Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Netizen: Monday Security Brief (4/28/2024)

    Netizen: Monday Security Brief (4/28/2024)

    Today’s Topics:

    • WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors
    • Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw
    • How can Netizen help?

    WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors

    Cybersecurity researchers have uncovered a widespread phishing campaign targeting WooCommerce users, using fake security alerts to trick site administrators into installing malware. Instead of delivering a legitimate patch, the attackers deploy a backdoor plugin that grants them complete control over compromised WordPress websites.

    The campaign, identified by WordPress security company Patchstack, closely resembles an attack from December 2023 where threat actors used a fake CVE vulnerability to lure victims. Researchers believe the new wave is either the work of the same group or a highly skilled copycat mimicking the earlier tactics.

    According to security researcher Chazz Wolcott, the phishing emails claim the targeted WooCommerce sites are vulnerable to a fictitious “Unauthenticated Administrative Access” flaw. Victims are urged to click a link that directs them to a phishing website designed to closely resemble the legitimate WooCommerce Marketplace page. The attackers rely on an IDN homograph trick—substituting the letter “e” with a visually similar special character “ė”—to disguise their domain as “woocommėrce[.]com.”

    Once on the fake page, victims are prompted to download a ZIP file named “authbypass-update-31297-id.zip,” which they are instructed to install like a standard WordPress plugin. However, installing this plugin triggers several malicious activities:

    • A new administrator account is silently created with a hidden username and randomized password.
    • A cron job is scheduled to run every minute, ensuring persistence.
    • Details about the new admin account and the compromised website are sent to a remote server at “woocommerce-services[.]com/wpapi.”
    • A second-stage payload is downloaded from domains such as “woocommerce-help[.]com/activate” or “woocommerce-api[.]com/activate.”
    • After decoding the payload, multiple web shells like P.A.S.-Fork, p0wny, and WSO are deployed to the server.
    • The rogue plugin hides itself from the WordPress plugin list, and the attacker-created admin account is also concealed from view.

    The end goal is full remote access to the infected websites. Attackers can inject spam, display malicious advertisements, redirect visitors to fraudulent sites, conscript the servers into botnets for distributed denial-of-service (DDoS) attacks, or even encrypt server files in ransomware-style extortion schemes.

    Website administrators are urged to immediately scan their WordPress instances for unknown plugins or suspicious administrator accounts. It’s also critical to ensure that WooCommerce and WordPress installations, along with all plugins and themes, are kept fully updated to mitigate the risk of such attacks.

    Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw

    More than 1,200 SAP NetWeaver instances exposed to the internet are vulnerable to an actively exploited, maximum-severity file upload flaw that enables remote attackers to hijack servers without authentication.

    SAP NetWeaver serves as an application server and development platform connecting SAP and non-SAP applications across multiple technologies. It plays a critical role in large enterprises worldwide.

    Last week, SAP disclosed CVE-2025-31324, a high-severity unauthenticated file upload vulnerability in the NetWeaver Visual Composer’s Metadata Uploader component. The flaw allows attackers to upload arbitrary executable files on vulnerable servers, leading to remote code execution and full system compromise.

    Multiple cybersecurity firms, including ReliaQuest, watchTowr, and Onapsis, have confirmed that CVE-2025-31324 is already being exploited in the wild. Threat actors are reportedly deploying web shells to maintain persistent access to affected servers.

    SAP responded by releasing a temporary workaround on April 8, 2025, and a full security patch on April 25. A spokesperson for SAP told BleepingComputer they are aware of exploitation attempts but have not seen evidence of customer data breaches or impacted systems so far.

    Recent scans have revealed a significant number of vulnerable systems online. The Shadowserver Foundation identified 427 exposed SAP NetWeaver servers globally, warning about the vast attack surface.

    The top affected countries include:

    • United States: 149 servers
    • India: 50 servers
    • Australia: 37 servers
    • China: 31 servers
    • Germany: 30 servers
    • Netherlands: 13 servers
    • Brazil: 10 servers
    • France: 10 servers

    However, the situation appears even more serious based on data from cyber defense platform Onyphe, which reported 1,284 vulnerable servers online — with 474 already compromised by web shells.

    “Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are already compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.

    Attackers are primarily dropping web shells named “cache.jsp” and “helper.jsp,” although researchers from Nextron Research noted that random filenames are also being used to evade detection.

    While the total number of affected servers may not seem massive, the presence of vulnerable SAP NetWeaver systems in large enterprises and multinational corporations poses a severe security risk.

    SAP customers are strongly urged to apply the latest security update following the vendor’s advisory. If immediate patching is not possible, organizations should take the following mitigation actions:

    • Restrict access to the /developmentserver/metadatauploader endpoint.
    • Disable the Visual Composer component if not in use.
    • Forward server logs to a SIEM and scan for unauthorized files in the servlet path.

    Additionally, RedRays has released a scanner tool specifically for CVE-2025-31324, helping administrators identify vulnerable systems across large environments.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: April 2025 Vulnerability Review

    Netizen: April 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from April that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2025-29824

    CVE-2025-29824 is a high-severity use-after-free vulnerability in the Windows Common Log File System (CLFS) Driver that allows an authorized attacker to elevate privileges locally. This vulnerability was disclosed as part of Microsoft’s April 2025 Patch Tuesday, where the company addressed 121 CVEs, including one zero-day that had already been exploited in the wild.

    Exploitation of CVE-2025-29824 could enable attackers to gain higher-level system privileges, providing them with the ability to execute arbitrary code, alter system configurations, or move laterally across a compromised network. Security researchers reported that ransomware gangs have actively exploited this flaw, making it a serious concern for enterprise environments, especially those running unpatched Windows systems.

    Given its active exploitation and the significant risk of privilege escalation, organizations are strongly urged to apply the April 2025 security updates without delay. In addition to patching, it is advisable to review system logs for signs of suspicious activity related to CLFS operations and implement endpoint protection solutions capable of detecting post-exploitation behaviors. Addressing this vulnerability promptly is critical to defending against ransomware attacks and broader system compromise.

    CVE-2025-22457

    CVE-2025-22457 is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. The flaw exists in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2, and it allows a remote unauthenticated attacker to achieve remote code execution.

    This vulnerability has drawn serious concern due to its active exploitation by threat actors, including groups linked to Chinese espionage operations. Security researchers have reported that thousands of Ivanti VPN appliances were left exposed and vulnerable, leading to widespread targeting. Exploitation can result in full control over the affected device, enabling attackers to deploy malware, steal sensitive information, or establish persistent access for further attacks.

    Organizations using vulnerable versions of Ivanti products are strongly urged to update immediately to the patched versions released by Ivanti. Delaying remediation could leave critical infrastructure and sensitive networks exposed to sophisticated threat actors. It is also recommended to monitor network traffic for signs of compromise, restrict access to administrative interfaces, and apply strict segmentation and access controls around critical systems to minimize potential impact.

    CVE-2025-31200

    CVE-2025-31200 is a high-severity memory corruption vulnerability affecting multiple Apple operating systems, including iOS, iPadOS, macOS Sequoia, tvOS, and visionOS. The flaw was caused by improper bounds checking when processing audio streams in maliciously crafted media files. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on a target device.

    Apple addressed the issue in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. Reports indicated that the flaw had been exploited in highly sophisticated attacks targeting specific individuals, particularly on iOS devices. Given the nature of the exploitation, it is suspected that the attacks were part of carefully crafted, state-sponsored campaigns aimed at high-value targets.

    Due to the potential for serious impact, users and organizations are urged to update their Apple devices to the latest patched versions as soon as possible. Special attention should be given to high-risk users who may be subject to targeted threats. In addition to applying updates, users should exercise caution when handling unknown or suspicious media files, particularly from untrusted sources.

    CVE-2024-53150

    CVE-2024-53150 is a high-severity vulnerability in the Linux kernel related to the ALSA (Advanced Linux Sound Architecture) USB-audio driver. The issue stems from a lack of proper validation when traversing USB clock descriptors, specifically failing to check the bLength field of each descriptor. This oversight could allow an out-of-bounds read when a device provides a malformed descriptor with a shorter-than-expected length, potentially leading to memory corruption or unexpected behavior.

    The vulnerability was resolved by introducing sanity checks during the clock descriptor traversal process. The updated code now verifies that descriptor lengths match the expected sizes before processing, and skips any invalid descriptors. Special attention was given to clock selector descriptors for UAC2 and UAC3 devices, which include dynamic array fields and required additional checks beyond simple size comparisons.

    This flaw was highlighted as part of Google’s Android security updates in April 2025, indicating that it had been actively exploited in attacks targeting Android devices. Given its potential for exploitation and the fact that Linux kernel vulnerabilities often impact a wide range of platforms, users and organizations should apply patches that address this vulnerability as soon as they are available. Updating kernel versions, especially for systems running Android or Linux-based distributions that use ALSA drivers, is critical to preventing potential exploitation through malicious USB devices or corrupted media handling.

    CVE-2024-53197

    CVE-2024-53197 is a high-severity vulnerability affecting the Linux kernel’s USB-audio subsystem, specifically impacting devices like Extigy and Mbox. The issue stems from a scenario where a malicious or faulty USB device provides a bNumConfigurations value that exceeds the amount initially allocated for dev->config during usb_get_configuration. This discrepancy can lead to out-of-bounds accesses later during operations such as usb_destroy_configuration, potentially resulting in memory corruption or system instability.

    The vulnerability was addressed by introducing proper validation checks to ensure that configuration values provided by devices do not exceed the allocated memory bounds. This fix was included in kernel patches released in early 2025 and was highlighted as part of the broader Android security updates in April 2025, suggesting that exploitation was observed in real-world attacks targeting Android systems and Linux-based environments.

    Given the nature of the flaw and the risks associated with memory corruption vulnerabilities, organizations and users running affected Linux or Android systems should apply the available security patches as soon as possible. Keeping systems updated and being cautious about connecting unknown or untrusted USB devices can help mitigate the risk of exploitation related to this vulnerability.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen Cybersecurity Bulletin (April 24th, 2025)

    Netizen Cybersecurity Bulletin (April 24th, 2025)

    Overview:

    • Phish Tale of the Week
    • Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel
    • Curing: New io_uring Linux Rootkit Evades System Call-Based Detection
    • How can Netizen help?

    Phish Tale of the Week

    Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that we should join some sort of stock trading group where they share “trusted analyst signals.” It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently sign up for any information regarding a “Daily Exchange Trend Overview.” On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
    2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “Typical daily income: 1K-5K.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
    3. The final warning sign for this email is the wording; in our case the smisher uses the incomplete sentence “Daily Exchange Trend Overview Mitigate your risks.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel

    Iran-linked hacking group UNC2428 has been implicated in a highly targeted phishing campaign that delivered a new backdoor malware, MURKYTOUR, under the guise of a job opportunity with a major Israeli defense contractor. The social engineering operation, observed in October 2024, is part of an ongoing series of cyber-espionage attacks that leverage deception and custom-built malware to compromise victims in Israel.

    According to Google-owned threat intelligence firm Mandiant, the Iranian threat actor UNC2428 orchestrated a multi-stage attack by posing as recruiters from Rafael Advanced Defense Systems, a prominent Israeli defense company. The group directed victims to a fake website mimicking Rafael’s legitimate domain and asked them to download an application tool—RafaelConnect.exe—which appeared to facilitate the job application process.

    In reality, RafaelConnect.exe was a trojanized installer called LONEFLEET. It featured a realistic-looking graphical user interface (GUI) that requested personal information and a résumé upload. Behind the scenes, it executed MURKYTOUR, a custom malware implant that provided persistent access to the victim’s system. Mandiant confirmed the use of LEAFPILE, a launcher used to initiate MURKYTOUR silently while keeping the victim engaged with the fake application.

    “The use of legitimate-looking GUIs helps these Iranian threat actors reduce suspicion during installation,” Mandiant stated in its 2025 M-Trends report. “By mimicking the exact look and feel of recruitment portals, the malware deployment becomes seamless.”

    The techniques used by UNC2428 closely resemble tactics previously attributed to Black Shadow, a group linked to Iran’s Ministry of Intelligence and Security (MOIS). Israel’s National Cyber Directorate has associated Black Shadow with multiple campaigns targeting sectors such as finance, healthcare, transportation, academia, and government services.

    Mandiant emphasizes that UNC2428 is just one of several Iran-backed hacking clusters targeting Israeli interests throughout 2024.

    Other Active Iranian Threat Groups in 2024

    One notable Iranian threat group, Cyber Toufan, emerged with a wiper malware named POKYBLIGHT, used against Israeli-based systems. The wiper campaign appeared to focus on data destruction and operational disruption.

    Mandiant also tracked UNC3313, another Iran-affiliated espionage group, which distributed malware like JELLYBEAN and CANDYBOX through phishing lures themed around training and webinars. UNC3313 is known to rely heavily on remote monitoring and management (RMM) tools—nine different ones to date—to maintain access while evading traditional detection mechanisms.

    These tactics mirror those of MuddyWater (aka Static Kitten), a well-known Iranian cyber-espionage group with similar infrastructure and techniques.

    In a separate campaign observed in July 2024, Mandiant discovered that Iranian hackers distributed a .NET-based backdoor dubbed CACTUSPAL by disguising it as a legitimate installer for Palo Alto Networks’ GlobalProtect VPN software. Once launched, the malware stealthily verified its process and connected to a command-and-control (C2) server, establishing persistent access.

    Meanwhile, UNC1549—another Iranian threat actor—has adapted its tactics by embedding malicious infrastructure into cloud-based environments. Hosting C2 nodes and payloads on popular cloud platforms, they have been able to disguise malicious activity as normal enterprise traffic.

    “These methods allow Iranian APTs to fly under the radar by blending into enterprise network behavior,” said Mandiant. “Typosquatting and domain reuse are now combined with advanced cloud-native deception.”

    The group APT42, also known as Charming Kitten, is notorious for credential harvesting. They create highly convincing fake login pages for platforms like Google, Yahoo, and Microsoft, often redirecting users through services such as Google Sites and Dropbox to create credible landing pages. Their phishing tactics often involve rapport-building with victims, posing as trusted contacts or employers.

    Across all Iranian operations documented by Mandiant in 2024, over 20 unique malware families were identified—including custom backdoors, droppers, and downloaders. Among these, DODGYLAFFA and SPAREPRIZE have been used by APT34 (also known as OilRig) in operations aimed at Iraqi government systems.

    Iran-backed cyber operations are intensifying in scale and technical sophistication, particularly against Israeli interests. These operations demonstrate an evolving threat model, one that blends stealthy malware, deception, and cloud-based infrastructure.

    Mandiant warns that organizations operating in the region should remain on high alert. “Iran-nexus threat actors will continue adjusting their strategies to align with geopolitical interests,” the firm stated. “Defenders should expect more sophisticated lures, stealthier malware, and faster deployment cycles in 2025 and beyond.”

    To read more about this article, click here.

    Curing: New io_uring Linux Rootkit Evades System Call-Based Detection

    Programmer or developer typing on a laptop computer keyboard for HTML, appllication coding, software programming, and java script.

    A new proof-of-concept Linux rootkit called Curing reveals a dangerous blind spot in many popular runtime security tools by abusing the Linux io_uring interface to operate without triggering system calls. This evasion tactic highlights a growing risk for Linux environments relying on syscall-based monitoring for threat detection.

    Introduced in Linux kernel 5.1 in 2019, io_uring is an asynchronous I/O mechanism designed to improve performance by reducing context switches. It enables communication between user space and the kernel through shared submission and completion queues, allowing applications to perform I/O without the overhead of traditional system calls.

    While this boosts performance, it also presents a security problem: actions executed through io_uring can avoid detection from tools that rely on system call hooks.

    The Curing rootkit, developed as a proof-of-concept by security researchers at ARMO, establishes a backchannel with a command-and-control (C2) server and executes commands entirely through io_uring. This allows it to avoid generating system calls altogether, making its activity invisible to tools that depend on syscall-based detection.

    According to ARMO, this represents a major visibility gap in Linux runtime security.

    “This mechanism allows a user application to perform various actions without using system calls,” ARMO explained. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”

    Popular Linux runtime security tools such as Falco and Tetragon are not equipped to detect threats like Curing. These tools rely on system call hooks to monitor runtime behavior, and because io_uring operations do not use system calls, they go unnoticed.

    This limitation underscores the need for more advanced detection methods that go beyond syscall monitoring and incorporate deeper visibility into kernel-level operations.

    Google previously flagged io_uring as a potential security concern. In 2023, the company began restricting its use across Android, ChromeOS, and internal production systems due to its ability to support powerful exploitation techniques.

    Traditional rootkits often rely on intercepting system calls or modifying kernel modules. Curing demonstrates that attackers no longer need to use these techniques to remain stealthy. By using io_uring, malware can operate entirely outside the detection scope of many current endpoint security tools.

    “System calls aren’t always guaranteed to be invoked,” said ARMO’s Head of Security Research Amit Schendel. “io_uring, which can bypass them entirely, is a great example. It represents a powerful tool for attackers and a blind spot for defenders.”

    To read more about this article, click here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • AI Drastically Accelerates Exploit Development for CVE-2025-32433

    AI Drastically Accelerates Exploit Development for CVE-2025-32433

    Artificial intelligence is no longer a passive analytical tool—it has become an active threat amplifier. The case of CVE-2025-32433, a critical vulnerability in the Erlang SSH library, showcases how modern AI systems can drastically accelerate the timeline from vulnerability disclosure to working exploit. What once required days or weeks of reverse engineering and development can now be compressed into a matter of hours.

    A Single Evening to Full Exploitation

    This point was proven by Matthew Keeley, a security researcher at ProDefense, who challenged himself to see how far generative AI could go in converting a fresh CVE into a functional proof-of-concept exploit. Inspired by research from Horizon3.ai noting the exploitability of CVE-2025-32433, Keeley used GPT-4 and Claude Sonnet 3.7 to orchestrate the process.

    The initial task for GPT-4 was setting up a fuzzing environment—generating Docker containers, configuring a vulnerable Erlang SSH server, and creating basic testing scaffolding. This in itself was impressive: AI wasn’t just writing code—it was provisioning infrastructure for dynamic analysis. While fuzzing didn’t immediately yield an exploit, the foundation was laid.

    Once Keeley fed the model diff files from the patched version of the code, GPT-4 was able to compare the fixed and vulnerable implementations, identify the root cause, and generate a detailed explanation of the vulnerability: improper handling of unauthenticated SSH messages.

    From there, the model drafted a working PoC, and with additional refinement using Cursor (an AI-enhanced development environment powered by Claude Sonnet 3.7), Keeley had a successful exploit by the end of the night.

    Weaponization Is Now a Race Against the Clock

    The defensive window between CVE disclosure and public weaponization is collapsing. Security teams can no longer treat “patching within a few days” as acceptable. In many cases, attackers with access to the same models may already be building or sharing usable exploits on private channels.

    “What used to take skilled researchers a week now takes less than a day,” Keeley said. “With the right prompt engineering, you can move from a GitHub diff to a working exploit with AI writing 80% of the code.”

    This isn’t just theory. In 2024, the time from vulnerability disclosure to exploitation dropped significantly for critical flaws like CitrixBleed and regreSSHion. CVE-2025-32433 now joins the growing list of vulnerabilities where AI-assisted exploit development outpaces traditional defensive cycles.

    The Broader Trend: Volume and Velocity

    According to NIST data, CVE publication volume increased by 38% from 2023 to 2024. But the bigger issue is velocity—how quickly attackers can exploit new flaws. Adversaries are increasingly using shared tooling and automated development pipelines to mass-deploy new attacks. Keeley’s test shows that even well-documented but niche vulnerabilities can now be turned into reliable attack vectors within hours of public disclosure.

    This dynamic creates cascading risk across industries. A vulnerability discovered on Tuesday might be exploited globally by Wednesday. Patching cycles, software validation, and risk prioritization systems built around slower exploit timelines are quickly becoming obsolete.

    What Defenders Need to Do Now

    Organizations must assume that every publicly disclosed vulnerability is potentially already being exploited. That means moving from passive vulnerability monitoring to proactive, rapid patch deployment. Security teams need automation and orchestration tools capable of pushing fixes across environments within hours—not days.

    Equally important, vulnerability management strategies must evolve to include real-time telemetry, exploit prediction, and AI-driven prioritization. If adversaries are using AI to weaponize flaws, defenders must leverage AI for triage, threat modeling, and even anticipatory patching based on exploit likelihood.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Phishers Abuse Google DKIM Replay and Sites to Deliver Signed Credential-Stealing Emails

    Phishers Abuse Google DKIM Replay and Sites to Deliver Signed Credential-Stealing Emails

    A new phishing campaign is exploiting a loophole in Google’s email authentication system, allowing attackers to send DKIM-signed emails that appear to come from legitimate Google addresses. These messages pass all standard authentication checks—including SPF, DKIM, and DMARC—and are delivered to Gmail inboxes without warning, often grouped with real Google security alerts.

    The campaign was first flagged by Nick Johnson, lead developer of the Ethereum Name Service (ENS), who received one of these spoofed messages claiming that law enforcement had issued a subpoena for his Google account data.

    Google Sites Used to Host Phishing Pages

    The phishing message contains a link to a page hosted on sites.google.com, a legacy web hosting platform that still supports arbitrary script embeds. The linked page mimics Google’s support portal and includes options such as “upload documents” or “view case,” which redirect victims to a fraudulent Google login page designed to steal credentials.

    “Sites.google.com is a legacy platform that still allows user-generated content with embedded scripts,” Johnson explained. “That makes it an easy vector for hosting lookalike phishing pages on a trusted domain.”

    DKIM Replay Attack Enables Email Spoofing

    The core technique used in this campaign is a DKIM replay attack. The attackers first register a new domain and create a Google account in the form of me@domain.com. Then, they craft a Google OAuth application and assign the entire phishing message as its name.

    When that OAuth app is granted access to the email account, Google automatically sends a security alert to the inbox of me@domain.com. Since this alert is generated by Google, it carries a valid DKIM signature and passes all authentication checks.

    The attacker then forwards this message to their victims, using mail relays that preserve the DKIM headers—making the email appear legitimate even under scrutiny. Because Gmail treats me@ as shorthand for the recipient’s address, the phishing email appears even more convincing.

    Mail Routing Obscures Origin

    EasyDMARC and Johnson both confirmed that attackers use infrastructure like Jellyfish SMTP and Namecheap’s PrivateEmail service to relay the phishing messages while preserving their authentication headers. This allows attackers to mask the true origin and still pass security checks.

    “The success of the attack relies on the fact that Gmail prioritizes message headers and DKIM-signed content for trust—not the original envelope sender,” said EasyDMARC CEO Gerasim Hovhannisyan.

    Google Responds to the Abuse

    In a statement to The Hacker News, Google acknowledged the campaign and confirmed that it has rolled out fixes to block this avenue of abuse.

    “We’re aware of this class of targeted attack and have deployed protections to shut down this pathway,” a Google spokesperson said. “We encourage all users to enable two-factor authentication or passkeys to further secure their accounts.”

    Google also reiterated that it does not ask for account passwords or verification codes by email.

    Rise in SVG-Based Phishing Campaigns

    The DKIM replay scam arrives amid a broader rise in phishing attacks using SVG file attachments. These files contain embedded JavaScript that redirects users to spoofed login pages—commonly imitating Microsoft or Google services.

    Kaspersky reported that more than 4,100 phishing emails using malicious SVG attachments have been observed in 2025 alone, highlighting a growing trend in highly targeted phishing methods.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: Monday Security Brief (4/21/2024)

    Netizen: Monday Security Brief (4/21/2024)

    Today’s Topics:

    • Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails
    • Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App
    • How can Netizen help?

    Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails

    Hackers have found a way to exploit Google’s OAuth infrastructure to send fake emails that pass DKIM authentication—making them appear legitimate even when they point to malicious phishing pages hosted on Google’s own services.

    The attack centers around what’s known as a DKIM replay, where a legitimate, signed email generated by Google is forwarded to a victim after being crafted to include deceptive content. Security researcher Nick Johnson, lead developer of Ethereum Name Service (ENS), detailed the scheme after receiving a suspicious Google security alert claiming his account data was requested by law enforcement. The message passed all authentication checks and was filed alongside real security notifications in his inbox.

    What made the email suspicious was its link to a “support portal” hosted on Google Sites—not the expected accounts.google.com domain. The page was an exact replica of Google’s login interface, built to harvest credentials. Its presence on a trusted Google domain made it harder for users to detect the fraud.

    The real trick was how the email passed DKIM verification. Johnson discovered that the attacker had created a Google account under the address me@[attacker-domain] and then built a deceptive OAuth app. The app’s name contained the entire phishing message, padded with whitespace to hide Google’s security alert about the app being granted inbox access. When the attacker authorized the app, Google automatically emailed a notification to their own inbox. That alert—signed with Google’s DKIM keys—was then forwarded to victims.

    Because DKIM only validates the message body and headers (not the SMTP envelope), the forged email appeared to come from no-reply@google.com and passed standard email security checks like SPF and DKIM. Johnson noted that Gmail’s UI showed the email as if it were sent to the victim directly, due to the clever use of the “me@” username format.

    Email security firm EasyDMARC later confirmed the technical details of the attack and labeled it a textbook example of how DKIM replay can be abused.

    This isn’t the first instance of the tactic. In March, BleepingComputer reported a similar scheme using PayPal’s infrastructure. In that case, the attacker abused the “gift address” field when linking an alternate email to a PayPal account. They inserted the phishing message into a second field, prompting PayPal to send a legitimate confirmation message that was then forwarded to a list of potential victims.

    Initially, Google claimed that the behavior was working as designed. However, after further review, the company acknowledged the abuse potential and has since begun working on mitigations to prevent this kind of OAuth-based spoofing from continuing.

    Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App

    A sudden wave of account lockouts across Microsoft Entra ID environments is being tied to the rollout of a new security feature called MACE Credential Revocation. Starting on the evening of April 18, Windows administrators began reporting mass lockouts affecting user accounts across numerous tenants, with no evidence of actual compromise.

    Microsoft Entra ID, formerly Azure Active Directory, serves as Microsoft’s cloud identity and access platform. It underpins user authentication and access control for millions of organizations. However, a recent behind-the-scenes update to its credential leak detection functionality appears to have caused serious disruptions for IT teams and managed service providers (MSPs) worldwide.

    According to a fast-growing Reddit thread, organizations received hundreds or even thousands of “leaked credentials” alerts from Microsoft Entra, locking out affected users automatically. The volume and timing of the notifications led many to suspect a misfire.

    “About 1/3 of our accounts got locked out about ~1 hour ago,” wrote one MSP admin. “We’re a MSP so I’m assuming this is happening to our clients as well.”

    Despite Microsoft’s systems flagging leaked credentials, administrators reported no corresponding signs of compromise—no suspicious login attempts, no credential reuse, and no matches in external breach notification tools like Have I Been Pwned. Many of the locked accounts were protected by multifactor authentication (MFA), adding to the suspicion that the alerts were false positives.

    One managed detection and response (MDR) provider said they received more than 20,000 leaked credential alerts from Microsoft overnight, all stemming from various customer tenants.

    Several admins who reached out to Microsoft were told the issue stemmed from the rollout of a new Microsoft Entra Enterprise Application: MACE Credential Revocation.

    “Just got off with [a Microsoft] engineer. It is Tenant Lockout due to this MACE ninja rollout they did. No signs of compromise,” wrote one affected user. “It was Error Code: 53003 for conditional access policy.”

    Multiple admins confirmed that the MACE Credential Revocation app appeared in their tenants shortly before the lockouts began. MACE is designed to detect leaked credentials—such as those discovered on the dark web—and enforce account protections automatically, including revocation of access and credential resets.

    The problem appears to lie not with the goal of MACE, but in the accuracy of its detection logic during rollout. The sudden spike in lockouts—with no corresponding threat telemetry—suggests a faulty integration or misconfigured detection threshold.

    As of April 20, Microsoft has not issued an official statement about the incident. Administrators are urging caution and advising others to verify any credential alerts before assuming compromise, especially if the alerts arrived in bulk.

    While security teams are generally advised to treat any leaked credential notification seriously, the volume and context of these alerts have led many to classify the event as a Microsoft-driven incident rather than a coordinated attack.

    Until Microsoft clarifies the situation, admins are left relying on peer reports and case-by-case escalations to Microsoft support.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Understanding Software Keygens: A Comprehensive Guide

    Understanding Software Keygens: A Comprehensive Guide

    Software keygens (key generators) are tools designed to generate valid license keys or serial numbers to unlock and register software, often for illegal use (piracy). Understanding how they work involves examining the underlying system used by legitimate software to create and validate these keys, as well as the methods used by keygens to mimic or bypass this process. Let’s break down the questions:

    How Does the Key System Work in Software?

    Software usually employs a licensing system to validate a product key. This process involves several methods:

    1. Secret Key Generation:
      • Typically, the software developer creates a secret key (a long, complex string) known only to them.
      • To generate a unique key for each user, the program often combines the user’s details (like name, email, or machine identifier) with the secret key and hashes the result using an algorithm (like SHA1 or MD5).
      • The result is then formatted as an alphanumeric string that serves as the product key.
    2. Validation:
      • When the user inputs their key, the software will repeat the same process (concatenating the user details and secret key, and hashing it). It then compares the generated hash with the key entered by the user.
      • If the hashes match, the software grants access. If not, the program rejects the key.

    Where Does the Key Generation and Validation Occur?

    In most cases, key generation doesn’t require encrypted files. The process is handled either within the software or through a central server for online validation:

    1. Local Validation:
      • The product key is validated locally by the software itself. In this case, no external encrypted file is needed, and the key is generated using the same hash algorithm implemented within the software.
    2. Online Validation:
      • More advanced systems use online activation. In this case, the software communicates with a remote server where the key is verified against a central database of valid keys. This system makes it much harder for pirates to generate valid keys, as they would need access to the server or the correct algorithm for validation.

    How Do Companies Encrypt Product Keys?

    To ensure the security of product keys, companies typically do the following:

    1. Encrypting Stored Keys:
      • If the software needs to store a user’s key locally (for example, during installation), it may use encryption techniques such as AES (Advanced Encryption Standard) to store the key securely. This prevents attackers from easily accessing the key from the file system.
    2. Digital Signatures:
      • Some companies sign the key itself with a digital signature, which uses asymmetric encryption to verify that the key hasn’t been tampered with. The digital signature can also be checked by the software using the public key embedded within the application.

    How Do Keygens Work?

    Keygens work by reverse engineering the key generation algorithm used by the software:

    1. Reverse Engineering:
      • The keygen’s creator analyzes the software to discover the underlying algorithm responsible for key generation. This can be done through techniques like disassembling the binary or debugging the program to trace the execution path that leads to key validation.
      • Once the keygen understands how the key is generated, it can replicate this process and generate valid keys for any user.
    2. Brute Force or Pattern Recognition:
      • In some cases, keygens use brute-force methods or recognize patterns in the key generation algorithm to generate valid keys instantly. These methods are highly efficient if the algorithm is weak or the range of possible keys is narrow.

    Why Do Keygens Generate Keys Instantly?

    The reason keygens can generate keys quickly, as opposed to password-cracking tools like Cain & Abel, is due to the differences in the approach and complexity:

    1. Brute Force vs. Algorithm Recreation:
      • Password-cracking tools often rely on brute force (trying every possible combination) or dictionary-based methods, which can take a long time, especially for complex passwords.
      • Keygens, however, directly recreate the key generation algorithm, meaning they don’t need to try all possibilities. Instead, they just use the algorithm to generate a valid key on the fly. This makes the process very quick.

    What Measures Can Companies Take to Prevent Keygen Use?

    While no method is entirely foolproof, companies can implement several measures to prevent the use of keygens:

    1. Online Activation:
      • Online activation significantly reduces piracy by requiring the software to contact a remote server for validation. This makes it harder for attackers to bypass the activation mechanism without a valid server response.
    2. Digital Signatures and Encryption:
      • Using digital signatures or encrypting product keys ensures that even if a keygen generates a key, it will not be accepted if it is tampered with.
    3. Frequent Updates:
      • Regular updates to the software can disrupt keygens by changing the validation mechanism or introducing new algorithms that render old keys invalid.
    4. Hardware-based Licensing:
      • Some software companies use hardware-based licensing (such as dongles or TPM chips), where the key is tied to specific hardware. This makes it much harder to pirate the software, as the key cannot easily be extracted and used on another machine.

    Conclusion

    In conclusion, while understanding how keygens function can be valuable for security professionals and developers, it’s important to note that we do not support or condone piracy in any form. Piracy undermines the hard work of software developers, violates intellectual property laws, and compromises the integrity of digital ecosystems. Companies invest significant resources into creating and securing their software, and respecting their licensing and activation systems is crucial for fostering a fair and sustainable tech environment. It is always best to support legitimate software purchases to ensure continued innovation and protection for all users.

  • Funding Crisis Threatens CVE Program—New Foundation Steps In to Maintain Operations

    Funding Crisis Threatens CVE Program—New Foundation Steps In to Maintain Operations

    The Common Vulnerabilities and Exposures (CVE) program—a cornerstone of global cybersecurity infrastructure—is facing major changes after its longtime operator, MITRE, announced that federal funding had lapsed as of April 16, 2025. The lapse prompted widespread concern from cybersecurity professionals, software vendors, and government officials who depend on CVE data to identify and manage software and hardware vulnerabilities.

    What Is CVE and Why It Matters

    The CVE program, developed and managed by MITRE under contract with the U.S. Department of Homeland Security (DHS), assigns unique identifiers to newly discovered security flaws in software and firmware. These identifiers—such as CVE-2024-43573—allow vendors, defenders, and researchers to speak a common language about vulnerabilities across platforms and tools.

    The CVE database supports a broader ecosystem of cybersecurity capabilities, including patch management, security scanning, intrusion detection, and threat intelligence. As former CISA Director Jen Easterly once described it, CVE functions as “the Dewey Decimal System for cybersecurity,” providing consistency and clarity across the industry.

    MITRE’s Contract Expiration and Warning Letter

    On April 15, MITRE Vice President Yosry Barsoum sent a letter to the CVE Board warning that the organization’s contract to manage and modernize the CVE program would expire the following day. The letter cited potential disruptions to vulnerability coordination, threat advisories, automated patching tools, and incident response processes if the service were to be interrupted.

    “If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure,” the letter stated.

    MITRE also clarified that while the CVE website would remain live, no new CVE identifiers would be issued until further funding or a structural alternative was in place.

    Industry Reaction: Alarm and Urgency

    The response from the cybersecurity community was swift and vocal. Security researchers expressed concern about the potential fragmentation of vulnerability tracking and the increased difficulty of coordinating patch cycles without a standardized system like CVE.

    John Hammond, principal researcher at Huntress, said the potential shutdown felt like losing “the language and lingo we use to address problems in cybersecurity.” Others noted that the lapse could force organizations to rely on vendor-specific disclosures, increasing confusion and slowing down response times to emerging threats.

    “This isn’t just an inconvenience,” said Matt Tait, COO at Corellium. “Without CVE, patch prioritization becomes more difficult, security tools lose consistency, and risk managers have to monitor multiple fragmented sources to track vulnerabilities.”

    A Rapid Turnaround: The CVE Foundation Is Born

    Just hours after the funding lapse, the CVE Board announced the formation of a new nonprofit, The CVE Foundation, to continue the program’s operations independently of the U.S. government. The foundation’s mission will be to maintain and evolve CVE as a global public good, free from reliance on a single federal sponsor.

    “While the program has grown tremendously under U.S. government support, its dependence on a single funding stream has created long-standing concerns about sustainability and neutrality,” the board wrote in a press release. “The foundation model allows us to address those concerns directly.”

    The foundation’s website, thecvefoundation.org, is now live, though at present it contains only the press announcement. More information on the foundation’s governance structure, membership, and transition plan is expected in the coming days.

    Interim Support from MITRE

    Later in the day on April 16, MITRE issued a separate statement confirming that it had secured “incremental funding” to keep the CVE and CWE (Common Weakness Enumeration) programs operational in the short term.

    “We appreciate the overwhelming support expressed by the global cyber community, industry, and government,” the statement read. “MITRE remains committed to CVE and CWE as global resources, and we continue to work with the government and stakeholders to support a smooth transition.”

    What’s Next?

    The transition to a nonprofit foundation marks a significant shift in how one of the most relied-upon cybersecurity standards is managed. While the continuity of operations has been preserved for now, the episode has raised important questions about how critical cybersecurity infrastructure is funded and governed.

    With the cybersecurity threat landscape continuing to evolve rapidly—and with CVEs playing a central role in everything from enterprise patch management to national critical infrastructure defense—how the foundation scales and sustains its operations will be closely watched.

    The creation of the CVE Foundation may ultimately prove to be a necessary and overdue modernization of a program that has become too important to rely on year-to-year contract renewals. But for now, the cybersecurity community is breathing a cautious sigh of relief.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • March 2025: Trump Administration Advances AI Strategy, Tightens Restrictions on DeepSeek

    March 2025: Trump Administration Advances AI Strategy, Tightens Restrictions on DeepSeek

    On March 15, the White House concluded a public comment period on its upcoming AI Action Plan. The Office of Science & Technology Policy (OSTP), alongside the National Science Foundation’s Networking and Information Technology Research and Development (NITRD) office, had issued a formal Request for Information (RFI) in February as required by President Trump’s AI Executive Order.

    The RFI invited input across 20 broad topic areas, including AI-related data privacy, safety standards, technical infrastructure, and government procurement. In total, 8,755 comments were submitted by stakeholders, ranging from nonprofit organizations and academia to industry groups and private companies.

    The finalized AI Action Plan is expected to be released by July 2025.

    NIST Expands AI Standards and Evaluation Efforts

    Throughout March, the National Institute of Standards and Technology (NIST) launched several initiatives to bolster AI safety, reliability, and standards development:

    • GenAI Image Challenge (March 19):
      NIST invited researchers and developers to participate in a benchmarking challenge evaluating generative AI systems—specifically image generators and image discriminators. The challenge aims to improve methods of detecting AI-generated visual content.
    • Adversarial ML Report (March 24):
      NIST published its final report, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2e2025). The guidance defines attack types across the AI lifecycle and offers voluntary mitigations for securing predictive and generative systems. The report warns that adversarial attacks in real-world settings are growing more sophisticated and damaging.
    • AI Standards “Zero Drafts” Pilot (March 25):
      NIST announced a new standard-setting model where it will publish preliminary “zero draft” AI standards for community feedback before passing them to formal standards-developing organizations (SDOs). The pilot will begin with four topic areas:
      1. Transparency and documentation
      2. TEVV (Testing, Evaluation, Verification, and Validation)
      3. System architecture and terminology
      4. Reducing synthetic content risks

    NIST is soliciting stakeholder input on these priorities. No submission deadline has been set.

    Senate Confirms Michael Kratsios to Lead OSTP

    On March 25, Michael Kratsios was confirmed by the Senate (74-25 vote) as Director of the White House Office of Science & Technology Policy. Kratsios previously served in the Trump Administration as U.S. CTO and played a central role in the 2020 rollout of AI guidance for federal agencies.

    In written responses to the Senate Commerce Committee, Kratsios emphasized a sector-specific, risk-based approach to AI regulation and pledged to collaborate with the Department of Commerce on shaping the U.S. AI Safety Institute.

    The following day, President Trump issued a formal letter to Kratsios outlining three directives:

    1. Accelerate research to maintain U.S. technological supremacy in AI and related emerging technologies.
    2. Reduce regulatory barriers and revitalize the American science and technology base.
    3. Ensure that innovation drives broad economic benefits for all Americans.

    DeepSeek Draws Increased Scrutiny from Federal and State Leaders

    In response to national security concerns tied to Chinese AI firm DeepSeek, Congress and state officials increased pressure to restrict the company’s products from government environments.

    • Congressional Action:
      On March 3, Reps. Josh Gottheimer (D-NJ) and Darin LaHood (R-IL) sent letters to 47 state governors and the DC mayor urging bans on DeepSeek products on government devices. This follows their introduction of H.R. 1121, the No DeepSeek on Government Devices Act.
    • Attorneys General Back Federal Ban:
      On March 6, Montana Attorney General Austin Knudsen—joined by 20 other AGs—formally supported the bill, citing data privacy and national security concerns.
    • New State-Level Bans:
      South Dakota banned use of DeepSeek on state-issued devices on March 4. Oklahoma followed suit on March 21, prohibiting use or download of DeepSeek on government-owned systems and banning the input of state data into any product built on DeepSeek’s platform.

    These actions add to previously announced bans in New York, Virginia, Iowa, and Pennsylvania. In his announcement, Oklahoma Governor Kevin Stitt cited security risks, adversarial AI concerns, and regulatory compliance issues as driving factors behind the decision.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Understanding EDR, MDR, and XDR for Cyber Defense

    Understanding EDR, MDR, and XDR for Cyber Defense

    As ransomware and cyber extortion campaigns grow more complex, organizations are rethinking how they protect digital assets across endpoints, networks, and cloud infrastructure. In this changing threat landscape, three terms are appearing frequently: EDR (Endpoint Detection and Response), MDR (Managed Detection and Response), and XDR (Extended Detection and Response). While they share a common goal—detecting and stopping malicious activity—they differ significantly in scope, implementation, and suitability for various organizations.

    At a glance, EDR offers direct, granular control over endpoint security. MDR adds a human element, delivering security monitoring and response as a service. XDR takes a broader approach by integrating multiple telemetry sources to identify threats across environments.

    Understanding the Core of EDR

    EDR tools are focused on the devices that sit at the edge of your network—laptops, desktops, servers, and mobile endpoints. These tools continuously monitor device activity to catch and respond to suspicious behavior. In practical terms, that means if a developer opens a compromised file while working remotely, EDR software might flag unexpected registry changes or executable behavior, then isolate the machine to prevent spread.

    This approach is particularly helpful for mid-sized organizations with skilled security teams that prefer hands-on oversight. However, EDR platforms often generate high alert volumes, which can be overwhelming without dedicated staff.

    How MDR Takes Pressure Off In-House Teams

    MDR builds on EDR but wraps it in managed services, giving organizations access to expert analysts who monitor threats 24/7. For startups or businesses lacking a full security operations center, MDR fills a crucial gap. If attackers strike in the middle of the night, an MDR provider will detect, investigate, and respond before anyone in-house is even aware something went wrong.

    This approach is more costly than EDR alone but dramatically reduces the internal workload and expertise requirements. It’s especially helpful for teams suffering from alert fatigue or those trying to scale security efforts without building out a SOC from scratch.

    XDR’s Broader Scope for Complex Environments

    XDR goes beyond endpoint-level protection by correlating signals across multiple domains, including network traffic, cloud workloads, identity services, and endpoints. In organizations with hybrid environments—on-prem infrastructure mixed with SaaS platforms and cloud VMs—XDR offers an aggregated view of threats, helping security teams piece together the full picture of an attack.

    Rather than just alerting based on activity on a single endpoint, XDR can detect coordinated intrusions, lateral movement, and multi-stage malware infections that span devices and environments. However, the broader scope also brings challenges with deployment and integration, especially in large-scale IT environments.

    Comparing Their Strengths and Weaknesses

    Each of these tools comes with trade-offs. EDR is ideal for teams with technical depth who want visibility and control but can handle their own alerts. MDR outsources much of the effort, offering expert help at the cost of some customizability. XDR offers the richest telemetry and the most context, but its success depends on how well it integrates with your infrastructure.

    Cost also scales accordingly. EDR is often the least expensive but resource-intensive. MDR is priced higher due to the inclusion of human services. XDR tends to be the most expensive and powerful, best suited for large or mature organizations with a diverse attack surface.

    So, What’s the Right Fit?

    If your organization already has in-house cybersecurity expertise and needs high-fidelity visibility into endpoint activity, EDR is likely a good fit. If you’re struggling with resource limitations or lack dedicated staff for around-the-clock response, MDR offers a practical and effective middle ground. If your infrastructure spans multiple systems and you need centralized threat visibility, XDR provides the best situational awareness—particularly valuable in highly targeted or regulated sectors.

    Regardless of the approach, these solutions are not mutually exclusive. Some organizations combine EDR for granular control, MDR for expert oversight, and XDR for cross-environment threat correlation. The key is to match your decision to your organization’s risk exposure, IT complexity, and available internal resources.

    As cyber threats continue evolving, so too must your defense strategy. Choosing the right mix of detection and response tools can mean the difference between a quick containment and a costly breach.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact