Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Netizen: Monday Security Brief (7/14/2024)

    Netizen: Monday Security Brief (7/14/2024)

    Today’s Topics:

    • Fortinet Issues Critical Patch for SQL Injection Flaw in FortiWeb (CVE-2025-25257)
    • Critical eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Security Risks
    • How can Netizen help?

    Fortinet Issues Critical Patch for SQL Injection Flaw in FortiWeb (CVE-2025-25257)

    Fortinet has released a security patch addressing a critical SQL injection vulnerability identified in its FortiWeb product. Tracked as CVE-2025-25257, the flaw poses a severe risk to affected versions of FortiWeb, potentially allowing unauthenticated attackers to execute arbitrary database commands on vulnerable instances. This issue carries a CVSS score of 9.6 out of 10, making it one of the most significant vulnerabilities discovered in recent times for the platform.

    The vulnerability stems from improper neutralization of special elements used in SQL commands, known as SQL injection (CWE-89). An attacker can exploit this weakness by crafting specially designed HTTP or HTTPS requests to inject malicious SQL code into FortiWeb. If successfully executed, this attack could allow the attacker to execute unauthorized SQL commands on the system, leading to the potential compromise of the database.

    The flaw specifically impacts several versions of FortiWeb, including:

    • FortiWeb 7.6.0 through 7.6.3 (upgrade to 7.6.4 or above)
    • FortiWeb 7.4.0 through 7.4.7 (upgrade to 7.4.8 or above)
    • FortiWeb 7.2.0 through 7.2.10 (upgrade to 7.2.11 or above)
    • FortiWeb 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above)

    The vulnerability is tied to a function named get_fabric_user_by_token, which is associated with FortiWeb’s Fabric Connector component. This function is called by another function, fabric_access_check, which is triggered from multiple API endpoints. In particular, the endpoints /api/fabric/device/status, /api/v[0-9]/fabric/widget/[a-z]+, and /api/v[0-9]/fabric/widget are directly affected.

    The issue arises because attacker-controlled input, passed via a Bearer token Authorization header in specially crafted HTTP requests, is directly fed into an SQL query without proper sanitization. As a result, attackers can inject malicious SQL code, allowing them to manipulate or access sensitive data in the database.

    Furthermore, the vulnerability can be extended into a remote code execution attack. This is possible by exploiting the fact that the query is run as the “mysql” user, allowing attackers to insert a SELECT ... INTO OUTFILE statement, which writes a malicious payload to a file in the operating system. The payload could then be executed via Python, escalating the attack.

    Fortinet responded promptly to the discovery, issuing patches that replace the vulnerable query structure with prepared statements, mitigating the risk of SQL injection. This fix is a crucial improvement, as it directly addresses the core issue of inadequate input sanitization, which is the root cause of the flaw.

    The vulnerability was discovered by Kentaro Kawane from GMO Cybersecurity, who had previously reported a set of critical flaws in Cisco’s Identity Services Engine (ISE). His findings have been acknowledged in Fortinet’s advisory, further underlining the importance of vigilance in identifying such risks in widely used cybersecurity tools.

    As Fortinet has rolled out patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11, users are strongly advised to upgrade to these versions immediately to close the vulnerability. For those unable to apply the patches promptly, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary measure to mitigate the risk of exploitation.

    This vulnerability is particularly concerning given the history of exploitation of Fortinet products by threat actors in the past. The critical nature of this flaw, combined with its potential for remote code execution, makes it imperative that users act swiftly to update their systems and protect against potential attacks.

    Fortinet’s patch for CVE-2025-25257 addresses a severe vulnerability in its FortiWeb platform, one that could lead to unauthorized SQL command execution and potentially remote code execution. With a CVSS score of 9.6, this flaw poses a significant security risk to affected organizations, particularly those relying on FortiWeb for web application security. It is crucial that users upgrade to the latest versions or apply temporary mitigation measures to prevent exploitation.

    Critical eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Security Risks

    A newly discovered vulnerability in eSIM technology has raised serious concerns about the security of billions of Internet of Things (IoT) devices, particularly those relying on Kigen’s eUICC (embedded Universal Integrated Circuit Cards) technology. The flaw, identified by Security Explorations, exposes devices to potential hacking attacks that could lead to unauthorized access, data theft, and malicious control over communications.

    The eSIM, or embedded SIM, is a digital SIM card embedded directly into devices, enabling users to activate cellular plans remotely without the need for a physical SIM card. The eUICC chip facilitates this process by allowing users to change operator profiles and remotely manage SIM data. However, a critical vulnerability has been found in the Kigen eUICC card’s implementation of the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier.

    This vulnerability allows attackers to install non-verified, malicious applets on the eUICC, which could be used to tamper with operator profiles and extract sensitive information. The flaw is linked to an outdated version of the GSMA TS.48 standard, which is primarily used for radio compliance testing in eSIM products. Although GSMA released an updated version (v7.0) to mitigate this issue, previous versions remain widely used, exposing devices to security risks.

    Exploitation of this vulnerability requires physical access to the targeted eUICC and the use of publicly known keys. Once the attacker gains access, they can install a malicious JavaCard applet that can bypass security measures. The vulnerability enables the attacker to extract the Kigen eUICC’s identity certificate, which could allow them to download arbitrary mobile network operator (MNO) profiles in cleartext. This could result in unauthorized access to operator secrets, profile tampering, and even complete control over the eSIM profiles without raising red flags.

    Security Explorations, which reported the findings, further connected the vulnerability to previous research on Oracle’s Java Card technology. Earlier flaws, including a persistent backdoor issue in Gemalto SIM cards, also relied on Java Card technology, potentially creating a broader risk across various IoT devices.

    Though executing such an attack may seem complex, it is within the capabilities of advanced nation-state threat actors. Exploiting this vulnerability could allow attackers to deploy a stealthy backdoor within an eSIM card, intercepting all communications and compromising the device’s integrity. With control over the eSIM profile, attackers could even block remote access for the operator, falsify the profile’s state, or monitor all activity without detection.

    In some cases, the vulnerability could lead to a situation where the operator loses control of the profile, with no ability to disable or invalidate it. Such breaches would undermine the security and reliability of mobile network operators, making them more susceptible to ongoing attacks or data theft.

    In response to the findings, Kigen has released a patch addressing the issue in the latest GSMA TS.48 version 7.0, which restricts the use of the vulnerable test profile. However, devices running earlier versions of the standard remain exposed. The security of billions of IoT devices, including vehicles and consumer electronics, is now under scrutiny as manufacturers work to implement the necessary updates.

    While Kigen has made strides in addressing the vulnerability, the discovery raises broader concerns about the security of eSIM technology across the IoT ecosystem. Given the rapid proliferation of IoT devices and the growing reliance on eSIM technology for remote provisioning, it’s clear that comprehensive security measures need to be implemented to safeguard against similar vulnerabilities in the future.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • How PerfektBlue Bluetooth Exploits Could Compromise Vehicle Systems and User Data

    How PerfektBlue Bluetooth Exploits Could Compromise Vehicle Systems and User Data

    A set of four critical vulnerabilities discovered in OpenSynergy’s BlueSDK Bluetooth stack, dubbed “PerfektBlue,” has exposed millions of vehicles from multiple manufacturers to the risk of remote code execution (RCE). These vulnerabilities, identified by cybersecurity researchers at PCA Cyber Security, could potentially allow attackers to exploit infotainment systems in vehicles from major automakers like Mercedes-Benz, Volkswagen, and Skoda, along with a fourth unnamed original equipment manufacturer (OEM). The vulnerabilities, which can be chained together, allow attackers to take control of vehicles by leveraging Bluetooth connections.

    The Vulnerabilities

    The PerfektBlue vulnerabilities target the Bluetooth stack’s memory management and communication protocols, allowing attackers to exploit flaws in the system to gain unauthorized access. The vulnerabilities identified include:

    • CVE-2024-45434 (CVSS score: 8.0): A Use-After-Free issue in the AVRCP service
    • CVE-2024-45431 (CVSS score: 3.5): Improper validation of an L2CAP channel’s remote CID
    • CVE-2024-45433 (CVSS score: 5.7): Incorrect function termination in RFCOMM
    • CVE-2024-45432 (CVSS score: 5.7): Function call with incorrect parameters in RFCOMM

    Once an attacker successfully exploits these vulnerabilities, they can gain remote access to the In-Vehicle Infotainment (IVI) system, enabling them to track GPS coordinates, record audio, access contact lists, and potentially even execute lateral movements within the vehicle’s internal network. If additional vulnerabilities are present, the attacker could escalate their access to critical vehicle systems, including control over the engine and other essential functions.

    How the Exploits Work

    The attack requires that the attacker be within Bluetooth range of the vehicle and that the vehicle’s infotainment system is either actively pairing with a Bluetooth device or in pairing mode. The attacker can exploit the vulnerabilities to access the system and issue commands, taking control of audio functions or accessing private information. While no vehicle safety systems—such as steering, brakes, or driver assistance systems—are directly affected, the infotainment system’s vulnerability can serve as an entry point for further exploitation of the vehicle’s internal network, depending on its design and the system’s isolation protocols.

    Potential Impacts

    While the risks primarily concern non-critical functions like the IVI system, the exploitation of PerfektBlue could offer attackers a foothold into a vehicle’s broader network. In certain cases, where weak segmentation or inadequate gateway-level enforcement is present, this could lead to lateral movement into other vehicle control systems, potentially compromising safety-critical systems. Attackers could then manipulate or exfiltrate data, severely disrupting vehicle operation or extracting sensitive information.

    The Risk of Exploitation

    The exploitation of the PerfektBlue vulnerabilities requires that a series of conditions are met simultaneously: the attacker must be within a range of 5 to 7 meters, the vehicle’s ignition must be on, and the user must be actively pairing their device with the infotainment system. Even with these conditions in place, exploitation is still dependent on the attacker gaining the user’s consent during the pairing process. Despite these requirements, the risks associated with Bluetooth exploitation are clear, as it enables attackers to bypass traditional security measures and gain unauthorized access to vehicle systems.

    Manufacturer Responses

    In response to these vulnerabilities, manufacturers like Volkswagen have acknowledged the risks and emphasized that vehicle systems outside of the infotainment domain are secure from remote access. The company also stressed that the exploitation of these vulnerabilities has yet to be seen in the wild. Volkswagen has committed to addressing the security gap with software updates and urges vehicle owners to ensure their systems are up-to-date. In some cases, the company recommends that users visit a dealership to have the necessary updates installed.

    Mitigation and Protection

    While automakers are rolling out patches to mitigate these vulnerabilities, vehicle users should remain vigilant. As part of their precautionary measures, users are encouraged to check their pairing data during the connection process, ensuring that the displayed numbers match those on their device. Additionally, vehicle users should apply any available software updates promptly to protect their systems from exploitation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Understanding SEO Poisoning and How to Defend Against It

    Understanding SEO Poisoning and How to Defend Against It

    Search engine optimization (SEO) poisoning has emerged as a significant cyber threat, enabling malicious actors to exploit search engine algorithms to spread malware and gain unauthorized access to targeted systems. By manipulating search results and exploiting the trust users place in high-ranking pages, attackers can direct unsuspecting individuals to malicious websites. Once on these sites, users may inadvertently download malware that can compromise their devices and network, potentially leading to broader cyberattacks such as data exfiltration and ransomware deployment. This article takes a deep dive into the SEO poisoning technique, its growing prevalence, and provides essential defense strategies to mitigate its risks.

    The Mechanics of SEO Poisoning

    SEO poisoning works by manipulating search engine algorithms to artificially boost the ranking of malicious websites. These manipulated sites often look legitimate, appearing among the top results for popular search queries. Once a user clicks on the poisoned link, they are directed to a malicious webpage that may prompt them to download harmful files or execute malicious scripts. The effectiveness of SEO poisoning relies on the implicit trust users have in search engines, making them more likely to engage with a top-ranking link.

    To achieve this manipulation, cybercriminals often employ techniques like link farms and keyword stuffing to boost the perceived legitimacy of malicious sites. Link farms are networks of websites that exist solely to generate links to other websites, artificially inflating their authority in search engine rankings. By creating numerous backlinks from seemingly unrelated but high-traffic sites, attackers can make their malicious sites appear legitimate to search engines, thus improving their search result ranking.

    Keyword stuffing is another common tactic used to optimize the ranking of malicious sites. In this process, attackers overload a site’s content with an excessive amount of keywords related to trending topics or common search queries. This practice can be further amplified by utilizing auto-generated content that includes snippets from legitimate sources. By aligning these keywords with popular search terms, attackers increase the likelihood that their malicious site will be listed at the top of search results, luring users into clicking on it.

    The Attack Chain

    SEO poisoning is not a one-time occurrence but a series of actions designed to gradually deceive and lure users. The attack chain typically unfolds as follows:

    1. Research: Threat actors begin by analyzing search trends, identifying keywords and topics that are currently popular. This ensures that the malicious content they create aligns with high-interest subjects that are likely to attract significant traffic.
    2. Setup: The attackers then create or hijack a legitimate website, which they modify to include malicious content disguised as helpful or relevant. These pages are carefully crafted to appear authoritative and trustworthy.
    3. Optimization: With the malicious content in place, the attackers begin to optimize the site using SEO tactics like link farming and keyword stuffing. This boosts the site’s search ranking, making it appear more credible to search engines and users.
    4. Distribution: Once the site is sufficiently ranked, it begins to appear in search results for targeted keywords. Users, trusting the search engine’s judgment, are more likely to click on the link, believing it to be a legitimate and useful resource.
    5. Monetization: The ultimate goal of SEO poisoning is to profit from compromised systems. Once a user downloads the malicious content, the attacker gains access to their device, often selling that access to other cybercriminals, including those involved in ransomware or data theft operations.

    Why SEO Poisoning Is So Effective

    SEO poisoning is particularly effective because it leverages the inherent trust users place in search engine results. The implicit trust in high-ranking pages makes users less likely to question the legitimacy of the site. Since users actively search for specific information, they are already in a mindset of engaging with content that appears relevant to their needs, making them even more susceptible to malicious sites disguised as legitimate sources.

    Several psychological factors also contribute to the success of SEO poisoning attacks:

    • Implicit Trust in Search Engines: Users inherently trust the ranking system of search engines, assuming that higher-ranked sites are more reliable. This trust increases the likelihood that users will engage with malicious sites that are artificially ranked at the top.
    • Perceived Legitimacy Through Association: When a malicious site appears among legitimate, high-ranking search results, it gains an unwarranted sense of credibility. Users are more likely to click on it, unaware that they are interacting with a site designed to deceive them.
    • Navigational Trust: The voluntary nature of clicking on a search result gives users a sense of control and security, making them less cautious about potential risks. This sense of autonomy can lead users to overlook red flags and engage with malicious content.

    Real-World Example

    One of the clearest examples of SEO poisoning in action comes from a search for “army award ceremony protocol pdf.” A seemingly legitimate PDF download page appears in the top search results. However, upon visiting the page, the user unknowingly downloads a piece of malware called Solarmarker. This malware silently compromises the user’s system, leading to further malicious actions.

    Such incidents showcase how SEO poisoning can be deceptively effective, particularly when the malicious link appears alongside legitimate websites, further reinforcing the user’s belief in its authenticity.

    Case Study: Gootloader Malware and SEO Poisoning

    In a May 2023 case, ReliaQuest’s Threat Hunting Team discovered that an SEO poisoning attack served as the entry point for Gootloader malware. In this case, a user searched for information on the difference between “legal ruled and wide ruled paper” and was directed to a seemingly harmless forum page. This page contained a download link for a PDF file. Upon clicking the link, the user unknowingly downloaded a ZIP file containing a JavaScript-based malware payload. The malware then initiated a command-and-control (C2) connection, establishing a backdoor into the system. This backdoor, known as SystemBC, enabled attackers to remotely access the compromised device, eventually leading to data exfiltration and lateral movement across the network.

    Detection and Mitigation Strategies

    Detecting SEO poisoning requires analyzing search-engine queries and file download events. By correlating these two data sources, organizations can identify potential indicators of SEO poisoning, particularly when downloaded files mirror the terms used in the user’s search query. The use of forward proxy logging and endpoint telemetry is essential for detecting suspicious activity linked to SEO poisoning.

    To prevent SEO poisoning, organizations should take proactive measures, such as:

    • Enable File Extension Display: Users should be instructed to display file extensions in their operating system. This simple change helps prevent malware from masquerading as benign file types like PDFs.
    • Change Default Script Executor to Notepad: Setting Notepad as the default application for executing JavaScript and Visual Basic script files reduces the likelihood of accidental execution of malicious scripts.
    • Train Employees on Cyber Hygiene: Employees should be trained to recognize signs of SEO poisoning and be vigilant when interacting with search results, especially those that seem too good to be true.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • The Echo Chamber Attack: A New LLM Security Threat

    The Echo Chamber Attack: A New LLM Security Threat

    The rapid advancement of large language models (LLMs) such as GPT-4 and Gemini-2 has significantly increased the capabilities of artificial intelligence systems. However, this progress has also exposed new vulnerabilities that malicious actors can exploit. One such threat, uncovered by NeuralTrust’s AI researcher Ahmad Alobaid, is the Echo Chamber attack—a sophisticated technique that bypasses LLM guardrails by exploiting the models’ reasoning capabilities through indirect manipulation. This article delves into the details of the Echo Chamber attack, how it works, its impact, and recommendations for mitigation.

    Attack Overview

    The Echo Chamber attack represents a novel form of jailbreak targeting LLMs. Unlike traditional attacks that rely on adversarial phrasing or obfuscation, the Echo Chamber attack subtly manipulates the model’s internal state through context poisoning. By introducing benign-seeming prompts that guide the model to dangerous conclusions, the attacker induces harmful outputs without ever explicitly requesting them. This clever use of indirect references and multi-turn reasoning bypasses traditional prompt filters and safety mechanisms, making it a potent weapon for adversaries.

    The core of the attack lies in its ability to manipulate the model’s memory and reasoning across multiple interactions. Over time, the subtle cues introduced by the attacker build upon each other, slowly steering the model towards generating harmful or non-compliant content. This creates a feedback loop, amplifying the attacker’s goal and bypassing the LLM’s safety controls.

    Example of the Echo Chamber Attack

    In a controlled experiment, the Echo Chamber attack successfully bypassed safety filters of a leading LLM. When explicitly asked to write a manual for creating a Molotov cocktail, the model initially refused. However, through the Echo Chamber attack, the LLM eventually provided a step-by-step guide, detailing the ingredients and construction process for the weapon. This was achieved by manipulating the model’s internal state over several turns, showing the power of context poisoning.

    How the Echo Chamber Attack Works

    The Echo Chamber attack is a multi-stage adversarial prompting technique. Initially, the attacker defines a harmful objective, such as generating hate speech, misinformation, or prohibited instructions, without directly mentioning it. Instead, the attacker plants benign-seeming prompts that subtly hint at the goal, such as asking the model to “refer back to the second sentence in the previous paragraph.” This seemingly innocuous request triggers the model to recall earlier content, often guiding it to harmful topics.

    In the next stage, the attacker introduces light semantic nudges that shift the model’s internal state. These prompts don’t directly point to harmful content but lay the groundwork for more damaging suggestions later. For example, a casual conversation about economic hardship can lead to frustrations, which are then exploited in subsequent interactions to escalate the conversation towards unsafe topics.

    Once the model begins to generate harmful content, the attacker can reference earlier prompts to reinforce the dangerous ideas. The key to the attack’s effectiveness is its subtlety—each prompt is designed to appear natural within the conversation, making it difficult for traditional safety mechanisms to detect.

    Effectiveness of the Attack

    NeuralTrust’s evaluation of the Echo Chamber attack demonstrated its effectiveness across multiple leading LLMs, including GPT-4.1-nano, GPT-4o-mini, GPT-4o, Gemini-2.0-flash-lite, and Gemini-2.5-flash. The attack achieved a success rate of over 90% in categories like Sexism, Violence, Hate Speech, and Pornography, while also performing strongly in areas such as Misinformation and Self-Harm. Even in stricter categories like Profanity and Illegal Activity, the attack’s success rate exceeded 40%, highlighting its wide applicability across various content domains.

    The attack typically achieved success within 1–3 turns, with the models showing increasing compliance as context poisoning took effect. Storytelling or hypothetical discussions were particularly effective, allowing the attacker to subtly steer the conversation towards the harmful objective.

    Why the Echo Chamber Attack Matters

    The Echo Chamber attack reveals a critical blind spot in LLM safety systems: their vulnerability to indirect manipulation via context and inference. Traditional defenses that focus on filtering explicit harmful content are insufficient when models can infer and build upon harmful objectives over multiple turns. This attack highlights a deeper flaw in current LLM alignment efforts, demonstrating that safety mechanisms must evolve to account for the subtle ways in which malicious actors can manipulate models.

    In practical applications such as customer support bots, productivity assistants, and content moderators, this type of attack could be used to extract harmful outputs without triggering alarms, leading to potential misuse in real-world scenarios.

    Mitigation Recommendations

    To defend against Echo Chamber-style jailbreaks, developers and vendors should consider implementing context-aware safety auditing. This approach involves dynamically scanning the conversation history to identify patterns of emerging risk. Toxicity accumulation scoring can also help detect when benign prompts begin to form harmful narratives. Additionally, training safety layers to recognize indirect manipulation and fine-tuning models to detect and block such attempts can significantly improve defense mechanisms.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Microsoft July 2025 Patch Tuesday Fixes 137 Bugs, Including SQL Server Zero-Day

    Microsoft July 2025 Patch Tuesday Fixes 137 Bugs, Including SQL Server Zero-Day

    Microsoft’s July 2025 Patch Tuesday includes updates for 137 vulnerabilities, among them one publicly disclosed zero-day. Fourteen flaws are classified as critical, with the majority involving remote code execution, while others relate to information disclosure and hardware-level side channel attacks affecting AMD processors.

    Breakdown of Vulnerabilities

    This month’s update includes:

    • 53 Elevation of Privilege vulnerabilities
    • 41 Remote Code Execution vulnerabilities
    • 18 Information Disclosure vulnerabilities
    • 8 Security Feature Bypass vulnerabilities
    • 6 Denial of Service vulnerabilities
    • 4 Spoofing vulnerabilities

    These totals do not include four Mariner or three Microsoft Edge vulnerabilities addressed earlier in the month. Non-security updates include patches for Windows 11 and Windows 10, though individual KB numbers were not listed in Microsoft’s summary release.

    Zero-Day Vulnerabilities

    One publicly disclosed zero-day is addressed in this month’s update.

    CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability

    Affects: Microsoft SQL Server
    This flaw allows a remote, unauthenticated attacker to access data from uninitialized memory due to improper input validation. It can be exploited over a network without prior authentication. Administrators are advised to install the latest version of Microsoft SQL Server and update the Microsoft OLE DB Driver (version 18 or 19).

    Microsoft has not shared details on how the disclosure occurred, but no active exploitation has been reported.

    Other Critical Vulnerabilities

    Microsoft addressed several critical remote code execution vulnerabilities this month, including:

    • CVE-2025-49704, a remote code execution vulnerability in Microsoft SharePoint, which can be exploited remotely by authenticated users over the internet.
    • Multiple Microsoft Office RCEs that can be triggered by opening a crafted document or viewing it in the preview pane.

    Security updates for Microsoft Office LTSC for Mac 2021 and 2024 were not available at the time of release but are expected soon.

    AMD and Other Vendor Updates

    Security updates from other major vendors include:

    • AMD: Disclosed new transient execution side channel vulnerabilities based on Microsoft’s research into microarchitectural leakage boundaries.
    • Cisco: Released patches for various issues, including one involving hardcoded SSH root credentials in Unified Communications Manager (Unified CM).
    • Fortinet: Issued updates for FortiOS, FortiManager, FortiSandbox, FortiIsolator, and FortiProxy.
    • Google: Released a fix for an actively exploited Chrome zero-day (CVE-2025-6554). No Android patches were issued in the July 2025 bulletin.
    • Grafana: Addressed four Chromium-related vulnerabilities affecting the Image Renderer plugin and Synthetic Monitoring Agent.
    • Ivanti: Delivered updates for Ivanti Connect Secure, Policy Secure, EPMM, and EPM. None of the issues were reported as exploited.
    • SAP: Released fixes for several products and reclassified CVE-2025-30012 in SAP Supplier Relationship Management as a critical flaw, now rated 10.0.

    Recommendations for Users and Administrators

    Organizations should prioritize patching Microsoft SQL Server, Office, and SharePoint deployments, especially those accessible from external networks. While the SQL Server flaw is not known to be exploited, its public disclosure increases the risk of future exploitation. Systems with outdated OLE DB drivers should be updated alongside SQL Server patches.

    Security teams should also review AMD’s disclosure on transient scheduler attacks, as well as vendor patches from Cisco, Google, and SAP addressing high-severity and actively exploited vulnerabilities.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: Monday Security Brief (7/7/2024)

    Netizen: Monday Security Brief (7/7/2024)

    Today’s Topics:

    • Taiwan NSB Warns of Security Risks from China-Developed Apps
    • Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act
    • How can Netizen help?

    Taiwan NSB Warns of Security Risks from China-Developed Apps

    Taiwan’s National Security Bureau (NSB) has issued a public warning about the security risks posed by China-developed apps such as RedNote (Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud, citing concerns over excessive data collection and the transfer of personal data to China.

    This alert follows a comprehensive inspection of these apps, conducted in collaboration with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB). The NSB identified significant security issues across the apps, including the collection of sensitive personal data such as facial recognition, clipboard content, contact lists, location data, and more. Additionally, all the apps were found to transmit data back to servers in China, raising concerns about the potential misuse of this information.

    According to the NSB’s analysis, RedNote violated all 15 security indicators evaluated, followed by Weibo and TikTok with breaches in 13 categories, and WeChat and Baidu Cloud with violations in 10 and 9 areas, respectively. The warning highlights that companies operating in China are required by law to hand over user data for national security and intelligence purposes, further amplifying the privacy risks for Taiwanese users.

    This move follows similar actions in other countries like India, which banned Chinese apps over security concerns, and Canada, which recently ordered TikTok to cease operations. The U.S. has also extended its ban on TikTok, leaving its future uncertain. As global concerns over data privacy grow, the NSB urges the public to exercise caution when using China-made apps, stressing the importance of protecting personal and business data.

    Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act

    The European Union has introduced two significant regulations aimed at strengthening cybersecurity: the NIS2 Directive and the Cyber Resilience Act (CRA). Both are designed to address vulnerabilities in essential services and digital products within the EU, with an emphasis on secure-by-design principles and comprehensive cybersecurity practices.

    The NIS2 Directive, effective from January 2023, mandates that essential service providers in sectors like energy, transport, healthcare, and finance implement strong risk management practices, report incidents promptly, and collaborate across EU member states. This regulation is crucial for maintaining the security and reliability of critical infrastructure, especially as cyber threats continue to evolve. NIS2 requires that organizations designated as “essential” or “important” within the EU ensure robust cybersecurity controls are in place. Member states have until October 2024 to integrate this directive into their national laws, with full compliance required within 21 months.

    On the other hand, the Cyber Resilience Act (CRA) focuses on the security of digital products. Effective from December 2024, the CRA mandates that manufacturers incorporate cybersecurity features into their products before they can be marketed within the EU. This “secure-by-design” approach ensures that digital products, whether hardware or software, undergo rigorous security assessments, are regularly updated throughout their lifecycle, and meet established EU cybersecurity standards. The CRA applies to all products with digital components, aiming to reduce vulnerabilities and safeguard users from potential cyber threats.

    While NIS2 focuses on securing essential services, the CRA addresses the security of products entering the EU market. These two regulations complement each other and aim to establish a consistent and strong cybersecurity framework across the EU. However, organizations must navigate the distinct requirements of each regulation to ensure full compliance.

    For many companies, aligning with both NIS2 and CRA requirements may appear daunting, but the regulations share common principles with existing frameworks like NIST CSF and ISO 27001. Companies with mature security practices will likely find that enhancing their existing frameworks will enable them to meet EU-specific requirements more efficiently. For smaller enterprises, particularly those in the product development space, the transition may involve substantial investments in technology, training, and new processes to meet these security standards.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Justice Department Cracks Down on North Korean Cyber Espionage Targeting U.S. Companies

    Justice Department Cracks Down on North Korean Cyber Espionage Targeting U.S. Companies

    The U.S. Justice Department has recently taken significant action against North Korean schemes involving IT workers infiltrating U.S. companies. These operations, which have persisted for several years, are part of a coordinated effort to exploit remote work opportunities for the North Korean regime’s benefit.

    The Indictments Exposed

    The recent indictments included charges against Chinese, Taiwanese, and even a U.S. citizen, Zhenxing “Danny” Wang of New Jersey. Wang, who was arrested, allegedly helped facilitate remote IT work at over 100 U.S. companies, including many Fortune 500 firms. From 2021 to 2024, the conspirators used compromised U.S. identities and shell companies to create the illusion of legitimate employment for North Korean IT workers. They exploited these fake identities to access U.S. laptops, enabling the remote workers to carry out IT tasks and avoid detection. The facilitators received almost $700,000 for their efforts, while the damage to the companies and the U.S. government was far greater, including over $3 million in legal fees and network remediation costs.

    One particularly alarming aspect of the scheme was a North Korean IT worker gaining access to sensitive employer data, including source code related to AI technology used by a U.S. defense contractor. This raises serious concerns about national security risks and the potential for espionage via these cyberattacks.

    In addition to these actions, the Justice Department indicted four North Korean nationals accused of stealing $900,000 in virtual currency through a scheme targeting blockchain research companies. They operated from the UAE, coordinating with firms in Atlanta and Serbia, before laundering the stolen funds.

    Searches, Seizures, and Financial Actions Taken

    In a show of force against these coordinated operations, U.S. authorities conducted searches of 29 known or suspected “laptop farms” across 16 states. These facilities were believed to be used as hiding spots for remote North Korean IT workers, evading identification and tracing efforts. The Justice Department also seized 29 financial accounts linked to laundering the illicit funds from the first scheme, as well as 21 fraudulent websites involved in the operation.

    Leah Foley, U.S. Attorney for the District of Massachusetts, warned, “The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies.” Foley’s comments underline the critical need for continued vigilance in cybersecurity.

    Microsoft Takes Action: Suspended Accounts and Ongoing Monitoring

    In response to the growing threat, Microsoft disclosed that it had suspended 3,000 consumer-grade Outlook and Hotmail accounts linked to suspected North Korean IT worker schemes. The company also alerted affected customers via Microsoft Entra ID Protection and Microsoft Defender XDR. Microsoft tracks this activity under the names Jasper Sleet (formerly known as Storm-0287), Storm-1877, and Moonstone Sleet, as the threat actors continue to target organizations worldwide.

    Microsoft’s observations reveal a troubling trend where facilitators—often outside of North Korea—play a crucial role in validating fraudulent identities. These individuals manage logistics such as forwarding company hardware and creating profiles on freelance job websites to maintain the ruse of legitimate employment. As part of this process, workers are trained to use VPNs, proxy services, and remote management tools (RMM) to connect to devices housed in laptop farms located in countries where they can avoid detection.

    AI and Technology in North Korean Fraud

    As technology evolves, so do the tactics of cybercriminals. North Korean hackers are increasingly leveraging artificial intelligence (AI) to improve the efficacy of their fraudulent schemes. AI tools are used to refine fake resumes, manipulate worker images, and even generate convincing voice recordings. This innovation in social engineering tactics makes it even harder for companies to detect fraudulent activity and verify the authenticity of remote workers.

    Microsoft explained that these state-backed fraudsters utilize AI to enhance their capabilities, making their attacks more sophisticated and convincing. From generating realistic resumes to altering digital identities, AI has become a crucial part of North Korea’s strategy to infiltrate the global workforce and target critical U.S. businesses.

    Protecting Against North Korean IT Worker Schemes

    The increasing sophistication of North Korean cyberattacks demands comprehensive security measures for businesses. Microsoft has compiled a list of investigation, monitoring, and remediation recommendations to help organizations protect themselves from these types of social engineering and IT worker infiltration.

    For businesses operating in sectors where IT outsourcing or remote work is common, it is crucial to verify the identities of remote workers carefully. Enhanced monitoring of logins and network activity, along with strict authentication protocols, can prevent unauthorized access. Additionally, companies must ensure their cybersecurity teams are aware of the latest tactics and tools used by these threat actors, including VPNs, RMM tools, and AI-driven identity manipulation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • How FileFix Exploits Browser File Uploads to Execute Malicious Commands

    How FileFix Exploits Browser File Uploads to Execute Malicious Commands

    In recent months, a surge in social engineering techniques has raised alarms across cybersecurity communities. Among these methods, ClickFix has gained attention as a relatively simple but highly effective way to exploit unsuspecting users. If you’re not familiar with ClickFix, it’s a social engineering attack that prompts users to unknowingly execute malicious commands, typically using the Windows Run Dialog (Windows Key + R). While this technique has been surprisingly successful, it heavily relies on the Run Dialog, which some might argue is too basic or impractical. But the effectiveness of ClickFix cannot be denied.

    However, as cybersecurity experts continue to adapt to new threats, one researcher decided to explore an alternative method to achieve similar results without relying on the traditional Run Dialog. Enter FileFix, a clever variation of ClickFix that bypasses some of the browser’s restrictions and manipulates users into executing OS commands—without ever leaving their browser window.

    What is FileFix?

    The idea behind the FileFix attack is simple yet innovative. It takes advantage of a common functionality in most browsers—the file upload feature. Users are familiar with file uploads: clicking an “Upload” button, browsing to a file, and then selecting it for upload. This functionality is found everywhere, from job application portals to online email clients, making it a well-understood feature. But what many don’t realize is that the File Explorer Address Bar (the place where users usually type or paste file paths) can also be used to execute OS commands. This particular feature is typically ignored by browsers, which makes it an effective target for social engineering.

    In this method, an attacker can convince a user to open File Explorer through a file upload button and paste a maliciously crafted command into the address bar. The command will then execute without the user’s knowledge, potentially giving the attacker access to the system. The attacker can hide their malicious code behind what appears to be a harmless file path, such as C:\company\internal-secure\filedrive\HRPolicy.docx, while in reality, the path is appended with a PowerShell command, like:

    Powershell.exe -c ping example.com # C:\\company\\internal-secure\\filedrive\\HRPolicy.docx

    The attack takes advantage of a feature that many users aren’t aware of and could be incredibly difficult to detect using conventional security tools.

    How Does FileFix Work?

    The attack begins by creating a phishing page that prompts the user to interact with a file path. The phishing page will include an “Open File Explorer” button that, when clicked, triggers the File Explorer window to open. It also copies the malicious PowerShell command to the clipboard. When the user pastes the file path into File Explorer’s address bar, the command executes, and the attacker gains access.

    Here’s the step-by-step breakdown:

    1. User interaction: The attacker’s phishing page asks the user to open File Explorer and enter a file path.
    2. Command hidden in plain sight: The file path is designed to look legitimate (e.g., C:\company\internal-secure\filedrive\HRPolicy.docx), but it secretly contains a PowerShell command after the file path (such as a command to ping an external server).
    3. Execution through File Explorer: When the user pastes the path into the address bar and presses enter, the OS command executes, allowing the attacker to gain access to the system.

    Blocking File Selection

    An interesting part of the FileFix attack is the user’s ability to accidentally or intentionally select a file for upload, which could complicate matters for the attacker. However, in this case, the attacker has anticipated this by adding a script that blocks the file upload event. If the user selects a file, the attacker’s code will alert the user, clear the file input, and force the File Explorer window to reopen, thus ensuring the user doesn’t deviate from the intended steps.

    Here’s the code snippet that blocks the file selection:

    javascriptCopyfileInput.addEventListener('change', () => {
  alert("Please follow the stated instructions.");
  fileInput.value = "";
  setTimeout(() => fileInput.click(), 500);
});

    A Potential Security Concern

    One critical aspect of the FileFix attack is that File Explorer can be used to execute commands without triggering security alerts in some cases. While this isn’t an entirely new concept, it’s certainly a new and creative way to leverage a well-known feature in a way that hasn’t been exploited as extensively before.

    For instance, an attacker might attempt to download an executable file (such as payload.exe), copy its location to the clipboard, and then prompt the user to execute the command from the File Explorer address bar. This removes the “Mark of the Web” (MOTW) attribute that would usually appear for files downloaded from untrusted sources, making it more difficult for security tools to detect the file as malicious.

    The Risks of FileFix

    FileFix, much like ClickFix, is an attack that relies on social engineering. The attacker has to convince the user to follow seemingly innocent steps, such as opening File Explorer and pasting a file path. However, the attack could be much more effective if combined with other methods, such as phishing or malware delivery.

    While this technique might seem fairly basic at first glance, its simplicity makes it a potent weapon in the arsenal of cybercriminals. And because it takes advantage of browser functionality that is generally trusted, it could bypass some of the security controls we commonly expect to be in place.

    Mitigating the FileFix Attack

    While there’s no foolproof way to prevent all social engineering attacks, there are some steps that can help minimize the risk of falling victim to FileFix:

    1. Educate Users: Make sure employees or users understand the dangers of clicking on suspicious links or interacting with unknown websites. Cybersecurity training should include awareness of phishing tactics and how to recognize suspicious behavior.
    2. Endpoint Security: Always ensure that endpoint protection tools are in place to detect and block malicious activities. These tools should be capable of recognizing suspicious PowerShell scripts or other abnormal processes running on a machine.
    3. Monitor Suspicious Activities: Regularly monitor systems for unusual activity, especially with respect to File Explorer, browser behavior, and any attempts to execute commands outside of normal user activity.
    4. Limit File Explorer Usage: Limit user access to File Explorer or restrict the use of browser-based file upload functionality to prevent unintended execution of commands.
    5. Browser Configuration: Configure browsers to block or restrict the use of the File Explorer address bar for executing OS commands, and disable features that could be used for similar attacks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (6/30/2024)

    Netizen: Monday Security Brief (6/30/2024)

    Today’s Topics:

    • Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack
    • APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine
    • How can Netizen help?

    Citrix Bleed 2: Over 1,200 Servers Vulnerable to Authentication Bypass Attack

    On June 30, 2025, cybersecurity experts reported that more than 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online remain unpatched against a critical vulnerability, CVE-2025-5777, which is believed to be actively exploited. This flaw, referred to as “Citrix Bleed 2,” allows threat actors to bypass authentication mechanisms and hijack user sessions by exploiting an out-of-bounds memory read vulnerability caused by insufficient input validation. Successful exploitation of this vulnerability could lead to attackers stealing session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, granting them access to restricted memory regions and enabling them to bypass multi-factor authentication (MFA).

    Citrix previously experienced a similar issue, “CitrixBleed,” which was exploited in ransomware attacks in 2023, targeting government organizations and moving laterally across compromised networks. The newly discovered vulnerability, CVE-2025-5777, is of critical severity, and Citrix issued an advisory on June 17, 2025, urging customers to upgrade their appliances and terminate all active ICA and PCoIP sessions to block potential attacks.

    Although Citrix has not yet confirmed public exploitation of CVE-2025-5777, security researchers from ReliaQuest assessed with medium confidence that the vulnerability is actively being exploited in targeted attacks. These attacks have shown indicators of post-exploitation activity, including hijacked Citrix web sessions, MFA bypass attempts, and suspicious LDAP queries linked to Active Directory reconnaissance. Additionally, security analysts from the Shadowserver Foundation discovered that over 2,100 Citrix NetScaler appliances were also unpatched against another critical vulnerability, CVE-2025-6543, which is currently being exploited in denial-of-service (DoS) attacks.

    Both CVE-2025-5777 and CVE-2025-6543 are classified as critical severity vulnerabilities, prompting cybersecurity experts to advise administrators to immediately deploy the latest patches from Citrix to mitigate potential risks. Companies are also encouraged to review access controls and monitor their Citrix NetScaler appliances for unusual user sessions and activities to prevent further exploitation.

    APT28’s New Malware Campaign: Signal Chat Delivers BEARDSHELL and COVENANT to Ukraine

    The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about a new cyber attack campaign carried out by the Russian-linked APT28 (also known as UAC-0001) threat group. This campaign utilizes Signal chat messages to distribute two previously undetected malware families, BEARDSHELL and COVENANT, targeting Ukrainian entities.

    According to CERT-UA, BEARDSHELL is a C++-based malware that allows threat actors to download and execute PowerShell scripts. The malware also enables the upload of results back to a remote server via the Icedrive API. The malware first appeared in March-April 2024 during incident response efforts on a Windows machine. At the time, the exact infection method was unknown, but recent intelligence from ESET linked the malware to a breach of a “gov.ua” email account, likely indicating government-targeted attacks.

    Further investigation led to the discovery of the malware framework COVENANT, which operates as part of a multi-layered attack. In the campaign, APT28 is using Signal messages to send malicious macro-laden Microsoft Word documents. These documents, when opened, deploy two payloads: a malicious DLL (“ctec.dll”) and a PNG image (“windows.png”). The embedded macro also makes Windows Registry changes to ensure the DLL is loaded when Windows File Explorer is next launched. The primary function of the DLL is to execute shellcode embedded in the PNG, triggering the COVENANT framework to execute.

    COVENANT subsequently downloads two additional payloads that facilitate the execution of the BEARDSHELL backdoor on compromised systems. The BEARDSHELL backdoor provides persistent access to the infected systems, allowing threat actors to maintain long-term control.

    The malware is delivered via Signal chat, exploiting the Signal app’s ability to distribute files securely, making the attack harder to trace. For those defending against this threat, CERT-UA recommends monitoring network traffic associated with domains like “app.koofr[.]net” and “api.icedrive[.]net,” which are used for communication with the malware’s command-and-control servers.

    In parallel to this malware campaign, APT28 has been targeting outdated versions of the Roundcube webmail software used in Ukrainian organizations. Exploiting vulnerabilities like CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641, APT28 is delivering malicious JavaScript payloads through phishing emails. These emails disguise themselves as news articles but, once opened, exploit the vulnerabilities to execute arbitrary JavaScript, exfiltrate user data, and install further malware on the victim’s system.

    One of the scripts, “e.js,” creates a mailbox rule to redirect incoming emails to a third-party address, while exfiltrating session cookies and the victim’s address book. The second, “q.js,” exploits an SQL injection vulnerability in Roundcube to extract information from the Roundcube database. A third file, “c.js,” exploits another vulnerability to execute arbitrary commands on the mail server.

    These vulnerabilities were leveraged in phishing emails sent to over 40 Ukrainian organizations, highlighting the group’s persistence and evolving tactics. CERT-UA continues to monitor these activities and urges organizations to patch vulnerabilities, implement robust email security filters, and monitor network traffic for any signs of compromise.

    To defend against these threats, CERT-UA advises organizations to:

    • Ensure all systems are up to date with the latest patches.
    • Disable macros in Microsoft Word and other Office applications.
    • Monitor network traffic for unusual activity related to Icedrive and Koofr domains.
    • Regularly audit email systems for signs of compromise, particularly for suspicious redirection or exfiltration activity.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: June 2025 Vulnerability Review

    Netizen: June 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from June that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2024-54085

    CVE-2024-54085 describes a critical authentication bypass vulnerability affecting American Megatrends International’s (AMI) SPx firmware, specifically within the Baseboard Management Controller (BMC). This flaw allows a remote attacker to bypass authentication mechanisms when interfacing through the Redfish Host Interface, enabling unauthorized access without user interaction or credentials. The vulnerability affects systems using AMI’s MegaRAC SPx firmware—commonly integrated into servers for out-of-band management—which magnifies its potential impact across enterprise environments and data centers.

    The attack vector is particularly dangerous due to its placement at the firmware level. By abusing the Redfish API exposed by the BMC, an attacker can gain privileged access to critical server management functions. This includes the ability to issue power controls, flash firmware, or even wipe or reconfigure the host system remotely. Exploiting this interface requires no local access, no authentication, and no user interaction—only network reachability. As a result, the vulnerability poses a direct threat to the confidentiality, integrity, and availability of affected systems.

    Reports published in June 2025 indicate that this flaw is being actively exploited in the wild. Attackers have used it to deploy destructive malware capable of bricking servers or persisting stealthily within BMC firmware. According to CISA and Eclypsium, exploitation campaigns have targeted thousands of vulnerable devices globally, and widespread scanning for exposed Redfish interfaces has been observed.

    The vulnerability was officially assigned CVE-2024-54085 and carries maximum severity scores across CVSS v2 (10.0), v3.1 (9.8), and v4.0 (10.0), underscoring the total system compromise potential. Organizations with exposed or internet-facing BMC interfaces—especially those running outdated AMI SPx firmware—should prioritize patching and segmenting their management networks. Updates and mitigation guidance have been made available through vendors such as NetApp and advisories from national cybersecurity agencies. Given the nature of the vulnerability, immediate action is required to prevent exploitation and irreversible damage to critical infrastructure.

    CVE-2025-6543

    CVE-2025-6543, widely dubbed “Citrix Bleed 2,” is a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway appliances. The flaw emerges when these appliances are configured in Gateway mode—specifically as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server. When exploited, it leads to unintended control flow and Denial of Service (DoS), allowing an unauthenticated attacker to crash affected services or cause unpredictable behavior.

    This vulnerability was confirmed to be exploited as a zero-day prior to public disclosure. Its addition to CISA’s Known Exploited Vulnerabilities catalog and the subsequent emergency advisories from vendors and government agencies signal that threat actors moved quickly to abuse the flaw in the wild. Reports from June 2025 document the use of this bug in denial-of-service attacks targeting enterprise gateway infrastructure. The potential for remote exploitation without prior authentication makes it particularly attractive for both disruption campaigns and access footholds, depending on how it’s chained with other weaknesses.

    While the CVSS v2 score appears moderate at 5.0 due to limited immediate impact on confidentiality and integrity, the CVSS v3 score is 7.5 and the CVSS v4 score reaches 9.2—highlighting how newer scoring systems better reflect real-world risks associated with denial-of-service on critical edge infrastructure. The low CVSSv2 score fails to capture the severity of an attack that can render VPN and remote access services unusable during business hours, or which could serve as a stepping stone in more complex intrusion paths.

    Administrators running affected Citrix NetScaler versions are strongly urged to apply the emergency patches issued by Citrix and verify that public-facing services are not vulnerable. Beyond patching, affected organizations should review VPN and gateway logs for signs of repeated crashes or traffic anomalies beginning in mid-June 2025, which may indicate early-stage exploitation attempts or reconnaissance.

    CVE-2024-0769

    CVE-2024-0769 describes a critical path traversal vulnerability discovered in D-Link’s DIR-859 wireless router, version 1.06B01. The flaw lies in the HTTP POST request handler at the endpoint /hedwig.cgi, where the service parameter can be manipulated to perform directory traversal. By passing crafted input such as ../../../../htdocs/webinc/getcfg/DHCPS6.BRIDGE-1.xml, an unauthenticated remote attacker can access configuration files not intended to be publicly exposed, leading to unauthorized disclosure of sensitive system information.

    The issue stems from a failure to properly sanitize input within the POST request handler. This allows external actors to bypass expected restrictions and reach arbitrary files within the router’s internal file system. The attacker does not require any special privileges or user interaction to exploit this flaw, and the attack can be conducted entirely over the network. Proof-of-concept code was made public and has been observed in use, suggesting this is an active risk for any remaining DIR-859 units still online.

    This vulnerability is especially concerning due to the fact that the DIR-859 has reached end-of-life status. D-Link confirmed the device is no longer supported, meaning no firmware updates or patches will be released. As such, affected systems will remain perpetually vulnerable. Despite the CVSS v2 score being reported as only 5.0—likely due to its limited immediate impact on availability or integrity—the CVSS v3.1 score of 9.8 accurately reflects the true risk, as the flaw enables full remote file disclosure and potentially facilitates follow-on attacks.

    The issue was published in January 2024 but updated in June 2025 after further analysis and public exploit activity. Due to its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog and a high EPSS probability of exploitation, it is strongly recommended that users immediately decommission any exposed DIR-859 units. Replacement with actively supported hardware and isolation of outdated equipment from public networks should be prioritized to prevent compromise.

    CVE-2019-6693

    CVE-2019-6693 describes a cryptographic weakness present in certain versions of Fortinet’s FortiOS operating system, which is used across a variety of the company’s security appliances. The flaw results from the use of a hard-coded cryptographic key to encrypt sensitive information in configuration backup files. An attacker who obtains such a backup—either through access to a compromised system or a leaked file—could decrypt portions of the content without needing to brute force or guess passwords, since the cipher key is static and known.

    The exposed information includes user account passwords (excluding the administrator password), passphrases used to protect private keys, and any High Availability (HA) configuration passwords, if set. Because the administrator password is exempt, the immediate risk of full system takeover from decrypting the file is somewhat reduced; however, the remaining credentials may still allow lateral movement, access to protected services, or reconstruction of internal secrets—especially in environments with poor account segmentation or where users share credentials across systems.

    Although this vulnerability was originally published in 2019, it was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025, indicating that it remains a viable attack vector in real-world scenarios. The renewed interest likely stems from threat actors targeting backup files exfiltrated through other means, then decoding them using the now-public encryption key. The CVSS v3.1 score of 6.5 reflects the fact that the issue requires prior access to the backup file and does not permit direct execution or privilege escalation on its own.

    Nonetheless, organizations that maintain FortiOS appliances should audit their backup file storage and transfer mechanisms, implement encrypted transport layers and secure storage practices, and ensure they are not relying on outdated backup formats. Wherever possible, administrators should move to newer versions of FortiOS that remediate this flaw and remove reliance on insecure static key usage in cryptographic processes.

    CVE-2025-5419

    CVE-2025-5419 describes a high-severity vulnerability in the V8 JavaScript engine used by Google Chrome, prior to version 137.0.7151.68. The flaw stems from an out-of-bounds read and write condition that can be triggered through a crafted HTML page, potentially leading to heap corruption. This kind of memory error allows attackers to manipulate the memory layout of the running process, which can result in remote code execution under the context of the browser.

    The vulnerability is notable for its low attack complexity and lack of user privileges required to exploit it. While user interaction is necessary (typically in the form of visiting a malicious web page), once triggered, the flaw can allow attackers to execute arbitrary code, access sensitive information, or crash the browser. It is particularly dangerous in targeted phishing or watering hole campaigns where crafted JavaScript payloads are embedded in compromised or maliciously hosted sites.

    The CVSS v3 score of 8.8 reflects the severity of the potential impact on confidentiality, integrity, and availability, despite requiring user interaction. The older CVSS v2 system rates this flaw at a full 10.0, capturing the remote exploitation potential with no authentication needed. This disparity highlights the limitations of scoring systems when evaluating browser-based exploitation chains involving memory corruption.

    This vulnerability was confirmed to have been exploited in the wild and was added to CISA’s Known Exploited Vulnerabilities catalog in June 2025. It is part of an ongoing pattern of attackers targeting the V8 engine, often chaining JavaScript engine flaws with sandbox escapes or privilege escalation vulnerabilities to compromise host systems. Organizations using Google Chrome in sensitive environments should prioritize updates to patched versions and consider implementing browser isolation or application sandboxing to reduce the risk from future JavaScript engine vulnerabilities.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact