Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • ShinyHunters: Evolution of a Data Theft Syndicate

    ShinyHunters: Evolution of a Data Theft Syndicate

    ShinyHunters first appeared in 2020 as a financially motivated cybercriminal group. Their early operations revolved around large-scale credential theft and database exploitation. The group gained immediate notoriety by targeting major platforms like Tokopedia (91 million records), Wishbone, Microsoft’s GitHub repositories, and Wattpad (270 million records). By selling stolen information on underground forums, they quickly became one of the most active players in the data-breach economy.

    ShinyHunters were also linked to leaks from services like Pluto TV, Nitro PDF, Pixlr, Animal Jam, and more. Beyond breaches, they held influence in the cybercriminal ecosystem by running iterations of BreachForums, one of the most prominent platforms for trading stolen data.

    Expansion into High-Value Targets

    Between 2021 and 2024, ShinyHunters scaled their operations, moving beyond consumer platforms and into critical service providers. Notable victims included AT&T Wireless (affecting over 110 million customers), Santander Bank, and Ticketmaster. Their association with the Snowflake data-theft campaign cemented their reputation as a group willing to target enterprise systems and supply chains to maximize impact.

    By late 2024, law enforcement pressure intensified. Several members and associates were arrested in France and Morocco, leading to speculation that the group had been disrupted. Yet, ShinyHunters re-emerged in 2025 with significantly more sophisticated tactics.

    2025 Salesforce Campaign

    The group’s most ambitious operation to date surfaced in 2025, with a sweeping attack campaign against Salesforce CRM platforms. This campaign impacted global enterprises such as Google, Adidas, Cisco, Qantas Airways, Allianz Life, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.).

    Attack Methodology

    1. Initial Access via Vishing
      ShinyHunters shifted focus from pure technical exploits to social engineering. Using spoofed calls, fake IT personas, and urgency tactics, they tricked employees into granting access to Salesforce connected apps.
    2. OAuth Abuse
      Victims were guided into authorizing malicious Salesforce connected apps disguised as tools like “My Ticket Portal.” These apps requested elevated API permissions, granting ShinyHunters persistent access tokens that bypassed multi-factor authentication.
    3. API Exploitation and Data Theft
      Using Salesforce REST APIs, attackers ran bulk SOQL queries, pulling customer records, PII, and business intelligence data at scale. Logs show that their malicious apps consistently retrieved data volumes of ~2.3 MB per request, evading detection by blending with normal traffic.
    4. Obfuscation
      Data exfiltration traffic was routed through Mullvad VPN and Tor, frustrating forensic investigations and complicating attribution.
    5. Lateral Movement
      Compromised credentials and OAuth tokens were leveraged to pivot into other integrated platforms, including Okta, Microsoft 365, and Meta Workplace. This expanded the scope of stolen data beyond Salesforce.

    Collaboration with Scattered Spider

    Evidence suggests a tactical partnership between ShinyHunters and Scattered Spider (UNC3944/Octo Tempest). Both groups are tied to a larger collective known as “The Com,” which specializes in social engineering, SIM swapping, and large-scale fraud. Infrastructure overlaps, phishing domain patterns, and stylistic similarities in vishing scripts indicate close collaboration.

    Impact on Victims

    The campaign had wide-ranging consequences:

    • Google confirmed theft of small and medium business contact information from its Salesforce instance.
    • Qantas Airways reportedly paid a ransom of 4 Bitcoin (~$400,000) to prevent data leakage.
    • LVMH luxury brands saw their customer databases compromised, highlighting attackers’ focus on high-value industries.
    • Other enterprises like Adidas, Cisco, Allianz Life, and Chanel also confirmed or investigated breaches.

    Monetization and Extortion

    ShinyHunters employ a delayed extortion model. After exfiltrating data, ransom demands—ranging from $400,000 to $2.3 million—are issued weeks later. While some companies resisted, others paid to prevent public leaks. Analysts warn that ShinyHunters may soon launch a dedicated leak site to escalate pressure.

    Enterprises using SaaS platforms like Salesforce must harden their defenses with OAuth governance, behavioral monitoring, phishing-resistant MFA, and employee training to mitigate these advanced campaigns.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (9/15/2024)

    Netizen: Monday Security Brief (9/15/2024)

    Today’s Topics:

    • Hackers Leak 600 GB of Data on China’s Great Firewall
    • FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data
    • How can Netizen help?

    Hackers Leak 600 GB of Data on China’s Great Firewall

    On September 11, 2025, what is being described as the largest leak tied to the Great Firewall of China surfaced online. Nearly 600 GB of data, including source code, internal communications, work logs, and technical documentation, was published by the hacktivist group Enlace Hacktivista, the same collective linked to the Cellebrite data leak.

    The leaked material is believed to come from Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering, two organizations central to developing and maintaining China’s censorship infrastructure. Geedge was founded in 2018 under Fang Binxing, widely known as the “Father of the Great Firewall,” and has worked closely with MESA researchers to advance censorship capabilities.

    The data, distributed via BitTorrent and direct links, includes a massive 500 GB archive of an RPM packaging server, as well as compressed document sets from Geedge and MESA. These contain thousands of internal reports, project descriptions, and technical proposals. Analysts have already flagged filenames such as BRI.docx and CPEC.docx that suggest ties to Belt and Road Initiative projects and international collaborations.

    Project management records, communication drafts, and even routine administrative files point to the scale and bureaucracy of the censorship effort. The repository of software packages shows that the Great Firewall operates much like any large enterprise software system, with packaging servers and code repositories supporting day-to-day operations.

    According to the documents, the reach of these programs extends well beyond China. The leaked files suggest that censorship and surveillance technologies have been exported to governments in Myanmar, Pakistan, Ethiopia, Kazakhstan, and other countries connected to the Belt and Road Initiative.

    The material also offers a timeline of how MESA grew after its 2012 founding through talent programs, research grants, and contracts. By 2016, it was handling projects worth tens of millions of yuan annually. When Geedge was launched in 2018, it quickly became a key partner to Chinese authorities and an exporter of surveillance solutions.

    The scale of this breach is unusual. Unlike prior leaks that involved small sets of emails or whistleblower documents, this trove is an extensive collection of raw operational data that tracks years of development. Experts note it will take months to analyze the source code, but even the project records already confirm long-suspected details about how China’s censorship system is built, maintained, and expanded abroad.

    Hacktivists caution that anyone examining the archives should do so in isolated environments due to the possibility of embedded malware or tracking mechanisms. For researchers and rights groups, though, the leak provides an unprecedented opportunity to study how the Great Firewall functions and how its influence extends internationally.

    Analysts at Net4People and the GFW Report are continuing to examine the source code and documents. More findings are expected in the coming weeks. For now, this leak represents a rare, large-scale glimpse into one of the world’s most sophisticated censorship systems and its export to partners abroad.

    FBI Warns of Hackers Targeting Salesforce to Steal Corporate Data

    The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal sensitive data and extort victims.

    According to the advisory, both groups have recently used different techniques to infiltrate Salesforce platforms, enabling them to exfiltrate corporate information. The FBI shared indicators of compromise (IOCs), including suspicious user agent strings, IP addresses, and URLs, to help defenders identify malicious activity and strengthen security controls.

    The first cluster, UNC6040, was originally disclosed by Mandiant in June 2025. Since late 2024, these actors have relied heavily on vishing and social engineering tactics, impersonating IT support staff to trick employees into connecting malicious Salesforce Data Loader OAuth apps to company accounts. One variant, branded “My Ticket Portal,” provided attackers with persistent access once authorized.

    With OAuth permissions in place, the attackers were able to mass-exfiltrate Salesforce data, primarily the “Accounts” and “Contacts” tables that store customer information. The stolen data was later leveraged by the ShinyHunters extortion group, which attempted to pressure victims into ransom payments.

    High-profile companies including Google, Adidas, Cisco, Allianz Life, Qantas, Louis Vuitton, Dior, and Tiffany & Co. were among those impacted by these early campaigns.

    A newer wave of activity, tracked as UNC6395, surfaced in August 2025. In these intrusions, attackers leveraged stolen Salesloft Drift OAuth and refresh tokens to access Salesforce instances and extract support case data. Investigators say this campaign likely ran between August 8 and 18.

    Support cases often contained highly sensitive information such as AWS keys, Snowflake tokens, and customer passwords. By extracting this data, attackers could pivot into other cloud environments for deeper compromise.

    Salesloft confirmed that its GitHub repositories were breached as far back as March, allowing attackers to steal Drift OAuth tokens. In response, Salesforce and Salesloft revoked all active Drift tokens and required customers to reauthenticate.

    The campaign also involved misuse of Drift Email tokens, which allowed access to a small number of Google Workspace email accounts.

    Well-known security and tech companies, including Cloudflare, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Nutanix, Qualys, Rubrik, Cato Networks, and Palo Alto Networks, were among those reportedly affected.

    While the FBI did not formally attribute the campaigns, members of ShinyHunters told BleepingComputer they were involved, along with actors identifying as “Scattered Lapsus$ Hunters.” These groups claim to have overlap with Lapsus$ and Scattered Spider, two cybercrime gangs known for aggressive extortion.

    On Thursday, the hackers announced via a BreachForums-linked domain that they planned to “go dark” and stop publicizing operations on Telegram. However, in a final post, they claimed to have accessed the FBI’s E-Check background check system and Google’s Law Enforcement Request system, publishing screenshots as proof.

    If authentic, this level of access could allow impersonation of law enforcement and unauthorized retrieval of sensitive records.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Understanding Your CUI Boundary for CMMC Compliance

    Understanding Your CUI Boundary for CMMC Compliance

    As CMMC requirements begin appearing in defense contracts, organizations, particularly small and mid-sized businesses, face the difficult task of preparing for audits by a Certified Third-Party Assessor Organization (C3PAO). Compliance requires a serious reevaluation of how data, systems, and people interact across the enterprise. One of the most important steps before scheduling an audit is defining your Controlled Unclassified Information (CUI) boundary. Without this, your organization risks falling short before the assessment even begins.

    Defining Scope

    Before a CMMC Level 2 assessment, your organization must define and document the systems and services within scope. This step goes well beyond creating a simple inventory. It requires demonstrating an understanding of what CUI you have, where it is stored, how it is processed, where it flows across your environment, and who has access to it at every stage. In practice, this means creating a map of your information environment that shows how critical data moves, who touches it, and what technologies safeguard it.

    Your boundary must encompass every part of the environment that interacts with CUI. This includes physical infrastructure, cloud platforms, virtual systems, identity and access management tools, and any other services that handle sensitive information. Organizations should also take time to classify assets. These include systems that store CUI directly, technologies that defend or monitor CUI systems, specialized devices such as OT or IoT equipment that cannot easily be isolated, and systems that are truly out of scope. This classification allows you to make defensible scoping decisions and gives auditors confidence that your assessment will be accurate.

    It is during this stage that many organizations make mistakes. For example, contractors sometimes assume email servers are out of scope even though they transmit CUI, or they overlook a managed service provider that backs up data containing CUI. Others may ignore IoT or OT devices that cannot easily be patched or segmented. These oversights can derail an assessment quickly, which is why scoping must be both thorough and well-documented.

    What is CUI?

    Controlled Unclassified Information (CUI) refers to government-related data that requires safeguarding but does not meet the threshold for classification. It can include personally identifiable information, critical infrastructure data, proprietary business details, blueprints, and technical specifications. The CUI Registry defines the categories, but each organization must identify the exact types of CUI it handles and show how that information moves through its systems. A diagram of CUI flow is particularly valuable, since it highlights how information enters, where it is stored, how it is processed, and where it exits the organization.

    Including Cloud and Managed Service Providers

    Your CUI boundary should not be limited to systems under direct control. Many organizations rely on cloud service providers (CSPs) or managed service providers (MSPs), and these third parties are always in scope if they touch CUI or affect its security. Any CSP hosting or transmitting CUI must either hold a FedRAMP Moderate authorization or demonstrate equivalency. Similarly, any MSP with remote access, control over configurations, responsibility for backups, or other influence over the confidentiality, integrity, or availability of CUI must be included in your System Security Plan (SSP).

    It is also important to understand the shared responsibility model when working with these providers. A CSP may be FedRAMP authorized, but your organization is still responsible for how user accounts, access controls, and monitoring are configured. If these responsibilities are not clearly defined in your SSP, auditors may find gaps that count against your organization.

    Equally important is verifying the compliance posture of these partners. If an MSP has not passed a third-party audit, their shortcomings will count against your own assessment. Even changes in their toolsets or systems can trigger the need for reassessment, introducing both cost and delay.

    Segmentation and Boundary Protections

    Once your CUI boundary is established, you must also demonstrate how it is protected. This often means implementing network segmentation to isolate CUI systems from general IT environments, enforcing strict access controls, and monitoring points where CUI enters or leaves the network. Without these safeguards, a well-drawn boundary can still fail under scrutiny.

    Documentation and Evidence

    Defining a boundary is not enough on its own, auditors expect detailed documentation. At a minimum, this includes a System Security Plan (SSP) with diagrams of CUI flow, asset inventories, classification justifications, and network maps showing segmentation. These artifacts provide evidence that your scoping decisions are defensible and help teams maintain compliance as environments evolve.

    Next Steps

    Defining your CUI boundary is one of the earliest and most decisive steps in preparing for CMMC compliance. A weak or incomplete scope almost guarantees failure in front of auditors, while a thorough, well-documented one establishes the foundation for a smoother assessment.

    Organizations that succeed at this step do so by taking the time to map their information flow, account for every system and provider that touches CUI, classify assets in a way that supports defensible decisions, and document how the boundary is both defined and protected. They also recognize that scoping is not a one-time exercise. Major changes in infrastructure, vendors, or toolsets require re-scoping to remain compliant.

    Getting this right ensures the rest of your compliance journey is built on solid ground and positions your business to compete for defense contracts without avoidable setbacks.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and delivers innovative cybersecurity and technology solutions for government, defense, and commercial clients worldwide. Our mission is to transform complex security and compliance challenges into strategic advantages by safeguarding and optimizing digital infrastructure. One example is our “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) and provides a full suite of services including vulnerability assessments, penetration testing, software assurance, managed detection and response, and compliance advisory. For organizations preparing for CMMC, we currently provide CMMC pre-assessments to help contractors evaluate their readiness, map gaps against requirements, and build a remediation roadmap before undergoing a third-party audit. This proactive approach allows companies to address deficiencies early and approach certification with greater confidence.

    Our organization holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC certifications, demonstrating the maturity of our own operations. We are also a Service-Disabled Veteran-Owned Small Business (SDVOSB) recognized by the U.S. Small Business Administration, and we’ve been named to the Inc. 5000 and Vet 100 lists of the fastest-growing private companies in the nation. Netizen has been recognized as a national “Best Workplace” by Inc. Magazine and is a multi-year recipient of the U.S. Department of Labor’s HIRE Vets Platinum Medallion for veteran hiring and retention.

    If your organization is preparing for CMMC compliance, Netizen can help you start with a clear picture of your current state. Our pre-assessments provide the guidance needed to plan effectively, reduce risks of failed audits, and ensure long-term alignment with DoD cybersecurity requirements.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • The History of CMMC

    The History of CMMC

    The Cybersecurity Maturity Model Certification (CMMC) has become one of the most significant compliance requirements for companies operating within the Defense Industrial Base (DIB). Contractors across the supply chain are now being asked not only if they are compliant, but how quickly they can prove it. Understanding where CMMC came from and how it has evolved provides valuable context for organizations preparing to meet the latest requirements.

    Early Foundations

    The roots of CMMC stretch back to 2010, when Executive Order 13556 formally established the concept of Controlled Unclassified Information (CUI). The order defined what constitutes CUI and laid the groundwork for consistent handling requirements across government and industry.

    By 2017, defense contractors were already expected to comply with NIST SP 800-171, a set of 110 security controls designed to protect CUI. Under this model, contractors could self-attest to their compliance, but it quickly became clear that self-attestation did not provide the level of assurance the Department of Defense (DoD) required.

    The Birth of CMMC

    In 2019, the DoD announced the Cybersecurity Maturity Model Certification as a way to strengthen accountability and verification. The idea was to move beyond self-attestation and introduce third-party assessments where necessary.

    The first formal version, CMMC 1.0, arrived in November 2020 alongside an interim DFARS rule that added new clauses (252.204-7019 and 252.204-7020). These required contractors to post their NIST SP 800-171 self-assessment scores in the Supplier Performance Risk System (SPRS). CMMC 1.0 included five maturity levels ranging from Basic to Advanced Cyber Hygiene. While Level 1 was intended for contractors handling only Federal Contract Information (FCI), higher levels applied to organizations dealing with CUI.

    Streamlining to CMMC 2.0

    By November 2021, the DoD responded to industry feedback by introducing CMMC 2.0. The model reduced complexity by consolidating the five levels down to three:

    • Level 1 (Foundational): Focused on protecting FCI with basic practices, allowing for annual self-assessment and affirmation.
    • Level 2 (Advanced): Built directly on the 110 NIST SP 800-171 requirements. Depending on the solicitation, this level may require either a self-assessment or a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO).
    • Level 3 (Expert): Intended for the most sensitive defense programs, this level requires controls beyond NIST 800-171 and audits performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

    Rulemaking and Finalization

    The DoD began the formal rulemaking process in 2023 under Title 32 and Title 48 of the Code of Federal Regulations. After extensive reviews and public feedback, the final program rule for CMMC was published on October 15, 2024, and became effective on December 16, 2024. This rule formally codified the structure of CMMC 2.0.

    A second rule followed on September 10, 2025, when the DoD published a final DFARS rule making CMMC a contractual requirement. That DFARS rule is scheduled to take effect on November 10, 2025. Beginning then, solicitations can include DFARS clauses such as 252.204-7021 and 252.204-7025, specifying the CMMC level required. Contractors that cannot meet the designated level at the time of award risk being deemed ineligible.

    What Has Changed for Contractors

    Under the most recent rules, CMMC requirements will be phased into contracts over a three-year period, with gradual expansion until full application across the DIB. The rule also introduces the option for Plans of Action and Milestones (POA&Ms) at Levels 2 and 3. Contractors can achieve conditional certification while closing gaps, but remediation must be completed within 180 days or the certification will lapse.

    Service providers remain in scope of a contractor’s audit if they process, store, transmit, or can affect the security of CUI systems. While these providers may not be required to hold independent certification in every case, contractors are strongly advised to work with C3PAO-validated partners. If a provider lacks sufficient security controls, it can still impact the outcome of the contractor’s assessment.

    Looking Ahead

    CMMC has evolved from an idea in 2019 into a fully codified requirement now tied directly to DoD contracting. What began as a five-level model has been streamlined to three, but the intent remains the same: to enforce stronger protection of CUI and Federal Contract Information across the entire defense supply chain.

    For contractors, the path forward is clear. Compliance is no longer optional, and preparation must begin well before contracts are awarded. Mapping CUI boundaries, documenting controls, engaging with accredited C3PAOs, and selecting trustworthy service providers are now baseline requirements for maintaining eligibility in the defense market.

    CMMC’s history shows how quickly compliance expectations can shift. Its future will continue to shape the way the defense industrial base approaches cybersecurity, risk management, and trust with the Department of Defense.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and delivers innovative cybersecurity and technology solutions for government, defense, and commercial clients worldwide. Our mission is to transform complex security and compliance challenges into strategic advantages by safeguarding and optimizing digital infrastructure. One example is our “CISO-as-a-Service” offering, which enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

    Netizen operates a state-of-the-art 24x7x365 Security Operations Center (SOC) and provides a full suite of services including vulnerability assessments, penetration testing, software assurance, managed detection and response, and compliance advisory. For organizations preparing for CMMC, we currently provide CMMC pre-assessments to help contractors evaluate their readiness, map gaps against requirements, and build a remediation roadmap before undergoing a third-party audit. This proactive approach allows companies to address deficiencies early and approach certification with greater confidence.

    Our organization holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC certifications, demonstrating the maturity of our own operations. We are also a Service-Disabled Veteran-Owned Small Business (SDVOSB) recognized by the U.S. Small Business Administration, and we’ve been named to the Inc. 5000 and Vet 100 lists of the fastest-growing private companies in the nation. Netizen has been recognized as a national “Best Workplace” by Inc. Magazine and is a multi-year recipient of the U.S. Department of Labor’s HIRE Vets Platinum Medallion for veteran hiring and retention.

    If your organization is preparing for CMMC compliance, Netizen can help you start with a clear picture of your current state. Our pre-assessments provide the guidance needed to plan effectively, reduce risks of failed audits, and ensure long-term alignment with DoD cybersecurity requirements.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Hidden Prompts in Images Threaten Gemini, Vertex AI, and Other Platforms

    Hidden Prompts in Images Threaten Gemini, Vertex AI, and Other Platforms

    Researchers at Trail of Bits have unveiled a novel attack that leverages image downscaling artifacts to perform hidden prompt injections against large language models (LLMs). The attack embeds malicious instructions into high-resolution images that appear harmless to the human eye but become visible when the image is downscaled, a process most AI systems perform automatically for efficiency.

    This allows attackers to execute prompt injections without the user’s knowledge, potentially leading to data exfiltration, unauthorized tool execution, or manipulation of outputs across AI platforms.

    How the Attack Works

    When users upload images into AI systems, the images are often downscaled using algorithms like nearest neighbor, bilinear, or bicubic interpolation. These resampling methods unintentionally introduce aliasing artifacts, which attackers can exploit by carefully crafting pixel arrangements.

    In practice:

    • The full-resolution image looks benign.
    • Once downscaled, hidden instructions appear (for example, dark areas shifting to red and text appearing in black).
    • The AI model interprets the hidden text as part of the user’s instructions and executes it.

    Trail of Bits demonstrated this by exfiltrating Google Calendar data via Gemini CLI using Zapier MCP with trust=True. The attack required no user confirmation since the tool calls were automatically approved.

    Affected Platforms

    The researchers confirmed that their attack is feasible against multiple production AI systems, including:

    • Google Gemini CLI
    • Vertex AI Studio (Gemini backend)
    • Gemini’s web interface and API
    • Google Assistant (Android)
    • Genspark

    To aid reproducibility, they released Anamorpher, an open-source tool capable of generating crafted images for different downscaling algorithms.

    Why This Works: The Image-Scaling Blind Spot

    This attack builds on earlier academic research (2020, TU Braunschweig) that described the possibility of image-scaling attacks in machine learning. While originally focused on computer vision, Trail of Bits weaponized the idea for multi-modal prompt injection.

    The vulnerability arises because:

    1. AI systems enforce fixed image sizes, making downscaling inevitable.
    2. Interpolation creates predictable patterns that attackers can reverse-engineer.
    3. Users see the high-resolution input, but the LLM sees the downscaled version, creating a mismatch between perception and processing.

    Security Implications

    The attack is particularly dangerous because it exploits a fundamental preprocessing step in AI pipelines rather than relying on a single bug. It highlights:

    • A mismatch between what the user sees and what the model processes.
    • The risk of silent prompt injection hidden inside non-textual data.
    • The potential for cross-system exploitation, as the same crafted image may work against multiple AI systems using similar algorithms.

    This expands the attack surface for AI, particularly in multi-modal systems that handle both text and images.

    Mitigation Strategies

    Trail of Bits recommends several defensive measures:

    1. Avoid automatic downscaling when possible; enforce fixed input dimensions instead.
    2. Preview the downscaled image to users so they can see what the model sees.
    3. Require explicit confirmation for sensitive tool calls, especially if hidden text is detected within images.
    4. Adopt secure design patterns that mitigate prompt injection across modalities, rather than patching single attack vectors.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Microsoft September 2025 Patch Tuesday Fixes 81 Flaws, Two Publicly Disclosed Zero-Days

    Microsoft September 2025 Patch Tuesday Fixes 81 Flaws, Two Publicly Disclosed Zero-Days

    Microsoft’s September 2025 Patch Tuesday delivers fixes for 81 vulnerabilities, including two publicly disclosed zero-days. Nine flaws are classified as critical, with five involving remote code execution, one tied to information disclosure, and two to elevation of privilege.

    Breakdown of Vulnerabilities

    • 41 Elevation of Privilege vulnerabilities
    • 22 Remote Code Execution vulnerabilities
    • 16 Information Disclosure vulnerabilities
    • 2 Security Feature Bypass vulnerabilities
    • 3 Denial of Service vulnerabilities
    • 1 Spoofing vulnerability

    These totals do not include earlier fixes for three Azure flaws, one Dynamics 365 FastTrack Implementation Assets flaw, two Mariner bugs, five Microsoft Edge issues, and one Xbox vulnerability. Non-security updates released this month include Windows 11 KB5065426 and KB5065431, and Windows 10 KB5065429.

    Zero-Day Vulnerability

    CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability

    This vulnerability can be exploited through relay attacks. Depending on configuration, an attacker could relay SMB sessions and gain elevated privileges. Microsoft recommends enabling SMB Server Signing and Extended Protection for Authentication (EPA) to mitigate risk, though both may introduce compatibility issues with older devices. September updates introduce new auditing capabilities to help administrators assess client compatibility with SMB hardening.

    CVE-2024-21907 | Newtonsoft.Json Denial of Service Vulnerability in SQL Server

    This flaw arises from mishandling exceptional conditions in Newtonsoft.Json prior to version 13.0.1. Passing crafted data to the JsonConvert.DeserializeObject method can trigger a StackOverflow exception, causing denial of service. Updates for SQL Server now integrate the patched Newtonsoft.Json library. This vulnerability was originally disclosed in 2024.

    Other Critical Vulnerabilities

    Microsoft also patched multiple remote code execution flaws across Windows components and Microsoft Office, as well as high-severity information disclosure and privilege escalation vulnerabilities. These issues remain attractive targets for attackers and should be prioritized in patching schedules.

    Adobe and Other Vendor Updates

    Other vendors issuing security updates in September 2025 include:

    • Adobe: Patched a Magento flaw called “SessionReaper” impacting eCommerce sites
    • Argo: Fixed an Argo CD bug allowing low-privileged tokens to access repository credentials
    • Cisco: Released updates for WebEx, Cisco ASA, and related products
    • Google: Issued September Android updates addressing 84 flaws, including two zero-days under active exploitation
    • SAP: Released updates across multiple products, including a maximum-severity command execution flaw in NetWeaver
    • Sitecore: Addressed an actively exploited zero-day tracked as CVE-2025-53690
    • TP-Link: Confirmed a zero-day in certain router models, with patches in development for US customers

    Recommendations for Users and Administrators

    Organizations should prioritize applying patches for systems using SMB Server and SQL Server given the public disclosure of both zero-days. Administrators are advised to test and enable SMB Server Signing and EPA where possible and use the new auditing capabilities to prepare for enforcement. SQL Server deployments should be updated to versions incorporating Newtonsoft.Json 13.0.1 or later.

    Security teams should also review vendor advisories from Adobe, Cisco, Google, SAP, and Sitecore, particularly where vulnerabilities are confirmed to be under active attack.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (9/8/2024)

    Netizen: Monday Security Brief (9/8/2024)

    Today’s Topics:

    • Not Just Research: Threat Actors Are Weaponizing AI for Ransomware
    • CVE-2025-42957: Critical SAP S/4HANA Code Injection Vulnerability Actively Exploited
    • How can Netizen help?

    Not Just Research: Threat Actors Are Weaponizing AI for Ransomware

    AI-powered ransomware is no longer a distant possibility. Although the recently surfaced PromptLock turned out to be a research prototype created at NYU Tandon School of Engineering, attackers are already using tools like Claude Code to automate reconnaissance, exploitation, and extortion in the wild. What began as an academic demonstration of “Ransomware 3.0” has already been mirrored by real threat actors targeting healthcare, defense, and financial organizations

    When PromptLock samples first appeared on VirusTotal in August 2025, security researchers suspected a new form of ransomware. Analysis by ESET showed it relied on OpenAI’s GPT-OSS:20b model, dynamically generating Lua scripts to perform reconnaissance and execute malicious actions. Soon after, academics confirmed that PromptLock was in fact a controlled proof-of-concept. Their goal was to demonstrate how large language models could coordinate an entire ransomware chain, from surveying a victim’s environment to deploying customized payloads and even writing tailored extortion notes. The research highlighted how easily a benign-looking AI utility could conceal hidden instructions, making detection increasingly difficult.

    The fact that PromptLock was only a lab project does not mean the threat is hypothetical. Anthropic’s August 2025 threat intelligence report revealed real-world misuse of its Claude Code agent. According to the report, attackers were able to use the tool for reconnaissance, lateral movement, and large-scale data theft, embedding their preferred tactics and playbooks into configuration files so the assistant would respond in ways that supported their campaign. The same system generated ransom notes, packaged malware with evasion techniques, and analyzed stolen data to set extortion demands, some of which exceeded half a million dollars. Victims ranged from a defense contractor to financial institutions and healthcare providers, with stolen material including social security numbers, banking details, patient records, and ITAR-controlled documentation.

    Anthropic responded by banning the malicious accounts and working to strengthen its detection capabilities. Security experts stress that although the core techniques of ransomware have not changed, AI drastically lowers the barrier to entry and accelerates every phase of an attack. As Exabeam’s Steve Povolny observed, what once required teams of skilled operators can now be achieved faster and cheaper through modular, AI-driven tasks, in the same way non-coders now build enterprise applications with AI assistance.

    PromptLock itself may be only a proof-of-concept, but its design reflects tactics that are already active in the wild. The lesson for defenders is clear: AI is now serving attackers not just as a consultant, but as an operator, compressing the time it takes to plan and launch ransomware campaigns. Security teams will need to assume that adversaries can rapidly construct large-scale, tailored attacks with the same ease that businesses now adopt AI to streamline development and operations.

    CVE-2025-42957: Critical SAP S/4HANA Code Injection Vulnerability Actively Exploited

    A newly confirmed wave of exploitation is targeting CVE-2025-42957, a critical code injection flaw in SAP’s S/4HANA ERP platform. First disclosed and patched in SAP’s August 2025 security updates, the vulnerability was discovered by SecurityBridge and carries a CVSS v3 score of 9.9. The issue affects both on-premises and private cloud deployments of S/4HANA and is now being abused in the wild, with exploitation attempts spiking after the release of SAP’s patch.

    The vulnerability allows attackers with only low-privileged user access to inject ABAP code into the system, ultimately giving them complete control of both the SAP environment and the host operating system. Although a valid account is required, the complexity of the attack is minimal and can be carried out remotely over the network. According to SecurityBridge, the patch is relatively easy to reverse engineer, which means attackers can quickly develop working exploits.

    Reports from both SecurityBridge and Pathlock confirm that malicious actors are already testing and abusing this flaw. Once exploited, an attacker could directly manipulate or delete corporate data in the SAP database, create persistent backdoor accounts with administrative privileges, steal hashed passwords, and extend control into the host operating system. The fact that a single compromised user account can lead to full system compromise makes this vulnerability especially dangerous.

    SAP customers are strongly urged to apply the August 2025 patches without delay. Beyond patching, SecurityBridge advises enabling the Unified Connectivity framework (UCON) to restrict remote function call (RFC) usage, and monitoring logs carefully for unusual RFC activity or newly created administrative accounts. Organizations should also audit privileged accounts and system activity to ensure attackers have not already established persistence.

    CVE-2025-42957 highlights how attackers continue to focus on SAP environments as high-value targets. The vulnerability requires little effort to exploit, provides complete system access, and has already been weaponized in real-world attacks. Organizations that delay remediation face the risk of data theft, operational disruption, and potentially long-lasting compromise.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • What is ISO 27001 and How Can It Benefit Your Organization?

    What is ISO 27001 and How Can It Benefit Your Organization?

    Cybersecurity leaders know that technical defenses alone are not enough. To truly safeguard sensitive information, organizations need a structured framework that brings together people, processes, and technology. That’s where ISO/IEC 27001 comes in. As the most widely recognized international standard for information security management, ISO 27001 helps organizations build a resilient Information Security Management System (ISMS) that reduces risk, ensures compliance, and inspires trust across clients and partners.

    For companies operating in highly regulated sectors such as healthcare, finance, and defense, ISO 27001 certification has quickly become a prerequisite for doing business. But even beyond compliance, the standard offers strategic advantages that extend well into daily operations.

    Understanding ISO 27001

    ISO 27001 establishes a clear framework for managing information security by requiring organizations to identify risks, implement controls, and continuously refine their defenses. At its foundation is the CIA triad:

    • Confidentiality – protecting sensitive information from unauthorized access.
    • Integrity – ensuring that data remains accurate and unaltered.
    • Availability – guaranteeing that systems and data are accessible when needed.

    Certification requires more than paperwork; it demands organizational commitment, executive buy-in, and third-party audits to confirm that security is not just documented but operationalized.

    Why ISO 27001 Matters

    Strengthened Security and Reduced Breach Risk

    The structured risk assessments required by ISO 27001 uncover blind spots in existing security programs and ensure that controls evolve alongside new threats. This makes breaches less likely and less damaging when they occur.

    Increased Trust With Clients and Partners

    Certification demonstrates to customers that their data is handled responsibly. In a climate where supply chain security is under constant scrutiny, ISO 27001 signals maturity and accountability.

    Competitive Advantage in the Marketplace

    For many contracts, particularly in government and critical infrastructure, ISO 27001 is not optional. Organizations without certification risk being sidelined, while certified entities gain a competitive edge.

    Cost Savings Through Prevention

    Data breaches are expensive, with costs extending well beyond regulatory fines. By reducing the likelihood and impact of incidents, ISO 27001 helps organizations protect both reputation and bottom line.

    Streamlined Compliance Across Frameworks

    Because ISO 27001 aligns closely with frameworks like NIST CSF, GDPR, and SOC 2, certification can reduce the burden of overlapping audits and improve efficiency for compliance teams.

    Building a Culture of Security

    One of ISO 27001’s most impactful benefits is cultural. By embedding information security into every layer of operations, organizations move beyond check-the-box compliance and foster a security-first mindset. Employees receive ongoing training, human error is reduced, and decision-making increasingly considers risk alongside business goals.

    How Netizen Can Help

    Achieving ISO 27001 certification requires expertise and sustained effort, but you don’t have to go it alone. Netizen has guided government, defense, and commercial organizations through complex compliance initiatives, helping them align security programs with business objectives.

    Our CISO-as-a-Service offering gives organizations of any size access to executive-level expertise, while our 24x7x365 Security Operations Center (SOC) provides continuous monitoring and incident response. From compliance gap assessments to audit readiness, penetration testing, and security engineering, Netizen delivers the capabilities needed to not only meet ISO 27001 requirements but exceed them.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • ClickFix Attack Uses AI Summaries to Spread Malware

    ClickFix Attack Uses AI Summaries to Spread Malware

    Researchers have detailed a new proof-of-concept attack showing how adversaries can use AI-generated summaries to push ransomware and other malicious commands directly to unsuspecting users.

    How ClickFix Works

    The tactic, called ClickFix, manipulates victims into running self-sabotaging commands under the guise of resolving an error or fixing an issue. In past incidents, attackers impersonated Booking.com or injected fake reCAPTCHA prompts, tricking users into pasting commands into the Windows Run prompt. In one campaign, over 100 automotive dealership websites briefly displayed malicious instructions to visitors.

    The new proof-of-concept from CloudSEK takes ClickFix a step further by abusing AI summarization tools. Researchers showed how attackers could embed malicious instructions into HTML content using techniques like invisible white-on-white text, zero-width characters, tiny font sizes, and off-screen text placement. While these elements remain invisible to a human reader, they dominate an AI model’s context window, surfacing prominently in generated summaries.

    When an AI assistant, browser extension, or email summarizer processes the content, the summary may end up displaying the hidden payload as if it were legitimate advice. CloudSEK demonstrated how such a summary could instruct a victim to paste a PowerShell command into the Run prompt, initiating a ransomware infection. Because the instructions appear to come from the AI summarizer itself, not an external attacker, the victim is far less likely to question them.

    CSS Obfuscation and Prompt Overload

    The success of this attack relies on a blend of CSS obfuscation and what researchers call “prompt overdose.” By repeating hidden payloads multiple times in the HTML, the attacker ensures that the malicious instructions outweigh legitimate context during summarization.

    This manipulation effectively turns the AI tool from a passive summarizer into an active participant in the social engineering chain. What looks like a harmless article, blog post, or email to a human user may, once summarized, output only the attacker’s malicious instructions.

    Defensive Recommendations

    CloudSEK’s guidance for defenders focuses on improving how AI pipelines preprocess and handle content:

    • Summarizers should normalize or strip suspicious CSS attributes before processing inputs.
    • Enterprises should implement prompt sanitizers that filter hidden payloads before they reach summarization models.
    • Detection rules should be created for repeated, hidden text patterns that could dominate AI outputs.
    • Organizations deploying internal AI summarizers should enforce strict preprocessing policies at gateways, content systems, and browser extensions.

    Most importantly, researchers emphasize the need for enterprise-level AI policy enforcement and secure design patterns that prevent AI outputs from triggering sensitive actions without explicit user approval.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: August 2025 Vulnerability Review

    Netizen: August 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from August that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2025-7775

    CVE-2025-7775 describes a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway when configured in several modes, including Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, and load balancing virtual servers bound with IPv6 services or DBS IPv6 servers, as well as CR virtual servers of type HDX. The vulnerability arises from improper memory handling that can be triggered remotely, allowing an attacker to achieve remote code execution or denial of service depending on the exploitation path. With network-based access, an attacker could craft malicious packets targeting exposed NetScaler services, leading either to the execution of arbitrary code on the device or the crash and disruption of critical VPN and proxy services.

    This flaw is particularly dangerous in enterprise and cloud environments where NetScaler appliances serve as critical access gateways, since exploitation could result in full compromise of infrastructure, service outages, and lateral movement into internal networks. The vulnerability has been assigned a CVSS v3 base score of 9.8, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its low attack complexity, lack of required privileges, and ability to compromise confidentiality, integrity, and availability. Under CVSS v4, the score remains severe at 9.2, further underscoring the risk in production environments. Public reporting confirms that this issue has already been exploited as a zero-day, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and multiple security researchers tracking widespread attacks. Reports indicate that over 28,000 NetScaler appliances remained exposed to the flaw at the time of disclosure, amplifying the urgency for remediation.

    Citrix addressed CVE-2025-7775 in emergency updates released on August 26, 2025, as part of a security bulletin that also included two additional NetScaler vulnerabilities. Organizations running affected versions of NetScaler ADC and Gateway should immediately apply the patches provided by Citrix, or implement compensating controls such as disabling IPv6 bindings and restricting external exposure of management and gateway interfaces until patching is complete. Exploitation of this flaw can grant attackers direct access to internal systems by hijacking critical VPN or load balancing infrastructure, making rapid patching and hardening of NetScaler environments an operational priority. More detailed guidance and official mitigation steps are available from Citrix’s advisory and the CISA KEV catalog.

    CVE-2025-53771

    CVE-2025-53771 describes a medium-severity improper authentication vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to perform spoofing attacks over a network. The flaw stems from insufficient validation within SharePoint’s authentication mechanisms, which permits a malicious actor to manipulate requests and impersonate legitimate users or services. By exploiting this weakness, an attacker could craft specially designed network requests to trick SharePoint into granting them access under a falsified identity, undermining the trust model of the platform. This can allow further exploitation when chained with other vulnerabilities, particularly in the ToolShell exploit chain where spoofing was used to bypass protections and gain entry into sensitive administrative interfaces.

    The vulnerability poses a significant risk in enterprise environments because SharePoint often serves as a central hub for collaboration, document storage, and workflow automation. Spoofing attacks targeting SharePoint can compromise the confidentiality of business-critical data and may facilitate privilege escalation or lateral movement if an attacker manages to impersonate privileged users. While this issue requires network access, the attack complexity is low and no user interaction is necessary, meaning it can be reliably executed once the attacker identifies a vulnerable system. The vulnerability has been assigned a CVSS v3 base score of 6.5 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, highlighting the impacts to confidentiality and integrity but not availability. Under CVSS v2 scoring, the base score is listed at 7.5 due to differences in weighting methodology.

    Microsoft patched CVE-2025-53771 in July 2025 as part of updates addressing the ToolShell exploit chain, which included several interlinked SharePoint flaws. The vulnerability is actively monitored in security advisories and was quickly added to exploitation watchlists because of its role in enabling bypasses of earlier mitigations. Organizations running affected SharePoint environments should apply Microsoft’s July 2025 security updates without delay and ensure that their SharePoint instances are not directly exposed to the internet. CISA and Microsoft advisories emphasize the importance of restricting external access, applying network segmentation, and enabling strict authentication controls to reduce the impact of any spoofing attempts. Since this flaw fits into broader exploit chains, especially those demonstrated during Pwn2Own and later expanded by attackers in the wild, administrators should consider it a priority to patch and monitor for signs of exploitation.

    CVE-2025-54948

    CVE-2025-54948 is a critical command injection vulnerability affecting the Trend Micro Apex One on-premises management console. The flaw allows a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands on affected systems. Since this vulnerability does not require prior authentication, exploitation is trivial once an attacker can reach the exposed management console, making it particularly dangerous for organizations that have not restricted external access. Exploitation can lead to full compromise of the endpoint security platform, granting adversaries administrative control over large fleets of protected systems.

    Trend Micro confirmed that this vulnerability, alongside CVE-2025-54987, was exploited in the wild as zero-days in August 2025. Reports indicated active targeting of enterprises, with attackers leveraging the flaw to gain persistence, disable defenses, and deploy secondary payloads. Security researchers and CISA flagged the issue as part of the Known Exploited Vulnerabilities (KEV) catalog, further underscoring its active use in attacks. Temporary mitigation tools were released by Trend Micro to limit exposure until full security patches could be applied, but these mitigations should be treated only as stopgaps.

    The vulnerability has been assigned a CVSS v3 base score of 9.8 (vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical nature across confidentiality, integrity, and availability. Under CVSS v2, the vulnerability carries a base score of 10. The EPSS probability sits at 0.18488, indicating a significant likelihood of widespread exploitation.

    Organizations using Apex One should immediately apply Trend Micro’s latest patches or, at minimum, deploy the mitigation tools provided while restricting console access to trusted networks. Network monitoring for suspicious uploads, reviewing Apex One administrative activity logs, and implementing compensating controls such as firewall rules and intrusion prevention signatures are recommended until systems are fully remediated. Given its exploitation in the wild, unpatched instances remain high-value targets and should be prioritized for immediate remediation.

    CVE-2025-8088

    CVE-2025-8088 is a high-severity path traversal vulnerability in the Windows version of WinRAR that enables attackers to execute arbitrary code by crafting malicious archive files. Discovered by security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, the flaw was confirmed to be exploited in the wild before disclosure, which led to its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog.

    The attack vector relies on specially crafted archive files that bypass WinRAR’s intended directory restrictions. When a user extracts such a file, the embedded payload can overwrite critical files or be executed outside the intended extraction path. Because WinRAR is widely used to handle compressed files, especially in enterprise environments where email attachments and downloads are common, this flaw presents a strong opportunity for attackers to distribute malware, gain persistence, or escalate access within targeted networks. Social engineering campaigns could easily weaponize the vulnerability by disguising malicious archives as legitimate content, tricking users into extraction.

    The vulnerability has been rated as critical under CVSS v2 with a score of 10, while CVSS v3 assigned it a high score of 8.8 (vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Under the updated CVSS v4 framework, it carries a score of 8.4, with the primary risk centered on confidentiality, integrity, and availability impacts through unauthorized code execution. EPSS data places its exploitation probability at 0.05624, underscoring that active use has been observed and further exploitation is likely.

    Organizations should prioritize mitigation by ensuring they are running patched versions of WinRAR and restricting the use of outdated builds. Since exploitation requires users to interact with malicious archives, endpoint detection and monitoring of suspicious archive extraction behavior should also be employed. Where possible, implementing application control, disabling automatic script execution, and limiting the use of WinRAR in high-risk environments can reduce exposure. Security advisories also suggest deploying Windows Software Restriction Policies (SRP) or Image File Execution Options (IFEO) to mitigate exploitation attempts until full remediation is in place.

    CVE-2025-21479

    CVE-2025-21479 describes a high-severity memory corruption vulnerability affecting Qualcomm GPU micronodes, where unauthorized command execution during the processing of a specific sequence of GPU instructions can lead to code execution. This flaw allows an attacker to trigger memory corruption by exploiting improperly validated GPU command streams, potentially resulting in arbitrary command execution within the GPU environment. Since GPUs are heavily leveraged for both graphics rendering and compute workloads, exploitation could allow an attacker to interfere with trusted processes, inject malicious operations, or escalate their control over the device.

    The attack vector is local in nature, as exploitation requires the attacker to execute crafted GPU command sequences on a vulnerable system. This can occur through malicious applications distributed via app stores or sideloaded APKs on Android devices. Once executed, the malicious commands can corrupt GPU memory structures, allowing an attacker to achieve code execution in the context of GPU processes, which can then be leveraged for persistence or to escape into higher-privilege components of the operating system. Reports have confirmed that this vulnerability has been actively exploited in the wild, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the likelihood of targeted attacks against Android and other Qualcomm-powered devices.

    The vulnerability carries a CVSS v3 base score of 8.6 (vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its high impact across confidentiality, integrity, and availability once triggered. Under CVSS v2, it is rated 7.2, with exploitation requiring local access but relatively low complexity. EPSS data places the probability of exploitation at 0.12787, reinforcing the fact that attackers are already using it against exposed devices.

    Google addressed the flaw in the August 2025 Android security bulletin, patching affected devices through firmware updates. Qualcomm also issued fixes for impacted Adreno GPU drivers and urged OEMs to push updates to their devices as quickly as possible. Organizations and end-users are strongly encouraged to apply the latest Android security updates immediately, as devices running outdated GPU firmware remain at significant risk. Mitigations such as restricting the installation of untrusted apps and monitoring for abnormal GPU behavior should be applied until patches are fully deployed.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.