• Threat Intelligence Sharing & Trust Frameworks Post-CISA Expiry

    The expiration of the Cybersecurity Information Sharing Act (CISA) marks a defining shift in how organizations share threat intelligence and coordinate with federal partners. For nearly a decade, the Act provided a legal foundation for companies to exchange indicators of compromise (IOCs) and collaborate with government agencies under structured liability protections. Its expiration introduces new uncertainty for both the public and private sectors, as long-standing sharing frameworks and automated systems are now being reassessed.


    Legal and Policy Shifts

    The expiration of CISA removed key legal protections that had shielded organizations from privacy, antitrust, and liability concerns when sharing cybersecurity information. Programs such as the Automated Indicator Sharing (AIS) network once allowed for rapid, voluntary collaboration between private firms and federal entities. With these safeguards gone, organizations must now evaluate every intelligence exchange under a patchwork of state privacy laws, contractual obligations, and sector-specific regulations.

    Legal teams are reexamining data-sharing clauses in vendor agreements and memorandums of understanding with federal partners. Many organizations have begun implementing additional review processes to prevent sensitive information, such as customer metadata, from being disclosed inadvertently. The absence of a federal liability shield means that even unintentional data exposure could lead to regulatory investigations or civil claims.

    Congressional discussions about reauthorization remain ongoing, but no replacement framework has yet been enacted. Some policymakers support reinstating limited liability protections, while others propose embedding sharing mechanisms into existing federal programs. Until legislative clarity is achieved, private entities must rely on internal governance to balance the operational benefits of sharing with the new legal risks it presents.


    Operational Impacts on Threat Intelligence

    Operationally, the expiration of CISA is reshaping how Security Operations Centers (SOCs) and Computer Emergency Response Teams (CERTs) collect and exchange threat data. Many organizations have reduced the volume and frequency of their outbound indicator sharing to minimize exposure. This creates gaps in detection and response, as fewer signals circulate across trusted networks.

    Automation pipelines that once delivered indicators directly into SIEM or EDR platforms now require additional validation layers. Security teams must manually inspect or sanitize data before it leaves the organization, which slows the pace of response and increases workloads. To maintain efficiency, some organizations are prioritizing the sharing of high-confidence indicators, such as known malicious domains or verified hash values, while filtering out lower-value telemetry.

    Vendor integrations are also evolving. Companies that use platforms like Splunk, Palo Alto Networks, or CrowdStrike are revising configurations to include tighter controls around external feeds. These adjustments preserve operational visibility while reducing dependence on automated federal sharing networks.


    Technical and Privacy Engineering Requirements

    From a technical standpoint, the lapse of CISA necessitates privacy engineering practices that can protect sensitive data during threat intelligence exchanges. Organizations are introducing schema-based redaction, pseudonymization, and tagging mechanisms to ensure that shared indicators exclude personally identifiable information or unnecessary metadata.

    Security architects are emphasizing provenance tracking and encryption for all shared data. Each indicator now carries information about its source, confidence level, and retention policy, allowing for greater accountability and auditability. These technical safeguards are critical for maintaining trust with both government partners and commercial vendors.

    SIEM and EDR vendors have responded with product updates that enable private threat intelligence repositories, restricted access models, and local enrichment capabilities. These features allow organizations to perform correlation and analysis without exposing sensitive logs or indicators to external systems. Privacy and provenance are now central design pillars for any enterprise-level intelligence-sharing architecture.


    Market and Vendor Adaptations

    The cybersecurity market is moving quickly to address the new post-CISA landscape. Vendors are rebranding and expanding their offerings to focus on privacy-first sharing models and enhanced contractual assurances. Palo Alto Networks and Check Point have released configuration guidance for telemetry restriction, while Trend Micro and McAfee have updated compliance templates for customers managing international data transfers.

    Procurement teams are requiring greater transparency in vendor contracts, demanding clarity on how shared threat data is processed, stored, and disclosed. Many organizations are also asking vendors to demonstrate auditable redaction controls and to commit to bilateral data-sharing agreements rather than relying on public or open exchanges.

    This increased scrutiny has encouraged innovation. Vendors now compete on their ability to provide secure, compliant data-sharing tools that still allow for actionable intelligence. At the same time, security budgets are shifting toward internal enrichment and detection capabilities, reducing dependence on external data streams that carry potential legal risk.


    Governance and the Path Forward

    The end of CISA underscores the need for unified governance between legal, technical, and security teams. Maintaining collaboration without a federal liability framework requires formal policies, well-documented review processes, and transparent data-handling practices. Organizations are conducting internal audits to identify where sensitive information may flow during threat sharing, implementing automated redaction systems, and updating vendor terms to reflect the current regulatory landscape.

    Investing in privacy-by-design architectures ensures that organizations can continue contributing to collective defense without exposing themselves to unnecessary risk. Governance frameworks that clearly define who can share, what can be shared, and how it is reviewed are now essential for maintaining both security and compliance.


    Outlook: Sustaining Trust Without a Statute

    While the expiration of the Cybersecurity Information Sharing Act complicates collaboration, it also presents an opportunity to modernize how threat intelligence is shared and trusted. The next phase of cyber defense will depend less on statutory immunity and more on transparent engineering, responsible data handling, and contractual integrity.

    Organizations that build trust through technical precision and operational discipline will be best positioned to sustain effective intelligence sharing. By embedding privacy controls, provenance metadata, and accountability into every exchange, they can preserve the benefits of collective defense even in the absence of formal federal protections.


    How Netizen Supports Secure Collaboration

    Founded in 2013, Netizen is an award-winning cybersecurity firm that provides comprehensive solutions for government, defense, and commercial clients. Our services include 24x7x365 Security Operations Center (SOC) monitoring, compliance audits, penetration testing, vulnerability management, and our CISO-as-a-Service program, which offers executive-level cybersecurity expertise to organizations of all sizes.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC certifications, reflecting a commitment to technical excellence and operational maturity. As a Service-Disabled Veteran-Owned Small Business (SDVOSB), Netizen delivers trusted support in highly regulated industries, ensuring compliance and resilience against emerging threats.

    We help organizations modernize their threat intelligence workflows, implement privacy-aware data-sharing practices, and align their governance models with evolving federal and state requirements. To learn how Netizen can strengthen your organization’s cybersecurity collaboration and compliance posture, start the conversation today.


  • Netizen: Monday Security Brief (11/3/2025)

    Today’s Topics:

    • Organized Cybercriminals Use Legitimate Remote Tools to Hijack Freight Operations
    • OpenAI Introduces Aardvark: A GPT-5 Agent That Detects and Fixes Code Vulnerabilities Automatically
    • How can Netizen help?

    Organized Cybercriminals Use Legitimate Remote Tools to Hijack Freight Operations

    A new wave of cyberattacks is targeting the trucking and logistics industry through the abuse of legitimate remote monitoring and management tools. Proofpoint researchers Ole Villadsen and Selena Larson reported that since June 2025, organized criminal groups have been working with cyber actors to infiltrate companies and steal physical cargo, primarily food and beverage products. Once stolen, these goods are often resold online or shipped overseas for profit.

    The attackers use a mix of phishing campaigns and compromised email accounts to impersonate freight brokers, carriers, and logistics coordinators. They post fraudulent listings on load boards using hacked accounts and send follow-up emails with malicious links to carriers who inquire about shipments. These links lead to installers for legitimate remote management software such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In some cases, PDQ Connect has been used to deploy ScreenConnect and SimpleHelp together, giving attackers multiple layers of access to a victim’s network.

    After gaining remote access, the intruders perform system reconnaissance and deploy credential-stealing utilities like WebBrowserPassView to harvest passwords stored in browsers. This allows them to deepen access into the company’s infrastructure. In at least one confirmed case, the attackers used their control to delete existing bookings, block dispatcher notifications, and insert their own devices into the communications system. They then scheduled new shipments under the compromised company’s name, effectively hijacking legitimate freight operations to steal cargo.

    The use of remote monitoring software provides a strategic advantage to attackers. These tools are trusted within enterprise environments and are rarely flagged by antivirus programs. Their installers are signed, legitimate payloads distributed through malicious means, allowing criminals to operate quietly and without the need for custom malware. As Proofpoint noted earlier this year, the legitimacy of these applications lowers suspicion among users and helps attackers avoid detection.

    This emerging pattern reflects a shift from traditional data theft toward cyber-enabled physical theft. By blending digital compromise with operational fraud, attackers are managing to turn network access into real-world profit. Logistics and freight companies, particularly smaller carriers, remain vulnerable due to limited cybersecurity oversight and reliance on third-party platforms. Experts recommend tightening control over the use of RMM software, enforcing multifactor authentication on all dispatch and communication systems, and actively monitoring for unusual remote connections. Continuous monitoring and logging remain critical to identifying unauthorized sessions before they result in financial loss or disruption.
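    The monitoring the experts recommend can be expressed as a small set of rules over endpoint process-creation logs. The following is an added example (not Proofpoint's or Netizen's code) that flags the pattern described above: an RMM family that the organization has not sanctioned, a sanctioned one running outside its managed install path, an RMM binary launched from a browser or mail client (that is, from a link), an installer executing out of a download or temp directory, and one RMM tool deploying another. The log format, the executable-name patterns, the sanctioned-tool list and the sample records are constructed for illustration.

```python
"""Detection of unsanctioned RMM tool execution from endpoint process logs.
Added example for the freight-hijacking pattern; not Proofpoint's or Netizen's
code. Log records are a constructed, pipe-delimited process-creation format:
timestamp | host | user | parent image | image | command line.
"""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "ts host user parent image cmdline")

# RMM families named in the Proofpoint reporting, with illustrative (not
# exhaustive) executable-name patterns for each.
RMM_SIGNATURES = {
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "SimpleHelp": re.compile(r"simplehelp|jwrapper-remote", re.I),
    "PDQ Connect": re.compile(r"pdq-?connect", re.I),
    "Fleetdeck": re.compile(r"fleetdeck", re.I),
    "N-able": re.compile(r"\bn-?able\b|ncentral|take-?control", re.I),
    "LogMeIn Resolve": re.compile(r"logmein|goto-?resolve|gotoassist", re.I),
}

# The one RMM product this (assumed) organization has approved, and the path
# its managed installs live in. Anything else is by definition unsanctioned.
SANCTIONED = {"PDQ Connect"}
MANAGED_PATHS = (r"c:\program files\pdq connect",)

# Parent processes that indicate a user launched the binary from a link or
# attachment rather than an administrator deploying it.
USER_LAUNCHERS = re.compile(r"(chrome|msedge|firefox|outlook|thunderbird|explorer)\.exe$", re.I)
DOWNLOAD_DIRS = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed, pipe-delimited process-creation record."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"malformed record: {line!r}")
    return ProcEvent(*parts)


def family_of(text: str):
    """Name the RMM family a path or command line belongs to, if any."""
    return next((f for f, rx in RMM_SIGNATURES.items() if rx.search(text)), None)


def classify(ev: ProcEvent):
    """Return (family, reasons) for an RMM execution worth alerting on, or
    None when the event is not RMM-related or is an expected managed install."""
    family = family_of(ev.image) or family_of(ev.cmdline)
    if family is None:
        return None
    reasons = []
    image = ev.image.lower()
    if family not in SANCTIONED:
        reasons.append(f"{family} is not a sanctioned RMM tool")
    elif not image.startswith(MANAGED_PATHS):
        reasons.append(f"sanctioned {family} running outside its managed install path")
    if USER_LAUNCHERS.search(ev.parent):
        reasons.append(f"launched from user application {ev.parent.rsplit(chr(92), 1)[-1]}")
    if DOWNLOAD_DIRS.search(image):
        reasons.append("binary executed from a download/temp directory")
    parent_family = family_of(ev.parent)
    if parent_family:  # one RMM tool deploying another, as seen with PDQ Connect
        reasons.append(f"spawned by another RMM tool ({parent_family})")
    return (family, reasons) if reasons else None


def detect(lines):
    """Run the rules over log lines and return a list of alert dicts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        hit = classify(ev)
        if hit:
            family, reasons = hit
            alerts.append({"ts": ev.ts, "host": ev.host, "user": ev.user,
                           "family": family, "reasons": reasons})
    return alerts


# Constructed sample records (a dispatcher workstation and a managed host).
SAMPLE_LOG = r"""
2025-10-02T14:03:11Z | DISPATCH-07 | jdoe | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe | ScreenConnect.ClientSetup.exe
2025-10-02T14:05:40Z | DISPATCH-07 | jdoe | C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe | C:\Users\jdoe\AppData\Local\Temp\SimpleHelp-Setup.exe | SimpleHelp-Setup.exe /S
2025-10-02T09:00:02Z | DISPATCH-03 | SYSTEM | C:\Windows\System32\services.exe | C:\Program Files\PDQ Connect\pdq-connect-agent.exe | pdq-connect-agent.exe --service
2025-10-02T09:12:19Z | DISPATCH-03 | mlee | C:\Windows\explorer.exe | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```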


    OpenAI Introduces Aardvark: A GPT-5 Agent That Detects and Fixes Code Vulnerabilities Automatically

    OpenAI has introduced Aardvark, an autonomous GPT-5–powered agent designed to operate as an “AI security researcher” capable of detecting, validating, and patching software vulnerabilities without direct human intervention. The company describes Aardvark as an embedded security companion for development teams, running continuously within code repositories to analyze changes, assess risks, and generate targeted fixes.

    According to OpenAI, Aardvark integrates directly into software development pipelines, monitoring commits and new code pushes to detect security flaws as they emerge. Once it identifies a possible weakness, the system attempts to exploit it in a sandboxed environment to confirm its validity before drafting a patch using Codex, OpenAI’s coding assistant. These patches are designed to be human-reviewable, allowing developers to maintain oversight while benefiting from automated triage and remediation.

    The tool builds on GPT-5’s deeper reasoning capabilities and real-time model routing, allowing it to analyze large codebases more intelligently. OpenAI says that the agent not only detects vulnerabilities but also creates a dynamic threat model for each project, adjusting its assessments as new updates are made. In internal testing and limited external trials, Aardvark has already helped identify at least ten CVEs in open-source projects.

    Aardvark joins a growing wave of AI-driven code security initiatives. Earlier in October, Google announced CodeMender, an agent that autonomously detects and rewrites vulnerable code to prevent recurring flaws. Other systems, such as XBOW, focus on continuous exploit validation and automated patching. Together, these technologies represent an accelerating push toward embedding artificial intelligence directly into DevSecOps workflows.

    While automation offers significant benefits, some developers have voiced concerns about what’s being called “vibe coding,” the over-reliance on AI-generated code that often prioritizes syntactic correctness over architectural soundness or long-term maintainability. Critics warn that if agents like Aardvark are deployed without proper oversight, they could unintentionally reinforce flawed coding patterns or introduce subtle logic errors.

    Despite those concerns, OpenAI maintains that Aardvark was built to complement, not replace, human security researchers. The company frames it as a “defender-first” model that works in tandem with developers by continuously protecting code as it evolves. OpenAI’s goal, they say, is to expand access to expert-level security analysis and reduce the time between vulnerability discovery and remediation, strengthening software defenses without disrupting innovation.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen: October 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from October that should be immediately patched or addressed if present in your environment. Detailed writeups below:


    CVE-2025-59287

    CVE-2025-59287 is a critical deserialization vulnerability in Microsoft’s Windows Server Update Services (WSUS) that allows an unauthenticated, remote attacker to execute arbitrary code across a network. The flaw lies in the way WSUS processes serialized input data sent during communication with update clients or administrative tools. When crafted malicious data is sent to the vulnerable component, WSUS improperly deserializes the input without sufficient validation, enabling attackers to inject and execute arbitrary code in the context of the WSUS service. Because the service typically runs with high privileges, successful exploitation provides full control of the underlying Windows Server.

    This vulnerability is particularly dangerous in enterprise and government environments where WSUS acts as a central patch management hub. By compromising the update service itself, an attacker could distribute malicious payloads masquerading as legitimate Microsoft updates, undermining the integrity of the entire patching process. The attack requires no authentication or user interaction, making it a prime candidate for remote exploitation campaigns. Once exploited, adversaries could use the WSUS system as a stepping stone to deploy malware across all connected endpoints, modify update metadata, or disrupt update delivery through denial-of-service actions.

    The vulnerability carries a CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), emphasizing its ease of exploitation and severe potential impact on confidentiality, integrity, and availability. It was published on October 14, 2025, and updated on October 28, 2025, after Microsoft confirmed active exploitation attempts in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate remediation. Proof-of-concept exploit code is already publicly available, as noted in repositories such as the one maintained by Hawktrace, suggesting that exploitation could spread quickly beyond targeted attacks.

    Organizations using WSUS should apply Microsoft’s security update immediately or, if patching is temporarily unfeasible, restrict network access to the WSUS server, disable external connections, and monitor for anomalous serialized traffic. Given WSUS’s role in distributing software updates, exploitation of this vulnerability could enable a widespread supply-chain compromise similar in nature to earlier enterprise-level patching system attacks.


    CVE-2025-61882

    CVE-2025-61882 is a critical vulnerability in Oracle E-Business Suite’s Concurrent Processing product, specifically within the BI Publisher Integration component. Versions 12.2.3 through 12.2.14 are affected. The flaw can be exploited remotely without authentication through HTTP requests, allowing attackers to completely compromise Oracle Concurrent Processing. Because this component controls job scheduling and report generation, successful exploitation could lead to total system takeover, giving attackers the ability to access or alter sensitive enterprise data.

    This vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its ease of exploitation and severe potential for impact across confidentiality, integrity, and availability. It was first published on October 5, 2025, and updated on October 27, 2025, after evidence of active exploitation surfaced. Reports indicate that the Cl0p ransomware group exploited this zero-day along with CVE-2025-61884 to breach unpatched Oracle E-Business Suite systems. Once inside, attackers leveraged the BI Publisher interface to inject commands into concurrent manager processes, gaining administrative control over databases and report workflows.

    The Exploit Prediction Scoring System (EPSS) lists this vulnerability with a probability of 0.80291, indicating a high likelihood of exploitation. Given the centrality of Oracle E-Business Suite in enterprise operations—handling ERP, HR, and financial data—successful attacks could have significant operational and financial consequences.

    Organizations should apply Oracle’s official security patch immediately and ensure that external network access to E-Business Suite administrative functions is tightly restricted. Logging and alerting should be configured to monitor for unusual BI Publisher activity or unauthorized concurrent processing jobs.


    CVE-2025-41244

    CVE-2025-41244 is a high-severity local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. The issue arises when a virtual machine running VMware Tools is managed by Aria Operations with the Software Defined Monitoring Platform (SDMP) feature enabled. In such configurations, a local, non-administrative user can exploit improper permission handling to escalate privileges to root on the same virtual machine.

    This flaw is particularly concerning in enterprise environments where SDMP is widely deployed for monitoring and telemetry collection across multiple virtual machines. Because exploitation requires only local access, it may serve as a key post-compromise technique within larger intrusion campaigns. Once elevated, an attacker could modify system configurations, install persistent malware, or pivot to adjacent hosts within the virtual infrastructure.

    The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting the high potential for system takeover once access is gained. While exploitation requires some initial foothold, the attack complexity is low, and the resulting control is complete. Reports from multiple cybersecurity outlets, including The Hacker News and SecurityWeek, indicate that Chinese state-linked threat actor UNC5174 has already exploited this zero-day in targeted attacks against organizations in North America and Europe.

    CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities (KEV) catalog on October 31, 2025, urging all organizations using VMware Aria Operations to apply available patches or disable SDMP until updates are deployed. Broadcom, which now owns VMware, faced criticism for not immediately disclosing active exploitation despite internal awareness of the issue, delaying defensive action for many enterprises.

    Administrators should verify whether their VMware Tools and Aria Operations deployments are running vulnerable builds and prioritize patching on high-value systems. Logging should be enabled to monitor privilege escalation events and anomalous Aria Operations activity. Isolation of management VMs from general workloads is strongly recommended to prevent lateral movement following potential exploitation.


    CVE-2025-6205

    CVE-2025-6205 is a critical missing authorization vulnerability affecting Dassault Systèmes’ DELMIA Apriso manufacturing execution platform from Release 2020 through Release 2025. The flaw allows a remote attacker to gain unauthorized privileged access to the application without prior authentication. This means that attackers can potentially take administrative control of the system, manipulate production processes, access sensitive manufacturing data, or disrupt connected industrial operations.

    The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025, after reports confirmed active exploitation targeting organizations in manufacturing and industrial automation sectors. According to advisories from multiple security researchers, attackers have been leveraging this flaw to infiltrate factory control systems tied to DELMIA Apriso environments, particularly those connected to wider enterprise networks. Because the vulnerability lies in authorization checks, exploitation requires no user interaction and can be triggered directly over a network via HTTP requests.

    With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), the vulnerability poses a severe threat to data confidentiality and system integrity. While the primary impact centers on unauthorized access and data manipulation, the lack of availability impact suggests attackers are focused on persistence and control rather than outright disruption. Its CVSS v2 score of 9.4 and an EPSS likelihood of 0.42044 indicate both ease of exploitation and ongoing attacker interest.

    SecurityWeek and The Hacker News report that exploitation campaigns have been attributed to threat groups with a focus on industrial espionage, including actors linked to prior intrusions against manufacturing firms. These operations often leverage DELMIA Apriso’s integration with ERP systems, allowing attackers to pivot laterally into supply chain management environments or exfiltrate intellectual property.

    Organizations using affected versions should immediately apply the latest vendor patches or follow CISA’s mitigation guidance if immediate patching is not feasible. Network segmentation between operational technology (OT) and IT systems, alongside close monitoring of HTTP traffic targeting Apriso management interfaces, can help reduce exposure. Unusual administrative activity, particularly involving configuration or workflow changes, may indicate ongoing compromise attempts.


    CVE-2025-24893

    CVE-2025-24893 is a critical remote code execution vulnerability in XWiki Platform, an open-source enterprise wiki and application development framework. The flaw exists in the SolrSearch component, which fails to properly sanitize user-supplied input before passing it to server-side code evaluation routines. This allows an unauthenticated attacker to execute arbitrary Groovy code on the affected instance simply by sending a specially crafted HTTP request to the /xwiki/bin/get/Main/SolrSearch endpoint.

    The vulnerability impacts all XWiki installations that expose their SolrSearch endpoint without authentication, giving remote actors the ability to compromise the confidentiality, integrity, and availability of the entire system. Exploitation does not require prior access or complex techniques; an attacker can inject Groovy code directly through the request parameter. If the server returns an RSS feed containing the string “Hello from search text:42” after sending the proof-of-concept payload, it confirms that the instance is vulnerable and executing attacker-supplied code.

    This issue affects XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1. The developers have patched the flaw by modifying the Main.SolrSearchMacros file to enforce proper content-type handling and sanitize user input in the rawResponse macro, preventing direct code interpretation.

    The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a near-total compromise potential with low attack complexity and no authentication required. It also has one of the highest Exploit Prediction Scoring System (EPSS) ratings, 0.94117, signifying widespread attacker interest and active exploitation.

    CISA added CVE-2025-24893 to the Known Exploited Vulnerabilities (KEV) catalog on October 31, 2025, following reports of real-world exploitation. Threat intelligence sources, including The Hacker News and Security Affairs, revealed that attackers have hijacked vulnerable XWiki servers to deploy cryptocurrency mining malware and establish persistent backdoors. Since the flaw is reachable without authentication, compromised XWiki instances can also be leveraged for lateral movement across networks or for hosting malicious payloads disguised as legitimate documentation pages.

    Administrators should immediately update to a patched version or apply the provided mitigation by editing SolrSearchMacros.xml and restricting public access to /xwiki/bin/get/Main/SolrSearch. Continuous monitoring for unusual Groovy script execution or high CPU load may also help identify compromised instances.
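    One request-side check that complements restricting access to the endpoint is shown below as an added example (not XWiki's or Netizen's code). It walks web-server access logs, singles out requests to /xwiki/bin/get/Main/SolrSearch, and alerts when any query parameter carries XWiki macro syntax, which a genuine search string never contains; it also re-decodes each value once to catch double-encoded braces. The log format is assumed to be combined (Apache/nginx style) and the sample lines are constructed.

```python
"""Access-log check for abuse of the XWiki SolrSearch endpoint (CVE-2025-24893).
Added example; not XWiki's or Netizen's code. Assumes Apache/nginx-style
combined access log lines; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"

# XWiki macro syntax has no place in a search string; its presence in a
# parameter sent to a code-evaluating endpoint is the alert condition.
MACRO_RE = re.compile(r"\{\{\s*[a-z]", re.I)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)


def parse_access_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_request(target: str):
    """Return a list of findings for one request target (path plus query)."""
    parts = urlsplit(target)
    if unquote(parts.path).rstrip("/").lower() != SOLR_PATH.lower():
        return []
    findings = []
    # parse_qsl already percent-decodes once; unquote() again for %257B-style input.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MACRO_RE.search(value) or MACRO_RE.search(unquote(value)):
            findings.append(f"wiki macro syntax in parameter {name!r}")
    return findings


def scan(lines):
    """Run inspect_request over access-log lines and collect alerts."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        findings = inspect_request(rec["target"])
        if findings:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "status": rec["status"], "findings": findings})
    return alerts


# Constructed sample lines: one legitimate search, two macro-syntax probes
# (plain and double-encoded) from the same source, one unrelated page view.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [30/Oct/2025:10:14:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=deployment+guide&media=rss HTTP/1.1" 200 2381',
    '198.51.100.7 - - [30/Oct/2025:10:15:41 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bmacro%7D%7Dtest%7B%7B%2Fmacro%7D%7D HTTP/1.1" 200 1130',
    '198.51.100.7 - - [30/Oct/2025:10:15:55 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bmacro%257D%257D HTTP/1.1" 200 1130',
    '203.0.113.22 - - [30/Oct/2025:10:16:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9876',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_ACCESS_LOG):
        print(alert)
```

    Because the access log shows only the request, a hit here should be followed by checking the instance's XWiki version against the patched releases listed above and reviewing the server for the high CPU load or unexpected script execution mentioned as compromise signs.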


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Netizen Cybersecurity Bulletin (October 30th, 2025)

    Overview:

    • Phish Tale of the Week
    • CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers
    • YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this text message, the actors pose as the USPS and inform you that action needs to be taken regarding your package’s delivery. The message politely explains that “USPS” is holding our package that we ordered at “the warehouse,” and that we just need to confirm our address in order to get it delivered. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this smishing link:

    1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
    2. The second warning sign in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “Within the next 12 hours” and “Please confirm.” Phishing and smishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
    3. The final warning sign for this text is the style of the link. After a quick look at the address, one can deduce that we’ve been sent a phishing link. Trusted companies like USPS typically will use a simple, standardized domain as their website. For example, USPS’s official website is simply “usps.com.” Threat actors typically will utilize message-related words in the links they send you. After taking one quick look at the URL, “uspz.usspaob.top,” it’s very obvious that this text is an attempt at a smish.
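    The three warning signs above can be checked mechanically. The following is an added example, not Netizen’s tooling or anything from the original bulletin: a small Python triage script that flags an SMS when it carries a link, uses urgency language, or links to a registrable domain other than the impersonated brand’s real one. The brand allow-list, the urgency phrase list and the two sample messages are constructed for illustration.

```python
"""Heuristic smishing triage: scores an SMS against the three warning signs
above (a URL in the message, urgency language, a look-alike domain).

Added example, not Netizen's tooling. BRAND_DOMAINS, URGENCY_PHRASES and the
sample messages are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: the only registrable domain each brand sends from.
BRAND_DOMAINS = {"usps": {"usps.com"}}

URGENCY_PHRASES = (
    "within the next", "please confirm", "immediately", "urgent",
    "act now", "suspended", "final notice",
)

# Matches bare or scheme-prefixed hostnames with an optional path, e.g.
# "uspz.usspaob.top/track" or "https://usps.com/".
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")


def registrable_domain(url: str) -> str:
    """Last two labels of the URL's host. Naive public-suffix handling: fine
    for .com/.top, wrong for ccTLD registries such as .co.uk."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_sms(text: str, claimed_brand: str) -> dict:
    """Return a verdict plus the individual findings that drove it."""
    findings = []
    urls = URL_RE.findall(text)
    if urls:                                        # sign 1: a link in an SMS
        findings.append("contains_url")
    lowered = text.lower()
    if any(p in lowered for p in URGENCY_PHRASES):  # sign 2: urgency wording
        findings.append("urgency_language")
    legit = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    for u in urls:                                  # sign 3: not the brand's domain
        dom = registrable_domain(u)
        if dom not in legit:
            findings.append(f"domain_mismatch:{dom}")
    if len(findings) >= 2:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


# Constructed samples modelled on the text described above.
SMISH = ("USPS: your package is being held at the warehouse. Please confirm "
         "your address within the next 12 hours: uspz.usspaob.top/track")
LEGIT = ("USPS: your package is out for delivery. Check your tracking "
         "details for more information.")

if __name__ == "__main__":
    for msg in (SMISH, LEGIT):
        print(score_sms(msg, "USPS"))
```

    Run it as a script to see both verdicts. The domain check deliberately compares the registrable domain rather than the full hostname, because look-alike hosts such as the one above put the brand name in a subdomain or a misspelled label; for country-code suffixes like .co.uk a real public-suffix list would be needed.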


    General Recommendations:

    A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages convey a sense of urgency or even aggression in order to intimidate the recipient. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that try to tempt you into opening an attachment or visiting a link. For example, “Fix your account now” may prompt the question “What is wrong with my account?” and lead you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    CISA Orders Federal Agencies to Patch VMware Tools Vulnerability Exploited by Chinese State Hackers

    The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch a high-severity vulnerability in Broadcom’s VMware Aria Operations and VMware Tools after confirming that it is being exploited by Chinese hackers. The flaw, tracked as CVE-2025-41244, allows a local attacker with limited privileges to gain root access on a virtual machine managed by Aria Operations when SDMP is enabled.

    CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, which lists security flaws known to be used in real-world attacks. Federal Civilian Executive Branch agencies have until November 20 to apply patches as required under Binding Operational Directive 22-01. The agency warned that unpatched systems remain exposed to ongoing attacks and urged organizations outside the federal government to also apply updates as soon as possible.

    Broadcom patched the issue one month ago following reports from security researcher Maxime Thiebaut at NVISO, who discovered that a Chinese state-sponsored actor identified as UNC5174 had been exploiting it since October 2024. Thiebaut released proof-of-concept code showing how an attacker could use the vulnerability to escalate privileges on both Aria Operations and VMware Tools installations, granting full control over the affected virtual machine.

    UNC5174, which Google Mandiant has described as a contractor for China’s Ministry of State Security, has been involved in several major intrusions over the past two years. The group was observed selling access to compromised U.S. defense contractors, British government entities, and Asian institutions after exploiting other high-profile vulnerabilities such as CVE-2023-46747 in F5 BIG-IP, CVE-2024-1709 in ConnectWise ScreenConnect, and CVE-2025-31324 in SAP NetWeaver.

    Since the beginning of 2025, Broadcom has released patches for three other VMware zero-days and addressed two additional high-severity issues in VMware NSX reported by the National Security Agency. These repeated discoveries highlight the growing focus of advanced threat actors on virtualization platforms, which serve as gateways to large numbers of sensitive systems once compromised.

    CISA’s latest directive emphasizes that these vulnerabilities remain a common path for intrusions into government networks and that patching is the most effective mitigation. Agencies and private organizations using affected VMware products are advised to follow Broadcom’s guidance, verify their environments for exposure, and apply available fixes without delay.


    YouTube Ghost Network: 3,000 Malware-Infested Videos Used to Spread Credential Stealers Across Compromised Channels

    A new report from Check Point has revealed a widespread campaign that weaponized YouTube to distribute malware at scale. Dubbed the “YouTube Ghost Network,” the operation involved more than 3,000 videos published across hundreds of compromised channels, many of which had been active since 2021. These videos masqueraded as legitimate tutorials for pirated software or gaming cheats but instead directed users to malware downloads.

    The malicious uploads, often disguised with convincing visuals, likes, and comments, were designed to appear trustworthy. Some received well over 200,000 views before being removed. The network relied heavily on hacked accounts whose original content was replaced with fake installation guides for cracked software. Victims were lured to download supposed installers from file-sharing platforms such as MediaFire or Dropbox, or from phishing pages hosted on Google Sites and Blogger. Each of these locations contained hidden payloads leading to information-stealing malware.

    Researchers found that the operation was built on a structured, role-based system that assigned functions to different account types. “Video accounts” uploaded the infected videos and pinned download links. “Post accounts” promoted those same links through YouTube’s community tab. “Interact accounts” boosted engagement by liking and commenting on the videos to create a false sense of credibility. This setup allowed the operators to replace banned or removed accounts quickly without disrupting the campaign, maintaining a continuous presence across YouTube.

    The network’s organization made it difficult for automated moderation systems to shut it down completely. Even after Google removed a majority of the videos, new ones continued to appear through replacement accounts. Some evidence suggests that the network might operate as a form of “distribution-as-a-service,” meaning multiple groups could be leasing access to it to spread different strains of malware.

    Malware families linked to the Ghost Network include Lumma Stealer, Rhadamanthys Stealer, RedLine Stealer, StealC, and Phemedrone. These tools are designed to harvest browser credentials, cryptocurrency wallets, and authentication tokens from infected devices. One hijacked channel with over 120,000 subscribers was caught hosting a fake Adobe Photoshop installer that deployed Hijack Loader, which in turn downloaded Rhadamanthys.

    Check Point noted that the growth of this network mirrors a broader shift in cybercrime tactics toward using legitimate platforms as delivery systems. Attackers exploit engagement metrics and user trust rather than relying solely on traditional phishing emails or malicious ads. By embedding malware campaigns within well-known services, they gain both reach and credibility.

    The report emphasized that the success of operations like the YouTube Ghost Network demonstrates how cybercriminals are adapting to new content ecosystems. By leveraging social media features such as likes, comments, and community posts, they are able to scale attacks while maintaining the appearance of legitimacy.

    Google confirmed that it has removed most of the identified malicious content and continues to work with security researchers to track and disrupt these activities. Still, the campaign shows that large-scale content networks can be turned into malware delivery systems when trust mechanisms are abused, and that vigilance from both platforms and users remains the only reliable defense against such evolving tactics.


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Aisuru Botnet Shifts From DDoS to Residential Proxies

    Aisuru, the botnet known for unleashing several record-breaking DDoS attacks this year, has shifted focus. Instead of flooding networks with traffic, its operators are now renting out infected Internet of Things (IoT) devices as residential proxies. This move turns a once-destructive campaign into a profitable, quieter business model. The infected devices now serve as relays for customers seeking to hide their online activity, blending malicious traffic with that of everyday home users.


    From Massive Attacks to Silent Rentals

    The botnet first appeared in August 2024 and has since compromised at least 700,000 IoT systems, including routers, digital video recorders, and security cameras. At its peak, Aisuru was capable of generating attacks exceeding 30 terabits per second. In June, it launched a 6.3-terabit-per-second assault against KrebsOnSecurity, one of the largest attacks Google’s mitigation network had ever recorded.

    Such attacks did more than target single websites; they caused collateral damage across entire Internet service providers. When Aisuru’s nodes were used for outbound DDoS traffic, the resulting data floods sometimes reached over a terabit per second per provider, overloading routers and affecting legitimate customers. Federal authorities and major ISPs in both the United States and Europe have since begun cooperating to identify and block the botnet’s infrastructure.


    The Rise of the Residential Proxy Economy

    Recent updates to Aisuru’s malware turned its infected devices into part of the residential proxy market. Proxy services lease access to these devices, letting customers mask their online traffic as if it came from legitimate household connections. While proxies have valid business uses such as price monitoring or web analytics, they are often abused to disguise cybercrime operations including ad fraud, credential stuffing, and large-scale scraping.

    This market has grown explosively. Data collected from monitoring services indicates that hundreds of millions of residential IPs are now available for rent. Much of this surge is likely tied to botnets like Aisuru, which provide a steady influx of compromised devices. The abundance of residential proxies has become a valuable resource for data harvesting operations supporting artificial intelligence projects, particularly those training large language models on scraped content.


    Exploiting SDKs for Bandwidth and Profit

    Many proxy networks expand their reach through software development kits bundled into mobile or desktop apps. These SDKs often claim user consent but can quietly convert a device into a traffic relay. Infected devices under Aisuru’s control may be forced to install such SDKs automatically, allowing the botmasters to profit each time bandwidth from those devices is sold to proxy services.

    Researchers have linked parts of this ecosystem to companies in China operating under collective brands like HK Network. These entities manage multiple proxy services that resell bandwidth among themselves, complicating efforts to track their true ownership and size. The structure allows them to market large proxy pools under different names while remaining largely anonymous.


    Impact on the Internet and AI Infrastructure

    This shift from DDoS to proxy operations has significant consequences. Instead of causing short-lived outages, the infrastructure now supports long-term, large-scale data scraping that burdens websites, APIs, and open-source projects. Some maintainers report that nearly all of their incoming traffic now comes from automated crawlers feeding AI systems.

    The strain has grown so severe that companies like Cloudflare are testing “pay-per-crawl” systems to let website owners charge AI bots for access. Others, like Reddit, have begun legal action against proxy providers accused of enabling large-scale scraping in violation of platform policies.


    Implications for Security Teams

    For security operations centers and network defenders, this evolution demands new detection methods. Malicious traffic now originates from residential IPs, making it far harder to distinguish from legitimate user activity. Traditional blocklists and data-center IP reputation checks no longer suffice. Behavioral indicators—such as simultaneous long-duration sessions, abnormal bandwidth usage, or repetitive access patterns—are now key signals.

    Monitoring outbound flows from IoT networks, enforcing segmentation, and maintaining strict firmware update policies are critical steps in preventing internal devices from being hijacked into proxy networks. Collaboration with ISPs and intelligence-sharing groups will also be vital as these hybrid proxy-botnets continue to expand.
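    To make the behavioral indicators above concrete, here is an added example (not from the article or any vendor) in Python that screens per-client session records for the proxy-node pattern: many simultaneous long-lived sessions, unusually high bandwidth, and a machine-regular cadence against a narrow set of paths. The Flow records, the thresholds and the two sample clients are constructed; real thresholds must be tuned against a site’s own baseline.

```python
"""Behavioral screening of per-IP session data for residential-proxy abuse.

Added example, not from the article or any vendor. Thresholds and the sample
flow records are constructed; real values must be tuned per environment.
Signals follow the indicators named above: many simultaneous long-duration
sessions, abnormal bandwidth, and repetitive access patterns.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from urllib.parse import urlsplit


@dataclass
class Flow:
    src_ip: str
    start: int      # epoch seconds
    end: int        # epoch seconds
    bytes_out: int  # bytes served to the client
    path: str


def max_concurrent(intervals):
    """Peak number of overlapping [start, end) intervals (sweep line).
    An end and a start at the same instant do not count as overlapping."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def analyze(flows, long_session_s=1800, concurrent_limit=3,
            bytes_limit=20_000_000, min_requests=10):
    """Return per-IP signals; an IP is flagged when two or more signals fire."""
    by_ip = defaultdict(list)
    for f in flows:
        by_ip[f.src_ip].append(f)
    report = {}
    for ip, fl in by_ip.items():
        signals = []
        long_ones = [(f.start, f.end) for f in fl if f.end - f.start >= long_session_s]
        peak = max_concurrent(long_ones)
        if peak >= concurrent_limit:
            signals.append("concurrent_long_sessions")
        total = sum(f.bytes_out for f in fl)
        if total >= bytes_limit:
            signals.append("abnormal_bandwidth")
        if len(fl) >= min_requests:
            starts = sorted(f.start for f in fl)
            gaps = [b - a for a, b in zip(starts, starts[1:])]
            # machine-like cadence: inter-arrival jitter under 10% of the mean
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
                signals.append("regular_cadence")
            distinct = {urlsplit(f.path).path for f in fl}   # ignore query strings
            if len(distinct) <= 2:
                signals.append("narrow_path_set")
        report[ip] = {"signals": signals, "max_concurrent_long": peak,
                      "bytes_out": total, "flagged": len(signals) >= 2}
    return report


def sample_flows():
    """Constructed data: one IP behaving like a rented proxy node and one
    ordinary visitor. Addresses are from RFC 5737 documentation ranges."""
    flows = [Flow("203.0.113.7", i * 60, i * 60 + 3600, 5_000_000,
                  f"/api/items?page={i}") for i in range(12)]
    flows += [Flow("198.51.100.20", s, s + d, 200_000, p)
              for s, d, p in ((0, 120, "/"), (400, 45, "/about"),
                              (1500, 300, "/blog/post-1"), (2600, 60, "/contact"))]
    return flows


if __name__ == "__main__":
    for ip, r in analyze(sample_flows()).items():
        print(ip, r)
```

    None of the signals depends on the source address’s reputation: a residential address that opens twelve hour-long sessions at exactly sixty-second intervals against a single endpoint is flagged on behavior alone, while a short, varied browsing session from another residential address is not.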



  • Netizen: Monday Security Brief (10/27/2025)

    Today’s Topics:

    • Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor
    • Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory
    • How can Netizen help?

    Chrome Zero-Day Exploited Through Spyware Built by Hacking Team Successor

    A zero-day vulnerability in Google Chrome has been tied to a spyware operation run by Memento Labs, the rebranded successor of the notorious Hacking Team. The flaw, identified as CVE-2025-2783, was discovered by Kaspersky researchers earlier this year and used in a campaign known as Operation ForumTroll. The attackers targeted both government and private sector organizations in Russia and Belarus, deploying a spyware tool called Dante.

    After the 2015 breach that exposed Hacking Team’s internal files and source code, many believed the company was finished. In 2019, it was acquired by IntheCyber Group and relaunched under a new name: Memento Labs. By 2023, the company unveiled Dante, a new surveillance platform that analysts now say is a direct evolution of the old Remote Control Systems (RCS) spyware.

    Kaspersky’s report revealed that despite claims of a clean restart, Dante contains striking similarities to Hacking Team’s earlier work. This finding highlights how the commercial spyware industry has persisted through name changes and acquisitions, continuing to supply tools for government-linked surveillance.

    The attacks began through targeted phishing messages containing short-lived links. Once clicked, they delivered a Chrome exploit that used an unusual quirk in Windows to bypass browser sandboxing. Boris Larin, principal security researcher at Kaspersky, explained that the vulnerability involved how Windows handles pseudo handles, or constant values representing objects inside privileged processes.

    By exploiting this flaw, attackers managed to disable Chrome’s sandbox protections and execute malicious code without triggering alarms. Larin described the exploit as one of the most unusual sandbox escapes Kaspersky has ever encountered, warning that the same logic flaw might exist in other Windows services or applications. He also called the DuplicateHandle API a dangerous function that should reject pseudo handles altogether to prevent privilege escalation.

    The spyware behind the campaign, Dante, was heavily protected by VMProtect, an obfuscation tool that makes reverse engineering difficult. Every string within the code was encrypted, though once decrypted, researchers found unmistakable indicators that tied the program to Memento Labs.

    According to Kaspersky, the spyware was not directly observed in Operation ForumTroll but was linked to other attacks involving the same infrastructure and coding patterns. These overlaps suggest that Memento’s spyware ecosystem has been active since at least 2022, operating quietly through multiple campaigns.

    The case demonstrates how commercial spyware vendors continue to drive zero-day exploitation across widely used platforms such as Chrome and iOS. Companies like Memento Labs operate under the guise of providing lawful surveillance tools, yet their products often end up in politically motivated campaigns that target journalists, activists, and foreign government entities.

    Public exposure and company rebranding have done little to slow this market. Despite the downfall of Hacking Team a decade ago, its descendants continue to build and sell advanced intrusion frameworks. Each reappearance underscores the difficulty of dismantling the commercial spyware ecosystem, which thrives on the global demand for offensive cyber capabilities.


    Persistent Hidden Commands Found in ChatGPT Atlas Browser Memory

    Security researchers have disclosed a vulnerability in OpenAI’s ChatGPT Atlas browser that can let attackers inject persistent, hidden instructions into the assistant’s memory and trigger arbitrary code execution. LayerX Security reported the flaw after demonstrating how a cross-site request forgery exploit can write attacker-supplied instructions into ChatGPT memory. Those instructions can survive across devices and sessions and execute when a user later interacts with the assistant.

    LayerX co-founder and CEO Or Eshed described the threat as capable of infecting systems with malicious code, elevating attacker privileges, or deploying malware. Michelle Levy, head of security research at LayerX, said their tests showed that once memory was tainted, normal user prompts sometimes triggered code fetches, privilege escalations, or data exfiltration without obvious safeguards activating.

    The problem hinges on two features. First, memory, introduced by OpenAI in February 2024, is meant to persist helpful user details between chats so responses feel more personalized. Second, the Atlas browser’s current defenses against phishing and web-based attacks appear weaker than those of established browsers, which makes it easier for an authenticated user to be tricked into a harmful action. LayerX’s testing against more than 100 real-world web threats found that Edge blocked 53 percent, Chrome blocked 47 percent, and Dia blocked 46 percent. In comparison, Perplexity’s Comet and ChatGPT Atlas blocked only 7 percent and 5.8 percent respectively.

    The attack scenario LayerX demonstrated follows a simple chain. A logged-in user is socially engineered into visiting a malicious page. That page issues a CSRF call that writes hidden instructions into ChatGPT’s persistent memory. Later, when the user asks ChatGPT to assist with a legitimate task, the assistant consults the tainted memory and may act on the hidden instructions. LayerX withheld some low-level details while sharing proof-of-concept behavior with reporters.

    The implications extend beyond single sessions. Because the poisoned memory can travel with the user profile, any device where that profile is active may inherit the compromise. This creates opportunities for attackers to contaminate development workflows or automated tasks by slipping commands into code suggestions or prompt templates. NeuralTrust and others have already shown how prompt injection and malicious URLs can break an agent’s expected behavior; the Atlas memory flaw adds a lasting persistence vector.

    Enterprises that rely on AI agents integrated into browser workflows should treat this class of issue as an operational risk. Developers and security teams can take several practical steps. Turn off persistent memory for high-risk accounts or for users who handle sensitive code and data. Limit ChatGPT access to segmented accounts that do not carry privileged credentials. Add monitoring for unexpected outbound code fetches and unusual command patterns originating from AI-assisted requests. Apply stricter phishing defenses, use browser isolation for AI browsing sessions, and require re-authentication for memory writes or other sensitive actions.

    OpenAI and security vendors have both been notified of the findings. LayerX called out Atlas’s relative lack of anti-phishing protections as a major factor that increases exposure compared with mainstream browsers. Until browser vendors and AI platform operators add explicit controls to protect persistent memory, users should assume that any feature that stores instructions across sessions can be abused and should be treated with caution.

    Security teams, product owners, and developers who integrate agentic browsers into workflows must evaluate how persistent memory is used and whether that usage can be hardened. Small configuration changes and stricter access controls can reduce immediate exposure, while longer term fixes will require design changes that separate stored user preferences from executable instructions and that prevent remote sources from silently modifying memory.
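    The mitigations listed above (reject cross-site callers, require re-authentication for memory writes, keep stored preferences separate from instructions) can be illustrated on a toy endpoint. The following is an added example in plain Python and is not OpenAI’s, Atlas’s or LayerX’s code: a cookie-only memory-write handler of the kind a cross-site request can drive, beside a hardened handler. The origin, the session and request objects, and the requests themselves are constructed.

```python
"""A memory-write endpoint simulated in plain Python: the cookie-only version
that a cross-site request can drive, beside a hardened version that applies
the controls suggested above (reject cross-site callers, bind the write to a
per-session token, require recent re-authentication, and store memory as
preference data rather than instructions).

Added example; it is not OpenAI's, Atlas's or LayerX's code. The origin,
the session/request objects and the sample requests are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field

ASSISTANT_ORIGIN = "https://assistant.example"   # hypothetical site origin
REAUTH_WINDOW_S = 300                            # max age of a login for a memory write


@dataclass
class Session:
    user: str
    csrf_token: str
    last_auth: float                 # epoch seconds of the last explicit login
    memory: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    headers: dict
    body: dict
    session: Session                 # resolved from the cookie the browser attached


def new_session(user: str, now: float) -> Session:
    return Session(user, secrets.token_urlsafe(32), now)


def write_memory_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone. A page on another origin can issue
    this POST and the browser attaches the victim's cookie, so the write
    succeeds with attacker-chosen text (the CSRF pattern described above)."""
    req.session.memory.append(req.body["note"])
    return 200


def write_memory_hardened(req: Request, now: float) -> int:
    if req.method != "POST":
        return 405
    # 1. Refuse cross-site requests. Browsers set these fetch-metadata headers
    #    and a foreign page cannot forge "same-origin"; a client that omits
    #    them is treated as untrusted rather than given the benefit of the doubt.
    if req.headers.get("Sec-Fetch-Site") != "same-origin":
        return 403
    if req.headers.get("Origin") != ASSISTANT_ORIGIN:
        return 403
    # 2. The write must carry a token that only same-origin script can read.
    supplied = req.headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403
    # 3. Memory writes are privileged: the login must be recent.
    if now - req.session.last_auth > REAUTH_WINDOW_S:
        return 401
    # 4. Persist as typed preference data, never as free-form instructions.
    req.session.memory.append(
        {"kind": "preference", "text": req.body["note"], "source": "user"})
    return 200


def demo():
    """Constructed requests: one from a foreign page, one from the assistant's own UI."""
    now = 1_700_000_000.0
    sess = new_session("alice", now)
    cross_site = Request("POST",
                         {"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"},
                         {"note": "attacker-chosen text"}, sess)
    same_origin = Request("POST",
                          {"Sec-Fetch-Site": "same-origin", "Origin": ASSISTANT_ORIGIN,
                           "X-CSRF-Token": sess.csrf_token},
                          {"note": "prefers metric units"}, sess)
    results = {
        "vulnerable_cross_site": write_memory_vulnerable(cross_site),
        "hardened_cross_site": write_memory_hardened(cross_site, now),
        "hardened_same_origin": write_memory_hardened(same_origin, now),
        "hardened_stale_login": write_memory_hardened(same_origin, now + 3600),
    }
    return results, sess.memory


if __name__ == "__main__":
    print(demo())
```

    The hardened handler refuses any request whose fetch-metadata headers do not say same-origin, checks a token that only same-origin script can read, and refuses a write once the login is older than the re-authentication window. Writing each entry as typed preference data is what the closing paragraph of this section asks for: the assistant later sees a record labelled as a user preference, not a free-form string it might read as an instruction.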



  • Why SMBs Can’t Afford to Ignore the Growing Threat of Initial Access Brokers

    Initial Access Brokers (IABs) have become a cornerstone of the modern cybercrime economy. Instead of carrying out attacks themselves, these actors specialize in breaking into corporate networks and then selling that access to other criminals. Because the hardest part of an intrusion, getting inside, is outsourced to them, ransomware operators, data thieves, and other malicious groups can move straight to exploitation. This division of labor lowers risk for IABs while fueling the speed and scale of attacks across industries.


    Why IABs Are Rising

    The growth of Ransomware-as-a-Service (RaaS) has created a perfect market for IABs. Affiliates can launch attacks almost immediately once they purchase valid access, cutting down the time it takes to deploy ransomware. In many cases, IABs now work directly with RaaS affiliates rather than advertising on dark web forums, which reduces visibility to law enforcement. This tighter collaboration benefits both sides: ransomware operators scale their operations more quickly, and IABs secure steady demand for their services.


    Shifting Targets

    The targeting patterns of IABs show how flexible and opportunistic this market has become. In 2023, business services dominated the victim pool, accounting for nearly a third of all observed compromises. By 2024, that dominance shrank to about 13 percent as brokers broadened their focus. Industries across the board are now at risk, with the United States continuing to be the top target due to its economic weight, followed by Brazil and France. The trend indicates that smaller and mid-sized organizations are no longer overlooked; they are now prime targets thanks to the volume-based sales strategy of IABs.


    The Economics of Access

    Pricing illustrates the strategic change. In 2023, access listings ranged from $500 to $3,000, with an average of around $1,979 but a median closer to $1,000. By 2024, most listings, roughly 58 percent, fell under $1,000. Only a small fraction (7 percent) were high-value sales, though those skewed the overall average upward to about $2,047. The drop in price for most access points signals a pivot toward selling more accounts in bulk, trading individual high-ticket sales for volume. The result is that cybercriminals can launch more attacks for less, increasing both the number of victims and the potential damage.


    What’s Next

    IABs are expected to remain a key player in cybercrime. Their ability to provide pre-packaged access lowers barriers for less skilled attackers and accelerates timelines for ransomware groups. With prices trending downward and more industries falling into scope, the threat surface is expanding quickly.

    Organizations that once assumed they were too small or too obscure to be targeted should reconsider that assumption. As access becomes cheaper and more plentiful, even modest businesses are at greater risk.


    What SOC Teams Need to Know

    Security teams should treat IAB-driven intrusions as a high-likelihood precursor to ransomware. Early detection of credential misuse, unusual remote access activity, and privilege escalation attempts is critical. SOC analysts should focus on:

    • Monitoring for abnormal VPN, RDP, and Citrix activity, particularly logins from unexpected geographies or at odd times.
    • Expanding visibility into cloud and SaaS platforms, since stolen access is often resold for these environments.
    • Using threat intelligence to track IAB offerings, which often surface on closed forums before access is sold to ransomware affiliates.
    • Ensuring credential hygiene, MFA enforcement, and rapid offboarding of stale accounts to shrink the attack surface available to brokers.

    By aligning detection and response efforts around the tactics IABs use, SOC teams can catch compromises earlier in the kill chain, before ransomware or data theft occurs.
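    The following triage routine is an added example, not part of the original article or any Netizen tooling. It scores constructed VPN/RDP/Citrix login records against three cues from the checklist above (unexpected source country, off-hours login, and a long-dormant account); the log format, countries, business hours and staleness threshold are assumptions chosen for the example.

```python
"""Triage remote-access logins for cues that point to brokered access.

Added example, not code from the article. Thresholds, the log format
and the sample records are all constructed for illustration.
"""
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}          # assumption: where the workforce normally connects from
BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 local time is normal
STALE_AFTER = timedelta(days=45)     # assumption: dormant this long counts as a stale account

# constructed records: service|user|source country|login time|previous login time
SAMPLE_LOGINS = [
    "vpn|jdoe|US|2025-03-04T09:12:00|2025-03-03T17:40:00",
    "rdp|svc-backup|BR|2025-03-04T03:27:00|2025-01-10T02:00:00",
    "citrix|mlee|FR|2025-03-04T14:05:00|2025-03-04T08:30:00",
    "vpn|contractor7|US|2025-03-05T01:15:00|2024-12-20T11:00:00",
]


def parse_login(line):
    """Split one pipe-delimited record into a dict with parsed timestamps."""
    service, user, country, ts, prev = line.split("|")
    return {"service": service, "user": user, "country": country,
            "when": datetime.fromisoformat(ts), "prev": datetime.fromisoformat(prev)}


def score_login(rec):
    """Return (score, reasons); geography and dormancy weigh more than timing alone."""
    score, reasons = 0, []
    if rec["country"] not in EXPECTED_COUNTRIES:
        reasons.append(f"login from unexpected country {rec['country']}")
        score += 2
    if rec["when"].hour not in BUSINESS_HOURS:
        reasons.append(f"off-hours login at {rec['when']:%H:%M}")
        score += 1
    gap = rec["when"] - rec["prev"]
    if gap > STALE_AFTER:
        reasons.append(f"account dormant for {gap.days} days before this login")
        score += 2
    return score, reasons


def triage(lines, threshold=3):
    """Return records scoring at or above threshold, highest score first."""
    hits = []
    for line in lines:
        rec = parse_login(line)
        score, reasons = score_login(rec)
        if score >= threshold:
            hits.append({"user": rec["user"], "service": rec["service"],
                         "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGINS):
        print(hit["score"], hit["service"], hit["user"], "; ".join(hit["reasons"]))
```

A single off-hours login scores 1 and never reaches the threshold on its own; the combination of a foreign source and a long-dormant account is what pushes a record to the top of the queue.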


    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.


  • Why SNMPv1 and v2c Put Your Network at Risk (and Why You Should Upgrade)

    The Simple Network Management Protocol (SNMP) has long been the backbone of network monitoring. Routers, switches, servers, and even printers rely on SNMP to relay information about performance, status, and availability to a central monitoring system. This setup makes life easier for administrators, allowing for automated discovery, mapping, and alerts across the network.

    However, the protocol was designed in a time when perimeter defenses were considered sufficient. That assumption no longer holds true. Today, SNMP, particularly in its earlier versions, is a potential entry point for attackers. Understanding the weaknesses of SNMP, how it can be exploited, and what steps can be taken to mitigate risk is essential for modern network security.


    How SNMP Works and Where the Risks Begin

    SNMP relies on an agent embedded in each device and a manager that issues requests. The manager sends Get requests that contain a community string, which serves as an identifier or password. The agent reads the requested values from the device and returns them to the manager for monitoring.

    The problem arises because in SNMPv1 and SNMPv2c, community strings are transmitted in plain text. Attackers can intercept them with a packet sniffer, steal credentials, and then either eavesdrop or make unauthorized changes to devices. From there, they can escalate into denial-of-service attacks or even command injection on vulnerable systems.


    Versions of SNMP: Strengths and Weaknesses

    • SNMPv1: The original version, simple to deploy but protected only by a community string that is visible in plain text.
    • SNMPv2c: Added 64-bit counters and improved error handling but still left community strings exposed without encryption.
    • SNMPv3: Introduced authentication, encryption, and better access control. This version significantly improves security, although it is more complex to configure and maintain.

    Documented Vulnerabilities and Exploits

    The risks of older SNMP versions are well documented in the CVE database. A few examples include:

    • CVE-2002-0012 and CVE-2002-0013: Exploitable flaws in SNMPv1 that allow attackers to flood targets with requests, leading to denial-of-service or privilege escalation.
    • Command Injection Attacks: Certain GE Industrial Solutions UPS adapters and older Symantec Web Gateway versions with outdated firmware allow remote command execution through SNMP-enabled services.

    Even SNMPv3 has known issues. Researchers have demonstrated that its discovery mechanism can be manipulated to weaken encryption and authentication if not properly configured.


    How Attackers Exploit SNMP

    Attackers often scan for SNMP services, particularly on UDP ports 161 and 162. Tools like Nmap can brute-force community strings and quickly identify weakly configured devices. Once inside, attackers can flood networks with requests, change configurations, or passively intercept communications to extract sensitive information.


    Best Practices to Secure SNMP

    Securing SNMP does not mean abandoning it. It means configuring it carefully and minimizing exposure. Some best practices include:

    1. Disable SNMP on hosts where it is not required.
    2. Replace default community strings like “public” and “private” with strong, unique values.
    3. Restrict access using Access Control Lists (ACLs).
    4. Block or monitor ports 161 and 162 at the firewall.
    5. Use read-only mode whenever possible.
    6. Regularly update firmware and software.
    7. Adopt SNMPv3 and configure it with encryption and authentication.
    8. Avoid using NoAuthNoPriv mode, which neither authenticates nor encrypts transmissions.
    9. Limit access to specific OIDs and performance data using SNMP views.
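    To make the plaintext community string problem described above concrete, and to check for practices 2 and 8 (default community strings, NoAuthNoPriv) in captured traffic, here is an added example that is not code from the article: a minimal BER walker that reads the version, the community string of v1/v2c messages and the msgFlags of v3 messages from a datagram. The sample datagrams are constructed inline, not captured traffic.

```python
"""Flag legacy SNMP versions, default community strings and unprotected v3.

Added example, not code from the article. Only the fields needed for the
checks are decoded; the sample datagrams below are constructed.
"""
DEFAULT_COMMUNITIES = {"public", "private"}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram):
    """Describe one SNMP datagram and list the security findings for it."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    _, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")     # 0 = v1, 1 = v2c, 3 = v3
    findings = []
    if version in (0, 1):
        name = "v1" if version == 0 else "v2c"
        _, community, _ = _read_tlv(body, pos)
        community = community.decode("ascii", "replace")
        findings.append(f"{name}: community string {community!r} sent in plaintext")
        if community in DEFAULT_COMMUNITIES:
            findings.append("default community string in use")
        return {"version": name, "community": community, "findings": findings}
    if version == 3:
        _, gdata, _ = _read_tlv(body, pos)   # msgGlobalData SEQUENCE
        q = 0
        for _ in range(2):                   # skip msgID and msgMaxSize
            _, _, q = _read_tlv(gdata, q)
        _, flags, _ = _read_tlv(gdata, q)    # msgFlags: bit0 = auth, bit1 = priv
        auth, priv = bool(flags[0] & 0x01), bool(flags[0] & 0x02)
        if not auth:
            level = "noAuthNoPriv"
            findings.append("v3 noAuthNoPriv: neither authenticated nor encrypted")
        elif not priv:
            level = "authNoPriv"
            findings.append("v3 authNoPriv: authenticated but not encrypted")
        else:
            level = "authPriv"
        return {"version": "v3", "level": level, "findings": findings}
    raise ValueError(f"unsupported SNMP version field {version}")


# --- constructed sample datagrams (short-form BER is enough at these sizes) ---
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value


def _int(v):  # small non-negative INTEGERs only; no sign padding needed here
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big"))


SYSDESCR0 = _tlv(0x06, bytes.fromhex("2b06010201010100"))  # OID 1.3.6.1.2.1.1.1.0
GET_PDU = _tlv(0xA0, _int(1) + _int(0) + _int(0)              # request-id, error-status, error-index
               + _tlv(0x30, _tlv(0x30, SYSDESCR0 + b"\x05\x00")))
V2C_PUBLIC = _tlv(0x30, _int(1) + _tlv(0x04, b"public") + GET_PDU)
V3_NOAUTH = _tlv(0x30, _int(3) + _tlv(0x30, _int(7) + _int(1500) + _tlv(0x04, b"\x04") + _int(3))
                 + _tlv(0x04, b"") + _tlv(0x30, _tlv(0x04, b"") + _tlv(0x04, b"") + GET_PDU))
V3_AUTHPRIV = _tlv(0x30, _int(3) + _tlv(0x30, _int(8) + _int(1500) + _tlv(0x04, b"\x07") + _int(3))
                   + _tlv(0x04, b"") + _tlv(0x04, b"\x00" * 16))  # stand-in for encrypted ScopedPDU

if __name__ == "__main__":
    for sample in (V2C_PUBLIC, V3_NOAUTH, V3_AUTHPRIV):
        print(inspect_snmp(sample))
```

The v2c sample yields the community string directly from the bytes, which is all a sniffer on the path needs; the v3 authPriv sample yields only the msgFlags, and its PDU stays opaque.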

    Are SNMP Vulnerabilities Still a Threat?

    Yes. Even though ransomware and phishing dominate the headlines, SNMP misconfigurations can still lead to serious data leaks or costly downtime. Attackers continue to exploit legacy systems and overlooked services. Given that downtime can cost thousands of dollars per minute, it is risky to ignore SNMP security.


    Conclusion: Choose SNMPv3, Harden Configurations

    SNMP remains an indispensable tool for administrators. Versions 1 and 2c are outdated and insecure, and should no longer be used. SNMPv3 is the most secure option available, but it requires careful setup. With proper configuration, authentication, and encryption, organizations can significantly reduce the risk of SNMP-based attacks while still benefiting from its monitoring capabilities.


    How Netizen Can Help

    Netizen specializes in helping organizations address vulnerabilities like those found in SNMP environments. Our team performs detailed security assessments and pre-assessments to identify gaps in network security configurations and highlight misconfigurations before attackers exploit them. By aligning your SNMP setup with industry best practices, we help you reduce the risk of downtime, unauthorized access, and data exposure.

    Netizen is a Service-Disabled Veteran-Owned Small Business with ISO 27001, ISO 20000-1, ISO 9001, and CMMI Level III certifications. We operate a 24×7 Security Operations Center and provide advisory services to organizations across defense, government, and commercial sectors. If your business relies on network monitoring tools, our experts can help ensure they are properly secured, updated, and configured to withstand today’s threats.

    Looking to strengthen your defenses and prevent overlooked vulnerabilities from becoming serious problems? Start the conversation with Netizen today.


  • Building Strong Compliance Management Systems with ISO 37301

    ISO 37301 is an international Type A management system standard that sets requirements and provides guidance for establishing, implementing, and improving a compliance management system (CMS). A CMS gives organizations a structured approach to meeting both mandatory obligations, such as laws, regulations, and licenses, and voluntary commitments, including internal policies, codes of conduct, and industry standards.

    The standard applies to organizations of all sizes and sectors. It is built on principles of integrity, good governance, transparency, accountability, proportionality, and sustainability. Since ISO 37301 follows the ISO High-Level Structure (HLS), it can operate as a standalone framework or integrate smoothly with other standards such as ISO 27001 for information security or ISO 9001 for quality management.


    How It Differs from ISO 19600

    In 2014, ISO released ISO 19600, a guideline for compliance management systems. ISO 37301 builds on that foundation by adding the option of third-party certification. This makes compliance efforts auditable and verifiable, providing stronger credibility. Organizations that previously followed ISO 19600 already have a head start toward alignment with ISO 37301.


    Why It Matters for Organizations

    Adhering to compliance obligations is no longer a choice but a necessity for organizations that want sustainable growth and resilience. ISO 37301 equips leadership with policies, processes, and controls that help detect, prevent, and respond to noncompliance. By adopting it, organizations demonstrate diligence to regulators and business partners, protect their reputation, and reduce exposure to legal and financial penalties.


    Key Features

    ISO 37301 emphasizes leadership commitment, requiring governing bodies and executives to set the tone for compliance through clear policies, resource allocation, and visible support. It is risk-based, meaning organizations must identify and manage compliance risks as part of normal business planning. The standard also requires competence and awareness at all levels so that compliance is not just a function of policy but part of organizational culture. Continuous evaluation and improvement are built in, ensuring the CMS evolves as regulations and operations change.


    Training and Certification

    Individuals can pursue training to strengthen their role in compliance management. Options include foundation courses for entry-level staff, lead implementer training for professionals responsible for designing and rolling out a CMS, and lead auditor training for those conducting independent assessments. Specialized courses also exist for those transitioning from ISO 19600 or seeking introductory knowledge.


    Benefits of Implementation

    Organizations adopting ISO 37301 gain the ability to undergo independent certification, build a compliance culture that demonstrates accountability, and strengthen relationships with regulators and partners. They are better positioned to prevent legal violations, protect customer trust, and maintain long-term sustainability. By documenting compliance policies and ensuring staff understand their roles, organizations create a strong framework that can withstand scrutiny and adapt to change.




  • Turning Human Error Into Human Defense

    Phishing remains the single most persistent attack vector in cybersecurity. Despite two decades of progress in technical defenses, attackers continue to bypass firewalls, endpoint protections, and advanced monitoring tools by exploiting the one constant across every organization: people.

    Recent research, including Verizon’s Data Breach Investigations Report, shows that roughly 60% of breaches involve human factors such as clicking a malicious link or opening an infected attachment. Add to this another 20% to 30% linked to credential reuse, and the picture becomes clear: the vast majority of intrusions succeed because of human behavior, not because of unpatched software alone.


    The Human Element at the Core of Cyber Risk

    Phishing is no longer confined to crude “Nigerian prince” scams. Threat actors today are highly skilled at exploiting trust, urgency, and authority. Especially with the advent of AI, their lures are hyper-personalized, drawing on data scraped from social media, corporate directories, or past breaches. They extend far beyond email, with SMS-based smishing and phone-based vishing becoming increasingly common. Attackers also time campaigns to coincide with global events, financial anxieties, or even corporate announcements, amplifying the chances of success.

    At the higher end of the spectrum, Business Email Compromise (BEC) attacks now use detailed impersonation of executives, vendors, or partners. These schemes often bypass technical controls because they appear entirely legitimate until the financial loss is already complete.


    Industry-Specific Exposure

    Attackers adjust their tactics depending on the industry. In healthcare and education, the combination of diverse users and high-pressure environments makes organizations particularly prone to mistakes. In finance and professional services, attackers mimic legitimate client requests to trigger unauthorized fund transfers. In critical infrastructure and manufacturing, phishing campaigns are tailored to disrupt operations or steal valuable intellectual property.

    No sector is immune, but industries with high-value data or complex supply chains present especially tempting targets.


    Building a Human-Centric Defense

    Addressing human risk does not mean blaming employees. Instead, it requires creating conditions that make secure behavior easier and second nature. Organizations can build resilience through:

    • Security awareness training that is frequent, relevant, and interactive. Outdated annual training must be replaced by micro-learning, simulations, and role-specific content that evolves alongside threat tactics.
    • Phishing simulations that provide real-world practice. These tests should be designed as educational opportunities, giving immediate feedback rather than punishing mistakes.
    • Encouraging reporting by building a culture where employees feel comfortable flagging suspicious emails or messages without fear of retribution. Every reported phishing attempt is one less chance for attackers to succeed.
    • Layered technical defenses including AI-driven email security, multifactor authentication, zero trust architectures, password managers, and web filtering. While people remain the target, these technologies act as critical safeguards when mistakes happen.
    • Visible leadership support where executives not only mandate security initiatives but also model good behavior and reinforce that cybersecurity is a business priority, not just an IT concern.

    From Weakness to Strength

    A strong security culture depends on both people and technology working together, and that is where Netizen can help. Our team specializes in building environments where employees are supported by clear policies, meaningful training, and advanced monitoring solutions that reduce the chances of human mistakes becoming costly breaches.

    From our 24x7x365 Security Operations Center to services like CISO-as-a-Service, penetration testing, and compliance support, Netizen provides organizations with the tools, expertise, and guidance to make people part of the defense, not the weakness. For agencies and businesses in highly regulated industries, we bring proven experience in strengthening resilience and aligning with frameworks that emphasize human factors as much as technical safeguards.

    Your employees are already your first line of defense; Netizen helps ensure they are also your strongest. Start the conversation with us today and see how we can help turn your human error into human defense.