• The Evolution of Ransomware: From the AIDS Trojan to Triple Extortion

    Ransomware has significantly evolved over the past few decades, transforming from a rudimentary digital extortion tool into a multi-billion-dollar industry. What started with the AIDS Trojan in 1989 has expanded into a sophisticated web of operations that leverage advanced encryption, double-extortion tactics, and cryptocurrency payments. This evolution mirrors both technological advancements and a shift in how cybercriminals operate. Below is a breakdown of key developments in the history of ransomware, highlighting its transformation from a niche threat to a global cybersecurity issue.


    The Early Days: The AIDS Trojan (1989)

    The journey of ransomware began in 1989 with the AIDS Trojan, also known as PC Cyborg, which is regarded as the first recorded instance of ransomware. This malware was distributed through 20,000 infected floppy disks sent to attendees of the World Health Organization’s global AIDS conference in Stockholm.

    How it worked:
    The Trojan encrypted file names on a victim’s computer after 90 reboots and demanded a ransom of $189 to be sent to a P.O. Box in Panama. While this early example was basic and required victims to send payments via mail, it set the stage for ransomware’s future potential.

    Impact:
    Though the AIDS Trojan didn’t cause widespread financial damage, it marked a significant milestone in the history of cybercrime. It was a harbinger of more complex attacks to come.


    Early Evolution: 2004–2007

    GPCoder (2005): A Step Toward Modern Ransomware

    The emergence of GPCoder in 2005 signified a major turning point in ransomware’s capabilities. This malware encrypted important data files and demanded a $200 payment via Western Union or premium text messages. Although not officially classified as ransomware at the time, GPCoder’s tactics foreshadowed many of the strategies used by later strains.

    RSA Encryption and Archievus (2005–2006)

    In 2005, Archievus introduced RSA asymmetric encryption to ransomware attacks. It encrypted files in the “My Documents” folder and required payment for decryption. However, a significant flaw was discovered when all victims were given the same decryption password.

    Locker Ransomware (2007)

    Locker ransomware represented a major shift by locking victims out of their devices entirely, rather than just encrypting files. This new approach utilized aggressive tactics, such as displaying adult content, to pressure victims into paying.


    The Rise of Cryptocurrencies and Ransomware-as-a-Service (RaaS)

    As cybercrime evolved, so did the sophistication of ransomware operations. In 2009, Vundo ransomware emerged, encrypting files and demanding payment for decryption. However, it wasn’t until 2010 with the rise of cryptocurrency that ransomware underwent its next major shift.

    Cryptocurrencies: The Game-Changer

    Bitcoin and other cryptocurrencies allowed ransomware operators to receive payments in a decentralized and untraceable manner. This created a major obstacle for law enforcement, making it harder to track down perpetrators and recover funds.

    Ransomware-as-a-Service (RaaS) (2012)

    In 2012, Reveton became one of the first strains to introduce the Ransomware-as-a-Service (RaaS) model. By masquerading as law enforcement and threatening victims with legal action unless payment was made, Reveton opened the door for less experienced hackers to get involved in ransomware attacks. This lowered the technical barriers for would-be cybercriminals and allowed ransomware to spread more rapidly.


    CryptoLocker: A Turning Point in Ransomware (2013)

    The introduction of CryptoLocker in 2013 marked a watershed moment in the evolution of ransomware. This strain used strong encryption techniques to lock victims’ files and demanded payment in Bitcoin or MoneyPak.

    Impact:
    The operation was highly successful, with the FBI estimating that over $27 million was paid by victims before a coordinated effort dismantled the CryptoLocker botnet. This represented a significant shift, not only in the technical capabilities of ransomware but also in its financial success.


    Modern Ransomware: Double Extortion and Beyond (2019–2025)

    The Emergence of Double Extortion (2019)

    In 2019, the Maze ransomware group introduced a new tactic: double extortion. This method involves two steps: first, the ransomware encrypts the victim’s files; then, the attacker steals sensitive data and threatens to release it unless a ransom is paid. This tactic has been widely adopted by cybercriminals and has made ransomware more threatening than ever.

    Notable Attacks:

    • WannaCry (2017): Exploiting a vulnerability in Microsoft Windows (EternalBlue), WannaCry spread globally, affecting hundreds of thousands of systems across 150 countries. Its impact was massive, disrupting healthcare systems like the UK’s NHS.
    • NotPetya (2017): Unlike traditional ransomware, NotPetya was designed to destroy data irreparably. This attack targeted Ukrainian infrastructure before spreading worldwide, underscoring how ransomware could also be used as a tool of cyber warfare.

    The Business of Ransomware

    By 2020, ransomware had become a sophisticated business, with criminal organizations operating with corporate-like efficiency. Ransomware operations are now often highly organized, with separate teams handling different aspects of an attack: development, execution, and communication with victims.

    Targeting Critical Infrastructure: Ransomware attacks have increasingly focused on critical infrastructure, such as energy grids, water systems, and healthcare institutions. These industries are prime targets due to the potential for significant disruption and the likelihood of paying high ransoms to avoid damage.


    The Future of Ransomware

    As ransomware continues to evolve, it remains one of the most significant threats in the cybersecurity landscape. The continued adoption of cryptocurrencies and RaaS means that ransomware will likely remain a major threat for the foreseeable future.

    Moreover, double extortion tactics have raised the stakes for businesses, making it crucial for organizations to not only back up data but also implement robust cybersecurity measures to protect against these increasingly sophisticated attacks.

    As we move into 2025 and beyond, ransomware is likely to become more targeted and even more destructive, as attackers refine their strategies and exploit vulnerabilities in emerging technologies.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on, by providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Netizen: Monday Security Brief (5/5/2024)

    Today’s Topics:

    • Microsoft Pushes Passkeys as Default for New Accounts, Paving the Way for a Passwordless Future
    • Disk-Wiping Linux Malware Hidden in Malicious Go Modules Highlights Growing Supply Chain Risk
    • How can Netizen help?

    Microsoft Pushes Passkeys as Default for New Accounts, Paving the Way for a Passwordless Future

    Microsoft is now setting passkeys as the default sign-in method for all newly created consumer accounts, part of a broader industry push to eliminate passwords altogether. According to a joint announcement by Microsoft executives Joy Chik and Vasu Jakkal, the change means that new users will never need to create or manage a traditional password, instead relying on phishing-resistant authentication methods like biometrics and device-based verification.

    The update streamlines the sign-up and login process, automatically selecting the most secure available method for each user. For instance, if both a password and a one-time code are present, the system will default to the code, prompting users to upgrade to a passkey afterward.

    This shift aligns Microsoft with Apple, Google, Amazon, and other major tech firms that are accelerating adoption of passwordless authentication through the use of passkeys. Passkeys are supported by the FIDO (Fast Identity Online) Alliance and leverage public/private key cryptography to verify a user’s identity. When a user registers with a service, their device creates a secure key pair—one private key stored locally, and one public key shared with the service. Authentication requires the user to confirm their identity using biometrics or a device PIN, which then signs a cryptographic challenge with the private key.

    Passkeys remove the need to remember or store passwords, reducing the attack surface for phishing, credential stuffing, and brute-force attacks. As a result, they’re increasingly viewed as a critical defense against account compromise.

    As of late 2024, more than 15 billion user accounts globally support passkey authentication, and Microsoft’s decision to make it the default marks a significant step toward standardizing this method. The company first introduced passkey support in Windows 11 in September 2023, followed by enhancements to Windows Hello. Google similarly began rolling out passkeys as the default login method that same year.

    In addition to improving security for consumer accounts, the FIDO Alliance recently announced a Payments Working Group to explore how passkeys can be applied in payment authentication systems—furthering the goal of widespread passwordless security in both consumer and enterprise environments.

    Existing Microsoft account holders can switch to passkeys by removing their password in their account settings, making full adoption a user-controlled option. With this update, Microsoft makes clear that the future of secure login doesn’t involve passwords at all.


    Disk-Wiping Linux Malware Hidden in Malicious Go Modules Highlights Growing Supply Chain Risk

    Researchers have uncovered three malicious Go modules that deliver a destructive disk-wiping payload to Linux systems, underscoring the severe threat posed by software supply chain attacks. Disguised as legitimate packages, these modules contain heavily obfuscated code that fetches a remote shell script designed to overwrite the system’s primary disk (/dev/sda) with zeroes—permanently disabling the machine.

    The compromised Go modules are:

    • github[.]com/truthfulpharm/prototransform
    • github[.]com/blankloggia/go-mcp
    • github[.]com/steelpoor/tlsproxy

    According to Socket researcher Kush Pandya, once executed, the packages confirm the host OS is Linux and then download the payload using wget. The script executes without warning, rendering the system unbootable and erasing all data beyond recovery.

    “This malicious script leaves targeted Linux servers or developer environments entirely crippled,” Pandya said. “It highlights the extreme danger posed by modern supply-chain attacks that can turn seemingly trusted code into devastating threats.”

    The Go module discovery comes amid a broader trend: researchers from Socket, Sonatype, and Fortinet have also found dozens of malicious packages in the npm and PyPI ecosystems targeting cryptocurrency users and developers.

    Malicious npm packages targeting crypto wallets:

    • crypto-encrypt-ts
    • react-native-scrollpageviewtest
    • bankingbundleserv
    • buttonfactoryserv-paypal
    • tommyboytesting
    • compliancereadserv-paypal
    • oauth2-paypal
    • paymentapiplatformservice-paypal
    • userbridge-paypal
    • userrelationship-paypal

    These packages aim to steal mnemonic seed phrases and private keys used for cryptocurrency wallets, exfiltrating data to attacker-controlled infrastructure.

    Malicious PyPI packages abusing Gmail and WebSockets:

    • cfc-bsb (2,913 downloads)
    • coffin2022 (6,571 downloads)
    • coffin-codes-2022 (18,126 downloads)
    • coffin-codes-net (6,144 downloads)
    • coffin-codes-net2 (6,238 downloads)
    • coffin-codes-pro (9,012 downloads)
    • coffin-grave (6,544 downloads)

    These packages used hard-coded Gmail credentials to quietly send stolen data via SMTP and open remote access channels over WebSockets. This allowed attackers to bypass network detection by leveraging trusted domains such as smtp.gmail.com.

    Olivia Brown, another researcher at Socket, warned that even long-standing packages can be repurposed for malicious use. “Do not trust a package solely because it has existed for more than a few years without being taken down.”

    To defend against these supply chain attacks, security teams and developers should:

    • Audit all open-source dependencies frequently.
    • Verify package authorship, repository links, and update history.
    • Monitor network traffic for unusual outbound connections, including unexpected SMTP or WebSocket activity.
    • Apply strict access controls to protect sensitive environment variables and private keys.
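    The dependency audit and authorship checks above are easier to keep up when they are scripted. What follows is an added example written for this brief, not code from Socket or from the write-up: it parses a go.mod's require directives (both the single-line and the parenthesised block form), compares every module path against the three defanged paths listed above, and flags pseudo-versions, which pin an untagged commit rather than a release and therefore deserve a look at the upstream history. The sample go.mod and every module path other than those three are constructed.

```python
import re

# Module paths as published in the write-up, kept defanged ("[.]") so they
# are not clickable; refang() restores the real path for comparison.
DEFANGED_MALICIOUS_MODULES = [
    "github[.]com/truthfulpharm/prototransform",
    "github[.]com/blankloggia/go-mcp",
    "github[.]com/steelpoor/tlsproxy",
]

# Go pseudo-versions end in "-<14-digit UTC timestamp>-<12-hex commit prefix>"
# and mean the dependency points at an untagged commit, not a tagged release.
PSEUDO_VERSION_RE = re.compile(r"-\d{14}-[0-9a-f]{12}$")

# Constructed go.mod for the example; every path except the three above is made up.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require example.com/lib/util v1.4.2

require (
    github.com/truthfulpharm/prototransform v0.1.0
    example.com/lib/extra v0.3.0 // indirect
    example.com/lib/somelib v0.0.0-20240101120000-0123456789ab
)
"""


def refang(ioc: str) -> str:
    """Turn the defanged "[.]" notation used in write-ups back into a real path."""
    return ioc.replace("[.]", ".")


def parse_go_mod_requires(text: str) -> dict:
    """Return {module_path: {"version": v, "indirect": bool}} from require directives."""
    reqs = {}
    in_block = False
    for raw in text.splitlines():
        indirect = "// indirect" in raw
        line = raw.split("//", 1)[0].strip()  # drop comments, then whitespace
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            parts = line.split()[1:]      # single-line form: require <path> <version>
        elif in_block:
            parts = line.split()          # block form: <path> <version>
        else:
            continue                      # module, go, replace, exclude ... are ignored here
        if len(parts) >= 2:
            reqs[parts[0]] = {"version": parts[1], "indirect": indirect}
    return reqs


def audit_go_mod(text: str, denylist=None) -> list:
    """Flag known-malicious modules and pseudo-versioned (untagged) dependencies."""
    deny = {refang(m) for m in (denylist or DEFANGED_MALICIOUS_MODULES)}
    findings = []
    for path, info in parse_go_mod_requires(text).items():
        if path in deny:
            findings.append({"module": path, "severity": "critical",
                             "reason": "known malicious module", **info})
        elif PSEUDO_VERSION_RE.search(info["version"]):
            findings.append({"module": path, "severity": "low",
                             "reason": "pseudo-version pins an untagged commit; "
                                       "verify the upstream repository and history", **info})
    return findings


if __name__ == "__main__":
    for finding in audit_go_mod(SAMPLE_GO_MOD):
        print(finding)
```

    Run it against a real go.mod by reading the file into `audit_go_mod`; the deny-list can be swapped for any current feed of malicious module paths, and the pseudo-version rule is a prompt to verify, not proof of compromise.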



  • Critical Microsoft Telnet Server Vulnerability Enables Zero-Click NTLM Authentication Bypass

    A newly disclosed zero-click vulnerability in Microsoft’s Telnet Server allows remote attackers to bypass NTLM authentication and gain administrator-level access without credentials. With no official patch available, this flaw presents a serious risk to legacy Windows systems still running Telnet services.


    Vulnerability Overview: Unauthenticated Access via MS-TNAP

    The vulnerability, detailed by cybersecurity researcher Hacker Fantastic, stems from a flaw in Microsoft’s Telnet Authentication Protocol (MS-TNAP). By exploiting a misconfiguration in how Telnet handles NTLM-based authentication, attackers can completely bypass standard credential checks.

    Affected systems include:

    • Windows 2000
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    The vulnerability arises from improper use of Security Support Provider Interface (SSPI) flags during the authentication handshake. The Telnet Server mistakenly configures NTLM to authenticate itself to the client instead of validating the client—effectively inverting the expected trust model.


    How the Exploit Works

    A proof-of-concept (PoC) tool named telnetbypass.exe was released, targeting local and domain-joined hosts. The exploit works as follows:

    1. It initiates a Telnet session requesting NTLM mutual authentication.
    2. A manipulated NTLM handshake is sent with altered SSPI flags (SECPKG_CRED_BOTH, ASC_REQ_DELEGATE, and ASC_REQ_MUTUAL_AUTH).
    3. A forged NTLM Type 3 message tricks the server into treating the attacker as an authenticated user.
    4. Full Telnet access is granted, often under Administrator privileges, with no password required.

    The exploit does not require prior interaction or credentials, making it particularly dangerous in environments still running legacy Microsoft services.


    What Do SOC Teams Need to Know?

    Security Operations Center (SOC) teams should immediately evaluate their environments for any running Telnet Server services, particularly on legacy Windows systems.

    Key actions:

    • Disable Telnet Services: Immediately shut down Telnet Server on all internal systems unless explicitly needed and secured.
    • Apply Network Restrictions: Use firewalls or network access controls to restrict Telnet access to specific trusted IP ranges.
    • Audit Legacy Systems: Perform a full asset inventory to identify and evaluate unsupported or legacy systems that may be vulnerable.
    • Deploy Application Controls: Use group policies or endpoint detection and response (EDR) solutions to prevent execution of unauthorized Telnet clients.
    • Monitor for Exploit Signatures: Look for abnormal NTLM handshake patterns or unusual Telnet traffic, particularly from internal hosts.

    Given the lack of a patch, active monitoring and access control are the only immediate lines of defense.


    Mitigation Recommendations

    Until Microsoft issues a formal patch for this vulnerability, the following steps are strongly advised:

    • Transition to Secure Protocols: Migrate from Telnet to more secure remote access solutions such as SSH.
    • Block Telnet at the Network Perimeter: Prevent Telnet traffic from crossing into sensitive network zones.
    • Implement Detection Rules: Update SIEM systems to monitor for exploitation attempts using known SSPI flag misuse or Telnet-based NTLM anomalies.
    • Educate IT Teams: Ensure administrators are aware of the risk and do not enable Telnet services during troubleshooting or legacy system setup.



  • Netizen: Monday Security Brief (4/28/2024)

    Today’s Topics:

    • WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors
    • Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw
    • How can Netizen help?

    WooCommerce Users Hit by Fake Security Patch Campaign Distributing Backdoors

    Cybersecurity researchers have uncovered a widespread phishing campaign targeting WooCommerce users, using fake security alerts to trick site administrators into installing malware. Instead of delivering a legitimate patch, the attackers deploy a backdoor plugin that grants them complete control over compromised WordPress websites.

    The campaign, identified by WordPress security company Patchstack, closely resembles an attack from December 2023 where threat actors used a fake CVE vulnerability to lure victims. Researchers believe the new wave is either the work of the same group or a highly skilled copycat mimicking the earlier tactics.

    According to security researcher Chazz Wolcott, the phishing emails claim the targeted WooCommerce sites are vulnerable to a fictitious “Unauthenticated Administrative Access” flaw. Victims are urged to click a link that directs them to a phishing website designed to closely resemble the legitimate WooCommerce Marketplace page. The attackers rely on an IDN homograph trick—substituting the letter “e” with a visually similar special character “ė”—to disguise their domain as “woocommėrce[.]com.”
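    One way to catch this homograph trick in inbound links before a person reads them, as an added example that is not part of the original post or of Patchstack's research: the code below converts a hostname to its punycode wire form (non-ASCII labels become xn-- labels), builds a crude confusable skeleton by decomposing accents and stripping combining marks, and flags labels that mix ASCII and non-ASCII letters. The trusted-domain set and the look-alike host are constructed sample values; the skeleton is deliberately simple and does not cover every Unicode confusable.

```python
import unicodedata

# Constructed sample values: the trusted domain and a look-alike of the kind the
# campaign used, with U+0117 (LATIN SMALL LETTER E WITH DOT ABOVE) replacing "e".
TRUSTED_DOMAINS = {"woocommerce.com"}
LOOKALIKE = "woocomm\u0117rce.com"


def refang(host: str) -> str:
    """Turn the defanged "[.]" notation used in write-ups back into a real hostname."""
    return host.replace("[.]", ".")


def to_punycode(host: str) -> str:
    """Wire form of a hostname: any non-ASCII label becomes an xn-- (punycode) label."""
    return host.encode("idna").decode("ascii")


def skeleton(host: str) -> str:
    """Crude confusable skeleton: decompose accents, drop combining marks, fold case.
    This reduces "ė" to "e"; it does not cover every Unicode confusable."""
    decomposed = unicodedata.normalize("NFKD", host)
    base = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return base.casefold()


def mixed_script_label(label: str) -> bool:
    """True if a single DNS label mixes ASCII letters with non-ASCII letters."""
    ascii_letters = any(ch.isascii() and ch.isalpha() for ch in label)
    other_letters = any((not ch.isascii()) and ch.isalpha() for ch in label)
    return ascii_letters and other_letters


def classify(host: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a link host as trusted, homograph, or unrelated, with the evidence."""
    host = refang(host).rstrip(".").casefold()
    evidence = {
        "punycode": to_punycode(host),
        "mixed_script_labels": [lab for lab in host.split(".") if mixed_script_label(lab)],
    }
    if host in trusted:
        verdict = "trusted"
    elif any(skeleton(host) == skeleton(t) for t in trusted):
        verdict = "homograph"
    else:
        verdict = "unrelated"
    return {"host": host, "verdict": verdict, **evidence}


if __name__ == "__main__":
    for h in ("woocommerce.com", LOOKALIKE, "woocomm\u0117rce[.]com", "example.org"):
        print(classify(h))
```

    The punycode form is what to log and what to show users, since an xn-- label is visibly not the brand's domain even when the Unicode rendering looks identical; a mail gateway or link-rewriting proxy can apply `classify` to every host in a message and quarantine anything that comes back `homograph`.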

    Once on the fake page, victims are prompted to download a ZIP file named “authbypass-update-31297-id.zip,” which they are instructed to install like a standard WordPress plugin. However, installing this plugin triggers several malicious activities:

    • A new administrator account is silently created with a hidden username and randomized password.
    • A cron job is scheduled to run every minute, ensuring persistence.
    • Details about the new admin account and the compromised website are sent to a remote server at “woocommerce-services[.]com/wpapi.”
    • A second-stage payload is downloaded from domains such as “woocommerce-help[.]com/activate” or “woocommerce-api[.]com/activate.”
    • After decoding the payload, multiple web shells like P.A.S.-Fork, p0wny, and WSO are deployed to the server.
    • The rogue plugin hides itself from the WordPress plugin list, and the attacker-created admin account is also concealed from view.

    The end goal is full remote access to the infected websites. Attackers can inject spam, display malicious advertisements, redirect visitors to fraudulent sites, conscript the servers into botnets for distributed denial-of-service (DDoS) attacks, or even encrypt server files in ransomware-style extortion schemes.

    Website administrators are urged to immediately scan their WordPress instances for unknown plugins or suspicious administrator accounts. It’s also critical to ensure that WooCommerce and WordPress installations, along with all plugins and themes, are kept fully updated to mitigate the risk of such attacks.


    Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited CVE-2025-31324 Flaw

    More than 1,200 SAP NetWeaver instances exposed to the internet are vulnerable to an actively exploited, maximum-severity file upload flaw that enables remote attackers to hijack servers without authentication.

    SAP NetWeaver serves as an application server and development platform connecting SAP and non-SAP applications across multiple technologies. It plays a critical role in large enterprises worldwide.

    Last week, SAP disclosed CVE-2025-31324, a high-severity unauthenticated file upload vulnerability in the NetWeaver Visual Composer’s Metadata Uploader component. The flaw allows attackers to upload arbitrary executable files on vulnerable servers, leading to remote code execution and full system compromise.

    Multiple cybersecurity firms, including ReliaQuest, watchTowr, and Onapsis, have confirmed that CVE-2025-31324 is already being exploited in the wild. Threat actors are reportedly deploying web shells to maintain persistent access to affected servers.

    SAP responded by releasing a temporary workaround on April 8, 2025, and a full security patch on April 25. A spokesperson for SAP told BleepingComputer they are aware of exploitation attempts but have not seen evidence of customer data breaches or impacted systems so far.

    Recent scans have revealed a significant number of vulnerable systems online. The Shadowserver Foundation identified 427 exposed SAP NetWeaver servers globally, warning about the vast attack surface.

    The top affected countries include:

    • United States: 149 servers
    • India: 50 servers
    • Australia: 37 servers
    • China: 31 servers
    • Germany: 30 servers
    • Netherlands: 13 servers
    • Brazil: 10 servers
    • France: 10 servers

    However, the situation appears even more serious based on data from cyber defense platform Onyphe, which reported 1,284 vulnerable servers online — with 474 already compromised by web shells.

    “Something like 20 Fortune 500/Global 500 companies are vulnerable, and many of them are already compromised,” Onyphe CTO Patrice Auffret told BleepingComputer.

    Attackers are primarily dropping web shells named “cache.jsp” and “helper.jsp,” although researchers from Nextron Research noted that random filenames are also being used to evade detection.

    While the total number of affected servers may not seem massive, the presence of vulnerable SAP NetWeaver systems in large enterprises and multinational corporations poses a severe security risk.

    SAP customers are strongly urged to apply the latest security update following the vendor’s advisory. If immediate patching is not possible, organizations should take the following mitigation actions:

    • Restrict access to the /developmentserver/metadatauploader endpoint.
    • Disable the Visual Composer component if not in use.
    • Forward server logs to a SIEM and scan for unauthorized files in the servlet path.
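    To make the last two mitigation steps concrete, here is an added example (not SAP's, RedRays', or the researchers' code) that runs three detections over constructed access-log lines: any request to /developmentserver/metadatauploader, any request for one of the web shell names quoted above, and any .jsp fetched by a client shortly after that same client touched the uploader, which also catches the randomly named shells Nextron Research mentioned. The lines are in Common Log Format; the IP addresses and the /irj/ path are constructed sample values, not taken from the write-up.

```python
import posixpath
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# From the write-up: the exposed endpoint and the web shell names seen in the wild.
UPLOADER_ENDPOINT = "/developmentserver/metadatauploader"
KNOWN_WEBSHELLS = {"cache.jsp", "helper.jsp"}

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log; IPs are documentation ranges and /irj/ is an assumed
# servlet path for the example, not a value from the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [28/Apr/2025:10:02:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312
203.0.113.7 - - [28/Apr/2025:10:02:15 +0000] "GET /irj/helper.jsp HTTP/1.1" 200 88
203.0.113.7 - - [28/Apr/2025:10:03:40 +0000] "GET /irj/xk3q9z.jsp HTTP/1.1" 200 91
198.51.100.9 - - [28/Apr/2025:10:05:00 +0000] "GET /irj/report.jsp HTTP/1.1" 200 2048
10.0.0.5 - - [28/Apr/2025:11:30:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": urlsplit(m.group("target")).path,   # query string dropped
        "status": int(m.group("status")),
    }


def analyze(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for uploader access, known web shell names, and any .jsp
    requested by a client within `window` of that client hitting the uploader."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    uploader_hits = {}          # client ip -> timestamps of uploader requests
    alerts = []
    for e in events:
        name = posixpath.basename(e["path"]).lower()
        base = {"ip": e["ip"], "path": e["path"], "ts": e["ts"].isoformat()}
        if e["path"].lower().startswith(UPLOADER_ENDPOINT):
            uploader_hits.setdefault(e["ip"], []).append(e["ts"])
            # a write (POST) is the dangerous case; a GET may be a scanner or a probe
            severity = "high" if e["method"] != "GET" else "medium"
            alerts.append({"rule": "metadata_uploader_access", "severity": severity, **base})
        elif name in KNOWN_WEBSHELLS:
            alerts.append({"rule": "known_webshell_name", "severity": "critical", **base})
        elif name.endswith(".jsp") and any(
            e["ts"] - t <= window for t in uploader_hits.get(e["ip"], [])
        ):
            # random shell name, but the same client touched the uploader just before
            alerts.append({"rule": "jsp_after_uploader_access", "severity": "critical", **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

    The correlation rule is the one worth carrying into a SIEM: the web shell name is the attacker's choice, but the sequence "hit the uploader, then request a new .jsp" is not, so keying on the client and a short time window survives renamed payloads. Any alert should be followed by checking the servlet directory on disk for .jsp files the deployment did not ship.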

    Additionally, RedRays has released a scanner tool specifically for CVE-2025-31324, helping administrators identify vulnerable systems across large environments.




  • Netizen: April 2025 Vulnerability Review

    Security vulnerabilities are a constant concern in managing any business’s security posture, and promptly patching and remediating new ones is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from April that should be patched or addressed immediately if present in your environment. Detailed writeups follow:


    CVE-2025-29824

    CVE-2025-29824 is a high-severity use-after-free vulnerability in the Windows Common Log File System (CLFS) Driver that allows an authorized attacker to elevate privileges locally. This vulnerability was disclosed as part of Microsoft’s April 2025 Patch Tuesday, where the company addressed 121 CVEs, including one zero-day that had already been exploited in the wild.

    Exploitation of CVE-2025-29824 could enable attackers to gain higher-level system privileges, providing them with the ability to execute arbitrary code, alter system configurations, or move laterally across a compromised network. Security researchers reported that ransomware gangs have actively exploited this flaw, making it a serious concern for enterprise environments, especially those running unpatched Windows systems.

    Given its active exploitation and the significant risk of privilege escalation, organizations are strongly urged to apply the April 2025 security updates without delay. In addition to patching, it is advisable to review system logs for signs of suspicious activity related to CLFS operations and implement endpoint protection solutions capable of detecting post-exploitation behaviors. Addressing this vulnerability promptly is critical to defending against ransomware attacks and broader system compromise.


    CVE-2025-22457

    CVE-2025-22457 is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. The flaw exists in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2, and it allows a remote unauthenticated attacker to achieve remote code execution.

    This vulnerability has drawn serious concern due to its active exploitation by threat actors, including groups linked to Chinese espionage operations. Security researchers have reported that thousands of Ivanti VPN appliances were left exposed and vulnerable, leading to widespread targeting. Exploitation can result in full control over the affected device, enabling attackers to deploy malware, steal sensitive information, or establish persistent access for further attacks.

    Organizations using vulnerable versions of Ivanti products are strongly urged to update immediately to the patched versions released by Ivanti. Delaying remediation could leave critical infrastructure and sensitive networks exposed to sophisticated threat actors. It is also recommended to monitor network traffic for signs of compromise, restrict access to administrative interfaces, and apply strict segmentation and access controls around critical systems to minimize potential impact.


    CVE-2025-31200

    CVE-2025-31200 is a high-severity memory corruption vulnerability affecting multiple Apple operating systems, including iOS, iPadOS, macOS Sequoia, tvOS, and visionOS. The flaw was caused by improper bounds checking when processing audio streams in maliciously crafted media files. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on a target device.

    Apple addressed the issue in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. Reports indicated that the flaw had been exploited in highly sophisticated attacks targeting specific individuals, particularly on iOS devices. Given the nature of the exploitation, it is suspected that the attacks were part of carefully crafted, state-sponsored campaigns aimed at high-value targets.

    Due to the potential for serious impact, users and organizations are urged to update their Apple devices to the latest patched versions as soon as possible. Special attention should be given to high-risk users who may be subject to targeted threats. In addition to applying updates, users should exercise caution when handling unknown or suspicious media files, particularly from untrusted sources.


    CVE-2024-53150

    CVE-2024-53150 is a high-severity vulnerability in the Linux kernel related to the ALSA (Advanced Linux Sound Architecture) USB-audio driver. The issue stems from a lack of proper validation when traversing USB clock descriptors, specifically failing to check the bLength field of each descriptor. This oversight could allow an out-of-bounds read when a device provides a malformed descriptor with a shorter-than-expected length, potentially leading to memory corruption or unexpected behavior.

    The vulnerability was resolved by introducing sanity checks during the clock descriptor traversal process. The updated code now verifies that descriptor lengths match the expected sizes before processing, and skips any invalid descriptors. Special attention was given to clock selector descriptors for UAC2 and UAC3 devices, which include dynamic array fields and required additional checks beyond simple size comparisons.

    This flaw was highlighted as part of Google’s Android security updates in April 2025, indicating that it had been actively exploited in attacks targeting Android devices. Given its potential for exploitation and the fact that Linux kernel vulnerabilities often impact a wide range of platforms, users and organizations should apply patches that address this vulnerability as soon as they are available. Updating kernel versions, especially for systems running Android or Linux-based distributions that use ALSA drivers, is critical to preventing potential exploitation through malicious USB devices or corrupted media handling.


    CVE-2024-53197

    CVE-2024-53197 is a high-severity vulnerability affecting the Linux kernel’s USB-audio subsystem, specifically impacting devices like Extigy and Mbox. The issue stems from a scenario where a malicious or faulty USB device provides a bNumConfigurations value that exceeds the amount initially allocated for dev->config during usb_get_configuration. This discrepancy can lead to out-of-bounds accesses later during operations such as usb_destroy_configuration, potentially resulting in memory corruption or system instability.

    The vulnerability was addressed by introducing proper validation checks to ensure that configuration values provided by devices do not exceed the allocated memory bounds. This fix was included in kernel patches released in early 2025 and was highlighted as part of the broader Android security updates in April 2025, suggesting that exploitation was observed in real-world attacks targeting Android systems and Linux-based environments.

    Given the nature of the flaw and the risks associated with memory corruption vulnerabilities, organizations and users running affected Linux or Android systems should apply the available security patches as soon as possible. Keeping systems updated and being cautious about connecting unknown or untrusted USB devices can help mitigate the risk of exploitation related to this vulnerability.
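    The two checks described above for CVE-2024-53150 (validating bLength while walking clock descriptors, with the extra size rule for selectors) and CVE-2024-53197 (never trusting a re-read bNumConfigurations beyond what was allocated) modelled as an added Python example. This is not the kernel's code: the clock-descriptor sizes (8 bytes for a source, 7 for a multiplier, 7 + bNrInPins for a selector) follow the UAC2 specification, USB_MAXCONFIG mirrors the kernel's cap of 8 configurations, the function names and the dict standing in for the device are the example's own, and the descriptor bytes are constructed.

```python
# Stand-alone model of the two USB descriptor checks; an added illustration,
# not the kernel's code. Layout constants follow the UAC2 spec, the "device"
# is a plain dict, and everything runs offline on constructed bytes.

CS_INTERFACE = 0x24           # bDescriptorType of class-specific interface descriptors
UAC2_CLOCK_SOURCE = 0x0A      # bDescriptorSubtype values of UAC2 clock descriptors
UAC2_CLOCK_SELECTOR = 0x0B
UAC2_CLOCK_MULTIPLIER = 0x0C
USB_MAXCONFIG = 8             # kernel cap on configurations allocated per device


def required_len(subtype, desc):
    """Minimum bLength for a clock descriptor, or None for other subtypes.
    A selector carries baCSourceID[bNrInPins], so its size depends on a field
    that must itself lie inside the descriptor (the extra selector check the
    CVE-2024-53150 fix added). If bNrInPins is missing, 5 bytes is the floor."""
    if subtype == UAC2_CLOCK_SOURCE:
        return 8
    if subtype == UAC2_CLOCK_MULTIPLIER:
        return 7
    if subtype == UAC2_CLOCK_SELECTOR:
        return 7 + desc[4] if len(desc) >= 5 else 5
    return None


def walk_clock_descriptors(blob):
    """Hardened traversal: returns (valid, skipped) where valid holds
    (subtype, bytes) for each clock descriptor whose bLength covers its
    fields and skipped holds the offsets of malformed ones."""
    valid, skipped, off = [], [], 0
    while off + 2 <= len(blob):                 # need bLength and bDescriptorType
        start, blen = off, blob[off]
        if blen < 2 or start + blen > len(blob):  # junk length or claims bytes past the buffer
            skipped.append(start)
            break
        desc = blob[start:start + blen]
        off = start + blen
        if blen < 3 or desc[1] != CS_INTERFACE:
            continue                            # not class-specific: nothing to validate
        need = required_len(desc[2], desc)
        if need is None:
            continue                            # not a clock descriptor
        if blen < need:
            skipped.append(start)               # truncated: bytes past bLength are not ours
            continue
        valid.append((desc[2], bytes(desc)))
    return valid, skipped


def clock_source_controls(blob, clock_id):
    """Hardened lookup of bmControls (offset 5) for a clock source by bClockID."""
    for subtype, desc in walk_clock_descriptors(blob)[0]:
        if subtype == UAC2_CLOCK_SOURCE and desc[3] == clock_id:
            return desc[5]
    return None


def clock_source_controls_unchecked(blob, clock_id):
    """'Before' behaviour: advances by bLength but reads the fixed struct
    fields without confirming bLength covers them, so a 4-byte descriptor
    yields whatever bytes follow it (the out-of-bounds read of the CVE)."""
    off = 0
    while off + 4 <= len(blob):
        blen = blob[off]
        if blen < 2:
            break
        if (blob[off + 1] == CS_INTERFACE and blob[off + 2] == UAC2_CLOCK_SOURCE
                and blob[off + 3] == clock_id):
            return blob[off + 5]                # may belong to the next descriptor
        off += blen
    return None


def allocated_configs(num_configurations):
    """usb_get_configuration() analogue: dev->config is sized from the
    descriptor's bNumConfigurations, capped at USB_MAXCONFIG."""
    return min(num_configurations, USB_MAXCONFIG)


def accept_reread_descriptor(device, new_num_configurations):
    """CVE-2024-53197 analogue: a quirk that re-reads the device descriptor
    must reject a bNumConfigurations larger than what dev->config holds,
    otherwise later teardown indexes past the allocation."""
    if new_num_configurations > device["configs_allocated"]:
        return False
    device["num_configurations"] = new_num_configurations
    return True


# Constructed sample: valid source (id 1), truncated source (id 2), valid
# 2-pin selector, selector claiming 4 pins in 8 bytes, valid multiplier.
SAMPLE_EXTRA = bytes(
    [8, 0x24, 0x0A, 0x01, 0x03, 0x07, 0x00, 0x00]
    + [4, 0x24, 0x0A, 0x02]
    + [9, 0x24, 0x0B, 0x03, 0x02, 0x01, 0x02, 0x03, 0x00]
    + [8, 0x24, 0x0B, 0x04, 0x04, 0x01, 0x02, 0x03]
    + [7, 0x24, 0x0C, 0x05, 0x01, 0x03, 0x00]
)

if __name__ == "__main__":
    good, bad = walk_clock_descriptors(SAMPLE_EXTRA)
    print("valid subtypes:", [hex(s) for s, _ in good], "skipped at offsets:", bad)
    print("clock 2 bmControls, unchecked:", clock_source_controls_unchecked(SAMPLE_EXTRA, 2))
    print("clock 2 bmControls, checked:", clock_source_controls(SAMPLE_EXTRA, 2))
    dev = {"num_configurations": 1, "configs_allocated": allocated_configs(1)}
    print("accept re-read claiming 3 configs:", accept_reread_descriptor(dev, 3))
```

    On the sample, the unchecked lookup for clock ID 2 returns the first byte of the following selector descriptor rather than a bmControls field, which is the Python-level equivalent of the kernel reading past a short descriptor; the checked walk skips that descriptor and the oversized selector and reports their offsets instead. The re-read check is the same idea applied to counts: the allocation made earlier, not the value a device presents later, bounds every subsequent index.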


    How Can Netizen Help?

    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Netizen Cybersecurity Bulletin (April 24th, 2025)

    Overview:

    • Phish Tale of the Week
    • Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel
    • Curing: New io_uring Linux Rootkit Evades System Call-Based Detection
    • How can Netizen help?

    Phish Tale of the Week

    Phishing campaigns created by malicious actors often target users through social engineering. In this example, the actors pose as an unnamed company and send us a text message telling us to join some sort of stock trading group where they share “trusted analyst signals.” It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to click on the link due to the fact that I did not recently sign up for any information regarding a “Daily Exchange Trend Overview.” On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
    2. The second warning sign in this text is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “Typical daily income: 1K-5K.” Phishing and smishing scams commonly attempt to create a sense of urgency or confusion in their messages so that you click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
    3. The final warning sign for this text is the wording; in our case the smisher uses the incomplete sentence “Daily Exchange Trend Overview Mitigate your risks.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages convey a sense of urgency or even aggression to intimidate the recipient. Any message requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.


    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Iranian Hackers Deploy MURKYTOUR Malware in Fake Job Campaign Targeting Israel

    Iran-linked hacking group UNC2428 has been implicated in a highly targeted phishing campaign that delivered a new backdoor malware, MURKYTOUR, under the guise of a job opportunity with a major Israeli defense contractor. The social engineering operation, observed in October 2024, is part of an ongoing series of cyber-espionage attacks that leverage deception and custom-built malware to compromise victims in Israel.

    According to Google-owned threat intelligence firm Mandiant, the Iranian threat actor UNC2428 orchestrated a multi-stage attack by posing as recruiters from Rafael Advanced Defense Systems, a prominent Israeli defense company. The group directed victims to a fake website mimicking Rafael’s legitimate domain and asked them to download an application tool—RafaelConnect.exe—which appeared to facilitate the job application process.

    In reality, RafaelConnect.exe was a trojanized installer called LONEFLEET. It featured a realistic-looking graphical user interface (GUI) that requested personal information and a résumé upload. Behind the scenes, it executed MURKYTOUR, a custom malware implant that provided persistent access to the victim’s system. Mandiant confirmed the use of LEAFPILE, a launcher used to initiate MURKYTOUR silently while keeping the victim engaged with the fake application.

    “The use of legitimate-looking GUIs helps these Iranian threat actors reduce suspicion during installation,” Mandiant stated in its 2025 M-Trends report. “By mimicking the exact look and feel of recruitment portals, the malware deployment becomes seamless.”

    The techniques used by UNC2428 closely resemble tactics previously attributed to Black Shadow, a group linked to Iran’s Ministry of Intelligence and Security (MOIS). Israel’s National Cyber Directorate has associated Black Shadow with multiple campaigns targeting sectors such as finance, healthcare, transportation, academia, and government services.

    Mandiant emphasizes that UNC2428 is just one of several Iran-backed hacking clusters targeting Israeli interests throughout 2024.

    Other Active Iranian Threat Groups in 2024

    One notable Iranian threat group, Cyber Toufan, emerged with a wiper malware named POKYBLIGHT, used against Israeli-based systems. The wiper campaign appeared to focus on data destruction and operational disruption.

    Mandiant also tracked UNC3313, another Iran-affiliated espionage group, which distributed malware like JELLYBEAN and CANDYBOX through phishing lures themed around training and webinars. UNC3313 is known to rely heavily on remote monitoring and management (RMM) tools—nine different ones to date—to maintain access while evading traditional detection mechanisms.

    These tactics mirror those of MuddyWater (aka Static Kitten), a well-known Iranian cyber-espionage group with similar infrastructure and techniques.

    In a separate campaign observed in July 2024, Mandiant discovered that Iranian hackers distributed a .NET-based backdoor dubbed CACTUSPAL by disguising it as a legitimate installer for Palo Alto Networks’ GlobalProtect VPN software. Once launched, the malware stealthily verified its process and connected to a command-and-control (C2) server, establishing persistent access.

    Meanwhile, UNC1549—another Iranian threat actor—has adapted its tactics by embedding malicious infrastructure into cloud-based environments. Hosting C2 nodes and payloads on popular cloud platforms, they have been able to disguise malicious activity as normal enterprise traffic.

    “These methods allow Iranian APTs to fly under the radar by blending into enterprise network behavior,” said Mandiant. “Typosquatting and domain reuse are now combined with advanced cloud-native deception.”

    The group APT42, also known as Charming Kitten, is notorious for credential harvesting. They create highly convincing fake login pages for platforms like Google, Yahoo, and Microsoft, often redirecting users through services such as Google Sites and Dropbox to create credible landing pages. Their phishing tactics often involve rapport-building with victims, posing as trusted contacts or employers.

    Across all Iranian operations documented by Mandiant in 2024, over 20 unique malware families were identified—including custom backdoors, droppers, and downloaders. Among these, DODGYLAFFA and SPAREPRIZE have been used by APT34 (also known as OilRig) in operations aimed at Iraqi government systems.

    Iran-backed cyber operations are intensifying in scale and technical sophistication, particularly against Israeli interests. These operations demonstrate an evolving threat model, one that blends stealthy malware, deception, and cloud-based infrastructure.

    Mandiant warns that organizations operating in the region should remain on high alert. “Iran-nexus threat actors will continue adjusting their strategies to align with geopolitical interests,” the firm stated. “Defenders should expect more sophisticated lures, stealthier malware, and faster deployment cycles in 2025 and beyond.”



    Curing: New io_uring Linux Rootkit Evades System Call-Based Detection


    A new proof-of-concept Linux rootkit called Curing reveals a dangerous blind spot in many popular runtime security tools by abusing the Linux io_uring interface to operate without triggering system calls. This evasion tactic highlights a growing risk for Linux environments relying on syscall-based monitoring for threat detection.

    Introduced in Linux kernel 5.1 in 2019, io_uring is an asynchronous I/O mechanism designed to improve performance by reducing context switches. It enables communication between user space and the kernel through shared submission and completion queues, allowing applications to perform I/O without the overhead of traditional system calls.

    While this boosts performance, it also presents a security problem: actions executed through io_uring can avoid detection from tools that rely on system call hooks.

    The Curing rootkit, developed as a proof-of-concept by security researchers at ARMO, establishes a backchannel with a command-and-control (C2) server and executes commands entirely through io_uring. This allows it to avoid generating system calls altogether, making its activity invisible to tools that depend on syscall-based detection.

    According to ARMO, this represents a major visibility gap in Linux runtime security.

    “This mechanism allows a user application to perform various actions without using system calls,” ARMO explained. “As a result, security tools relying on system call monitoring are blind to rootkits working solely on io_uring.”

    Popular Linux runtime security tools such as Falco and Tetragon are not equipped to detect threats like Curing. These tools rely on system call hooks to monitor runtime behavior, and because io_uring operations do not use system calls, they go unnoticed.

    This limitation underscores the need for more advanced detection methods that go beyond syscall monitoring and incorporate deeper visibility into kernel-level operations.

    Google previously flagged io_uring as a potential security concern. In 2023, the company began restricting its use across Android, ChromeOS, and internal production systems due to its ability to support powerful exploitation techniques.

    Traditional rootkits often rely on intercepting system calls or modifying kernel modules. Curing demonstrates that attackers no longer need to use these techniques to remain stealthy. By using io_uring, malware can operate entirely outside the detection scope of many current endpoint security tools.
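    An added example of a check a defender can run that does not depend on syscall hooks: inventory which processes hold io_uring instances and read the kernel's io_uring policy. It is not ARMO's code or the Curing proof of concept. It assumes two facts about Linux: an io_uring file descriptor appears in /proc/<pid>/fd as a link to anon_inode:[io_uring], and kernels from 6.6 onward expose kernel.io_uring_disabled (0 allows all processes, 1 restricts creation to privileged processes and members of kernel.io_uring_group, 2 disables it for everyone). The function names, the allow-list and the process snapshot are constructed for the example.

```python
# Added example: baseline io_uring usage per process from /proc and report
# the kernel.io_uring_disabled policy. Not ARMO's or the rootkit's code.
import os

IO_URING_LINK = "anon_inode:[io_uring]"   # readlink target of an io_uring fd

# Meaning of kernel.io_uring_disabled (Linux 6.6 and later)
IO_URING_POLICY = {
    0: "enabled for all processes",
    1: "restricted: unprivileged processes outside kernel.io_uring_group get EPERM",
    2: "disabled for every process: io_uring_setup() always fails with EPERM",
}


def io_uring_holders(snapshot):
    """snapshot: {pid: {"comm": name, "fds": [readlink targets]}}.
    Return sorted (pid, comm, instance_count) for processes holding io_uring."""
    out = []
    for pid, info in snapshot.items():
        n = info["fds"].count(IO_URING_LINK)
        if n:
            out.append((pid, info["comm"], n))
    return sorted(out)


def unexpected_io_uring_users(snapshot, allowlist):
    """Holders whose comm is not in the site's allow-list of known legitimate
    users (databases, web servers, ...). A new name is a lead for host-level
    investigation, not proof of a rootkit."""
    return [h for h in io_uring_holders(snapshot) if h[1] not in allowlist]


def describe_io_uring_policy(value):
    """Human-readable meaning of a kernel.io_uring_disabled value."""
    try:
        return IO_URING_POLICY[int(value)]
    except (TypeError, ValueError, KeyError):
        return "unknown value %r (sysctl absent before Linux 6.6)" % (value,)


def snapshot_from_proc(proc="/proc"):
    """Build the same snapshot from a live host. Reading another user's fd
    directory needs privilege; unreadable or vanished entries are skipped."""
    snapshot = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc, name)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(pid_dir, "fd")
            fds = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        snapshot[int(name)] = {"comm": comm, "fds": fds}
    return snapshot


def read_io_uring_policy(path="/proc/sys/kernel/io_uring_disabled"):
    """Return the sysctl value, or None when the kernel does not provide it."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


# Constructed snapshot: a database that legitimately uses io_uring and an
# unfamiliar binary holding two instances plus a network socket.
SAMPLE_SNAPSHOT = {
    1: {"comm": "systemd", "fds": ["/dev/null", "socket:[12345]"]},
    812: {"comm": "postgres", "fds": ["anon_inode:[io_uring]", "socket:[88]"]},
    4471: {"comm": "unknown-bin",
           "fds": ["anon_inode:[io_uring]", "anon_inode:[io_uring]", "socket:[9001]"]},
}
KNOWN_IO_URING_USERS = {"postgres"}   # site-specific baseline, constructed here

if __name__ == "__main__":
    snap = snapshot_from_proc() if os.path.isdir("/proc/1") else SAMPLE_SNAPSHOT
    for pid, comm, n in unexpected_io_uring_users(snap, KNOWN_IO_URING_USERS):
        print("pid %d (%s) holds %d io_uring instance(s)" % (pid, comm, n))
    policy = read_io_uring_policy()
    print("kernel.io_uring_disabled:", policy, "-", describe_io_uring_policy(policy))
```

    Two caveats apply. The fd inventory is a point-in-time view of /proc, so it establishes which workloads legitimately need io_uring and catches an unfamiliar user, but a rootkit that has already gained kernel privileges can hide from /proc; it complements, rather than replaces, telemetry taken from the io_uring operations themselves. And where no workload needs io_uring, setting the sysctl to 2 removes the interface entirely, which is the class of restriction the article credits Google with applying on its own platforms.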

    “System calls aren’t always guaranteed to be invoked,” said ARMO’s Head of Security Research Amit Schendel. “io_uring, which can bypass them entirely, is a great example. It represents a powerful tool for attackers and a blind spot for defenders.”





  • AI Drastically Accelerates Exploit Development for CVE-2025-32433

    Artificial intelligence is no longer a passive analytical tool—it has become an active threat amplifier. The case of CVE-2025-32433, a critical vulnerability in the Erlang SSH library, showcases how modern AI systems can drastically accelerate the timeline from vulnerability disclosure to working exploit. What once required days or weeks of reverse engineering and development can now be compressed into a matter of hours.


    A Single Evening to Full Exploitation

    This point was proven by Matthew Keeley, a security researcher at ProDefense, who challenged himself to see how far generative AI could go in converting a fresh CVE into a functional proof-of-concept exploit. Inspired by research from Horizon3.ai noting the exploitability of CVE-2025-32433, Keeley used GPT-4 and Claude Sonnet 3.7 to orchestrate the process.

    The initial task for GPT-4 was setting up a fuzzing environment—generating Docker containers, configuring a vulnerable Erlang SSH server, and creating basic testing scaffolding. This in itself was impressive: AI wasn’t just writing code—it was provisioning infrastructure for dynamic analysis. While fuzzing didn’t immediately yield an exploit, the foundation was laid.

    Once Keeley fed the model diff files from the patched version of the code, GPT-4 was able to compare the fixed and vulnerable implementations, identify the root cause, and generate a detailed explanation of the vulnerability: improper handling of unauthenticated SSH messages.

    From there, the model drafted a working PoC, and with additional refinement using Cursor (an AI-enhanced development environment powered by Claude Sonnet 3.7), Keeley had a successful exploit by the end of the night.


    Weaponization Is Now a Race Against the Clock

    The defensive window between CVE disclosure and public weaponization is collapsing. Security teams can no longer treat “patching within a few days” as acceptable. In many cases, attackers with access to the same models may already be building or sharing usable exploits on private channels.

    “What used to take skilled researchers a week now takes less than a day,” Keeley said. “With the right prompt engineering, you can move from a GitHub diff to a working exploit with AI writing 80% of the code.”

    This isn’t just theory. In 2024, the time from vulnerability disclosure to exploitation dropped significantly for critical flaws like CitrixBleed and regreSSHion. CVE-2025-32433 now joins the growing list of vulnerabilities where AI-assisted exploit development outpaces traditional defensive cycles.


    The Broader Trend: Volume and Velocity

    According to NIST data, CVE publication volume increased by 38% from 2023 to 2024. But the bigger issue is velocity—how quickly attackers can exploit new flaws. Adversaries are increasingly using shared tooling and automated development pipelines to mass-deploy new attacks. Keeley’s test shows that even well-documented but niche vulnerabilities can now be turned into reliable attack vectors within hours of public disclosure.

    This dynamic creates cascading risk across industries. A vulnerability discovered on Tuesday might be exploited globally by Wednesday. Patching cycles, software validation, and risk prioritization systems built around slower exploit timelines are quickly becoming obsolete.


    What Defenders Need to Do Now

    Organizations must assume that every publicly disclosed vulnerability is potentially already being exploited. That means moving from passive vulnerability monitoring to proactive, rapid patch deployment. Security teams need automation and orchestration tools capable of pushing fixes across environments within hours—not days.

    Equally important, vulnerability management strategies must evolve to include real-time telemetry, exploit prediction, and AI-driven prioritization. If adversaries are using AI to weaponize flaws, defenders must leverage AI for triage, threat modeling, and even anticipatory patching based on exploit likelihood.




  • Phishers Abuse Google DKIM Replay and Sites to Deliver Signed Credential-Stealing Emails

    A new phishing campaign is exploiting a loophole in Google’s email authentication system, allowing attackers to send DKIM-signed emails that appear to come from legitimate Google addresses. These messages pass all standard authentication checks—including SPF, DKIM, and DMARC—and are delivered to Gmail inboxes without warning, often grouped with real Google security alerts.

    The campaign was first flagged by Nick Johnson, lead developer of the Ethereum Name Service (ENS), who received one of these spoofed messages claiming that law enforcement had issued a subpoena for his Google account data.


    Google Sites Used to Host Phishing Pages

    The phishing message contains a link to a page hosted on sites.google.com, a legacy web hosting platform that still supports arbitrary script embeds. The linked page mimics Google’s support portal and includes options such as “upload documents” or “view case,” which redirect victims to a fraudulent Google login page designed to steal credentials.

    “Sites.google.com is a legacy platform that still allows user-generated content with embedded scripts,” Johnson explained. “That makes it an easy vector for hosting lookalike phishing pages on a trusted domain.”


    DKIM Replay Attack Enables Email Spoofing

    The core technique used in this campaign is a DKIM replay attack. The attackers first register a new domain and create a Google account in the form of me@domain.com. Then, they craft a Google OAuth application and assign the entire phishing message as its name.

    When that OAuth app is granted access to the email account, Google automatically sends a security alert to the inbox of me@domain.com. Since this alert is generated by Google, it carries a valid DKIM signature and passes all authentication checks.

    The attacker then forwards this message to their victims, using mail relays that preserve the DKIM headers—making the email appear legitimate even under scrutiny. Because Gmail treats me@ as shorthand for the recipient’s address, the phishing email appears even more convincing.


    Mail Routing Obscures Origin

    EasyDMARC and Johnson both confirmed that attackers use infrastructure like Jellyfish SMTP and Namecheap’s PrivateEmail service to relay the phishing messages while preserving their authentication headers. This allows attackers to mask the true origin and still pass security checks.

    “The success of the attack relies on the fact that Gmail prioritizes message headers and DKIM-signed content for trust—not the original envelope sender,” said EasyDMARC CEO Gerasim Hovhannisyan.


    Google Responds to the Abuse

    In a statement to The Hacker News, Google acknowledged the campaign and confirmed that it has rolled out fixes to block this avenue of abuse.

    “We’re aware of this class of targeted attack and have deployed protections to shut down this pathway,” a Google spokesperson said. “We encourage all users to enable two-factor authentication or passkeys to further secure their accounts.”

    Google also reiterated that it does not ask for account passwords or verification codes by email.


    Rise in SVG-Based Phishing Campaigns

    The DKIM replay scam arrives amid a broader rise in phishing attacks using SVG file attachments. These files contain embedded JavaScript that redirects users to spoofed login pages—commonly imitating Microsoft or Google services.

    Kaspersky reported that more than 4,100 phishing emails using malicious SVG attachments have been observed in 2025 alone, highlighting a growing trend in highly targeted phishing methods.




  • Netizen: Monday Security Brief (4/21/2024)

    Today’s Topics:

    • Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails
    • Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App
    • How can Netizen help?

    Phishers Exploit Google OAuth to Send DKIM-Valid Spoofed Emails

    Hackers have found a way to exploit Google’s OAuth infrastructure to send fake emails that pass DKIM authentication—making them appear legitimate even when they point to malicious phishing pages hosted on Google’s own services.

    The attack centers around what’s known as a DKIM replay, where a legitimate, signed email generated by Google is forwarded to a victim after being crafted to include deceptive content. Security researcher Nick Johnson, lead developer of Ethereum Name Service (ENS), detailed the scheme after receiving a suspicious Google security alert claiming his account data was requested by law enforcement. The message passed all authentication checks and was filed alongside real security notifications in his inbox.

    What made the email suspicious was its link to a “support portal” hosted on Google Sites—not the expected accounts.google.com domain. The page was an exact replica of Google’s login interface, built to harvest credentials. Its presence on a trusted Google domain made it harder for users to detect the fraud.

    The real trick was how the email passed DKIM verification. Johnson discovered that the attacker had created a Google account under the address me@[attacker-domain] and then built a deceptive OAuth app. The app’s name contained the entire phishing message, padded with whitespace to hide Google’s security alert about the app being granted inbox access. When the attacker authorized the app, Google automatically emailed a notification to their own inbox. That alert—signed with Google’s DKIM keys—was then forwarded to victims.

    Because DKIM only validates the message body and headers (not the SMTP envelope), the forged email appeared to come from no-reply@google.com and passed standard email security checks like SPF and DKIM. Johnson noted that Gmail’s UI showed the email as if it were sent to the victim directly, due to the clever use of the “me@” username format.

    Email security firm EasyDMARC later confirmed the technical details of the attack and labeled it a textbook example of how DKIM replay can be abused.

    This isn’t the first instance of the tactic. In March, BleepingComputer reported a similar scheme using PayPal’s infrastructure. In that case, the attacker abused the “gift address” field when linking an alternate email to a PayPal account. They inserted the phishing message into a second field, prompting PayPal to send a legitimate confirmation message that was then forwarded to a list of potential victims.

    Initially, Google claimed that the behavior was working as designed. However, after further review, the company acknowledged the abuse potential and has since begun working on mitigations to prevent this kind of OAuth-based spoofing from continuing.
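    The replay pattern described here and in the "Phishers Abuse Google DKIM Replay" article above, as an added receiver-side check (not code from Johnson, EasyDMARC or Google). DKIM covers the signed headers and body but not the SMTP envelope, so a forwarded Google alert still carries a valid google.com signature; what a replay changes is the path the message arrived by and the mailbox its To header names. The example uses Python's standard email parser on two constructed messages, treats the signature values as placeholders without cryptographic verification, and uses a simplified alignment rule (a subdomain counts as aligned, with no public-suffix list). Function names such as assess_replay are the example's own.

```python
# Added example: flag a DKIM-valid message that was likely replayed through
# an unrelated relay and addressed to someone other than the recipient.
import email
import email.policy
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain of an address like 'Name <user@host>', or ''."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def same_org(a, b):
    """Relaxed-style alignment: equal, or one is a subdomain of the other."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def dkim_tags(header):
    """Parse the 'k=v; k=v' tags of a DKIM-Signature header, dropping folding space."""
    tags = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def assess_replay(raw, delivered_to=None):
    """Return alignment facts and a replay verdict for one raw message.
    delivered_to is the envelope recipient (RCPT TO); it defaults to the
    Delivered-To header the receiving MTA added."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    from_dom = domain_of(msg.get("From"))
    dkim_dom = dkim_tags(msg.get("DKIM-Signature")).get("d", "").lower()
    env_dom = domain_of(msg.get("Return-Path"))
    rcpt = (delivered_to or msg.get("Delivered-To") or "").strip().lower()
    to_addr = parseaddr(msg.get("To") or "")[1].lower()
    facts = {
        "from_domain": from_dom,
        "dkim_domain": dkim_dom,
        "dkim_aligned": same_org(dkim_dom, from_dom),      # passes for a replayed alert
        "envelope_domain": env_dom,
        "envelope_aligned": same_org(env_dom, from_dom),   # fails when a relay injected it
        "to_header": to_addr,
        "to_matches_recipient": bool(rcpt) and to_addr == rcpt,  # fails for me@attacker-domain
    }
    # Replay signature: From-aligned DKIM passes, yet the message was handed
    # over by an unrelated sender domain and/or its To header names a mailbox
    # other than the one it was delivered to.
    facts["replay_suspected"] = facts["dkim_aligned"] and not (
        facts["envelope_aligned"] and facts["to_matches_recipient"]
    )
    return facts


# Constructed sample of the replayed alert: Google's signature survives, but
# the envelope sender is a third-party relay and To is the attacker's me@ mailbox.
REPLAYED = (
    "Return-Path: <bounce@relay-provider.example>\n"
    "Delivered-To: victim@example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n"
    "  s=constructed; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Google <no-reply@google.com>\n"
    "To: me@attacker-domain.example\n"
    "Subject: Security alert\n"
    "\n"
    "(constructed body standing in for the lure placed in the OAuth app name)\n"
)

# Constructed sample of a genuine alert delivered directly to its recipient.
GENUINE = (
    "Return-Path: <bounce-id@accounts-noreply.bounces.google.com>\n"
    "Delivered-To: victim@example.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;\n"
    "  s=constructed; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Google <no-reply@google.com>\n"
    "To: victim@example.com\n"
    "Subject: Security alert\n"
    "\n"
    "(constructed body)\n"
)

if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("genuine", GENUINE)):
        print(label, assess_replay(raw))
```

    The verdict is deliberately a heuristic: legitimate forwarding and mailing lists also break envelope alignment, so a gateway would use this as a scoring input alongside ARC results and the content checks the articles mention (a link to sites.google.com rather than accounts.google.com), not as a hard reject. The To-header comparison is the cheaper and more specific signal, because the replayed alert was generated for the attacker's own me@ mailbox and that header is under the signature, so it cannot be rewritten without invalidating DKIM.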


    Microsoft Entra Admins Hit by Widespread Lockouts Linked to New Credential Detection App

    A sudden wave of account lockouts across Microsoft Entra ID environments is being tied to the rollout of a new security feature called MACE Credential Revocation. Starting on the evening of April 18, Windows administrators began reporting mass lockouts affecting user accounts across numerous tenants, with no evidence of actual compromise.

    Microsoft Entra ID, formerly Azure Active Directory, serves as Microsoft’s cloud identity and access platform. It underpins user authentication and access control for millions of organizations. However, a recent behind-the-scenes update to its credential leak detection functionality appears to have caused serious disruptions for IT teams and managed service providers (MSPs) worldwide.

    According to a fast-growing Reddit thread, organizations received hundreds or even thousands of “leaked credentials” alerts from Microsoft Entra, locking out affected users automatically. The volume and timing of the notifications led many to suspect a misfire.

    “About 1/3 of our accounts got locked out about ~1 hour ago,” wrote one MSP admin. “We’re a MSP so I’m assuming this is happening to our clients as well.”

    Despite Microsoft’s systems flagging leaked credentials, administrators reported no corresponding signs of compromise—no suspicious login attempts, no credential reuse, and no matches in external breach notification tools like Have I Been Pwned. Many of the locked accounts were protected by multifactor authentication (MFA), adding to the suspicion that the alerts were false positives.

    One managed detection and response (MDR) provider said they received more than 20,000 leaked credential alerts from Microsoft overnight, all stemming from various customer tenants.

    Several admins who reached out to Microsoft were told the issue stemmed from the rollout of a new Microsoft Entra Enterprise Application: MACE Credential Revocation.

    “Just got off with [a Microsoft] engineer. It is Tenant Lockout due to this MACE ninja rollout they did. No signs of compromise,” wrote one affected user. “It was Error Code: 53003 for conditional access policy.”

    Multiple admins confirmed that the MACE Credential Revocation app appeared in their tenants shortly before the lockouts began. MACE is designed to detect leaked credentials—such as those discovered on the dark web—and enforce account protections automatically, including revocation of access and credential resets.

    The problem appears to lie not with the goal of MACE but in the accuracy of its detection logic during rollout. The error code admins saw, AADSTS53003, is the generic “access blocked by Conditional Access policy” result, which is consistent with existing risk-based Conditional Access policies (for example, “block when user risk is high”) firing on the new leaked-credential detections rather than with a separate lockout mechanism. The sudden spike in lockouts, with no corresponding threat telemetry, suggests a faulty integration or a misconfigured detection threshold.

    As of April 20, Microsoft has not issued an official statement about the incident. Administrators are urging caution and advising others to verify any credential alerts before assuming compromise, especially if the alerts arrived in bulk: check whether the risk detections share a single timestamp and source, and look for corroborating sign-in activity (unfamiliar locations, unexpected password changes, MFA prompts the user did not initiate) before treating a tenant-wide burst as a real breach.

    While security teams are generally advised to treat any leaked credential notification seriously, the volume and context of these alerts have led many to classify the event as a Microsoft-driven incident rather than a coordinated attack.

    Until Microsoft clarifies the situation, admins are left relying on peer reports and case-by-case escalations to Microsoft support.


    How Can Netizen Help?

    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


  • Understanding Software Keygens: A Comprehensive Guide

    Software keygens (key generators) are tools designed to generate valid license keys or serial numbers to unlock and register software, often for illegal use (piracy). Understanding how they work involves examining the underlying system used by legitimate software to create and validate these keys, as well as the methods keygens use to mimic or bypass this process. Let’s break this down question by question:


    How Does the Key System Work in Software?

    Software that uses product keys typically relies on a licensing scheme along these lines:

    1. Secret Key Generation:
      • Typically, the software developer holds a secret (a long, random string) that the whole scheme depends on.
      • To generate a key for each user, the generator combines the user’s details (name, email, or a machine identifier) with that secret and hashes the result, historically with an algorithm like SHA-1 or MD5, or more properly with an HMAC.
      • The digest is truncated and formatted as a grouped alphanumeric string (for example, four or five blocks of five characters) that serves as the product key.
    2. Validation:
      • When the user inputs their key, the software repeats the same computation (concatenating the user details and the secret, then hashing) and compares the result with the key entered. The comparison should be constant-time so the program does not leak how much of a guessed key was correct.
      • If they match, the software grants access; if not, it rejects the key.
      • The weak point of this design is structural: for the program to validate keys offline, the secret has to be inside the program. Whoever recovers it from the binary can generate keys exactly as the vendor does, and the choice of hash function (MD5, SHA-1, or SHA-256) makes no difference to that.

    Where Does the Key Generation and Validation Occur?

    Key generation and validation do not, as a rule, depend on any encrypted file on disk. The check happens either inside the program itself or against a central server:

    1. Local Validation:
      • The product key is validated by the software itself, using the same hash computation (and the same embedded secret) that produced the key. Nothing outside the program is consulted, which is convenient for the user and for the reverse engineer alike.
    2. Online Validation:
      • More advanced systems use online activation: the software sends the key (often with a machine fingerprint) to a remote server, which checks it against a database of issued keys and returns a verdict. A keygen alone cannot help here, because a key the vendor never issued is not in the database. The bypass shifts to the client instead: patching the program to accept any response, or standing up a fake server that always answers “valid”, which works unless the server’s responses are signed and the client verifies that signature.

    How Do Companies Encrypt Product Keys?

    To ensure the security of product keys, companies typically do the following:

    1. Encrypting Stored Keys:
      • If the software needs to store a user’s key locally (for example, after activation), it may encrypt it with a symmetric cipher such as AES (Advanced Encryption Standard) before writing it to disk or the registry. This stops a casual reader of the file system, but the program must hold the decryption key on the same machine, so it raises the cost of extraction rather than preventing it.
    2. Digital Signatures:
      • Some companies sign the key itself using asymmetric cryptography: the vendor signs the license data (licensee name, edition, expiry) with a private key that never leaves the vendor, and the software checks the signature with the public key embedded in the application. Because a public key cannot produce signatures, a keygen author cannot forge an accepted key even after fully reverse engineering the program; the remaining attack is to replace the embedded public key or disable the check, which is a binary patch (a crack) rather than a keygen.

    How Do Keygens Work?

    Keygens work by reverse engineering the key generation algorithm used by the software:

    1. Reverse Engineering:
      • The keygen’s creator analyzes the software to discover the underlying algorithm responsible for key validation. This is done by disassembling the binary or debugging the program and tracing the execution path from the “enter your key” dialog to the comparison that accepts or rejects it; any embedded secret is recovered along the way.
      • Once the author understands how the key is generated, the keygen replicates the computation and produces a valid key for any name.
    2. Brute Force or Pattern Recognition:
      • In some cases, keygens use brute-force methods or exploit patterns in the key format to generate valid keys instantly. These methods work well when the algorithm is weak or the set of accepted keys is large, for instance when validation only checks a short checksum over the key, so that a random candidate passes after a handful of tries.
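    The hash-based scheme described under “How Does the Key System Work in Software?” and the keygen that replicates it, as an added example in Go (this is not code from the original article). deriveKey is the vendor’s generator, validateKey the check the product performs at registration, and keygen what a cracker is left with once the secret has been read out of the binary. The secret, the licensee names, and the XXXXX-XXXXX-XXXXX-XXXXX format are made up for illustration; HMAC-SHA256 stands in for the SHA-1/MD5 hash the article mentions, and the weakness is identical either way.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// vendorSecret is a made-up value. In a locally validated scheme the secret has to
// ship inside the program, which is exactly why a keygen author can recover it.
const vendorSecret = "example-vendor-secret-never-ship-this"

// normalize makes the key independent of case and stray whitespace in the name.
func normalize(s string) string {
	return strings.ToUpper(strings.TrimSpace(s))
}

// deriveKey is the vendor's generator: HMAC-SHA256 over the normalized licensee
// name, keyed with the secret (the article describes a plain SHA-1/MD5 hash over
// name+secret; HMAC is the same idea done properly). The digest is truncated to
// 20 hex characters and grouped as XXXXX-XXXXX-XXXXX-XXXXX.
func deriveKey(name, secret string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(normalize(name)))
	digest := strings.ToUpper(hex.EncodeToString(mac.Sum(nil)))[:20]
	return strings.Join([]string{digest[0:5], digest[5:10], digest[10:15], digest[15:20]}, "-")
}

// validateKey is what the product does at registration: recompute and compare.
// The constant-time comparison avoids leaking how many characters matched.
func validateKey(name, key string) bool {
	expected := deriveKey(name, vendorSecret)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(normalize(key))) == 1
}

// keygen is the attacker's tool. Once the secret has been read out of the binary
// (string dump, or a breakpoint on the hash call), the keygen is simply the
// vendor's own deriveKey, so it answers instantly for any name.
func keygen(name, extractedSecret string) string {
	return deriveKey(name, extractedSecret)
}

func main() {
	issued := deriveKey("Alice Example", vendorSecret) // licensee name is made up
	fmt.Println("vendor-issued key:", issued, "accepted:", validateKey("Alice Example", issued))
	fmt.Println("same key, different name accepted:", validateKey("Bob Example", issued))

	extracted := vendorSecret // stands in for the value pulled out of the binary
	forged := keygen("Mallory", extracted)
	fmt.Println("keygen key for Mallory:", forged, "accepted:", validateKey("Mallory", forged))
}
```

    The point of the last three lines of main is the whole story of keygens: nothing in the program distinguishes the vendor’s generator from the attacker’s, so once the secret is out, every key the keygen emits is indistinguishable from a purchased one.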

    Why Do Keygens Generate Keys Instantly?

    The reason keygens can generate keys quickly, as opposed to password-cracking tools like Cain & Abel, is due to the differences in the approach and complexity:

    1. Brute Force vs. Algorithm Recreation:
      • Password-cracking tools often rely on brute force (trying every possible combination) or dictionary-based methods, which can take a long time, especially for complex passwords.
      • Keygens, however, directly recreate the key generation algorithm, meaning they don’t need to try all possibilities. Instead, they just use the algorithm to generate a valid key on the fly. This makes the process very quick.

    What Measures Can Companies Take to Prevent Keygen Use?

    While no method is entirely foolproof, companies can implement several measures to prevent the use of keygens:

    1. Online Activation:
      • Online activation raises the bar by requiring the software to contact a remote server for validation. It defeats keygens as such, but it is only as strong as the client’s handling of the server’s answer: sign the activation response and verify it in the client, or a patched binary will simply accept whatever comes back.
    2. Digital Signatures and Encryption:
      • Signing license keys with a private key held only by the vendor means a keygen cannot produce an accepted key, and a key whose contents are altered fails verification. Encrypting stored keys protects them at rest. Neither prevents the program itself from being patched, so the verification routine and the embedded public key need their own integrity protection (code signing, anti-tamper checks) to hold up.
    3. Frequent Updates:
      • Regular updates can disrupt keygens and cracks by changing the validation mechanism or key format so that previously generated keys and binary patches stop working.
    4. Hardware-based Licensing:
      • Some software companies tie the license to specific hardware, such as a dongle or a TPM-backed key, so that the license cannot simply be copied to another machine. This raises the effort considerably, though a determined attacker can still emulate the dongle or patch out the check.
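    The signature-based approach described under “How Do Companies Encrypt Product Keys?” and recommended in the list above, as an added example in Go (this is not code from the original article). The vendor issues licenses with an Ed25519 private key, the product verifies them with the public key compiled into it, and main walks through why a keygen fails, why altering a key fails, and why patching the embedded public key still works. Licensee and plan names, the “name|plan” payload, and the base64url key format are made up for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// License is the data the vendor vouches for. The key the user types is
// base64url(name|plan) + "." + base64url(Ed25519 signature over name|plan).
type License struct {
	Name string
	Plan string
}

func (l License) payload() []byte { return []byte(l.Name + "|" + l.Plan) }

// issue runs only at the vendor: the private key never ships with the product.
func issue(priv ed25519.PrivateKey, l License) (string, error) {
	if strings.ContainsAny(l.Name+l.Plan, "|.") {
		return "", errors.New("name and plan must not contain '|' or '.'")
	}
	msg := l.payload()
	sig := ed25519.Sign(priv, msg)
	return base64.RawURLEncoding.EncodeToString(msg) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// verify runs inside the product against the public key compiled into it. Without
// the private key nobody can produce a key that passes, so a keygen is useless;
// the cracker's remaining move is to patch this function or the embedded key.
func verify(pub ed25519.PublicKey, key string) (License, error) {
	parts := strings.SplitN(strings.TrimSpace(key), ".", 2)
	if len(parts) != 2 {
		return License{}, errors.New("malformed key")
	}
	msg, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return License{}, errors.New("malformed payload")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return License{}, errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return License{}, errors.New("signature does not verify")
	}
	fields := strings.SplitN(string(msg), "|", 2)
	if len(fields) != 2 {
		return License{}, errors.New("malformed payload")
	}
	return License{Name: fields[0], Plan: fields[1]}, nil
}

func main() {
	// Vendor key pair, generated here for the demo. In practice the public half is
	// embedded in the product and the private half stays on the licensing server.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	// A cracker's own key pair, standing in for "whatever the keygen has".
	crackerPub, crackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine, _ := issue(vendorPriv, License{"Alice Example", "pro"}) // made-up licensee
	_, err := verify(vendorPub, genuine)
	fmt.Println("genuine key accepted:", err == nil)

	// Keygen attempt: signed with the wrong private key, rejected by the real public key.
	forged, _ := issue(crackerPriv, License{"Mallory", "enterprise"})
	_, err = verify(vendorPub, forged)
	fmt.Println("keygen-signed key accepted:", err == nil)

	// Tampering attempt: upgrade the plan but keep Alice's signature.
	sigPart := strings.SplitN(genuine, ".", 2)[1]
	tampered := base64.RawURLEncoding.EncodeToString([]byte("Alice Example|enterprise")) + "." + sigPart
	_, err = verify(vendorPub, tampered)
	fmt.Println("tampered key accepted:", err == nil)

	// The crack: patch the embedded public key to the cracker's. Now the forged key
	// passes, which is why the verification code and key need integrity protection.
	_, err = verify(crackerPub, forged)
	fmt.Println("forged key accepted after public-key patch:", err == nil)
}
```

    The first three results (true, false, false) are what signatures buy you; the fourth (true) is what they do not. A 32-byte public key sitting in the binary is a single patchable constant, so in a shipped product the check belongs behind code signing, anti-tamper measures, or a server-side step the client cannot skip.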

    Conclusion

    In conclusion, while understanding how keygens function can be valuable for security professionals and developers, it’s important to note that we do not support or condone piracy in any form. Piracy undermines the hard work of software developers, violates intellectual property laws, and compromises the integrity of digital ecosystems. Companies invest significant resources into creating and securing their software, and respecting their licensing and activation systems is crucial for fostering a fair and sustainable tech environment. It is always best to support legitimate software purchases to ensure continued innovation and protection for all users.