The U.S. Justice Department has recently taken significant action against North Korean schemes involving IT workers infiltrating U.S. companies. These operations, which have persisted for several years, are part of a coordinated effort to exploit remote work opportunities for the North Korean regime’s benefit.
The Indictments Exposed
The recent indictments included charges against Chinese, Taiwanese, and even a U.S. citizen, Zhenxing “Danny” Wang of New Jersey. Wang, who was arrested, allegedly helped facilitate remote IT work at over 100 U.S. companies, including many Fortune 500 firms. From 2021 to 2024, the conspirators used compromised U.S. identities and shell companies to create the illusion of legitimate employment for North Korean IT workers. They exploited these fake identities to access U.S. laptops, enabling the remote workers to carry out IT tasks and avoid detection. The facilitators received almost $700,000 for their efforts, while the damage to the companies and the U.S. government was far greater, including over $3 million in legal fees and network remediation costs.
One particularly alarming aspect of the scheme was a North Korean IT worker gaining access to sensitive employer data, including source code related to AI technology used by a U.S. defense contractor. This raises serious concerns about national security risks and the potential for espionage via these cyberattacks.
In addition to these actions, the Justice Department indicted four North Korean nationals accused of stealing $900,000 in virtual currency through a scheme targeting blockchain research companies. They operated from the UAE, coordinating with firms in Atlanta and Serbia, before laundering the stolen funds.
Searches, Seizures, and Financial Actions Taken
In a show of force against these coordinated operations, U.S. authorities conducted searches of 29 known or suspected “laptop farms” across 16 states. These facilities were believed to be used as hiding spots for remote North Korean IT workers, evading identification and tracing efforts. The Justice Department also seized 29 financial accounts linked to laundering the illicit funds from the first scheme, as well as 21 fraudulent websites involved in the operation.
Leah Foley, U.S. Attorney for the District of Massachusetts, warned, “The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies.” Foley’s comments underline the critical need for continued vigilance in cybersecurity.
Microsoft Takes Action: Suspended Accounts and Ongoing Monitoring
In response to the growing threat, Microsoft disclosed that it had suspended 3,000 consumer-grade Outlook and Hotmail accounts linked to suspected North Korean IT worker schemes. The company also alerted affected customers via Microsoft Entra ID Protection and Microsoft Defender XDR. Microsoft tracks this activity under the names Jasper Sleet (formerly known as Storm-0287), Storm-1877, and Moonstone Sleet, as the threat actors continue to target organizations worldwide.
Microsoft’s observations reveal a troubling trend where facilitators—often outside of North Korea—play a crucial role in validating fraudulent identities. These individuals manage logistics such as forwarding company hardware and creating profiles on freelance job websites to maintain the ruse of legitimate employment. As part of this process, workers are trained to use VPNs, proxy services, and remote management tools (RMM) to connect to devices housed in laptop farms located in countries where they can avoid detection.
AI and Technology in North Korean Fraud
As technology evolves, so do the tactics of cybercriminals. North Korean hackers are increasingly leveraging artificial intelligence (AI) to improve the efficacy of their fraudulent schemes. AI tools are used to refine fake resumes, manipulate worker images, and even generate convincing voice recordings. This innovation in social engineering tactics makes it even harder for companies to detect fraudulent activity and verify the authenticity of remote workers.
Microsoft explained that these state-backed fraudsters utilize AI to enhance their capabilities, making their attacks more sophisticated and convincing. From generating realistic resumes to altering digital identities, AI has become a crucial part of North Korea’s strategy to infiltrate the global workforce and target critical U.S. businesses.
Protecting Against North Korean IT Worker Schemes
The increasing sophistication of North Korean cyberattacks demands comprehensive security measures for businesses. Microsoft has compiled a list of investigation, monitoring, and remediation recommendations to help organizations protect themselves from these types of social engineering and IT worker infiltration.
For businesses operating in sectors where IT outsourcing or remote work is common, it is crucial to verify the identities of remote workers carefully. Enhanced monitoring of logins and network activity, along with strict authentication protocols, can prevent unauthorized access. Additionally, companies must ensure their cybersecurity teams are aware of the latest tactics and tools used by these threat actors, including VPNs, RMM tools, and AI-driven identity manipulation.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
In recent months, a surge in social engineering techniques has raised alarms across cybersecurity communities. Among these methods, ClickFix has gained attention as a relatively simple but highly effective way to exploit unsuspecting users. If you’re not familiar with ClickFix, it’s a social engineering attack that prompts users to unknowingly execute malicious commands, typically using the Windows Run Dialog (Windows Key + R). While this technique has been surprisingly successful, it heavily relies on the Run Dialog, which some might argue is too basic or impractical. But the effectiveness of ClickFix cannot be denied.
However, as cybersecurity experts continue to adapt to new threats, one researcher decided to explore an alternative method to achieve similar results without relying on the traditional Run Dialog. Enter FileFix, a clever variation of ClickFix that bypasses some of the browser’s restrictions and manipulates users into executing OS commands—without ever leaving their browser window.
What is FileFix?
The idea behind the FileFix attack is simple yet innovative. It takes advantage of a common functionality in most browsers—the file upload feature. Users are familiar with file uploads: clicking an “Upload” button, browsing to a file, and then selecting it for upload. This functionality is found everywhere, from job application portals to online email clients, making it a well-understood feature. But what many don’t realize is that the File Explorer Address Bar (the place where users usually type or paste file paths) can also be used to execute OS commands. This particular feature is typically ignored by browsers, which makes it an effective target for social engineering.
In this method, an attacker can convince a user to open File Explorer through a file upload button and paste a maliciously crafted command into the address bar. The command will then execute without the user’s knowledge, potentially giving the attacker access to the system. The attacker can hide their malicious code behind what appears to be a harmless file path, such as C:\company\internal-secure\filedrive\HRPolicy.docx, while in reality, the path is appended with a PowerShell command, like:
The attack takes advantage of a feature that many users aren’t aware of and could be incredibly difficult to detect using conventional security tools.
How Does FileFix Work?
The attack begins by creating a phishing page that prompts the user to interact with a file path. The phishing page will include an “Open File Explorer” button that, when clicked, triggers the File Explorer window to open. It also copies the malicious PowerShell command to the clipboard. When the user pastes the file path into File Explorer’s address bar, the command executes, and the attacker gains access.
Here’s the step-by-step breakdown:
User interaction: The attacker’s phishing page asks the user to open File Explorer and enter a file path.
Command hidden in plain sight: The file path is designed to look legitimate (e.g., C:\company\internal-secure\filedrive\HRPolicy.docx), but it secretly contains a PowerShell command after the file path (such as a command to ping an external server).
Execution through File Explorer: When the user pastes the path into the address bar and presses enter, the OS command executes, allowing the attacker to gain access to the system.
Blocking File Selection
An interesting part of the FileFix attack is the user’s ability to accidentally or intentionally select a file for upload, which could complicate matters for the attacker. However, in this case, the attacker has anticipated this by adding a script that blocks the file upload event. If the user selects a file, the attacker’s code will alert the user, clear the file input, and force the File Explorer window to reopen, thus ensuring the user doesn’t deviate from the intended steps.
Here’s the code snippet that blocks the file selection:
One critical aspect of the FileFix attack is that File Explorer can be used to execute commands without triggering security alerts in some cases. While this isn’t an entirely new concept, it’s certainly a new and creative way to leverage a well-known feature in a way that hasn’t been exploited as extensively before.
For instance, an attacker might attempt to download an executable file (such as payload.exe), copy its location to the clipboard, and then prompt the user to execute the command from the File Explorer address bar. This removes the “Mark of the Web” (MOTW) attribute that would usually appear for files downloaded from untrusted sources, making it more difficult for security tools to detect the file as malicious.
The Risks of FileFix
FileFix, much like ClickFix, is an attack that relies on social engineering. The attacker has to convince the user to follow seemingly innocent steps, such as opening File Explorer and pasting a file path. However, the attack could be much more effective if combined with other methods, such as phishing or malware delivery.
While this technique might seem fairly basic at first glance, its simplicity makes it a potent weapon in the arsenal of cybercriminals. And because it takes advantage of browser functionality that is generally trusted, it could bypass some of the security controls we commonly expect to be in place.
Mitigating the FileFix Attack
While there’s no foolproof way to prevent all social engineering attacks, there are some steps that can help minimize the risk of falling victim to FileFix:
Educate Users: Make sure employees or users understand the dangers of clicking on suspicious links or interacting with unknown websites. Cybersecurity training should include awareness of phishing tactics and how to recognize suspicious behavior.
Endpoint Security: Always ensure that endpoint protection tools are in place to detect and block malicious activities. These tools should be capable of recognizing suspicious PowerShell scripts or other abnormal processes running on a machine.
Monitor Suspicious Activities: Regularly monitor systems for unusual activity, especially with respect to File Explorer, browser behavior, and any attempts to execute commands outside of normal user activity.
Limit File Explorer Usage: Limit user access to File Explorer or restrict the use of browser-based file upload functionality to prevent unintended execution of commands.
Browser Configuration: Configure browsers to block or restrict the use of the File Explorer address bar for executing OS commands, and disable features that could be used for similar attacks.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack
APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine
How can Netizen help?
Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack
On June 30, 2025, cybersecurity experts reported that more than 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online remain unpatched against a critical vulnerability, CVE-2025-5777, which is believed to be actively exploited. This flaw, referred to as “Citrix Bleed 2,” allows threat actors to bypass authentication mechanisms and hijack user sessions by exploiting an out-of-bounds memory read vulnerability caused by insufficient input validation. Successful exploitation of this vulnerability could lead to attackers stealing session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, granting them access to restricted memory regions and enabling them to bypass multi-factor authentication (MFA).
Citrix previously experienced a similar issue, “CitrixBleed,” which was exploited in ransomware attacks in 2023, targeting government organizations and moving laterally across compromised networks. The newly discovered vulnerability, CVE-2025-5777, is of critical severity, and Citrix issued an advisory on June 17, 2025, urging customers to upgrade their appliances and terminate all active ICA and PCoIP sessions to block potential attacks.
Although Citrix has not yet confirmed public exploitation of CVE-2025-5777, security researchers from ReliaQuest assessed with medium confidence that the vulnerability is actively being exploited in targeted attacks. These attacks have shown indicators of post-exploitation activity, including hijacked Citrix web sessions, MFA bypass attempts, and suspicious LDAP queries linked to Active Directory reconnaissance. Additionally, security analysts from the Shadowserver Foundation discovered that over 2,100 Citrix NetScaler appliances were also unpatched against another critical vulnerability, CVE-2025-6543, which is currently being exploited in denial-of-service (DoS) attacks.
Both CVE-2025-5777 and CVE-2025-6543 are classified as critical severity vulnerabilities, prompting cybersecurity experts to advise administrators to immediately deploy the latest patches from Citrix to mitigate potential risks. Companies are also encouraged to review access controls and monitor their Citrix NetScaler appliances for unusual user sessions and activities to prevent further exploitation.
APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about a new cyber attack campaign carried out by the Russian-linked APT28 (also known as UAC-0001) threat group. This campaign utilizes Signal chat messages to distribute two previously undetected malware families, BEARDSHELL and COVENANT, targeting Ukrainian entities.
According to CERT-UA, BEARDSHELL is a C++-based malware that allows threat actors to download and execute PowerShell scripts. The malware also enables the upload of results back to a remote server via the Icedrive API. The malware first appeared in March-April 2024 during incident response efforts on a Windows machine. At the time, the exact infection method was unknown, but recent intelligence from ESET linked the malware to a breach of a “gov.ua” email account, likely indicating government-targeted attacks.
Further investigation led to the discovery of the malware framework COVENANT, which operates as part of a multi-layered attack. In the campaign, APT28 is using Signal messages to send malicious macro-laden Microsoft Word documents. These documents, when opened, deploy two payloads: a malicious DLL (“ctec.dll”) and a PNG image (“windows.png”). The embedded macro also makes Windows Registry changes to ensure the DLL is loaded when Windows File Explorer is next launched. The primary function of the DLL is to execute shellcode embedded in the PNG, triggering the COVENANT framework to execute.
COVENANT subsequently downloads two additional payloads that facilitate the execution of the BEARDSHELL backdoor on compromised systems. The BEARDSHELL backdoor provides persistent access to the infected systems, allowing threat actors to maintain long-term control.
The malware is delivered via Signal chat, exploiting the Signal app’s ability to distribute files securely, making the attack harder to trace. For those defending against this threat, CERT-UA recommends monitoring network traffic associated with domains like “app.koofr[.]net” and “api.icedrive[.]net,” which are used for communication with the malware’s command-and-control servers.
In parallel to this malware campaign, APT28 has been targeting outdated versions of the Roundcube webmail software used in Ukrainian organizations. Exploiting vulnerabilities like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641, APT28 is delivering malicious JavaScript payloads through phishing emails. These emails disguise themselves as news articles but, once opened, exploit the vulnerabilities to execute arbitrary JavaScript, exfiltrate user data, and install further malware on the victim’s system.
One of the scripts, “e.js,” creates a mailbox rule to redirect incoming emails to a third-party address, while exfiltrating session cookies and the victim’s address book. The second, “q.js,” exploits an SQL injection vulnerability in Roundcube to extract information from the Roundcube database. A third file, “c.js,” exploits another vulnerability to execute arbitrary commands on the mail server.
These vulnerabilities were leveraged in phishing emails sent to over 40 Ukrainian organizations, highlighting the group’s persistence and evolving tactics. CERT-UA continues to monitor these activities and urges organizations to patch vulnerabilities, implement robust email security filters, and monitor network traffic for any signs of compromise.
To defend against these threats, CERT-UA advises organizations to:
Ensure all systems are up to date with the latest patches.
Disable macros in Microsoft Word and other Office applications.
Monitor network traffic for unusual activity related to Icedrive and Koofr domains.
Regularly audit email systems for signs of compromise, particularly for suspicious redirection or exfiltration activity.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from June that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2024-54085
CVE-2024-54085 describes a critical authentication bypass vulnerability affecting American Megatrends International’s (AMI) SPx firmware, specifically within the Baseboard Management Controller (BMC). This flaw allows a remote attacker to bypass authentication mechanisms when interfacing through the Redfish Host Interface, enabling unauthorized access without user interaction or credentials. The vulnerability affects systems using AMI’s MegaRAC SPx firmware—commonly integrated into servers for out-of-band management—which magnifies its potential impact across enterprise environments and data centers.
The attack vector is particularly dangerous due to its placement at the firmware level. By abusing the Redfish API exposed by the BMC, an attacker can gain privileged access to critical server management functions. This includes the ability to issue power controls, flash firmware, or even wipe or reconfigure the host system remotely. Exploiting this interface requires no local access, no authentication, and no user interaction—only network reachability. As a result, the vulnerability poses a direct threat to the confidentiality, integrity, and availability of affected systems.
Reports published in June 2025 indicate that this flaw is being actively exploited in the wild. Attackers have used it to deploy destructive malware capable of bricking servers or persisting stealthily within BMC firmware. According to CISA and Eclypsium, exploitation campaigns have targeted thousands of vulnerable devices globally, and widespread scanning for exposed Redfish interfaces has been observed.
The vulnerability was officially assigned CVE-2024-54085 and carries maximum severity scores across CVSS v2 (10.0), v3.1 (9.8), and v4.0 (10.0), underscoring the total system compromise potential. Organizations with exposed or internet-facing BMC interfaces—especially those running outdated AMI SPx firmware—should prioritize patching and segmenting their management networks. Updates and mitigation guidance have been made available through vendors such as NetApp and advisories from national cybersecurity agencies. Given the nature of the vulnerability, immediate action is required to prevent exploitation and irreversible damage to critical infrastructure.
CVE-2025-6543
CVE-2025-6543, widely dubbed “Citrix Bleed 2,” is a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway appliances. The flaw emerges when these appliances are configured in Gateway mode—specifically as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server. When exploited, it leads to unintended control flow and Denial of Service (DoS), allowing an unauthenticated attacker to crash affected services or cause unpredictable behavior.
This vulnerability was confirmed to be exploited as a zero-day prior to public disclosure. Its addition to CISA’s Known Exploited Vulnerabilities catalog and the subsequent emergency advisories from vendors and government agencies signal that threat actors moved quickly to abuse the flaw in the wild. Reports from June 2025 document the use of this bug in denial-of-service attacks targeting enterprise gateway infrastructure. The potential for remote exploitation without prior authentication makes it particularly attractive for both disruption campaigns and access footholds, depending on how it’s chained with other weaknesses.
While the CVSS v2 score appears moderate at 5.0 due to limited immediate impact on confidentiality and integrity, the CVSS v3 score is 7.5 and the CVSS v4 score reaches 9.2—highlighting how newer scoring systems better reflect real-world risks associated with denial-of-service on critical edge infrastructure. The low CVSSv2 score fails to capture the severity of an attack that can render VPN and remote access services unusable during business hours, or which could serve as a stepping stone in more complex intrusion paths.
Administrators running affected Citrix NetScaler versions are strongly urged to apply the emergency patches issued by Citrix and verify that public-facing services are not vulnerable. Beyond patching, affected organizations should review VPN and gateway logs for signs of repeated crashes or traffic anomalies beginning in mid-June 2025, which may indicate early-stage exploitation attempts or reconnaissance.
CVE-2024-0769
CVE-2024-0769 describes a critical path traversal vulnerability discovered in D-Link’s DIR-859 wireless router, version 1.06B01. The flaw lies in the HTTP POST request handler at the endpoint /hedwig.cgi, where the service parameter can be manipulated to perform directory traversal. By passing crafted input such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml, an unauthenticated remote attacker can access configuration files not intended to be publicly exposed, leading to unauthorized disclosure of sensitive system information.
The issue stems from a failure to properly sanitize input within the POST request handler. This allows external actors to bypass expected restrictions and reach arbitrary files within the router’s internal file system. The attacker does not require any special privileges or user interaction to exploit this flaw, and the attack can be conducted entirely over the network. Proof-of-concept code was made public and has been observed in use, suggesting this is an active risk for any remaining DIR-859 units still online.
This vulnerability is especially concerning due to the fact that the DIR-859 has reached end-of-life status. D-Link confirmed the device is no longer supported, meaning no firmware updates or patches will be released. As such, affected systems will remain perpetually vulnerable. Despite the CVSS v2 score being reported as only 5.0—likely due to its limited immediate impact on availability or integrity—the CVSS v3.1 score of 9.8 accurately reflects the true risk, as the flaw enables full remote file disclosure and potentially facilitates follow-on attacks.
The issue was published in January 2024 but updated in June 2025 after further analysis and public exploit activity. Due to its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog and a high EPSS probability of exploitation, it is strongly recommended that users immediately decommission any exposed DIR-859 units. Replacement with actively supported hardware and isolation of outdated equipment from public networks should be prioritized to prevent compromise.
CVE-2019-6693
CVE-2019-6693 describes a cryptographic weakness present in certain versions of Fortinet’s FortiOS operating system, which is used across a variety of the company’s security appliances. The flaw results from the use of a hard-coded cryptographic key to encrypt sensitive information in configuration backup files. An attacker who obtains such a backup—either through access to a compromised system or a leaked file—could decrypt portions of the content without needing to brute force or guess passwords, since the cipher key is static and known.
The exposed information includes user account passwords (excluding the administrator password), passphrases used to protect private keys, and any High Availability (HA) configuration passwords, if set. Because the administrator password is exempt, the immediate risk of full system takeover from decrypting the file is somewhat reduced; however, the remaining credentials may still allow lateral movement, access to protected services, or reconstruction of internal secrets—especially in environments with poor account segmentation or where users share credentials across systems.
Although this vulnerability was originally published in 2019, it was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025, indicating that it remains a viable attack vector in real-world scenarios. The renewed interest likely stems from threat actors targeting backup files exfiltrated through other means, then decoding them using the now-public encryption key. The CVSS v3.1 score of 6.5 reflects the fact that the issue requires prior access to the backup file and does not permit direct execution or privilege escalation on its own.
Nonetheless, organizations that maintain FortiOS appliances should audit their backup file storage and transfer mechanisms, implement encrypted transport layers and secure storage practices, and ensure they are not relying on outdated backup formats. Wherever possible, administrators should move to newer versions of FortiOS that remediate this flaw and remove reliance on insecure static key usage in cryptographic processes.
CVE-2025-5419
CVE-2025-5419 describes a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome, prior to version 137.0.7151.68. The flaw stems from an out-of-bounds read and write condition that can be triggered through a crafted HTML page, potentially leading to heap corruption. This kind of memory error allows attackers to manipulate the memory layout of the running process, which can result in remote code execution under the context of the browser.
The vulnerability is notable for its low attack complexity and lack of user privileges required to exploit it. While user interaction is necessary (typically in the form of visiting a malicious web page), once triggered, the flaw can allow attackers to execute arbitrary code, access sensitive information, or crash the browser. It is particularly dangerous in targeted phishing or watering hole campaigns where crafted JavaScript payloads are embedded in compromised or maliciously hosted sites.
The CVSS v3 score of 8.8 reflects the severity of the potential impact on confidentiality, integrity, and availability, despite requiring user interaction. The older CVSS v2 system rates this flaw at a full 10.0, capturing the remote exploitation potential with no authentication needed. This disparity highlights the limitations of scoring systems when evaluating browser-based exploitation chains involving memory corruption.
This vulnerability was confirmed to have been exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025. It is part of an ongoing pattern of attackers targeting the V8 engine, often chaining JavaScript engine flaws with sandbox escapes or privilege escalation vulnerabilities to compromise host systems. Organizations using Google Chrome in sensitive environments should prioritize updates to patched versions and consider implementing browser isolation or application sandboxing to reduce the risk from future JavaScript engine vulnerabilities.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Iranian Hackers Maintain Long-Term Access to Middle East CNI via VPN Exploits and Malware
Citrix Bleed 2 and SAP GUI Flaws: Critical Vulnerabilities Expose Sensitive Data
How can Netizen help?
Phish Tale of the Week
Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that our Coinbase account was logged in from Belgium, and we need to call support. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.
Here’s how we can tell not to fall for this phish:
The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I do not have a Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
The second warning signs in this email is the messaging. This message tries to create a sense of urgency in order to get you to take action by using language such as “logging in from Belgium.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
The final warning sign for this email is the wording; in our case the smisher suggests we call a random number, something that Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.
General Recommendations:
A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
Iranian Hackers Maintain Long-Term Access to Middle East CNI via VPN Exploits and Malware
In a report published on May 3, 2025, FortiGuard Incident Response (FGIR) team detailed a significant cyberattack campaign attributed to an Iranian state-sponsored hacker group. This campaign targeted a Middle Eastern Critical National Infrastructure (CNI) entity over a two-year period, from at least May 2023 to February 2025. The attack was marked by extensive espionage and strategic network prepositioning, often used to secure persistent access for future operations.
The threat actor behind the breach has been linked to the Iranian state-sponsored hacking group Lemon Sandstorm (also known as Rubidium, Parisite, Pioneer Kitten, and UNC757). This group has been active since at least 2017 and has targeted multiple sectors across the globe, including aerospace, oil and gas, water, and electricity infrastructure in the U.S., Europe, the Middle East, and Australia. The group’s modus operandi involves exploiting vulnerabilities in VPN technologies and deploying a variety of malware to maintain long-term access.
The cyberattack campaign made use of known vulnerabilities in popular VPN systems, including Fortinet, Pulse Secure, and Palo Alto Networks, to gain initial access to the target’s network. Once inside, the attackers deployed a series of backdoors and malware to maintain persistent access. According to the report, the attack unfolded in multiple stages:
Stage 1 (May 2023 – April 2024): The attackers established their foothold by using stolen login credentials to access the victim’s SSL VPN system. They dropped web shells on public-facing servers and deployed three backdoors—Havoc, HanifNet, and HXLibrary—for long-term access.
Stage 2 (April 2024 – November 2024): The attackers consolidated their access by planting more web shells and deploying an additional backdoor, NeoExpressRAT. The attackers used tools such as Plink and Ngrok to move deeper into the network, exfiltrating sensitive emails and conducting lateral movements to the virtualization infrastructure.
Stage 3 (November 2024 – December 2024): After the victim took containment measures, the attackers responded by deploying additional web shells and backdoors, including MeshCentral Agent and SystemBC.
Stage 4 (December 2024 – Present): The attackers attempted to infiltrate the network again by exploiting vulnerabilities in ZKTeco BioTime devices (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952). They also launched spear-phishing attacks targeting 11 employees to harvest Microsoft 365 credentials after the organization successfully removed the adversary’s access.
The attackers used several malware families throughout the intrusion, including both open-source tools and custom-built malware. Notable among them were:
Havoc: A C2 backdoor written in C++ and Golang that was injected into a newly created “cmd.exe” process. Havoc supports various commands to control compromised hosts and uses HTTP, HTTPS, and SMB protocols for communication with the C2 server.
HanifNet: A .NET executable used to retrieve and execute commands from the C2 server. First deployed in August 2023, it helped maintain control over compromised systems.
HXLibrary: A malicious IIS module that retrieves text files from Google Docs to connect to the C2 server. Deployed in October 2023, it was used to execute commands on the infected systems.
NeoExpressRAT: A backdoor deployed in August 2024 that retrieves a configuration from the C2 server, likely using Discord for follow-on communications.
MeshCentral Agent and SystemBC: Deployed as additional backdoors after initial containment efforts, used to maintain access and perform lateral movements within the network.
Other tools included CredInterceptor (for harvesting credentials), RemoteInjector (for loading next-stage payloads), and RecShell (a web shell used for reconnaissance).
A significant aspect of the attack was the targeting of the victim’s restricted Operational Technology (OT) network. While there is no evidence to suggest the OT network was breached, the adversary’s extensive reconnaissance indicates that it was a primary target. The threat actors’ careful, multi-stage exploitation of the network suggests a focused attempt to disrupt OT-adjacent systems that could have led to more severe impacts on the CNI infrastructure.
The attacker’s persistence and ability to avoid detection were notable. The report reveals that throughout the intrusion, the group used multiple proxies and custom implants to bypass network segmentation, a strategy commonly employed to ensure continued access to sensitive systems. In later stages of the attack, the attackers chained together several proxy tools to access internal network segments, demonstrating sophisticated techniques for maintaining long-term access.
In a follow-up report published on June 23, 2025, Fortinet provided additional details about the Havoc C2 framework. This backdoor, written in C++ and Golang, has a modular design that allows for the flexible execution of multiple commands. It supports a variety of functionalities, including process enumeration, lateral movement, and token manipulation. Havoc also enables attackers to inject shellcode into the memory of compromised systems, further enhancing its ability to control infected devices remotely.
Citrix Bleed 2 and SAP GUI Flaws: Critical Vulnerabilities Expose Sensitive Data
Oct 15, 2019 Santa Clara / CA / USA – Citrix offices in Silicon Valley; Citrix Systems, Inc. is an American software company that provides virtualization, networking, SaaS and cloud computing services
Two recently disclosed vulnerabilities—Citrix Bleed 2 and SAP GUI input history flaws—have raised alarms across the cybersecurity industry, putting sensitive data at risk.
Citrix has patched a critical vulnerability in its NetScaler ADC (Application Delivery Controller) and NetScaler Gateway, tracked as CVE-2025-5777. This flaw, rated CVSS 9.3, allows attackers to bypass authentication protections and potentially steal valid session tokens from memory through malformed requests. This vulnerability affects appliances configured as a Gateway or AAA virtual server.
Discovered by security researcher Kevin Beaumont, this flaw shares similarities with CVE-2023-4966, a high-profile vulnerability that resulted in widespread exploitation two years ago. Citrix has already issued patches for affected versions of NetScaler ADC and NetScaler Gateway, with the updates being available for versions 14.1-43.56 and later. The vulnerability also impacts older NetScaler ADC versions (13.1 and 12.1).
To mitigate the risks, Citrix recommends running commands to terminate all active ICA and PCoIP sessions after the patches have been applied. Additionally, users of unsupported versions (12.1 and 13.0) are urged to upgrade to a supported version, as these versions are now end-of-life (EOL) and no longer receive official support.
While there is no evidence that this vulnerability has been weaponized, Benjamin Harris, CEO at watchTowr, emphasized its severity, comparing it to Citrix Bleed, a vulnerability that caused significant damage in previous years. Harris noted that changes in the CVE description suggest that the vulnerability is more critical than initially understood.
In another cybersecurity alert, vulnerabilities discovered in SAP GUI for both Windows and Java have exposed sensitive information stored locally on devices. Tracked as CVE-2025-0055 and CVE-2025-0056, these vulnerabilities involve the insecure storage of SAP GUI input history. This feature, intended to enhance user efficiency by storing past inputs, inadvertently saved sensitive data, such as usernames, social security numbers, bank account numbers, and internal SAP table names, in an insecure manner.
The flaw exists because SAP GUI for Windows uses weak XOR encryption to store input history in SAPHistory.db files, making it easily decryptable. Meanwhile, SAP GUI for Java stores this information unencrypted as Java serialized objects. Both cases present significant risks, as an attacker with access to the victim’s directory could easily retrieve the sensitive data stored in these files.
The vulnerability is particularly dangerous for environments where attackers can gain administrative privileges or access the user directory, allowing them to exfiltrate valuable data. Pathlock researcher Jonathan Stross warned that data exfiltration can occur through USB Rubber Ducky (HID injection attacks) or phishing tactics.
In response, SAP issued patches in its January 2025 updates, addressing the flaws and recommending that organizations disable input history functionality and delete the historical data files to mitigate potential risks.
For Citrix users, upgrading to the latest supported versions is crucial, as CVE-2025-5777 poses a significant risk of session hijacking. Administrators should also follow Citrix’s recommendations to terminate existing sessions as part of the remediation process. For SAP GUI users, securing local machines and deleting unencrypted input history files is necessary to protect sensitive data from unauthorized access.
For detailed guidance on mitigating these vulnerabilities, organizations should consult Citrix and SAP’s official advisories and consider engaging in regular penetration testing and vulnerability scanning to identify and address security gaps in their infrastructure.
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
The Department of Homeland Security issued a National Terrorism Advisory Bulletin (NTAS) on June 22, 2025, warning about cyberattack risks related to recent tensions between the US and Iran. This alert follows U.S. airstrikes on June 21, 2025, which targeted key Iranian nuclear facilities, Fordow, Natanz, and Isfahan, under President Donald Trump’s orders, in an attempt to neutralize what he’s called “the nuclear threat posed by the world’s No. 1 state sponsor of terror.”
The DHS bulletin, set to expire on September 22, 2025, flagged the increased likelihood of low-level cyberattacks against U.S. networks by pro-Iranian hacktivists and potential actions from Iranian government-affiliated actors. “Low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks,” the alert stated.
Iran’s Longstanding Cyber Strategy
The DHS alert emphasized that Iranian-affiliated groups have a long history of targeting poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks, primarily through DDoS attacks. Brian Harrell, former DHS assistant secretary, has also pointed out the increase in Iran’s capabilities. “Iran’s cyber strategy is likely [in] cooperation with Russia, which, given current tensions, could be a real possibility,” Harrell noted, referencing the 2012 Shamoon virus that crippled over 30,000 computers in major energy companies.
In 2024, Iranian-backed cyber actors breached U.S. water infrastructure in response to Israel’s military actions against Iran. The bulletin warned that similar tactics might be used to retaliate against U.S. airstrikes on Iran’s nuclear sites.
Growing Use of Social Engineering
The DHS bulletin also noted Iran’s increasing use of social engineering tactics. Shortly after the U.S. airstrikes, an Iranian hacker group claimed responsibility for a DDoS attack on Trump’s social media platform, Truth Social. This attack, which briefly took the platform offline, followed Trump’s announcement of the strikes on Iran’s nuclear facilities.
Additionally, Iranian-backed groups have utilized artificial intelligence tools for spreading disinformation, as explained in a previous OpenAI blog. The report detailed how Iranian actors used fake news websites to influence U.S. voters during the 2024 election cycle. Although the campaign failed to gain significant traction, it demonstrated the persistence of Iranian information warfare tactics.
Risk of Retaliatory Violence
The DHS alert also addressed the risk of physical violence in the U.S., noting that Iranian supporters and extremist groups might mobilize in response to the ongoing conflict. The alert warned that the threat of hate crimes or attacks against individuals perceived as Jewish, pro-Israel, or linked to the U.S. government or military could increase.
“The conflict could also motivate violent extremists and hate crime perpetrators seeking to attack targets perceived to be Jewish, pro-Israel or linked to the U.S. government or military in the homeland,” the DHS added.
Preventative Measures and Public Awareness
Given the increased risks from Iranian-linked cyber actors, DHS advises U.S. businesses, government agencies, and individuals to follow cybersecurity best practices and stay vigilant. The department recommends employing DDoS mitigation strategies and monitoring for signs of data exfiltration or any unauthorized access attempts. Organizations are encouraged to report suspicious activities to local law enforcement, or the FBI through the National Suspicious Activity Reporting Initiative.
Comments on Ceasefire Talks
Meanwhile, on June 24, 2025, President Trump publicly voiced his frustration with the ongoing conflict between Iran and Israel in spite of initiatives to broker a ceasefire. “These guys got to calm down. Ridiculous,” Trump remarked after a missile attack from Iran targeted Israel, escalating tensions. Trump had earlier brokered a ceasefire between the two nations, but the violence continued, with Israel confirming a missile strike that killed four people in Israel.
The rising tensions between Israel and Iran have already contributed to heightened threat assessments across global security environments. The DHS alert also noted that if Iranian leadership issues a religious ruling calling for retaliatory violence, there could be an increase in extremist actions within the U.S.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Google Strengthens GenAI Security with Multi-Layered Defenses to Combat Prompt Injection Attacks
Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
How can Netizen help?
Google Strengthens GenAI Security with Multi-Layered Defenses to Combat Prompt Injection Attacks
In response to the growing threat of prompt injection attacks, Google has unveiled a series of robust security measures designed to safeguard its generative AI models, particularly Gemini, from evolving exploitation techniques. The latest vulnerabilities—referred to as indirect prompt injections—pose significant risks as malicious actors exploit external data sources, like emails and calendar invites, to manipulate AI systems into performing dangerous or unauthorized actions. These attacks circumvent traditional defense mechanisms by embedding harmful instructions within trusted data sources, tricking the AI into executing them.
To mitigate these risks, Google has implemented a layered defense strategy aimed at raising the difficulty and cost of launching successful attacks. These defenses include prompt injection content classifiers to filter out harmful instructions, the reinforcement of security through special markers placed in untrusted data, and markdown sanitization to block external malicious URLs. Additionally, the company has introduced a user confirmation framework, requiring approval before risky actions are executed, and integrated end-user notifications to alert users about potential prompt injections.
Despite these improvements, Google acknowledged that the threat landscape is shifting. Malicious actors are increasingly utilizing adaptive attacks, deploying automated red-teaming tools to circumvent these defenses. The vulnerability underscores the challenges AI models face in distinguishing between legitimate user instructions and manipulative commands embedded within data. According to Google DeepMind, addressing these issues will require continuous advancements in AI system security, incorporating defenses at each layer—from the model’s core understanding to the application and hardware infrastructure.
Researchers from institutions like ETH Zurich and Carnegie Mellon University, along with Google’s own DeepMind, have highlighted the dangers posed by AI systems vulnerable to prompt injections. These models are capable of generating harmful content, including weapon instructions, phishing schemes, and even polymorphic malware. As AI agents continue to evolve, their ability to unlock new attack vectors for adversaries, such as extracting personally identifiable information (PII) or launching tailored attacks, becomes increasingly alarming.
The insights gathered from ongoing stress tests and red-teaming benchmarks indicate that while AI models excel at prompt injection attacks, they still struggle with system exploitation and model inversion tasks. However, the efficiency with which AI agents solve challenges compared to human operators emphasizes the transformative potential these systems have in improving security workflows.
Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
In April 2025, a series of cyberattacks targeted two of the U.K.’s most prominent retailers, Marks & Spencer (M&S) and Co-op, causing significant disruption and financial damage. According to the Cyber Monitoring Centre (CMC), these attacks have been classified as a “single combined cyber event” due to the timing, similar tactics, and a threat actor’s claim of responsibility for both incidents.
The breach, which has been classified as a “Category 2 systemic event,” is estimated to have cost between £270 million ($363 million) and £440 million ($592 million). The security breach, which focused on IT help desks through advanced social engineering tactics, has caused a deep impact on the two companies and their partners. CMC continues its attribution efforts but strongly suspects the notorious cybercrime group, Scattered Spider (also known as UNC3944), is behind the attacks.
The group, previously affiliated with The Com, is known for its advanced social engineering techniques, particularly in impersonating IT staff to gain unauthorized access. The consequences of this breach extend beyond M&S and Co-op, with ripple effects for their suppliers, partners, and service providers.
In addition, Scattered Spider’s attacks are no longer limited to the retail sector. The Google Threat Intelligence Group (GTIG) has recently warned that the group has shifted its focus to U.S. insurance companies, using similar social engineering tactics to target help desks and call centers. This shift in targets highlights the growing concern surrounding Scattered Spider’s evolving strategies and growing impact.
While Marks & Spencer’s supplier Tata Consultancy Services (TCS) has publicly confirmed that its systems were not compromised in the attack, internal investigations continue to explore the possibility of TCS’s systems being used as a stepping stone for the breach.
The increase in attacks from groups like Scattered Spider, combined with the shift toward more sophisticated techniques like those seen in Qilin ransomware operations, has prompted heightened alertness across critical industries. These developments underscore the escalating threats posed by cybercriminals targeting high-profile sectors, making it imperative for organizations to reinforce their cybersecurity defenses.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Multi-Factor Authentication (MFA) has become an essential security measure in protecting sensitive data and ensuring that only authorized individuals gain access to digital assets. While a password alone may have once been sufficient to grant access, it’s no longer enough in today’s increasingly complex cyber threat landscape. MFA introduces an additional layer of protection by requiring users to provide two or more verification factors before accessing their accounts or systems. This article explores how MFA works, why it is so important, and the various methods used to implement it.
What is Multi-Factor Authentication (MFA)?
MFA is a security process that requires users to provide multiple forms of verification when logging into an account or system. The idea behind MFA is simple: even if an attacker successfully obtains a user’s password, they would still need additional forms of identification to gain access. These forms of identification are categorized into three primary factors: something you know, something you have, and something you are. Combining these factors makes it exponentially harder for attackers to impersonate legitimate users, adding layers of defense against unauthorized access.
In today’s world, a single password is no longer enough to secure accounts. Commonly used passwords are vulnerable to attacks such as brute-force cracking, phishing, and credential stuffing. By introducing additional authentication methods, MFA significantly reduces the chances of an attacker bypassing security measures. Whether for personal use or for enterprises handling sensitive data, MFA has become a must-have for securing accounts and protecting information.
The Three Factors of MFA
The three factors used in MFA are designed to authenticate users by leveraging different aspects of their identity. The first factor, something you know, refers to knowledge-based authentication, such as a password or PIN. This is the most familiar factor, and it remains a critical piece of the MFA puzzle. However, relying solely on a password is no longer enough due to the frequency with which passwords are compromised.
The second factor, something you have, involves physical items like a mobile device, hardware token, or smartcard. This factor helps to secure access by ensuring that even if an attacker knows the password, they would still need to possess the physical item used for authentication. For example, if a user has a smartphone with an authentication app, they will need to enter a code generated by the app in addition to their password. This significantly raises the bar for attackers.
Finally, the third factor, something you are, pertains to biometric authentication, which uses unique characteristics of the user to verify their identity. Examples of biometric authentication include fingerprint scans, facial recognition, and iris scanning. Because these traits are unique to the individual, they are extremely difficult for attackers to replicate, making them an incredibly secure form of authentication.
How MFA Works: Step-by-Step Process
MFA works by adding a second or third step in the process of logging into an account or system. Once the user enters their password (the first factor), they will be prompted to provide one or more additional factors. This could be a temporary code sent via SMS, generated by an app, or a biometric scan. Once all factors are successfully verified, the user is granted access.
For example, a user may enter their username and password as usual. Once this information is verified, they will be prompted to input a one-time passcode (OTP) generated by an authenticator app or sent via SMS. Only after entering the correct passcode is the user allowed to proceed. In some cases, a biometric scan, such as a fingerprint or facial recognition, may also be required. This multi-step process makes it much harder for attackers to impersonate legitimate users, even if they have obtained the user’s password.
Types of MFA Methods
MFA can be implemented in a variety of ways, depending on the level of security required and the preferences of the organization or user. One of the most common methods is SMS-based authentication, where a user receives a one-time passcode (OTP) on their phone via text message. Although this method is widely used, it is vulnerable to attacks such as SIM swapping and interception of messages. As such, it is considered less secure than other forms of MFA.
A more secure method involves the use of authenticator apps like Google Authenticator or Authy. These apps generate time-sensitive codes that are valid for a short period, typically around 30 seconds. Unlike SMS-based authentication, these codes are not susceptible to interception, making them a more reliable option. Authenticator apps can be used across various platforms, from email accounts to online banking systems, providing added flexibility.
Another popular form of MFA is push notifications. With this method, a user receives a prompt on their mobile device asking them to approve or deny a login attempt. This method is user-friendly and quick, as it does not require the user to manually enter a code. However, it still provides an additional layer of security by confirming that the user is in control of the device.
For those seeking the highest level of security, hardware tokens are an ideal option. Devices such as YubiKeys generate one-time passcodes or require physical interaction (e.g., tapping the device) to authenticate. These tokens are highly secure because they are not vulnerable to remote attacks and require physical access to the device. This makes them particularly effective for high-risk environments, such as financial institutions or government agencies.
Why MFA Matters
In today’s modern landscape, MFA provides critical protection against a wide range of attacks. Phishing, for example, remains one of the most common attack methods used by cybercriminals. With MFA in place, even if an attacker successfully obtains a user’s password through phishing, they would still need to bypass the additional authentication factors to gain access. Similarly, brute-force attacks and credential stuffing are made much more difficult when MFA is used, as attackers would need to obtain multiple factors to successfully authenticate.
Moreover, MFA plays a key role in regulatory compliance. Many industries, such as healthcare and finance, require organizations to implement MFA to protect sensitive data and meet compliance standards like HIPAA, PCI DSS, and GDPR. By using MFA, organizations can ensure that they are taking the necessary steps to safeguard their data and meet legal requirements.
Challenges of MFA
While MFA significantly enhances security, it is not without its challenges. One of the main hurdles is user resistance. Some users may find MFA inconvenient, especially if it requires them to use multiple devices or take extra steps during the login process. This is particularly true for methods that involve entering time-sensitive codes or using hardware tokens, which may seem cumbersome compared to traditional password-based logins.
Another challenge is implementation costs. While MFA solutions are becoming more affordable, organizations must still invest in the necessary infrastructure to support them. This includes purchasing hardware tokens, implementing software for authenticator apps, or integrating MFA into existing authentication systems.
Finally, there is the issue of backup methods. Users who lose access to their MFA device—whether through a lost phone or hardware token—may struggle to regain access to their accounts. Organizations need to have effective recovery processes in place to ensure that users can recover their accounts without compromising security.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
For years, vulnerability management has been a cornerstone of an organization’s cybersecurity posture. However, despite regular patching and continuous monitoring, vulnerabilities still exist. The reason is often simple: attackers target security gaps that are overlooked or unknown. External Attack Surface Management (EASM) is one of the latest solutions designed to help close these gaps and extend the capabilities of traditional vulnerability management.
What Is Vulnerability Management?
Vulnerability management is the process of identifying, assessing, and remediating security flaws within an organization’s IT infrastructure. This process is generally centered around scanning known assets—whether they are physical servers, virtual machines, cloud services, or software applications—for known vulnerabilities. These vulnerabilities are typically cataloged in public databases like CVE (Common Vulnerabilities and Exposures), which helps security teams prioritize the remediation of the most critical flaws.
Vulnerability management is crucial, as it helps security teams continuously patch and address flaws in software, hardware, and network configurations. However, it is limited by what is already known. If assets aren’t properly documented or if systems slip through the cracks, they become blind spots in the organization’s cybersecurity posture.
EASM: Extending Beyond Vulnerability Management
External Attack Surface Management (EASM) goes beyond traditional vulnerability management by identifying risks and exposures that may be hidden from view. EASM tools continuously scan for internet-facing assets, including shadow IT, and provide organizations with visibility into assets that security teams may not even know exist. EASM solutions are designed to be proactive, helping organizations identify external vulnerabilities before they become critical threats.
While vulnerability management primarily operates within known environments and asset inventories, EASM actively seeks out unknown or mismanaged resources. It doesn’t just scan for vulnerabilities within known systems—it uncovers blind spots by providing a comprehensive view of the external attack surface.
Key Differences
Scope: Vulnerability management focuses on known assets, continuously scanning for recognized threats and vulnerabilities within an established inventory. EASM, on the other hand, takes a broader approach by scanning for all internet-facing assets, including shadow IT and unregistered systems, providing visibility into unknown and unmanaged assets.
Continuous Discovery: One of the critical features of EASM is continuous discovery. While vulnerability management tools typically scan on a periodic basis (weekly, monthly, etc.), EASM tools continuously scan environments in real time. This ensures that organizations always have up-to-date information on their external attack surface, even as it changes over time.
Visibility of Unmanaged Assets: Traditional vulnerability management relies on what is known and documented, leaving out unmanaged assets or those that are overlooked. EASM, however, identifies assets that may have been forgotten, misclassified, or never registered in the first place. This gives security teams a fuller picture of the organization’s potential risks.
Contextual Prioritization: EASM solutions provide contextual prioritization of vulnerabilities based on asset criticality, traffic patterns, and exposure. This means organizations can focus on securing their most sensitive or high-value assets. Vulnerability management tools, on the other hand, tend to prioritize based solely on the severity of known vulnerabilities, without factoring in contextual risk factors like asset exposure.
Integration with Other Security Tools: EASM solutions work seamlessly with existing security stacks, including vulnerability management platforms. By feeding new findings into the vulnerability remediation workflow, EASM ensures that previously unrecognized risks are addressed and that security teams are better equipped to handle evolving threats.
Why EASM Is Necessary
As organizations continue to expand and move more resources to the cloud, security teams face increasing complexity in managing their attack surface. Many companies today operate in multi-cloud environments, with assets scattered across different cloud providers. In such environments, asset mismanagement or oversight can easily lead to security vulnerabilities. EASM helps mitigate this risk by offering a unified and automated approach to continuous discovery, visibility, and risk identification.
The increasing prevalence of shadow IT—where employees use unsanctioned cloud services or devices—further compounds the problem. In fact, Gartner reports that shadow IT accounts for 30-40% of IT spending in large organizations, with many employees intentionally bypassing security measures. EASM solutions help detect and mitigate these threats, providing real-time insights and preventing these systems from becoming potential entry points for attackers.
The Shortcomings of Vulnerability Management
Vulnerability management is a critical component of an organization’s security posture, but it has inherent limitations. As previously mentioned, vulnerability management operates within the boundaries of a known asset inventory. If an asset isn’t registered or is misclassified, it becomes a blind spot, which is exactly what attackers are looking for. Many organizations rely on internal Configuration Management Databases (CMDBs) to track assets, but human error, process drift, and rapid infrastructure changes can lead to missing or outdated entries.
This lack of visibility often leads to gaps in security, where systems are left unpatched, orphaned, and vulnerable. A known vulnerability could be left unaddressed simply because the system was not included in the asset inventory.
How EASM Fills the Gaps
EASM provides a more complete view of an organization’s attack surface, helping to identify the assets that may have slipped through the cracks. Some of the key features of EASM include:
Continuous Discovery: EASM tools continuously monitor and map out the organization’s entire internet-facing infrastructure, ensuring no asset is left unseen.
Real-Time Alerts: As soon as a vulnerability is identified, EASM tools send alerts to security teams, ensuring immediate action can be taken.
Simulated Attack Scenarios: EASM solutions simulate real-world attack scenarios to uncover potential risks and expose assets that may be vulnerable to exploitation.
External Validation: EASM solutions validate which discovered assets are actually vulnerable by simulating attacker reconnaissance. This helps security teams to better prioritize remediation efforts.
Five Key Use Cases for EASM
Continuous Monitoring: Unlike periodic penetration tests, which are resource-intensive and disruptive, EASM tools automatically scan continuously, giving security teams constant visibility.
Asset Reconciliation: EASM solutions can reconcile CMDBs and IT asset inventories by discovering assets that are missed or misclassified in traditional systems, creating a comprehensive view of the environment.
Prioritizing Critical Assets: By analyzing asset exposure and risk, EASM helps security teams focus on high-value or critical assets that are most at risk.
Closing the Loop on Vulnerability Management: By integrating with vulnerability management systems, EASM ensures that newly discovered vulnerabilities are added to the remediation process, closing the loop on security efforts.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Cloud Security Posture Management (CSPM) is an automated software tool designed to scan cloud deployments for security misconfigurations, potential vulnerabilities, and compliance violations that can lead to data breaches. It acts as a security system inspector, scanning a cloud infrastructure—whether it is Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), containers, or serverless systems—for weaknesses and risks. CSPM tools provide organizations with a comprehensive view of their cloud security, helping to identify and address security gaps that can result in exposure or unauthorized access.
Why CSPM is Necessary
The cloud offers numerous advantages but also introduces new risks, especially due to its direct connection to the internet, making cloud infrastructure vulnerable to a broad range of threats. Unlike traditional networks, cloud infrastructure is often complex and distributed across various services and remote data centers. This complexity makes it difficult for organizations to ensure security, especially when certain components of the cloud service, like security configurations, are not directly managed by the service provider.
CSPM tools are built to address these challenges by automating the process of identifying and managing security misconfigurations, reducing the manual effort involved in securing cloud deployments.
How CSPM Works
CSPM tools continuously scan cloud environments, searching for misconfigurations, compliance violations, and vulnerabilities. They provide real-time alerts and generate reports detailing security risks, enabling security teams to take immediate action. The system also maps an organization’s entire cloud infrastructure to expose previously unknown risks. CSPM solutions help teams stay on top of security issues, offering a clear overview of the cloud ecosystem to prevent exposure and unauthorized access.
What is a Cloud Security Misconfiguration?
A cloud security misconfiguration refers to an error or flaw in the configuration of cloud services that leaves data exposed or vulnerable to attack. Misconfigurations often occur during the initial setup phase of cloud services. For example, leaving an AWS S3 storage bucket publicly accessible can lead to significant data breaches. CSPM tools automatically detect such issues and help organizations fix them before they become a serious problem.
How CSPM Helps with Regulatory Compliance
CSPM tools also assist with regulatory compliance, which is increasingly important for organizations operating in industries like healthcare, finance, and retail. Many regulations, such as HIPAA, GDPR, and the CCPA, require organizations to ensure that sensitive data is properly protected and access to it is strictly controlled. CSPM tools automatically detect potential compliance violations—such as excessive access rights or missing encryption—and alert organizations to take corrective action.
By automating compliance checks, CSPM reduces the burden on security teams and helps ensure that the organization remains in compliance with industry regulations.
How CSPM Provides Visibility of Cloud Infrastructure
As organizations expand their cloud environments, visibility becomes a major challenge. Assets may be misconfigured or left unsecured during migration between cloud providers, and shadow IT (unauthorized use of cloud services by employees) may further complicate visibility. CSPM tools provide a centralized view of all cloud assets, ensuring that security teams can monitor the entire infrastructure effectively. They also help ensure that teams don’t lose track of critical assets, preventing potential security gaps in the organization’s attack surface.
Other CSPM Capabilities
In addition to misconfiguration detection, many CSPM solutions offer other essential capabilities:
Vulnerability identification: Identifying flaws in cloud software that could be exploited by attackers.
Incident response: Some CSPM tools can fix issues automatically or provide remediation steps for security teams.
As cloud security continues to evolve, CSPM remains a crucial component of any cloud security strategy, enabling organizations to maintain a strong security posture in complex, dynamic environments.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
Netizen Blog and News 
You must be logged in to post a comment.