while simultaneously completing their programs of classroom study. This creates a pipeline of highly qualified talent which companies can leverage to bridge current hiring and skill gaps in the job market. Additionally, exploratory activities such as job shadowing and career panels inform prospective students on the benefits of various academic programs and give a sense of what to expect working for a company like Netizen upon graduation.

    Jill Tobin, Director of Experiential Learning and Internships at NCC, stated that “Netizen has been an outstanding employer partner. I could tell you how wonderful they are, but I’ll let the numbers speak for themselves. Since 2022, Netizen has had 46 students apply for internships, 8 of them were selected, and 4 were hired and continue working there today. They also hosted 13 job shadow participants, participated in all our job fairs since 2023, and have participated in mock interviews on campus. These numbers speak volumes to the support and opportunities Netizen has provided for NCC students.”

    Michael Hawkins, Netizen’s CEO, added “this award means a lot to us as it is proof that such partnerships benefit both the employer and the institution immensely. At Netizen, we aim to provide market-oriented educational opportunities for entry level training and continuous learning in technology fields by collaborating with institutions like NCC. Here we have paid interns at various stages of completion in their academic programs treated as regular employees working under the direct mentorship and close supervision of industry experts. They receive hands-on experience with actual customers, tools, processes, and systems as part of a structured professional development plan that is unique in its melding of classroom learning, career advisory, and on-the-job training.” He also stated that community colleges like NCC are among the most cost effective, relevant, and expeditious routes for people seeking employment or advancement in high-demand information technology roles, regardless of their current background.

    About Netizen Corporation:
    Founded in September 2013, Netizen is a highly specialized provider of cybersecurity and related technology solutions. The company, a Small Business Administration (SBA) certified Service-Disabled Veteran Owned Business (SDVOSB), is headquartered in Allentown, PA with additional offices and staff locations in Virginia (DC Metro), South Carolina (Charleston), and Florida. Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of its operations.

    In addition to being recognized as one of the fastest-growing businesses in the U.S. three times by Inc. Magazine in their annual “Inc. 5000” list of the nation’s most successful companies, Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for Veteran hiring and training, a Greater Lehigh Valley Chamber of Commerce Business of the Year and Veteran-Owned Business of the Year, and a recipient of dozens of other awards for innovation, community involvement, and growth.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) in Allentown, PA that delivers comprehensive cybersecurity monitoring solutions for both government and commercial clients. Their service portfolio also includes cybersecurity assessments and advisory, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. They specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Their proven track record in these domains positions them as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Learn more at https://www.Netizen.net.  

    About Northampton Community College (NCC):
    Since its establishment in 1967, Northampton Community College is where area residents turn to earn a degree, access workforce training, learn new leisure activities and bring their children for enrichment. NCC prides itself on its expansive breadth of programs and commitment to student success and access. It offers a highly engaging, collaborative and entrepreneurial environment to learn and develop. More than 20,000 students a year are served by NCC through for-credit, community and professional education offerings. These programs provide students with the education and training they need to enter and advance in the workforce, earn their degree or to continue their studies at a four-year college or university.

    Learn more at https://www.northampton.edu/

    FOR IMMEDIATE RELEASE: September 18, 2025

    POINT OF CONTACT: Tristan Boheim, Account Executive
    Phone: 1-800-450-1773
    Email: press@Netizen.net

  • Cybersecurity Risks of AI-Generated Code: What You Need to Know

    Could AI be your next security blind spot? As artificial intelligence continues to reshape software development, tools that generate code from natural language prompts are speeding up delivery timelines and lowering barriers for non-developers. But beneath the surface lies a growing problem: AI-generated code often introduces hidden cybersecurity risks. If left unchecked, these vulnerabilities can create backdoors into production systems, putting sensitive data and compliance obligations at risk.


    Why AI-Generated Code Poses Security Challenges

    Traditional secure coding practices rely on peer review, static analysis, and developer expertise. AI code generation bypasses much of this process, pulling from massive datasets that may contain outdated, insecure, or non-compliant code. This creates three primary challenges: lack of transparency in where code comes from, limited accountability for security flaws, and the rapid spread of insecure coding patterns across environments.

    Organizations adopting AI in software development often find that productivity gains are quickly offset by security weaknesses if code is not audited against standards like OWASP ASVS or NIST SSDF.


    Common Cybersecurity Risks in AI-Generated Code

    Insecure Defaults

    AI models tend to generate code that prioritizes ease of execution over secure configuration. This often results in weak cryptographic choices (unsalted or outdated hash functions, hard-coded keys), services bound to every interface by default, and missing input validation, all of which attackers can exploit.
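    An added example of the first and last of those defaults (not code from the article): a login lookup of the kind a code assistant will readily produce when asked for “simple” user authentication, beside a hardened version of the same function. The in-memory SQLite user table, the credentials and the iteration count are constructed for the example.

```python
"""A login lookup with the insecure defaults a code assistant often produces, beside a hardened one.

Added example, not code from the article. The in-memory SQLite users table and the credentials
are constructed for the example.
"""
import hashlib
import hmac
import os
import sqlite3

# OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; lowered here only to
# keep the example quick to run (assumption: raise it to match your login latency budget).
PBKDF2_ROUNDS = 100_000


def derive(password, salt):
    """Salted, iterated key derivation; the cost is the point."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db():
    """Constructed user store holding both the weak and the strong credential form for contrast."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, md5 TEXT, salt BLOB, pbkdf2 BLOB)")
    salt = os.urandom(16)
    password = "correct horse battery"
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("alice", hashlib.md5(password.encode()).hexdigest(), salt, derive(password, salt)),
    )
    conn.commit()
    return conn


# --- insecure defaults: string-built SQL, unsalted MD5, no input validation ---
def login_insecure(conn, username, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    # Attacker-controlled username is spliced straight into the statement.
    query = f"SELECT 1 FROM users WHERE username = '{username}' AND md5 = '{digest}'"
    return conn.execute(query).fetchone() is not None


# --- hardened: parameterised query, salted PBKDF2, constant-time comparison ---
def login_hardened(conn, username, password):
    row = conn.execute("SELECT salt, pbkdf2 FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Burn the same KDF cost for unknown users so response time does not reveal
        # which usernames exist.
        derive(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


# Classic tautology plus a SQL comment that discards the password check entirely.
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = build_db()
    print("insecure, injected username:", login_insecure(db, INJECTION, "anything"))  # True: bypass
    print("hardened, injected username:", login_hardened(db, INJECTION, "anything"))  # False
```

    The insecure version passes a functional test with valid credentials, which is why it survives review when reviewers only run the happy path; the injected username is what a static analyzer or a targeted test has to catch.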

    Reproduction of Known Vulnerabilities

    Since AI is trained on publicly available code, it can unknowingly replicate insecure patterns already catalogued as CWE weaknesses and CVEs, including pinning outdated, vulnerable dependency versions. This reintroduces old risks into new systems, creating exploitable weaknesses.

    Compliance Gaps

    Code suggested by AI is not written with regulatory frameworks like PCI DSS, HIPAA, or FedRAMP in mind. Without human oversight, organizations risk deploying software that violates compliance requirements and audit expectations.

    Supply Chain and Fileless Risks

    AI-generated utilities and scripts are easily dropped into production without the vetting applied to other code, and the dependencies they pull in are rarely checked. Once such code is committed to shared libraries or build pipelines, an insecure dependency propagates to every system that consumes it, amplifying the attack surface.


    Mitigation Strategies for Secure AI Development

    Enforce Rigorous Code Review

    Every piece of AI-generated code should be reviewed with the same rigor as human-written code. Manual review, combined with static and dynamic analysis tools, can catch unsafe defaults and misconfigurations before deployment.

    Adopt AI-Aware Security Testing

    Organizations should expand testing to cover AI-specific risks. This includes fuzzing, vulnerability scans, and targeted penetration testing aimed at logic flaws that AI-generated code may introduce.

    Apply Secure Coding Standards in CI/CD

    Integrating frameworks like OWASP ASVS and NIST SSDF into CI/CD pipelines helps flag weak AI-generated code before it reaches production. This reduces reliance on manual checks and standardizes security across teams.

    Train Developers on AI Risks

    Secure coding training should now include modules on AI-generated code. Developers need to understand both the benefits and risks of AI tools, and how to critically evaluate outputs for hidden flaws.


    Building a Security-First AI Development Culture

    The future of AI in software engineering will not be defined by speed alone. Organizations that prioritize security culture—embedding AI cybersecurity practices into every stage of development—will be better positioned to balance innovation with safety. AI can accelerate development timelines, but without structured oversight, it risks embedding systemic vulnerabilities into business-critical systems.

    Companies that align AI adoption with DevSecOps practices, compliance frameworks, and proactive security validation can gain the benefits of AI without exposing themselves to avoidable breaches.




  • ShinyHunters: Evolution of a Data Theft Syndicate

    ShinyHunters first appeared in 2020 as a financially motivated cybercriminal group. Their early operations revolved around large-scale credential theft and database exploitation. The group gained immediate notoriety by targeting major platforms like Tokopedia (91 million records), Wishbone, Microsoft’s GitHub repositories, and Wattpad (270 million records). By selling stolen information on underground forums, they quickly became one of the most active players in the data-breach economy.

    ShinyHunters were also linked to leaks from services like Pluto TV, Nitro PDF, Pixlr, Animal Jam, and more. Beyond breaches, they held influence in the cybercriminal ecosystem by running iterations of BreachForums, one of the most prominent platforms for trading stolen data.


    Expansion into High-Value Targets

    Between 2021 and 2024, ShinyHunters scaled their operations, moving beyond consumer platforms and into critical service providers. Notable victims included AT&T Wireless (affecting over 110 million customers), Santander Bank, and Ticketmaster. Their association with the Snowflake data-theft campaign cemented their reputation as a group willing to target enterprise systems and supply chains to maximize impact.

    By late 2024, law enforcement pressure intensified. Several members and associates were arrested in France and Morocco, leading to speculation that the group had been disrupted. Yet, ShinyHunters re-emerged in 2025 with significantly more sophisticated tactics.


    2025 Salesforce Campaign

    The group’s most ambitious operation to date surfaced in 2025, with a sweeping attack campaign against Salesforce CRM platforms. This campaign impacted global enterprises such as Google, Adidas, Cisco, Qantas Airways, Allianz Life, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.).

    Attack Methodology

    1. Initial Access via Vishing
      ShinyHunters shifted focus from pure technical exploits to social engineering. Using spoofed calls, fake IT personas, and urgency tactics, they tricked employees into granting access to Salesforce connected apps.
    2. OAuth Abuse
      Victims were guided into authorizing malicious Salesforce connected apps disguised as tools like “My Ticket Portal.” These apps requested elevated API permissions, granting ShinyHunters persistent access tokens that bypassed multi-factor authentication.
    3. API Exploitation and Data Theft
      Using Salesforce REST APIs, attackers ran bulk SOQL queries, pulling customer records, PII, and business intelligence data at scale. Logs show that their malicious apps consistently retrieved data volumes of ~2.3 MB per request, evading detection by blending with normal traffic.
    4. Obfuscation
      Data exfiltration traffic was routed through Mullvad VPN and Tor, frustrating forensic investigations and complicating attribution.
    5. Lateral Movement
      Compromised credentials and OAuth tokens were leveraged to pivot into other integrated platforms, including Okta, Microsoft 365, and Meta Workplace. This expanded the scope of stolen data beyond Salesforce.
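One way to turn steps 2 and 3 above into a detection, as an added example that is not Netizen's or Salesforce's code: it scans API event records for a connected app pulling many uniformly large responses from Account/Contact in a short window (the "~2.3 MB per request" pattern). The comma-separated record layout, the sample log lines, and the allowlist are constructed assumptions, not the real Salesforce EventLogFile schema.

```python
# Added example: behavioral detection of bulk API pulls by an OAuth connected
# app. Record format and data below are constructed, not Salesforce's schema.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    user: str
    app: str         # OAuth connected app that issued the call
    obj: str         # object targeted by the SOQL query
    resp_bytes: int  # size of the response body
    client_ip: str


def parse_line(line: str) -> ApiEvent:
    ts, user, app, obj, size, ip = line.split(",")
    return ApiEvent(datetime.fromisoformat(ts), user, app, obj, int(size), ip)


# Constructed sample log: one interactive user, and one account driving bulk
# pulls of Account/Contact through an unapproved app at ~2.3 MB per request.
SAMPLE_LOG = """\
2025-08-12T09:00:01,alice,Sales Console,Opportunity,18432,203.0.113.10
2025-08-12T09:01:15,alice,Sales Console,Contact,2048,203.0.113.10
2025-08-12T09:02:40,alice,Sales Console,Account,512000,203.0.113.10
2025-08-12T09:03:05,alice,Sales Console,Contact,4096,203.0.113.10
2025-08-12T09:04:30,alice,Sales Console,Account,65536,203.0.113.10
2025-08-12T09:10:00,bob,My Ticket Portal,Account,2301000,198.51.100.7
2025-08-12T09:11:00,bob,My Ticket Portal,Account,2298500,198.51.100.7
2025-08-12T09:12:00,bob,My Ticket Portal,Contact,2302200,198.51.100.7
2025-08-12T09:13:00,bob,My Ticket Portal,Contact,2299800,198.51.100.7
2025-08-12T09:14:00,bob,My Ticket Portal,Contact,2300600,198.51.100.7
2025-08-12T09:15:00,bob,My Ticket Portal,Account,2301400,198.51.100.7
"""


def find_bulk_pulls(events, approved=frozenset(), window=timedelta(minutes=10),
                    min_requests=5, min_avg_bytes=1_000_000, max_cv=0.10):
    """Flag (app, user) pairs issuing many uniformly large responses.

    Paginated bulk extraction yields near-identical response sizes, so a low
    coefficient of variation (cv) on large responses is the signal. Apps in
    the governance allowlist `approved` (assumed) are skipped here.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.app, e.user)].append(e)
    alerts = []
    for (app, user), evs in by_pair.items():
        if app in approved:
            continue
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):  # sliding time window over sorted events
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_requests:
                continue
            sizes = [e.resp_bytes for e in win]
            avg = mean(sizes)
            if avg >= min_avg_bytes and pstdev(sizes) / avg <= max_cv:
                alerts.append({"app": app, "user": user, "requests": len(win),
                               "avg_mb": round(avg / 1e6, 2),
                               "objects": sorted({e.obj for e in win}),
                               "ips": sorted({e.client_ip for e in win})})
                break  # one alert per (app, user) pair
    return alerts


def run_sample():
    return find_bulk_pulls(parse_line(l) for l in SAMPLE_LOG.splitlines())
```

Tune `min_avg_bytes` and `max_cv` against your own baseline; a legitimate backup integration tends to show varied sizes and belongs in the allowlist rather than the exception path.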

    Collaboration with Scattered Spider

    Evidence suggests a tactical partnership between ShinyHunters and Scattered Spider (UNC3944/Octo Tempest). Both groups are tied to a larger collective known as “The Com,” which specializes in social engineering, SIM swapping, and large-scale fraud. Infrastructure overlaps, phishing domain patterns, and stylistic similarities in vishing scripts indicate close collaboration.


    Impact on Victims

    The campaign had wide-ranging consequences:

    • Google confirmed theft of small and medium business contact information from its Salesforce instance.
    • Qantas Airways reportedly paid a ransom of 4 Bitcoin (~$400,000) to prevent data leakage.
    • LVMH luxury brands saw their customer databases compromised, highlighting attackers’ focus on high-value industries.
    • Other enterprises like Adidas, Cisco, Allianz Life, and Chanel also confirmed or investigated breaches.

    Monetization and Extortion

    ShinyHunters employ a delayed extortion model. After exfiltrating data, ransom demands—ranging from $400,000 to $2.3 million—are issued weeks later. While some companies resisted, others paid to prevent public leaks. Analysts warn that ShinyHunters may soon launch a dedicated leak site to escalate pressure.

    Enterprises using SaaS platforms like Salesforce must harden their defenses with OAuth governance, behavioral monitoring, phishing-resistant MFA, and employee training to mitigate these advanced campaigns.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen: Monday Security Brief (9/15/2024)

    Today’s Topics:

    • Hackers Leak 600 GB of Data on China’s Great Firewall
    • FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data
    • How can Netizen help?

    Hackers Leak 600 GB of Data on China’s Great Firewall

    On September 11, 2025, what is being described as the largest leak tied to the Great Firewall of China surfaced online. Nearly 600 GB of data, including source code, internal communications, work logs, and technical documentation, was published by the hacktivist group Enlace Hacktivista, the same collective linked to the Cellebrite data leak.

    The leaked material is believed to come from Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering, two organizations central to developing and maintaining China’s censorship infrastructure. Geedge was founded in 2018 under Fang Binxing, widely known as the “Father of the Great Firewall,” and has worked closely with MESA researchers to advance censorship capabilities.

    The data, distributed via BitTorrent and direct links, includes a massive 500 GB archive of an RPM packaging server, as well as compressed document sets from Geedge and MESA. These contain thousands of internal reports, project descriptions, and technical proposals. Analysts have already flagged filenames such as BRI.docx and CPEC.docx that suggest ties to Belt and Road Initiative projects and international collaborations.

    Project management records, communication drafts, and even routine administrative files point to the scale and bureaucracy of the censorship effort. The repository of software packages shows that the Great Firewall operates much like any large enterprise software system, with packaging servers and code repositories supporting day-to-day operations.

    According to the documents, the reach of these programs extends well beyond China. The leaked files suggest that censorship and surveillance technologies have been exported to governments in Myanmar, Pakistan, Ethiopia, Kazakhstan, and other countries connected to the Belt and Road Initiative.

    The material also offers a timeline of how MESA grew after its 2012 founding through talent programs, research grants, and contracts. By 2016, it was handling projects worth tens of millions of yuan annually. When Geedge was launched in 2018, it quickly became a key partner to Chinese authorities and an exporter of surveillance solutions.

    The scale of this breach is unusual. Unlike prior leaks that involved small sets of emails or whistleblower documents, this trove is an extensive collection of raw operational data that tracks years of development. Experts note it will take months to analyze the source code, but even the project records already confirm long-suspected details about how China’s censorship system is built, maintained, and expanded abroad.

    Hacktivists caution that anyone examining the archives should do so in isolated environments due to the possibility of embedded malware or tracking mechanisms. For researchers and rights groups, though, the leak provides an unprecedented opportunity to study how the Great Firewall functions and how its influence extends internationally.

    Analysts at Net4People and the GFW Report are continuing to examine the source code and documents. More findings are expected in the coming weeks. For now, this leak represents a rare, large-scale glimpse into one of the world’s most sophisticated censorship systems and its export to partners abroad.


    FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data

    The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal sensitive data and extort victims.

    According to the advisory, both groups have recently used different techniques to infiltrate Salesforce platforms, enabling them to exfiltrate corporate information. The FBI shared indicators of compromise (IOCs), including suspicious user agent strings, IP addresses, and URLs, to help defenders identify malicious activity and strengthen security controls.

    The first cluster, UNC6040, was originally disclosed by Mandiant in June 2025. Since late 2024, these actors have relied heavily on vishing and social engineering tactics, impersonating IT support staff to trick employees into connecting malicious Salesforce Data Loader OAuth apps to company accounts. One variant, branded “My Ticket Portal,” provided attackers with persistent access once authorized.

    With OAuth permissions in place, the attackers were able to mass-exfiltrate Salesforce data, primarily the “Accounts” and “Contacts” tables that store customer information. The stolen data was later leveraged by the ShinyHunters extortion group, which attempted to pressure victims into ransom payments.

    High-profile companies including Google, Adidas, Cisco, Allianz Life, Qantas, Louis Vuitton, Dior, and Tiffany & Co. were among those impacted by these early campaigns.

    A newer wave of activity, tracked as UNC6395, surfaced in August 2025. In these intrusions, attackers leveraged stolen Salesloft Drift OAuth and refresh tokens to access Salesforce instances and extract support case data. Investigators say this campaign likely ran between August 8 and 18.

    Support cases often contained highly sensitive information such as AWS keys, Snowflake tokens, and customer passwords. By extracting this data, attackers could pivot into other cloud environments for deeper compromise.

    Salesloft confirmed that its GitHub repositories were breached as far back as March, allowing attackers to steal Drift OAuth tokens. In response, Salesforce and Salesloft revoked all active Drift tokens and required customers to reauthenticate.

    The campaign also involved misuse of Drift Email tokens, which allowed access to a small number of Google Workspace email accounts.

    Well-known security and tech companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks, were among those reportedly affected.

    While the FBI did not formally attribute the campaigns, members of ShinyHunters told BleepingComputer they were involved, along with actors identifying as “Scattered Lapsus$ Hunters.” These groups claim to have overlap with Lapsus$ and Scattered Spider, two cybercrime gangs known for aggressive extortion.

    On Thursday, the hackers announced via a BreachForums-linked domain that they planned to “go dark” and stop publicizing operations on Telegram. However, in a final post, they claimed to have accessed the FBI’s E-Check background check system and Google’s Law Enforcement Request system, publishing screenshots as proof.

    If authentic, this level of access could allow impersonation of law enforcement and unauthorized retrieval of sensitive records.




  • Understanding Your CUI Boundary for CMMC Compliance

    As CMMC requirements begin appearing in defense contracts, organizations, particularly small and mid-sized businesses, face the difficult task of preparing for audits by a Certified Third-Party Assessor Organization (C3PAO). Compliance requires a serious reevaluation of how data, systems, and people interact across the enterprise. One of the most important steps before scheduling an audit is defining your Controlled Unclassified Information (CUI) boundary. Without this, your organization risks falling short before the assessment even begins.


    Defining Scope

    Before a CMMC Level 2 assessment, your organization must define and document the systems and services within scope. This step goes well beyond creating a simple inventory. It requires demonstrating an understanding of what CUI you have, where it is stored, how it is processed, where it flows across your environment, and who has access to it at every stage. In practice, this means creating a map of your information environment that shows how critical data moves, who touches it, and what technologies safeguard it.

    Your boundary must encompass every part of the environment that interacts with CUI. This includes physical infrastructure, cloud platforms, virtual systems, identity and access management tools, and any other services that handle sensitive information. Organizations should also take time to classify assets. These include systems that store CUI directly, technologies that defend or monitor CUI systems, specialized devices such as OT or IoT equipment that cannot easily be isolated, and systems that are truly out of scope. This classification allows you to make defensible scoping decisions and gives auditors confidence that your assessment will be accurate.

    It is during this stage that many organizations make mistakes. For example, contractors sometimes assume email servers are out of scope even though they transmit CUI, or they overlook a managed service provider that backs up data containing CUI. Others may ignore IoT or OT devices that cannot easily be patched or segmented. These oversights can derail an assessment quickly, which is why scoping must be both thorough and well-documented.


    What is CUI?

    Controlled Unclassified Information (CUI) refers to government-related data that requires safeguarding but does not meet the threshold for classification. It can include personally identifiable information, critical infrastructure data, proprietary business details, blueprints, and technical specifications. The CUI Registry defines the categories, but each organization must identify the exact types of CUI it handles and show how that information moves through its systems. A diagram of CUI flow is particularly valuable, since it highlights how information enters, where it is stored, how it is processed, and where it exits the organization.


    Including Cloud and Managed Service Providers

    Your CUI boundary should not be limited to systems under direct control. Many organizations rely on cloud service providers (CSPs) or managed service providers (MSPs), and these third parties are always in scope if they touch CUI or affect its security. Any CSP hosting or transmitting CUI must either hold a FedRAMP Moderate authorization or demonstrate equivalency. Similarly, any MSP with remote access, control over configurations, responsibility for backups, or other influence over the confidentiality, integrity, or availability of CUI must be included in your System Security Plan (SSP).

    It is also important to understand the shared responsibility model when working with these providers. A CSP may be FedRAMP authorized, but your organization is still responsible for how user accounts, access controls, and monitoring are configured. If these responsibilities are not clearly defined in your SSP, auditors may find gaps that count against your organization.

    Equally important is verifying the compliance posture of these partners. If an MSP has not passed a third-party audit, their shortcomings will count against your own assessment. Even changes in their toolsets or systems can trigger the need for reassessment, introducing both cost and delay.


    Segmentation and Boundary Protections

    Once your CUI boundary is established, you must also demonstrate how it is protected. This often means implementing network segmentation to isolate CUI systems from general IT environments, enforcing strict access controls, and monitoring points where CUI enters or leaves the network. Without these safeguards, a well-drawn boundary can still fail under scrutiny.


    Documentation and Evidence

    Defining a boundary is not enough on its own; auditors expect detailed documentation. At a minimum, this includes a System Security Plan (SSP) with diagrams of CUI flow, asset inventories, classification justifications, and network maps showing segmentation. These artifacts provide evidence that your scoping decisions are defensible and help teams maintain compliance as environments evolve.


    Next Steps

    Defining your CUI boundary is one of the earliest and most decisive steps in preparing for CMMC compliance. A weak or incomplete scope almost guarantees failure in front of auditors, while a thorough, well-documented one establishes the foundation for a smoother assessment.

    Organizations that succeed at this step do so by taking the time to map their information flow, account for every system and provider that touches CUI, classify assets in a way that supports defensible decisions, and document how the boundary is both defined and protected. They also recognize that scoping is not a one-time exercise. Major changes in infrastructure, vendors, or toolsets require re-scoping to remain compliant.

    Getting this right ensures the rest of your compliance journey is built on solid ground and positions your business to compete for defense contracts without avoidable setbacks.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and delivers innovative cybersecurity and technology solutions for government, defense, and commercial clients worldwide. Our mission is to transform complex security and compliance challenges into strategic advantages by safeguarding and optimizing digital infrastructure. One example is our “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) and provides a full suite of services including vulnerability assessments, penetration testing, software assurance, managed detection and response, and compliance advisory. For organizations preparing for CMMC, we currently provide CMMC pre-assessments to help contractors evaluate their readiness, map gaps against requirements, and build a remediation roadmap before undergoing a third-party audit. This proactive approach allows companies to address deficiencies early and approach certification with greater confidence.

    Our organization holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC certifications, demonstrating the maturity of our own operations. We are also a Service-Disabled Veteran-Owned Small Business (SDVOSB) recognized by the U.S. Small Business Administration, and we’ve been named to the Inc. 5000 and Vet 100 lists of the fastest-growing private companies in the nation. Netizen has been recognized as a national “Best Workplace” by Inc. Magazine and is a multi-year recipient of the U.S. Department of Labor’s HIRE Vets Platinum Medallion for veteran hiring and retention.

    If your organization is preparing for CMMC compliance, Netizen can help you start with a clear picture of your current state. Our pre-assessments provide the guidance needed to plan effectively, reduce risks of failed audits, and ensure long-term alignment with DoD cybersecurity requirements.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.