Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • How AI “Poisoning” Tools Like Nightshade and Glaze Disrupt Large Language Model Training

    How AI “Poisoning” Tools Like Nightshade and Glaze Disrupt Large Language Model Training

    As generative AI tools continue to evolve, many artists are sounding the alarm over the use of their work without consent. Large-scale AI models, including those powering image generation tools like MidJourney, DALL·E, and Stable Diffusion, rely on extensive datasets scraped from the internet. These datasets often contain copyrighted images and artistic works, allowing AI to mimic unique artistic styles without compensating or crediting the original creators.

    In response, artists and researchers have begun developing defensive technologies to combat unauthorized AI training. Two of the most notable tools, Nightshade and Glaze, were created by a research team led by Shawn Shan at the University of Chicago. These tools act as countermeasures against data scraping, poisoning AI models and making it difficult for them to accurately interpret and reproduce stolen artistic styles.

    How AI Training Data Works

    AI image generators rely on massive datasets to learn and replicate patterns in visual art. These datasets, often scraped from public websites without explicit permission, form the foundation of AI-generated art.

    Here’s a simplified breakdown of how AI models process training data:

    1. Data Collection: AI companies gather millions of images from the internet, often without permission from the artists. These images are stored in large-scale datasets, such as LAION-5B, which has been linked to many generative AI models.
    2. Feature Extraction: The AI analyzes the collected images, breaking them down into recognizable features like shapes, colors, and textures.
    3. Style Learning: By processing numerous works from different artists, the AI begins to understand stylistic elements and how they are applied across various compositions.
    4. Image Generation: When a user inputs a prompt, the AI synthesizes a new image based on the patterns and styles it has learned from the training data.

    This process has raised major ethical concerns, as AI-generated images can closely resemble or directly imitate an artist’s unique style without their consent.

    How Glaze Protects Artists’ Work

    Glaze is designed as a protective tool that subtly alters an artist’s work in a way that confuses AI models while remaining visually unchanged to human viewers.

    The key mechanism behind Glaze is adversarial perturbation, a technique used in cybersecurity to fool machine learning models. In the context of AI art protection, Glaze applies these perturbations to an image before it is posted online. When a machine learning model attempts to analyze the image, it misinterprets the stylistic elements, making it difficult to accurately extract or replicate the original style.

    For example, if an artist primarily creates watercolor-style paintings, Glaze can apply minute changes to the image’s pixel structure that make an AI perceive it as an oil painting instead. This effectively disrupts the dataset’s ability to learn and mimic the artist’s unique approach.

    How Nightshade Poisons AI Models

    While Glaze focuses on preventing style mimicry, Nightshade takes a more aggressive stance by actively corrupting AI training data. Nightshade works by introducing adversarial attacks at the dataset level, injecting images that contain misleading visual cues designed to alter how AI models interpret specific objects.

    If an AI model is trained on Nightshade-modified images, it will begin to associate incorrect visual data with certain prompts. For instance:

    • A poisoned dataset might cause an AI to generate images of dogs when asked to create a cat.
    • Buildings in AI-generated images might appear distorted or incorrectly structured.
    • Facial features might become scrambled, degrading the model’s ability to generate realistic human portraits.

    By introducing these errors, Nightshade disrupts AI models trained on unauthorized datasets, making them unreliable for future use. This is similar to cyberattacks that target machine learning algorithms with adversarial inputs to cause misclassification.

    Cybersecurity Implications of AI Poisoning

    The development of tools like Nightshade highlights growing concerns about data security and the ethical use of AI training data. AI poisoning techniques are not new—cybersecurity professionals have studied adversarial machine learning for years, particularly in areas like facial recognition and fraud detection.

    However, in the case of generative AI, adversarial attacks are being used as a form of digital rights enforcement. By corrupting datasets, Nightshade forces AI companies to reconsider their reliance on unauthorized web scraping. It also raises the possibility of broader applications in cybersecurity, such as protecting sensitive images from being misused in deepfake technology or preventing AI-driven surveillance from extracting accurate biometric data.

    The Ethical Debate and Industry Response

    The rise of AI poisoning as a defensive tactic has sparked debate within the tech community. Supporters argue that tools like Nightshade and Glaze are necessary to protect artists’ rights and challenge unethical AI training practices. Critics, however, warn that adversarial attacks on AI models could set a precedent for broader sabotage efforts, potentially leading to unintended consequences in fields that rely on machine learning for critical applications.

    AI companies are also taking steps to address concerns over data usage. Some organizations have introduced opt-out mechanisms for artists who do not want their work included in training datasets. Others are exploring compensation models that would allow artists to receive royalties when their work is used for AI training.

    Despite these developments, many artists remain skeptical of AI companies’ commitments to ethical data usage. The continued development of adversarial tools suggests that the battle over AI-generated art is far from over.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Why SIEMaaS is Essential for Modern Cybersecurity

    Why SIEMaaS is Essential for Modern Cybersecurity

    Security Information and Event Management (SIEM) has become an essential component of modern cybersecurity strategies, helping organizations detect, analyze, and respond to security incidents in real time. SIEM as a Service (SIEMaaS) is a cloud-based or managed alternative to traditional SIEM deployments, offering centralized security monitoring without the burden of maintaining complex infrastructure in-house.

    This approach enables organizations to strengthen their security posture while reducing operational costs and resource constraints. With cyber threats becoming more sophisticated, SIEMaaS provides a scalable and efficient way to stay ahead of potential attacks.

    How SIEM as a Service Works

    SIEMaaS functions as an outsourced security solution where an external provider manages and monitors security events across an organization’s IT infrastructure. It works by collecting logs from various sources—such as firewalls, servers, applications, and endpoints—and applying advanced analytics, correlation rules, and threat intelligence to detect anomalies and malicious activity.

    Key processes within SIEMaaS include:

    • Log Collection and Aggregation: Security logs from multiple devices are gathered in a centralized location, ensuring a comprehensive view of network activity.
    • Threat Detection and Correlation: The SIEM platform analyzes security events, applying correlation rules and behavioral analytics to identify potential threats.
    • Incident Investigation and Response: Security analysts assess detected threats, validate alerts, and take appropriate action to mitigate risks.
    • Compliance Management: SIEM solutions assist organizations in meeting regulatory requirements by generating audit-ready reports and ensuring proper log retention.
    • Continuous Monitoring and Reporting: 24/7 security monitoring ensures that potential threats are detected and addressed in real time.

    By leveraging SIEMaaS, organizations can improve their ability to detect and respond to threats while avoiding the challenges associated with managing a SIEM solution internally.

    Key Features of Managed SIEM

    A fully managed SIEM solution includes several advanced capabilities that enhance an organization’s security posture. Some of the most important features include:

    Centralized Log Management

    SIEMaaS collects security logs from various sources, including servers, cloud services, and endpoints, to provide a unified view of security events. This helps detect threats more effectively and ensures compliance with industry regulations.

    Real-Time Threat Detection

    By leveraging machine learning and rule-based correlation, SIEM solutions can identify patterns indicative of cyberattacks. This includes detecting insider threats, compromised credentials, and abnormal network behavior.

    Incident Response and Forensics

    When an incident occurs, security teams can quickly investigate logs, trace the attack’s origin, and determine its impact. Many SIEM solutions integrate with security orchestration and automation tools to enable rapid response.

    Compliance Support

    SIEM platforms help businesses comply with regulatory standards such as HIPAA, PCI DSS, ISO 27001, NIST 800-171, and CMMC by enforcing security controls and maintaining detailed logs for audits.

    Threat Intelligence Integration

    Advanced SIEM solutions integrate with threat intelligence feeds to detect indicators of compromise (IOCs) and proactively defend against emerging cyber threats.

    24/7 Security Monitoring

    Managed SIEM services provide continuous monitoring by experienced security analysts who assess alerts, filter out false positives, and escalate real threats.

    Benefits of SIEM as a Service

    Organizations that adopt SIEMaaS gain several advantages compared to traditional, on-premise SIEM solutions. Some of the most significant benefits include:

    Reduced Operational Complexity

    Deploying and managing an in-house SIEM requires skilled personnel, constant tuning, and ongoing maintenance. SIEMaaS eliminates these challenges by offloading management to an experienced provider.

    Faster Threat Detection and Response

    With real-time analysis and automated correlation, SIEMaaS enables organizations to identify and respond to threats before they escalate into serious security incidents.

    Cost Savings

    Maintaining an in-house Security Operations Center (SOC) can be expensive. SIEMaaS provides enterprise-grade security monitoring at a fraction of the cost, eliminating the need for a dedicated SOC team.

    Scalability and Flexibility

    SIEMaaS solutions are highly scalable, allowing businesses to expand their security operations without the need for additional infrastructure. This makes it an ideal choice for growing organizations.

    Improved Compliance Posture

    With built-in compliance reporting and log retention, organizations can ensure they meet industry regulations and quickly provide auditors with the necessary documentation.

    Choosing the Right SIEM as a Service Provider

    Selecting a SIEMaaS provider requires careful consideration of several factors to ensure it meets an organization’s specific security and compliance needs. Here are the most important aspects to evaluate:

    Experience and Expertise

    A reputable SIEMaaS provider should have a proven track record in managing SIEM solutions for businesses in various industries. Their team should include experienced security analysts and incident responders who understand the latest cyber threats.

    Threat Intelligence and Detection Capabilities

    Look for a provider that integrates real-time threat intelligence to enhance detection capabilities. This ensures your SIEM solution remains effective against new and evolving cyber threats.

    Customization and Integration

    Different organizations have unique security requirements. The SIEMaaS provider should offer customizable rules, dashboards, and reporting while integrating seamlessly with existing security tools like firewalls, endpoint detection and response (EDR), and cloud security platforms.

    Compliance Support

    Ensure the provider is experienced in handling industry-specific compliance requirements and can generate automated reports for HIPAA, PCI DSS, ISO 27001, and CMMC compliance audits.

    Automated Incident Response

    Some SIEMaaS providers integrate with Security Orchestration, Automation, and Response (SOAR) tools to provide automated incident response, reducing the need for manual intervention.

    Why SIEMaaS Is the Future of Cybersecurity

    With the growing complexity of cyber threats, SIEM as a Service offers an efficient way for organizations to enhance their security posture without overwhelming their IT teams. The combination of real-time monitoring, threat intelligence, and compliance automation makes it a valuable investment for businesses looking to stay ahead of cyber risks.

    As cyber threats evolve, businesses must prioritize security visibility and rapid response. A well-managed SIEM solution not only helps detect and respond to threats but also ensures regulatory compliance and improved cybersecurity resilience.

    For organizations that lack the internal resources to manage a SIEM platform, SIEMaaS provides an affordable, scalable, and highly effective alternative.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Microsoft March 2025 Patch Tuesday Fixes 7 Zero-Days, 57 Flaws

    Microsoft March 2025 Patch Tuesday Fixes 7 Zero-Days, 57 Flaws

    Microsoft’s March 2025 Patch Tuesday includes security updates for a total of 57 vulnerabilities, with a focus on six actively exploited zero-day vulnerabilities. This month’s updates also address three critical remote code execution (RCE) vulnerabilities, alongside a range of other flaws across various Microsoft products.

    Breakdown of Vulnerabilities

    The updates cover the following vulnerability categories:

    • 23 Elevation of Privilege Vulnerabilities
    • 3 Security Feature Bypass Vulnerabilities
    • 23 Remote Code Execution Vulnerabilities
    • 4 Information Disclosure Vulnerabilities
    • 1 Denial of Service Vulnerability
    • 3 Spoofing Vulnerabilities

    Note that the numbers above do not include vulnerabilities related to Mariner flaws or 10 Microsoft Edge vulnerabilities, which were fixed earlier in the month.

    To learn more about the non-security updates, including the Windows 11 KB5053598 & KB5053602 cumulative updates, visit the detailed articles released today.

    Six Actively Exploited Zero-Days

    This Patch Tuesday addresses six actively exploited zero-days and one publicly disclosed flaw, totaling seven zero-days for the month of March. These zero-days are vulnerabilities that have been actively targeted or publicly exposed without a fix at the time of disclosure.

    A few of these zero-days are related to Windows NTFS bugs that involve the mounting of VHD (Virtual Hard Disk) drives. Below are the details of the actively exploited zero-days:

    CVE-2025-24983Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability

    • Impact: This flaw allows local attackers to gain SYSTEM privileges on the affected device by exploiting a race condition.
    • Exploitation: Microsoft has not yet shared specifics on how the vulnerability was exploited. Filip Jurčacko from ESET discovered the flaw. More details are expected in the future.

    CVE-2025-24984Windows NTFS Information Disclosure Vulnerability

    • Impact: Attackers with physical access to the device can exploit this flaw by inserting a malicious USB drive, which enables the attacker to read portions of heap memory, potentially stealing sensitive information.
    • Exploitation: This vulnerability was disclosed anonymously.

    CVE-2025-24985Windows Fast FAT File System Driver Remote Code Execution Vulnerability

    • Impact: This RCE vulnerability, caused by an integer overflow or wraparound, allows attackers to execute arbitrary code when a specially crafted VHD is mounted on the system.
    • Exploitation: Malicious VHD files have been distributed in phishing attacks and on pirated software sites. This flaw was also disclosed anonymously.

    CVE-2025-24991Windows NTFS Information Disclosure Vulnerability

    • Impact: Similar to CVE-2025-24984, this vulnerability allows attackers to read portions of heap memory and steal sensitive information by exploiting the mounting of a malicious VHD.
    • Exploitation: This vulnerability was disclosed anonymously.

    CVE-2025-24993Windows NTFS Remote Code Execution Vulnerability

    • Impact: This RCE vulnerability, caused by a heap-based buffer overflow, allows attackers to execute arbitrary code when mounting a malicious VHD.
    • Exploitation: This flaw was also disclosed anonymously.

    CVE-2025-26633Microsoft Management Console Security Feature Bypass Vulnerability

    • Impact: This flaw could allow malicious .msc files to bypass Windows security features and execute code. Attackers would need to convince the user to open a specially crafted file, such as through phishing emails or malicious links.
    • Exploitation: Discovered by Aliakbar Zahravi from Trend Micro, this vulnerability is significant but depends on user interaction.

    Publicly Disclosed Zero-Day

    CVE-2025-26630Microsoft Access Remote Code Execution Vulnerability

    • Impact: This RCE vulnerability in Microsoft Access is caused by a use-after-free memory bug. Attackers can exploit this flaw by tricking users into opening a specially crafted Access file, typically through phishing or social engineering tactics.
    • Exploitation: This flaw cannot be exploited via the preview pane, and Microsoft has not revealed the source of disclosure.

    Recommendations for Users and Administrators

    It is strongly recommended that users and administrators apply the March 2025 Patch Tuesday updates immediately to mitigate the risk of exploitation, especially regarding the actively exploited zero-day vulnerabilities. Prioritizing the critical vulnerabilities, particularly those related to remote code execution and elevation of privilege, will help secure systems from immediate threats.

    For more information, users can consult Microsoft’s security release documentation or reach out to their IT security teams for assistance with applying the patches.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Dark Storm Claims Responsibility for Massive DDoS Against X

    Dark Storm Claims Responsibility for Massive DDoS Against X

    Elon Musk’s X platform, formerly known as Twitter, recently suffered multiple outages on March 10, which Musk attributed to a “massive cyberattack” potentially orchestrated by a “large, coordinated group and/or a nation-state.” Now, the pro-Palestinian hacktivist group Dark Storm has claimed responsibility for the attack.

    Latest Developments in the X Cyberattack

    The outages began on March 10, disrupting services and causing widespread user complaints about connection issues and unresponsiveness. Elon Musk initially speculated that the attack was highly coordinated, possibly involving a state-sponsored actor. However, Dark Storm has since publicly taken credit for the distributed denial-of-service (DDoS) attack, which overwhelmed X’s servers by flooding them with an immense volume of traffic.

    Dark Storm is known for its politically motivated cyber campaigns, often targeting organizations and platforms perceived to oppose Palestinian interests. By targeting X, Dark Storm aimed to disrupt communication channels and draw attention to its cause.

    What is a DDoS Attack?

    A distributed denial-of-service (DDoS) attack involves overwhelming a target’s servers or network infrastructure with excessive traffic, rendering services slow or entirely inaccessible. In the case of X, Dark Storm likely used a large botnet—an army of compromised devices—to generate massive amounts of traffic directed at X’s servers. This type of attack can cripple online platforms, disrupt user access, and damage a company’s reputation.

    DDoS attacks can take several forms, including:

    • Volumetric attacks – Overloading the target’s bandwidth with high volumes of traffic.
    • Protocol attacks – Exploiting weaknesses in network protocols to exhaust server resources.
    • Application layer attacks – Targeting specific services or applications to disrupt user functionality.

    In this instance, the scale and complexity of the attack suggest that Dark Storm deployed a combination of these techniques, making it difficult for X’s security team to mitigate the impact in real time.

    Potential Motivations and Implications

    Dark Storm’s claim of responsibility points to geopolitical motivations. The group has a history of targeting entities perceived to be aligned with Israeli or Western interests. The attack on X may have been intended to disrupt global communication or retaliate against perceived political actions.

    From a security standpoint, the attack raises serious questions about X’s cyber defenses. While Musk has claimed that X’s infrastructure is designed to handle high traffic volumes, the success of Dark Storm’s attack indicates that vulnerabilities remain. Strengthening DDoS mitigation strategies, such as deploying more robust traffic filtering and enhancing server redundancy, will be essential to preventing future disruptions.

    Moreover, the incident highlights the growing trend of hacktivism as a form of cyber warfare. State-sponsored and politically motivated attacks are becoming more frequent, with online platforms and social media networks increasingly targeted due to their influence on public discourse and political narratives.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (3/10/2024)

    Netizen: Monday Security Brief (3/10/2024)

    Today’s Topics:

    • Hidden Commands in ESP32 Bluetooth Chip Could Enable Attacks on a Billion Devices
    • US Cities Warn of Surge in Parking Ticket Phishing Scams
    • How can Netizen help?

    Hidden Commands in ESP32 Bluetooth Chip Could Enable Attacks on a Billion Devices

    Security researchers have discovered undocumented commands in the ESP32 microchip, a widely used WiFi and Bluetooth-enabled microcontroller manufactured by Espressif. With over a billion devices using ESP32 chips as of 2023, the presence of these hidden commands raises serious security concerns. Potentially exploitable for spoofing trusted devices, unauthorized data access, and persistence on compromised networks, these vulnerabilities could have far-reaching implications for IoT security.

    Spanish cybersecurity researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security unveiled their findings at RootedCON in Madrid. Their research suggests that these undocumented ESP32 commands could enable attackers to impersonate trusted devices and establish long-term persistence on targeted systems.

    “Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices,” Tarlogic shared in a statement.

    The ability to exploit these hidden commands may allow threat actors to bypass authentication mechanisms and compromise sensitive devices, including smartphones, computers, smart locks, and even medical equipment.

    The discovery of these undocumented commands presents multiple security threats:

    • Device Impersonation: Attackers could use the hidden commands to spoof legitimate devices, tricking networks and users into accepting them as trusted connections.
    • Unauthorized Data Access: Exploiting these commands may grant hackers access to sensitive data, potentially leading to data breaches or further compromises.
    • Pivoting to Other Devices: Once an attacker gains access to a compromised ESP32-based device, they could move laterally across a network, targeting additional connected systems.
    • Long-Term Persistence: The ability to exploit these commands could allow attackers to establish persistent access to compromised devices, making detection and remediation significantly more difficult.

    Following the public disclosure of these undocumented ESP32 commands, Espressif and the broader security community have been prompted to investigate the issue further. While Espressif has yet to provide an official statement regarding the potential risks, researchers and security professionals are urging IoT device manufacturers to assess their reliance on ESP32-based components and implement mitigations where possible.

    The discovery also underscores the importance of transparency in hardware security. Undocumented or unintended functionalities within widely used chips can introduce severe vulnerabilities, particularly in IoT environments where security controls are often weak.

    Organizations and individuals using ESP32-based devices should take the following steps to mitigate potential risks:

    • Firmware Updates: Monitor Espressif’s official channels for firmware patches that address security concerns.
    • Network Segmentation: Isolate IoT devices on separate network segments to prevent unauthorized access to sensitive systems.
    • Device Auditing: Regularly inspect and monitor IoT devices for unusual activity that may indicate unauthorized access.
    • Authentication Enhancements: Strengthen authentication mechanisms to prevent unauthorized devices from gaining network access.

    US Cities Warn of Surge in Parking Ticket Phishing Scams

    A widespread phishing campaign is targeting residents across multiple U.S. cities, tricking victims into paying fraudulent parking fines. These scam text messages claim to be from municipal parking violation departments, warning recipients of unpaid invoices and threatening additional daily fines. Authorities in cities such as New York, Boston, Detroit, and San Francisco have issued public warnings about this ongoing scam, urging residents to stay vigilant.

    The phishing texts use fear and urgency to pressure victims into immediate action. A typical message states that the recipient has an outstanding parking violation and will be charged a $35 daily late fee if the fine is not paid immediately. The text includes a malicious link, directing victims to a fake payment portal designed to steal credit card details and personal information.

    BleepingComputer received one such text targeting New York residents, which read:

    “This is a final reminder from the City of New York regarding the unpaid parking invoice. A $35 daily overdue fee will be charged if payment is not made today.”

    This same fraudulent template has been seen across multiple cities, using localized branding to make the scam appear legitimate.

    Since the scam gained traction in December, numerous cities have reported an increase in phishing attempts. Warnings have been issued in:

    • Annapolis
    • Boston
    • Denver
    • Detroit
    • Houston
    • Milwaukee
    • Salt Lake City
    • Charlotte
    • San Diego
    • San Francisco

    Local governments have advised residents not to click on suspicious links and to verify any outstanding parking violations directly through official city websites.

    This phishing scam is part of a larger trend of social engineering attacks that exploit urgency and fear to trick individuals into disclosing sensitive information. If victims enter their payment details into the fraudulent site, attackers can steal their credit card information, personal data, and even use it for identity theft.

    To avoid falling for these scams:

    1. Verify Directly with the City – Always check parking violations on official government websites rather than clicking on links in unsolicited messages.
    2. Look for Red Flags – Phishing messages often have generic greetings, grammatical errors, or unfamiliar links.
    3. Use Multi-Factor Authentication (MFA) – If your financial accounts support MFA, enable it to prevent unauthorized access.
    4. Report Suspicious Messages – If you receive a phishing text, report it to your city’s parking authority and your mobile carrier.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Broadcom Patches Three Actively Exploited VMware Zero-Days

    Broadcom Patches Three Actively Exploited VMware Zero-Days

    Broadcom has issued critical security patches addressing three zero-day vulnerabilities in VMware products that have been actively exploited in real-world attacks. Reported by the Microsoft Threat Intelligence Center, these vulnerabilities impact a wide range of VMware solutions, including ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. If successfully exploited, attackers with administrative privileges on a virtual machine (VM) can escape the VM sandbox and execute code on the hypervisor, leading to potential system-wide compromise.

    Given the widespread use of VMware products in enterprise, cloud, and telecommunications environments, organizations must apply these patches immediately to mitigate security risks.

    Breakdown of the VMware Zero-Day Vulnerabilities

    The three vulnerabilities, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, present serious risks by allowing privilege escalation, arbitrary code execution, and hypervisor compromise.

    • CVE-2025-22224 (Critical – VCMI Heap Overflow)
      A heap overflow vulnerability in the VMware Content Management Interface (VCMI) allows local attackers with administrative privileges on a VM to execute arbitrary code as the VMX process on the host. This could enable attackers to move laterally within the virtualized environment and escalate their privileges.
    • CVE-2025-22225 (High – ESXi Arbitrary Write)
      This vulnerability affects VMware ESXi and enables attackers to perform arbitrary memory writes. Exploiting this flaw could allow an attacker to modify system data, bypass security restrictions, or execute malicious code with elevated privileges.
    • CVE-2025-22226 (High – Workstation and Fusion Privilege Escalation)
      This vulnerability impacts VMware Workstation and Fusion, allowing an attacker with local admin privileges inside a VM to escape the virtualized environment and execute commands on the host system.

    Exploitation and Security Implications

    According to Broadcom, there is evidence that these vulnerabilities have been actively exploited in the wild. Attackers who have already compromised a VM’s guest OS and gained administrator or root access can use these flaws to break out of the VM sandbox and compromise the hypervisor itself.

    Such an exploit can have severe consequences in enterprise and cloud environments, where a single compromised hypervisor can give attackers access to multiple virtual machines running on the same infrastructure. This can lead to data breaches, ransomware deployment, or disruption of critical business operations.

    Broadcom’s Response and Patch Availability

    Broadcom has released patches for affected VMware products and strongly urges customers to apply these updates immediately. The company has also committed to reviewing its internal security testing processes to prevent similar vulnerabilities in the future.

    VMware customers can find the necessary patches and remediation steps in Broadcom’s official security advisory. Organizations that cannot immediately patch should consider implementing temporary mitigations, such as restricting administrative access, monitoring for unusual VM activity, and segmenting virtualized workloads to limit lateral movement.

    Protecting Your VMware Environment

    To minimize exposure to future VMware vulnerabilities, security teams should follow best practices for securing virtualized environments:

    • Apply security patches as soon as they become available to prevent attackers from exploiting known vulnerabilities.
    • Limit administrative access to virtualized infrastructure and enforce the principle of least privilege.
    • Monitor hypervisor activity for signs of anomalous behavior, such as unexpected VM reconfigurations or unauthorized access attempts.
    • Implement network segmentation to restrict lateral movement between virtualized environments and isolate critical workloads.
    • Regularly conduct vulnerability assessments and penetration testing to identify and remediate security gaps in the infrastructure.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • What is Code Access Security (CAS)?

    What is Code Access Security (CAS)?

    Code Access Security (CAS) is a critical security framework in the .NET environment that regulates code execution based on defined permissions. Originally introduced to enhance application security, CAS helps protect systems from unauthorized access, malware, and security threats by enforcing strict code execution policies. While CAS has been deprecated in newer .NET versions, understanding its core principles remains crucial for security professionals and developers working with legacy applications.

    Understanding Code Access Security (CAS)

    Code Access Security (CAS) is a mechanism in the .NET Framework designed to restrict what code can do based on its source and assigned permissions. CAS prevents untrusted code from performing potentially harmful operations, such as accessing files, modifying the registry, or communicating over the network. By enforcing security policies at runtime, CAS helps mitigate security vulnerabilities and reduces the attack surface of applications.

    How Code Access Security (CAS) Works

    CAS operates by assigning permissions to code based on evidence such as the code’s origin, publisher, or digital signature. These permissions determine what actions the code can perform within the system, ensuring that only trusted code executes privileged operations. The CAS model consists of the following key components:

    • Evidence-Based Security: CAS evaluates code based on evidence (e.g., strong names, URL, digital signatures) to determine its trust level.
    • Permissions and Policy Levels: CAS enforces security policies that define the level of trust and permissions granted to code.
    • Security Stack Walk: Before executing, CAS verifies whether the calling code has the necessary permissions to perform an action.

    Configuring Code Access Security (CAS)

    For CAS to function effectively, it must be properly configured. The steps involved in enabling CAS include:

    1. Signing the .NET Assembly: The publisher must sign the .NET assembly using a strong name key file (SNK file) or a strong name.
    2. Adding to the Global Assembly Cache (GAC): The signed assembly must be stored in the Global Assembly Cache to be recognized as trusted code.
    3. Defining Security Policies: Administrators can establish security policies that determine the level of trust assigned to different code sources.

    Benefits of Code Access Security (CAS)

    • Prevents Unauthorized Code Execution: Ensures that only trusted code can perform privileged operations.
    • Reduces Attack Surface: Limits what untrusted code can access, minimizing security risks.
    • Enhances Application Security: Provides an additional layer of protection against malicious attacks.

    Conclusion

    Code Access Security (CAS) played a significant role in securing .NET applications by restricting code execution based on defined policies. Although CAS is no longer actively used in modern .NET versions, its principles continue to influence modern security frameworks. Understanding CAS is essential for security professionals and developers managing legacy applications to maintain robust security standards.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (3/3/2024)

    Netizen: Monday Security Brief (3/3/2024)

    Today’s Topics:

    • Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme
    • Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations
    • How can Netizen help?

    Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme

    Microsoft has identified and exposed a cybercrime network responsible for illicitly accessing and manipulating Azure OpenAI services to generate harmful content. The operation, dubbed LLMjacking, involves cybercriminals who hijacked API keys and exploited stolen credentials to bypass AI safety mechanisms, ultimately selling unauthorized access to malicious actors.

    Microsoft has been tracking this cybercrime operation under the name Storm-2139, revealing that the group accessed AI services through compromised credentials scraped from public sources. The actors modified the capabilities of Microsoft’s Azure OpenAI services and resold access, providing customers with tools and instructions to generate illicit content, including non-consensual intimate images and other harmful synthetic media.

    This discovery comes as part of an ongoing legal battle against AI abuse, with Microsoft securing a court order to take down aitism[.]net, a website central to the group’s operations. The company is pursuing legal action against multiple individuals involved in the scheme.

    Microsoft named four individuals linked to Storm-2139, spanning multiple countries:

    • Arian Yadegarnia (“Fiz”) – Iran
    • Alan Krysiak (“Drago”) – United Kingdom
    • Ricky Yuen (“cg-dot”) – Hong Kong, China
    • Phát Phùng Tấn (“Asakuri”) – Vietnam

    Additionally, Microsoft has identified two individuals based in the U.S., withholding their identities due to ongoing criminal investigations. The network consists of creators who develop AI abuse tools, providers who distribute and modify them, and end users who exploit AI for malicious purposes.

    Several other unnamed individuals across the U.S., Europe, Russia, Turkey, and Latin America have also been linked to the operation.

    Microsoft’s Digital Crimes Unit (DCU) continues to collaborate with law enforcement and regulatory bodies to combat AI abuse. The exposure of Storm-2139 serves as a warning to cybercriminals attempting to weaponize AI for illegal purposes.

    As AI technology evolves, organizations must prioritize security measures to prevent unauthorized access, ensure compliance with usage policies, and mitigate the risks associated with AI-driven cybercrime.

    Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations

    A hacker infiltrates a remote network on a laptop

    A Chinese state-sponsored hacking group has been exploiting a vulnerability in Check Point’s security gateways to breach operational technology (OT) organizations worldwide. The cyber espionage campaign, attributed with low confidence to APT41 (also known as Winnti), has primarily targeted supply chain manufacturers in the aerospace and aviation sectors.

    The attackers leveraged CVE-2024-24919, a high-severity path traversal vulnerability in Check Point security gateways. This flaw, disclosed and patched in May 2024, allows unauthenticated attackers to access restricted files and extract password hashes. Once decrypted, these credentials enable full control over affected systems, allowing the threat actors to move laterally across networks and escalate privileges.

    Check Point researchers observed that the hackers installed the modular ShadowPad backdoor after gaining access. While there was no evidence of disruptive activity, the primary goal appears to be exfiltrating intellectual property from high-value OT organizations.

    The campaign has impacted dozens of organizations across the U.S., Latin America, Europe, the Middle East, and Africa. Notably, 20% of identified victims were based in Mexico. Many of the targeted companies supply critical aerospace and aviation manufacturers, making them attractive targets for espionage.

    However, the attackers did not limit themselves to a single industry. Utilities, finance companies in Africa, and smaller OT organizations were also compromised. Some of these may have been secondary targets, exploited as stepping stones to gain access to more valuable networks.

    While large manufacturers are often assumed to be primary targets, Check Point researchers found that many victims were small businesses with limited cybersecurity resources. These companies often lack dedicated security personnel and may rely on a single IT employee to handle security, infrastructure, and other responsibilities.

    As a result, many small OT organizations fail to apply patches promptly, making them easy targets for advanced persistent threats (APTs). The attackers capitalize on these weaknesses, gaining footholds in supply chains that connect to larger, more secure entities.

    The breach highlights the urgent need for better cybersecurity measures within OT environments, particularly among smaller manufacturers. Organizations using Check Point security gateways should ensure they have applied the latest patches and monitor for indicators of compromise (IoCs).

    Additionally, OT organizations must adopt proactive security practices, including network segmentation, regular vulnerability assessments, and endpoint detection and response (EDR) solutions to detect and prevent lateral movement within compromised networks.

    As advanced threat actors continue to exploit known vulnerabilities, organizations—large and small—must prioritize security hygiene to mitigate the risk of cyber espionage.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: February 2025 Vulnerability Review

    Netizen: February 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from February that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2025-21391

    CVE-2025-21391 is a high-severity elevation of privilege vulnerability affecting Windows Storage. This flaw was disclosed as part of Microsoft’s February 2025 Patch Tuesday update, which addressed 55 CVEs, including three critical vulnerabilities and four zero-days—two of which were actively exploited in the wild. Attackers who successfully exploit this vulnerability could gain elevated privileges, potentially allowing them to execute arbitrary code with higher system access.

    Given its high risk, organizations should prioritize patching affected Windows systems to prevent potential exploitation. Unpatched systems could be leveraged by attackers to escalate privileges, bypass security measures, and gain deeper access to networks. Security teams should review Microsoft’s official guidance and deploy the necessary updates immediately to mitigate any threats associated with this vulnerability.

    CVE-2025-21418

    CVE-2025-21418 is a high-severity elevation of privilege vulnerability affecting the Windows Ancillary Function Driver for WinSock. CVE-2025-21418 has a CVSS v3 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that it is a local privilege escalation (LPE) vulnerability with a high impact on confidentiality, integrity, and availability.

    Exploiting this vulnerability could allow an attacker to escalate privileges on a compromised system, potentially leading to unauthorized access or system control. This makes it a significant concern for organizations, particularly those running unpatched Windows systems.

    Security teams should prioritize applying the relevant security patches provided by Microsoft to mitigate the risk. Organizations are also advised to review Microsoft’s official security guidance and consider implementing additional endpoint protection measures to detect and prevent privilege escalation attempts.

    CVE-2025-21376

    CVE-2025-21376 is a high-severity vulnerability in Windows’ Lightweight Directory Access Protocol (LDAP) service, which could allow remote code execution. The vulnerability is rated with a CVSS v3 base score of 8.1, indicating its high impact on affected systems.

    An attacker exploiting this vulnerability could remotely execute arbitrary code on a vulnerable system, potentially leading to a compromise. This would require no user interaction, making it particularly dangerous in environments where systems are exposed to untrusted networks. Given the severity of the issue, organizations are urged to apply the necessary patches promptly to mitigate the risk.

    Microsoft’s advisory provides further technical details on how to address the issue, and the vulnerability has been added to the CISA’s Known Exploited Vulnerabilities Catalog. Security teams should prioritize patching vulnerable LDAP services and consider implementing additional security measures to detect and block exploitation attempts.

    CVE-2025-21377

    CVE-2025-21377 is a medium-severity vulnerability in Windows that involves NTLM hash disclosure through spoofing. This issue, which was addressed in Microsoft’s February 2025 Patch Tuesday update, can potentially allow attackers to retrieve NTLM hashes under specific conditions. However, the attack requires user interaction, making it less critical compared to vulnerabilities that do not need user involvement.

    The vulnerability has a CVSS v3 base score of 6.5, which indicates that while the risk is notable, it is not as high as other severe vulnerabilities. The CVSS v2 base score is higher at 7.8, reflecting the potential impact on systems, though the requirement for user interaction reduces the overall exploitability of the flaw.

    The flaw could allow an attacker to spoof certain network traffic and extract NTLM hashes, which could then be used in offline attacks to compromise the system. While the severity is considered medium, organizations should still apply the necessary patches to prevent possible exploitation, especially if they have a large number of users with access to sensitive systems or credentials.

    CVE-2025-21381

    CVE-2025-21381 is a high-severity vulnerability in Microsoft Excel that could lead to remote code execution (RCE). This issue, disclosed as part of Microsoft’s February 2025 Patch Tuesday, arises from a flaw in Excel’s handling of files. If exploited, an attacker could craft a specially designed Excel file that, when opened by the user, could allow the attacker to execute arbitrary code on the victim’s machine.

    The vulnerability has a CVSS v3 base score of 7.8, indicating a high level of risk, with the potential for significant damage if successfully exploited. The attack requires user interaction, as the victim must open the malicious file, but once opened, the attacker could gain the same privileges as the user running the application, potentially compromising sensitive data and system integrity. The CVSS v2 score is 7.2, suggesting a medium-high risk but less severe than the v3 score.

    Given the ease of exploitation through social engineering (such as convincing the victim to open a malicious Excel document), it is important for organizations to deploy patches as soon as possible to mitigate the risk associated with this vulnerability.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen Cybersecurity Bulletin (February 27th, 2025)

    Netizen Cybersecurity Bulletin (February 27th, 2025)

    Overview:

    • Phish Tale of the Week
    • Bybit Suffers $1.5 Billion Cryptocurrency Heist, Linked to North Korean Lazarus Group
    • DISA Data Breach Exposes Personal Information of 3.3 Million Individuals
    • How can Netizen help?

    Phish Tale of the Week

    Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, asking us if we’re looking for a remote job, and that it’s imperative that we click the link below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently inquire anywhere about any remote work; Real companies looking to recruit qualified employees would not reach out to numbers in this way. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
    2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “potential role opportunity” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
    3. The final warning sign for this email is the wording; in our case the smisher misspelled the word “opportunity.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Bybit Suffers $1.5 Billion Cryptocurrency Heist, Linked to North Korean Lazarus Group

    Bybit, a major cryptocurrency exchange, has fallen victim to what is being described as the largest cryptocurrency heist in history, with hackers stealing approximately 400,000 Ethereum (ETH and stETH), valued at nearly $1.5 billion. Security experts have linked the attack to North Korea’s notorious Lazarus Group, a state-sponsored cybercrime syndicate known for targeting financial institutions and cryptocurrency platforms.

    The attack, which came to light over the weekend, exploited a vulnerability during the transfer of ETH from Bybit’s cold wallet to a warm wallet. The hackers manipulated the user interface, making it appear as though the transaction was legitimate while secretly altering the smart contract logic. This allowed them to take control of the cold wallet and reroute assets to addresses they controlled.

    Cybersecurity firm Check Point suggests that the attackers likely identified and compromised multisig signers—individuals responsible for approving transactions—by deploying malware, phishing, or a supply chain attack to gain unauthorized access.

    Bybit has been actively working to recover the stolen assets, with nearly $43 million already retrieved thanks to various cryptocurrency services freezing flagged funds. The company has launched a “recovery bug bounty program,” offering rewards of up to 10% of the recovered funds to those who assist in the retrieval process. Bybit has reassured users that all assets remain backed and that the company remains financially stable, even if the full amount is not recovered.

    Blockchain security analysts, including ZachXBT, were among the first to identify links between the Bybit hack and the Lazarus Group. Investigators from TRM Labs confirmed this assessment “with high confidence,” citing strong overlaps between the wallets used in this attack and those involved in previous North Korean crypto heists.

    Elliptic, another leading blockchain intelligence firm, also attributed the attack to Lazarus based on the laundering techniques used by the hackers. Within two hours of the breach, the stolen Ethereum was split into 50 different wallets and gradually emptied through centralized and decentralized exchanges, as well as cross-chain bridges. The attackers have been steadily converting the stolen ETH into Bitcoin, a tactic previously observed in Lazarus-linked operations.

    The Bybit heist is the latest in a series of large-scale cryptocurrency thefts attributed to North Korea. In 2024, the FBI officially accused North Korean hackers of stealing $308 million from Bitcoin.DMM.com, while the infamous $600 million Ronin bridge hack was also linked to Lazarus.

    Recent estimates from the US, Japan, and South Korea indicate that North Korean hackers stole approximately $660 million in cryptocurrency in 2024 alone, further cementing the regime’s reliance on cybercrime to fund its illicit activities.

    To read more about this article, click here.

    DISA Data Breach Exposes Personal Information of 3.3 Million Individuals

    DISA Global Solutions, a Texas-based provider of background screening and drug testing services, has disclosed a major data breach affecting over 3.3 million individuals. The breach, which occurred in early 2024, exposed sensitive personal information, including Social Security numbers, driver’s license details, and financial account data.

    According to DISA, the intrusion was detected on April 22, 2024, but forensic investigations determined that hackers had gained access to a portion of its network as early as February 9, 2024. The company has since undertaken a comprehensive review of the stolen files to identify affected individuals and assess the scope of the breach.

    A public notice posted on DISA’s website confirms that impacted individuals will receive notifications and be offered one year of free credit monitoring and identity restoration services. However, DISA has not observed any confirmed misuse of the stolen data at this time.

    While the exact nature of the cyberattack remains unclear, no known ransomware group has claimed responsibility for the incident. DISA, which serves more than 55,000 businesses and conducts millions of screenings annually, has not disclosed whether the breach was the result of a ransomware attack or another form of cyber intrusion.

    DISA has assured stakeholders that it is working to strengthen its security posture to prevent future incidents.

    To read more about this article, click here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.