Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Google Issues Emergency Patch for Chrome Zero-Day Flaw CVE-2025-2783

    Google Issues Emergency Patch for Chrome Zero-Day Flaw CVE-2025-2783

    Google has released an emergency security patch for a zero-day vulnerability in its Chrome browser after researchers at Kaspersky uncovered its use in a sophisticated cyberespionage campaign. The flaw, tracked as CVE-2025-2783, was exploited alongside a second remote code execution (RCE) exploit in attacks targeting organizations in Russia.

    Discovery and Exploit Chain

    Kaspersky researchers first identified the exploit in mid-March when investigating a series of infections linked to phishing emails. The campaign, dubbed Operation ForumTroll, targeted Russian media outlets, educational institutions, and government agencies. Victims received highly personalized phishing emails containing short-lived malicious links.

    Once a target clicked on the link using Chrome, the browser automatically executed the exploit, bypassing Chrome’s sandbox security protections. This allowed attackers to escape the browser’s restricted environment and potentially execute additional malicious code on the system.

    Google’s Response

    Kaspersky’s security tools detected the exploit in action, leading the team to reverse-engineer the attack. They promptly reported the issue to Google, which coordinated the release of a security patch late Tuesday. The update addresses the vulnerability, effectively neutralizing the attack chain.

    While Kaspersky identified the initial sandbox escape exploit, they were unable to capture the second-stage RCE payload. However, patching CVE-2025-2783 significantly disrupts the attackers’ ability to carry out further compromises.

    A State-Sponsored Attack?

    Kaspersky researchers believe the attack demonstrates a high level of sophistication, suggesting it was likely carried out by a nation-state-backed Advanced Persistent Threat (APT) group.

    “This particular exploit left us scratching our heads,” Kaspersky stated. “Without doing anything obviously malicious or forbidden, it allowed attackers to bypass Chrome’s sandbox as if it didn’t even exist.”

    Researchers attributed the flaw to a logical error in the interaction between Chrome’s sandbox and the Windows operating system, which attackers exploited to escape containment.

    What SOC Teams Need to Know

    Security Operations Center (SOC) teams should prioritize immediate deployment of Google’s latest Chrome update to mitigate CVE-2025-2783. Since this exploit was part of a targeted cyberespionage campaign, SOC teams should closely monitor traffic for any signs of attempted exploitation, particularly unusual outbound connections from Chrome processes or execution of unexpected system commands following browser activity.

    Key actions include:

    • Hunting for indicators of compromise (IOCs) by reviewing logs for any signs of execution from suspicious links related to Operation ForumTroll.
    • Enhancing phishing defenses by reinforcing email filtering and conducting phishing awareness training.
    • Implementing behavior-based detection with endpoint detection and response (EDR) rules to flag unexpected Chrome child processes, which could indicate sandbox escape attempts.
    • Ensuring all managed systems are updated to the latest Chrome version as soon as possible.

    SOC analysts should also stay vigilant for additional exploits linked to this campaign, as APT actors may shift tactics now that this vulnerability has been patched.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (3/31/2024)

    Today’s Topics:

    • Critical Vulnerability in Firefox Mirrors Chrome’s Exploited Zero-Day
    • Critical Vulnerability in Kubio AI Page Builder Puts WordPress Sites at Risk
    • How can Netizen help?

    Critical Vulnerability in Firefox Mirrors Chrome’s Exploited Zero-Day

    Mozilla has released security updates for its Firefox browser on Windows to patch a critical vulnerability, CVE-2025-2857. This flaw, which could allow attackers to escape the browser’s sandbox, was discovered shortly after Google addressed a similar vulnerability (CVE-2025-2783) in Chrome that had been actively exploited as a zero-day.

    Mozilla described the issue as an “incorrect handle” in the browser’s inter-process communication (IPC) code, which could enable a compromised child process to gain higher privileges by manipulating the parent process. This would allow attackers to bypass Firefox’s security sandbox, potentially leading to system compromise.

    The vulnerability affects both Firefox and Firefox Extended Support Release (ESR) versions. Mozilla has addressed the issue in:

    • Firefox 136.0.4
    • Firefox ESR 115.21.1
    • Firefox ESR 128.8.1

    The Tor Project has also released a security update for Tor Browser (version 14.0.8) to mitigate the same flaw for Windows users.

    The disclosure comes in the wake of Google’s recent fix for CVE-2025-2783 in Chrome, which was actively exploited in targeted attacks against media outlets, educational institutions, and government organizations in Russia.

    Kaspersky, which discovered the attacks in mid-March 2025, reported that victims were infected after clicking on a malicious link in phishing emails. Attackers used a specially crafted exploit chain that leveraged an unknown second vulnerability in Chrome to achieve remote code execution.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-2783 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary patches by April 17, 2025.

    Security Operations Center (SOC) teams should treat CVE-2025-2857 as a high-priority risk and take the following steps to ensure protection:

    • Update Browsers Immediately: Ensure all instances of Firefox, Firefox ESR, and Tor Browser are updated to the latest patched versions.
    • Monitor for Exploitation Attempts: Track any unusual activity related to browser processes, particularly unexpected privilege escalations.
    • Review Enterprise Browsing Policies: Enforce browser security settings, such as disabling unnecessary browser extensions and restricting execution of untrusted scripts.
    • Educate Users on Phishing Risks: Given the similarities to Chrome’s zero-day exploit, emphasize awareness training on phishing emails and suspicious links.

    While there is no evidence that CVE-2025-2857 has been exploited in the wild, its similarity to a recent active zero-day in Chrome makes it a significant security concern. Organizations should patch immediately to prevent potential future attacks.

    Critical Vulnerability in Kubio AI Page Builder Puts WordPress Sites at Risk

    A severe security vulnerability has been discovered in the Kubio AI Page Builder plugin for WordPress, exposing over 90,000 websites to potential attacks. Tracked as CVE-2025-2294, this flaw allows unauthenticated attackers to exploit a Local File Inclusion (LFI) vulnerability, which can lead to unauthorized file access and code execution.

    Kubio is a widely used WordPress website builder that enhances the block editor with additional features and styling options. Its ease of use and powerful customization capabilities have made it popular among website owners who want to build sites without coding knowledge.

    Security researcher mikemyers identified the vulnerability in the kubio_hybrid_theme_load_template function. This function fails to properly validate file paths, allowing attackers to include arbitrary files from the server. This oversight opens the door for several dangerous exploits, including:

    • Bypassing access controls: Attackers can access restricted files and directories.
    • Stealing sensitive data: Private server information and user data can be exposed.
    • Achieving code execution: If attackers can upload malicious files (such as disguised images), they can execute arbitrary PHP code, leading to full site compromise.

    The vulnerability has been given a critical CVSS score of 9.8, reflecting its potential for widespread exploitation. It affects all versions up to and including 2.5.1.

    The issue has been patched in version 2.5.2 of the Kubio AI Page Builder plugin. All users are strongly urged to update immediately to prevent exploitation.

    Security teams monitoring WordPress environments should take the following actions:

    • Ensure Immediate Patch Deployment: Verify that all instances of Kubio AI Page Builder have been updated to version 2.5.2 or later.
    • Monitor for Suspicious File Access: Look for unexpected file inclusion attempts, especially those referencing sensitive directories such as /etc/passwd or wp-config.php.
    • Restrict File Upload Permissions: Limit which files can be uploaded and execute server-side validation to prevent unauthorized PHP execution.
    • Conduct Regular Security Audits: Scan WordPress installations for outdated plugins and potential misconfigurations that could be exploited.

    With a vulnerability of this magnitude, unpatched sites could become easy targets for attackers looking to compromise WordPress websites. Updating immediately and monitoring for potential exploitation attempts should be a top priority.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: March 2025 Vulnerability Review

    Netizen: March 2025 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from March that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2025-26633

    CVE-2025-26633 is a high-severity vulnerability affecting the Microsoft Management Console (MMC). It arises from improper neutralization, allowing an unauthorized attacker to bypass a security feature when exploiting the flaw locally.

    This vulnerability was included in Microsoft’s March 2025 Patch Tuesday, which addressed 56 CVEs. Notably, it was actively exploited in the wild before a patch was released. Reports indicate that the Russian ransomware group EncryptHub leveraged this zero-day in targeted attacks, potentially as early as 2023.

    Security researchers have linked the exploitation of CVE-2025-26633 to advanced persistent threat (APT) groups, with campaigns designed to escalate privileges and facilitate ransomware deployment. Given its active exploitation, organizations are strongly urged to apply Microsoft’s security update immediately. Additionally, endpoint monitoring, behavior-based threat detection, and access control reviews can help mitigate risks associated with privilege escalation vulnerabilities.

    CVE-2025-24983

    CVE-2025-24983 is a high-severity use-after-free vulnerability in the Windows Win32 Kernel Subsystem that allows an authorized attacker to elevate privileges locally. This flaw was part of Microsoft’s March 2025 Patch Tuesday, which addressed 56 CVEs, including seven zero-day vulnerabilities, with six actively exploited in the wild before patches were available.

    Security researchers discovered that this vulnerability had been exploited for nearly two years, dating back to 2023. Reports link its abuse to the EncryptHub ransomware group, which has been observed using zero-days in targeted attacks to escalate privileges and gain deeper access into compromised systems.

    Due to its active exploitation, organizations should immediately apply Microsoft’s security patch to mitigate risks. Additional security measures, such as restricting administrative access, enabling advanced threat detection, and monitoring for abnormal process activity, can help prevent potential exploitation of privilege escalation vulnerabilities like CVE-2025-24983.

    CVE-2025-24985

    CVE-2025-24985 is a high-severity vulnerability in the Windows Fast FAT Driver, classified as an integer overflow or wraparound issue. This flaw enables an unauthorized attacker to execute code locally, potentially leading to escalation of privileges or system compromise.

    This vulnerability was part of Microsoft’s March 2025 Patch Tuesday, which addressed 56 CVEs, including seven zero-day flaws, with six already exploited in the wild before patches were released. The vulnerability has been flagged by CISA and security researchers due to its potential use in real-world attacks, particularly by threat actors targeting Windows systems.

    Given its severity and the history of zero-day exploitation, organizations should immediately apply the Microsoft security patch to prevent possible exploitation. Additional steps, such as restricting local execution permissions, monitoring file system activity, and deploying endpoint detection tools, can further reduce the risk posed by this vulnerability.

    CVE-2025-24472

    CVE-2025-24472 is a critical authentication bypass vulnerability affecting FortiOS and FortiProxy. The flaw exists in FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.2.0 through 7.2.12, as well as 7.0.0 through 7.0.19, potentially allowing a remote attacker to gain super-admin privileges by exploiting crafted CSF proxy requests.

    This vulnerability has drawn significant attention from security researchers and government agencies, including CISA, due to its potential use in ransomware attacks and other high-profile cyber intrusions. Given its severity and the likelihood of active exploitation, security teams should immediately update to patched versions provided by Fortinet.

    Additional mitigation measures include restricting access to administrative interfaces from untrusted networks, monitoring logs for unauthorized authentication attempts, implementing multi-factor authentication wherever possible, and deploying intrusion detection and prevention systems to detect anomalous activity. Organizations using affected versions should prioritize remediation efforts to prevent potential compromise.

    CVE-2025-30154

    CVE-2025-30154 is a high-severity vulnerability involving a supply chain compromise in the GitHub action reviewdog/action-setup. On March 11, 2025, between 18:42 and 20:31 UTC, malicious code was injected into reviewdog/action-setup@v1, causing it to dump exposed secrets into GitHub Actions Workflow Logs. This compromise also affected other reviewdog actions that rely on reviewdog/action-setup@v1, including reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos, regardless of their specific version or pinning method.

    This incident highlights the risks associated with supply chain attacks in continuous integration and deployment (CI/CD) workflows. Developers and organizations using affected reviewdog actions should immediately verify their workflows for potential exposure, rotate any credentials or secrets that may have been leaked, and update to secure versions.

    Additional security measures, such as enforcing the use of dependency pinning, scanning for malicious code in third-party actions, and monitoring repository activity for unauthorized changes, can help mitigate future risks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen Cybersecurity Bulletin (March 27th, 2025)

    Netizen Cybersecurity Bulletin (March 27th, 2025)

    Overview:

    • Phish Tale of the Week
    • Alleged Oracle Cloud Breach Sparks Controversy
    • Windows Zero-Day Exposes NTLM Credentials—Unofficial Patch Now Available
    • How can Netizen help?

    Phish Tale of the Week

    Often times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are appearing as an unnamed company. They’re sending us a text message, telling us that a new device was added to our Coinbase account, and that it’s imperative that we contact the number below. It seems both urgent and genuine, so why shouldn’t we? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to fall for this phish:

    1. The first warning sign for this SMS is the context in which it was sent. When I recieved this SMS, I immediately knew not to click on the link due to the fact that I did not recently add any device to my Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
    2. The second warning signs in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “if this was not you, contact us.” Phishing and smishing scams commonly attempt to create a sense of urgency/confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
    3. The final warning sign for this email is the wording; in our case the smisher uses the incomplete sentence “Verification code to add a new device is 156232.” All of these factors point to the above being a smishing text, and a very unsophisticated one at that.


    General Recommendations:

    phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Alleged Oracle Cloud Breach Sparks Controversy

    Despite Oracle’s denial of a breach in its Oracle Cloud federated SSO login servers, multiple companies have confirmed that data samples shared by the threat actor are valid. The claim, initially made by a threat actor known as ‘rose87168,’ alleges the theft of authentication data and encrypted passwords belonging to 6 million users.

    Last week, ‘rose87168’ claimed to have infiltrated Oracle Cloud servers and began selling what they claimed to be authentication data, including SSO and LDAP passwords. The attacker further asserted that the stolen credentials could be decrypted with the information contained in the stolen files. As proof, they offered to share portions of the data with anyone who could assist in recovering the passwords.

    The threat actor also released multiple text files, including what appeared to be a database, LDAP data, and a list of 140,621 domains linked to various companies and government agencies. However, some of the domains appear to be test accounts, and multiple domains are associated with single companies, raising questions about the full extent of the breach.

    Alongside the leaked data, ‘rose87168’ provided an Archive.org link containing a text file allegedly tied to Oracle’s systems. BleepingComputer analyzed these files and reached out to impacted organizations, some of whom confirmed that the data matches real customer or employee information.

    Despite these confirmations, Oracle has maintained that no breach has occurred. The company has yet to publicly address whether an internal investigation is underway or provide further clarification regarding the authenticity of the leaked records.

    Security Operations Center (SOC) teams should remain vigilant and take proactive measures in light of this potential breach. Organizations using Oracle Cloud services should:

    • Conduct an immediate review of access logs for any suspicious authentication attempts.
    • Enforce password resets for all users, particularly those with SSO and LDAP access.
    • Strengthen authentication mechanisms by implementing multi-factor authentication (MFA).
    • Monitor threat intelligence sources for further updates on the breach and associated risks.

    Until Oracle provides more transparency, SOC teams must assume a heightened security posture to mitigate potential exploitation of compromised credentials.

    To read more about this article, click here.

    Windows Zero-Day Exposes NTLM Credentials—Unofficial Patch Now Available

    A newly discovered Windows zero-day vulnerability allows remote attackers to steal NTLM credentials by simply tricking victims into viewing malicious files in Windows Explorer. This vulnerability, which has not yet been assigned a CVE-ID, affects all Windows versions from Windows 7 to the latest Windows 11 release, as well as Server 2008 R2 through Server 2025.

    NTLM authentication has long been a target for attackers due to its susceptibility to relay and pass-the-hash attacks. In these scenarios, threat actors force network devices to authenticate to attacker-controlled servers or use stolen NTLM hashes to impersonate users and gain unauthorized access to systems. Once inside, attackers can move laterally within a network, exfiltrate sensitive data, and escalate privileges.

    ACROS Security researchers uncovered this new SCF File NTLM hash disclosure flaw while working on fixes for a separate NTLM vulnerability. The exploit requires minimal user interaction—simply previewing a malicious file in Windows Explorer can trigger the attack, leaking NTLM hashes to a remote adversary.

    While Microsoft has yet to release an official fix, ACROS Security has developed a free, unofficial micropatch through its 0patch platform. The micropatch prevents the flaw from being exploited, offering an immediate safeguard for users and organizations concerned about NTLM hash theft.

    Microsoft has acknowledged the risks associated with NTLM authentication and has previously announced plans to phase it out in future Windows 11 versions. However, with NTLM still widely used in corporate environments, this new vulnerability underscores the urgent need for organizations to transition to more secure authentication methods, such as Kerberos or modern multifactor authentication solutions.

    SOC teams should immediately assess their exposure to this vulnerability and consider deploying the 0patch micropatch as a temporary mitigation. Additionally, organizations should enforce NTLM relay attack mitigations, monitor network traffic for suspicious authentication attempts, and prioritize upgrading authentication protocols to reduce reliance on NTLM.

    To read more about this article, click here.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Critical VMware Tools Vulnerability CVE-2025-22230: What You Need to Know

    Critical VMware Tools Vulnerability CVE-2025-22230: What You Need to Know

    Broadcom has released security updates to address a high-severity authentication bypass vulnerability in VMware Tools for Windows. The flaw, tracked as CVE-2025-22230, arises from an improper access control weakness and was reported by Sergey Bliznyuk of Positive Technologies, a Russian cybersecurity firm previously sanctioned for allegedly trafficking hacking tools.

    Exploitation Risk and Impact

    The vulnerability allows local attackers with low privileges to escalate their access and perform high-privilege operations within a Windows guest VM. Since the exploit requires no user interaction and has low attack complexity, it poses a serious risk for organizations relying on VMware-based virtualization. If exploited, an attacker with a foothold inside a virtualized environment could gain elevated privileges, potentially leading to data theft, system manipulation, or lateral movement within the network.

    VMware’s security advisory warns:
    “A malicious actor with non-administrative privileges on a Windows guest VM may gain the ability to perform certain high-privilege operations within that VM.”

    Broader VMware Security Concerns

    This latest vulnerability follows Broadcom’s recent patching of three VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), highlighting an ongoing trend of targeted attacks against VMware environments. Given VMware’s widespread use in enterprise and government IT infrastructure, attackers are actively exploiting security gaps in virtualization tools to gain privileged access and establish persistence.

    What SOC Teams Need to Know

    Security Operations Center (SOC) teams should take immediate action to mitigate the risk posed by CVE-2025-22230 and other recently patched VMware vulnerabilities. Key steps include:

    • Prioritize patching: Apply Broadcom’s security updates for VMware Tools on all affected Windows guest VMs as soon as possible.
    • Monitor privileged access: Implement enhanced logging and monitoring for unusual privilege escalations and administrative operations within virtualized environments.
    • Restrict local user privileges: Limit non-administrative access within guest VMs to reduce the attack surface for privilege escalation attempts.
    • Harden VMware configurations: Disable unnecessary services and enforce strict access controls to minimize the risk of exploitation.
    • Threat hunting: Look for indicators of compromise (IoCs) related to unauthorized privilege escalation or suspicious lateral movement within VMware-based environments.

    With VMware environments increasingly targeted by attackers, SOC teams must proactively assess their virtualization security posture to prevent unauthorized access and privilege escalation risks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Critical Ingress NGINX Controller Vulnerability Enables Unauthenticated Remote Code Execution

    Critical Ingress NGINX Controller Vulnerability Enables Unauthenticated Remote Code Execution

    A set of five critical security vulnerabilities in the Ingress NGINX Controller for Kubernetes has been disclosed, potentially allowing unauthenticated remote code execution (RCE). Security researchers warn that over 6,500 Kubernetes clusters are at immediate risk if their Ingress NGINX Controller is exposed to the public internet.

    Vulnerability Details and Severity

    The vulnerabilities—CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974—have been collectively named IngressNightmare by cloud security firm Wiz. Each has been assigned a CVSS score of 9.8, making them among the most severe Kubernetes-related security flaws in recent history.

    It is important to note that these vulnerabilities do not impact the NGINX Ingress Controller, a separate implementation used for NGINX and NGINX Plus. However, organizations using the Ingress NGINX Controller should immediately assess their exposure and take remedial action.

    How Attackers Can Exploit These Vulnerabilities

    The core issue lies within the admission controller component of the Ingress NGINX Controller. Exploiting these flaws enables attackers to gain unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster. This could allow threat actors to escalate privileges, exfiltrate sensitive data, or completely take over an affected Kubernetes environment.

    What SOC Teams Need to Know

    Security operations center (SOC) teams must act swiftly to mitigate potential threats stemming from IngressNightmare. Immediate steps include identifying affected instances, ensuring that the Ingress NGINX Controller is not exposed to the public internet, and applying any available security patches. Continuous monitoring for suspicious activity, particularly unauthorized access attempts and privilege escalation behaviors, should be prioritized.

    Organizations relying on Kubernetes should also conduct a thorough audit of role-based access control (RBAC) configurations and implement strict security policies to minimize the risk of lateral movement in case of a breach.

    Recommended Mitigation Steps

    1. Check for exposure – Ensure that the Ingress NGINX Controller is not accessible from the public internet.
    2. Apply patches – Monitor vendor advisories and apply security updates as soon as they become available.
    3. Review access policies – Limit permissions to prevent unauthorized access to sensitive cluster resources.
    4. Enable logging and monitoring – Implement robust logging and threat detection mechanisms to identify potential exploitation attempts.
    5. Conduct security audits – Regularly review Kubernetes security configurations to identify and remediate misconfigurations.

    Organizations that fail to address these vulnerabilities risk severe security breaches, including data theft and full cluster compromise. Immediate action is necessary to protect Kubernetes environments from exploitation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (3/24/2024)

    Netizen: Monday Security Brief (3/24/2024)

    Today’s Topics:

    • Coinbase Targeted in GitHub Actions Supply Chain Attack, 218 Repositories Exposed
    • FBI Issues Warning on Malicious Online File Converters
    • How can Netizen help?

    Coinbase Targeted in GitHub Actions Supply Chain Attack, 218 Repositories Exposed

    A sophisticated supply chain attack exploiting the GitHub Action “tj-actions/changed-files” was initially directed at one of Coinbase’s open-source projects before rapidly expanding to impact a broader range of repositories. Security researchers at Palo Alto Networks Unit 42 revealed that the attack aimed to exploit the public CI/CD flow of Coinbase’s agentkit project, likely as a stepping stone for further compromises. However, the attackers were unsuccessful in accessing Coinbase’s secrets or publishing malicious packages under its name.

    The attack was discovered on March 14, 2025, when researchers identified that the compromised GitHub Action had been altered to inject malicious code capable of exfiltrating sensitive secrets from repositories utilizing the workflow. The vulnerability has been designated CVE-2025-30066, carrying a CVSS score of 8.6, indicating a high-severity risk.

    According to security firm Endor Labs, approximately 218 GitHub repositories inadvertently leaked sensitive information due to this compromise. The stolen credentials include DockerHub, npm, and other package management tokens, potentially exposing organizations to further supply chain attacks.

    While Coinbase itself avoided direct exposure of its sensitive assets, the breach demonstrates how open-source repositories and CI/CD pipelines remain attractive attack surfaces for threat actors.

    Organizations relying on GitHub Actions should immediately audit their workflows, rotate exposed credentials, and implement stricter security controls to mitigate future risks.

    FBI Issues Warning on Malicious Online File Converters

    The FBI Denver Field Office has issued a warning about a growing cyber threat involving fake online document converters. Cybercriminals are exploiting these tools to steal personal information and, in some cases, deploy ransomware on victims’ devices.

    The warning follows an increase in reports of malware infections linked to fraudulent file conversion services. These seemingly legitimate websites offer free document conversion, file merging, and download tools, but instead, they serve as a front for malicious activity.

    According to the FBI, cybercriminals operate fraudulent file converter websites that claim to convert files between formats—such as .doc to .pdf—or merge multiple files into a single document. However, when users upload files, these sites either inject malware into the downloaded document or prompt victims to install malicious software under the guise of a converter tool.

    The malware can be used for a range of attacks, including data theft, keylogging, spyware deployment, and ransomware infections. The FBI urges victims of these scams to report any suspicious file converter services and to remain cautious when downloading files from unverified sources.

    How to Protect Yourself

    • Avoid using free, unverified file converters found through search engines.
    • Download software only from trusted sources such as official vendor websites.
    • Use antivirus software and endpoint protection to detect and block malware.
    • Regularly update your operating system and security patches to reduce vulnerabilities.

    The FBI’s warning underscores the importance of cyber hygiene in preventing malware infections. Users should remain skeptical of too-good-to-be-true free online tools and always verify the legitimacy of the websites they use.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • New Windows Zero-Day Exploited by State-Backed Hackers for Over Seven Years—Microsoft Declines to Patch

    New Windows Zero-Day Exploited by State-Backed Hackers for Over Seven Years—Microsoft Declines to Patch

    At least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China have been actively exploiting a critical Windows zero-day vulnerability since 2017. The flaw has been used in sophisticated data theft and cyber espionage campaigns, enabling attackers to gain unauthorized access to sensitive information and compromise systems worldwide. Despite the severity of the vulnerability and the scale of its exploitation, Microsoft has declined to issue a patch, claiming that the flaw “does not meet the bar for servicing.”

    Technical Details of the Vulnerability

    The vulnerability, tracked internally by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, was first identified by security researchers Peter Girnus and Aliakbar Zahravi. The flaw is linked to Shell Link (.lnk) files, which Windows uses to create shortcuts. Exploiting this vulnerability allows attackers to execute arbitrary code on the victim’s system, potentially enabling them to install malware, steal sensitive information, and escalate privileges within the network.

    “We discovered nearly a thousand Shell Link samples that exploit ZDI-CAN-25373, but the actual number of exploitation attempts is likely far higher,” Girnus and Zahravi stated in their report. They also confirmed that the vulnerability has been actively exploited in the wild for years, with evidence suggesting that multiple nation-state actors have used it in cyber espionage campaigns.

    Microsoft’s Response

    Despite being presented with detailed proof-of-concept exploits through Trend Micro’s bug bounty program, Microsoft decided not to release a security patch. The company categorized the flaw as not severe enough to warrant a fix under its current servicing criteria.

    “Microsoft tagged it as ‘not meeting the bar for servicing’ in late September and said it wouldn’t release security updates to address it,” the researchers reported. This decision has drawn criticism from the cybersecurity community, as the flaw remains a viable attack vector for state-sponsored actors.

    Potential Impact and Threat Landscape

    The fact that the vulnerability allows remote code execution makes it highly dangerous, especially when used by advanced persistent threat (APT) groups with nation-state backing. Cybersecurity experts warn that this flaw could be leveraged for a wide range of attacks, including intellectual property theft, infrastructure sabotage, and infiltration of government networks.

    The exploitation of ZDI-CAN-25373 highlights the persistent threat posed by zero-day vulnerabilities, particularly when state-sponsored actors are involved. Without a patch from Microsoft, organizations running Windows systems remain exposed to potential attacks, making it essential for security teams to implement compensating controls and enhance monitoring for suspicious activity.

    No CVE Assignment Yet

    Microsoft has yet to assign a CVE-ID to ZDI-CAN-25373, leaving security researchers and system administrators without an official reference point for tracking and mitigating the issue. In the absence of a patch, Trend Micro recommends that organizations tighten security controls around Shell Link files and increase endpoint monitoring to detect signs of exploitation.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Understanding the Transition from CCRI to CORA

    Understanding the Transition from CCRI to CORA

    The Command Cyber Readiness Inspection (CCRI) was a comprehensive cybersecurity evaluation conducted by the United States Department of Defense (DoD). Its primary goal was to assess the cybersecurity posture of DoD Information Networks, with a focus on Command, Mission, Threat, and Vulnerability. By evaluating military commands, installations, and other DoD organizations, the CCRI aimed to safeguard critical data, networks, and assets. The inspection served to ensure that DoD information systems adhered to stringent cybersecurity standards and maintained resilience against potential threats and vulnerabilities.

    In the past, the CCRI focused on identifying weaknesses and vulnerabilities, as well as ensuring compliance with DoD cybersecurity regulations. This included areas such as network security, hardening, configuration management, physical security, and overall information assurance. The goal was to identify gaps in cybersecurity practices, evaluate the organization’s adherence to DoD standards, and improve defenses across critical systems.

    Transition to Cyber Operational Readiness Assessment (CORA)

    As cybersecurity threats evolved and the landscape of the DoD’s information networks became more complex, the CCRI inspection underwent significant changes. To reflect this new approach, the inspection program was rebranded as the Cyber Operational Readiness Assessment (CORA) in March 2024. The shift from a traditional inspection to an operational readiness mission marked a broader evolution in the DoD’s efforts to continuously monitor, assess, and mitigate risks across its information networks.

    The Cyber Operational Readiness Assessment (CORA) program was launched by the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN) after a nine-month pilot. CORA aims to validate current, future, and emerging technologies that help the DoD monitor and secure its cyber terrain, improving overall security and preparedness across the Department of Defense Information Network (DODIN).

    Key Inspection Areas Under CORA

    The core focus of both CCRI and CORA revolves around assessing the cybersecurity and operational readiness of DoD entities. While the program has evolved, the inspection areas remain critical in identifying vulnerabilities and improving the defense posture. These inspection areas include:

    1. Information Assurance (IA) and Cybersecurity: This area evaluates the organization’s cybersecurity practices, ensuring information systems and networks are protected and compliant with DoD cybersecurity policies. It includes an assessment of access controls, network security, vulnerability management, and overall adherence to best practices in cybersecurity.
    2. Computer Network Defense (CND): This area focuses on the organization’s capabilities to defend against cyber threats, attacks, and intrusions. The inspection assesses the organization’s incident response procedures, its ability to detect and mitigate cybersecurity incidents, and overall readiness to handle cyberattacks effectively.
    3. Information Management: This inspection area reviews the organization’s management of sensitive and classified information. It ensures that proper access controls are in place, data is appropriately classified, and systems are in place to prevent unauthorized access or data breaches.

    Frequency of CORA Inspections

    Under the new CORA framework, inspections are no longer scheduled on a fixed timeline. Instead, CORA will implement a risk-based approach to determine the frequency of assessments. This approach will take into account the mission-criticality of the organization, the current cybersecurity threats it faces, and the availability of resources for the assessment teams.

    This risk-based model means that certain high-priority or high-risk organizations may undergo CORA evaluations multiple times a year, while others may not receive an inspection for several years. This is a departure from the traditional CCRI model, where inspections followed a more rigid schedule, typically occurring on an annual, biennial, or ad-hoc basis.

    Scoring Criteria for CORA

    One of the significant changes from the CCRI to CORA is the evolution of the scoring criteria. In the past, the CCRI used a pass/fail system, where a score of 70 or above was considered passing. However, with the introduction of CORA, the assessment criteria have shifted to a data-driven approach, incorporating intelligence and threat data, such as information from the MITRE ATT&CK framework, to evaluate the organization’s susceptibility to current and emerging cyber threats.

    Rather than focusing purely on a numerical score, CORA now emphasizes risk mitigation efforts. Even in the presence of vulnerabilities, organizations that demonstrate progress in mitigating those risks are considered to be making valuable strides in improving their cybersecurity posture. This approach is designed to reflect a more nuanced understanding of cybersecurity resilience and provide a more comprehensive view of an organization’s readiness.

    Conclusion

    The transition from CCRI to CORA represents a significant shift in how the DoD evaluates its cybersecurity readiness. The new approach prioritizes continuous monitoring, risk-based assessments, and a focus on proactive defense strategies. By emphasizing the need to adapt to evolving threats and improving coordination across DoD entities, the Cyber Operational Readiness Assessment (CORA) program aims to strengthen the resilience and security of the Department of Defense’s information networks. As the program continues to evolve, it will play a crucial role in safeguarding the DoD’s critical data and infrastructure against the growing and dynamic landscape of cybersecurity threats.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Understanding C3PAOs in CMMC Compliance

    Understanding C3PAOs in CMMC Compliance

    The Cybersecurity Maturity Model Certification (CMMC) was created to establish a uniform standard for cybersecurity practices, specifically targeting organizations within the Defense Industrial Base (DIB). This model ensures that entities handling sensitive data, including Controlled Unclassified Information (CUI), Critical Technology Information (CTI), Federal Contract Information (FCI), and ITAR data, are able to safeguard such information adequately. To support DoD contractors in their compliance journey, the CMMC Accreditation Body (CMMC-AB) offers various certifications, including C3PAOs (CMMC Third-Party Assessment Organizations).

    In this article, we focus on the role of a C3PAO, a key player in ensuring organizations meet the CMMC standards.

    What Exactly is a C3PAO?

    A CMMC Third-Party Assessment Organization (C3PAO) is a group authorized by the CMMC-AB to perform official assessments of an Organization Seeking Compliance (OSC). Once an OSC enters into a contract with a C3PAO, the latter conducts a thorough evaluation to determine whether the OSC complies with the necessary CMMC level.

    In essence, C3PAOs play a crucial role in helping contractors in the DIB become certified by assessing their alignment with CMMC standards. It’s important to note that C3PAOs focus solely on conducting assessments—they do not provide consulting services, as this would create a conflict of interest. To assist in the pre-assessment phase, organizations often rely on Registered Provider Organizations (RPOs). RPOs offer guidance on compliance, help with policy creation, and ensure that the systems are configured to meet CMMC requirements. However, a C3PAO cannot act as both an RPO and an assessor for the same organization to maintain objectivity.

    For contractors handling FCI or CUI, encountering the DFARS 7021 clause in their contracts is inevitable. As the Department of Defense (DoD) implements CMMC, contractors will be required to undergo these assessments before their contracts are renewed. By 2025, all DoD contracts will contain this clause, making CMMC compliance a key requirement for doing business with the DoD.

    How Does a C3PAO Assessment Work?

    To determine which CMMC level an organization should pursue, contractors must assess their contracts to understand the cybersecurity requirements. Once this is clear, a C3PAO conducts an assessment based on the specific level of compliance required. This includes evaluating domains and practices in line with the desired CMMC level. As of now, C3PAOs are still in the process of being fully authorized to assess OSCs, but once they are, the process will become an integral part of CMMC certification.

    In certain cases, a C3PAO may work under contract with a Certified CMMC Assessor (CCA) to conduct the assessment. If you’re unsure of the level your organization needs to achieve, consulting a C3PAO is the best next step.

    Steps to Become a C3PAO

    Becoming an official C3PAO is a detailed process involving several steps, including:

    • Ownership Requirements: The organization must be 100% US-citizen owned or undergo a Foreign Ownership, Control, or Interest (FOCI) investigation if the company is public, has an Employee Stock Ownership Plan (ESOP), or operates as a global partnership.
    • CMMC Level 3 Compliance: The organization must pass an audit verifying its compliance with CMMC Level 3 standards.
    • Organizational Background Check: The C3PAO is subject to a background check by the CMMC-AB through Dun & Bradstreet. The company must also have a DUNS number and be registered in the CMMC-AB Marketplace.
    • ISO 17020 Certification: The organization must hold an ISO 17020 certification.
    • Insurance and Liability Policies: The C3PAO must carry general liability insurance, including errors and omissions and cybersecurity breach policies.
    • Partnerships: The C3PAO must have a relationship with at least one Registered Practitioner (RP), Certified CMMC Professional (CCP), CMMC Assessor (CCA), or Professional Assessor (PA).
    • Annual Fee: A $3,000 USD annual fee is required to maintain C3PAO certification.

    If the C3PAO uses a Cloud Service Provider (CSP) to handle or store CUI data, it must ensure that the CSP meets FEDRAMP High standards or that any gaps are properly addressed.

    Choosing the Right C3PAO for Your Organization

    Selecting the right C3PAO is crucial to ensuring your compliance journey runs smoothly. A reputable C3PAO will not only guide you through the assessment process but also ensure that your organization meets all necessary cybersecurity requirements as you prepare for CMMC certification.

    Working with a C3PAO is essential for contractors aiming to secure and retain DoD contracts. Without CMMC certification, contractors may lose the ability to bid on or participate in DoD projects. C3PAOs not only verify compliance but also help organizations strengthen their overall cybersecurity posture, ensuring long-term protection of sensitive data and operational integrity.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.