Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Orange Group Data Breach Exposes 380,000 Emails, Contracts, and Payment Details

    Orange Group Data Breach Exposes 380,000 Emails, Contracts, and Payment Details

    French telecommunications giant Orange Group has confirmed a security breach after a hacker leaked company documents online, revealing sensitive user and employee data. The hacker, known as “Rey” and affiliated with the HellCat ransomware group, attempted to extort the company before making the stolen data public.

    Details of the Breach

    According to the hacker’s claims on a cybercriminal forum, the breach primarily affected Orange’s Romanian division. The stolen data reportedly includes:

    • 380,000 unique email addresses
    • Source code
    • Invoices and contracts
    • Customer and employee information
    • Partial payment card details from Romanian customers

    Rey stated that the attack was not a ransomware operation and that they had access to Orange’s internal systems for over a month. They exfiltrated nearly 12,000 files, amounting to approximately 6.5GB of data, in a three-hour window without being detected.

    The breach was allegedly carried out by exploiting compromised credentials and vulnerabilities in Orange’s Jira software and internal portals. The hacker claims to have left a ransom note in the compromised system, but the company did not engage in negotiations.

    Orange Group’s Response

    In a statement to BleepingComputer, Orange confirmed the breach but emphasized that it impacted a “non-critical back-office application” and did not disrupt customer operations.

    “Orange can confirm that our operations in Romania have been the target of a cyberattack. We took immediate action, and our top priority remains protecting the data and interests of our employees, customers, and partners. There has been no impact on customers’ operations, and the breach was found to occur on a non-critical back-office application.”

    The company has launched an internal investigation and is working to assess the extent of the breach while implementing measures to mitigate its impact. Additionally, Orange is complying with all legal obligations and cooperating with relevant authorities to address the situation.

    Connection to HellCat Ransomware Group

    Although Rey claims to have breached Orange independently, they are affiliated with the HellCat ransomware group, which has previously targeted major corporations, including Schneider Electric and Spanish telecommunications firm Telefónica. In both cases, the attackers leveraged Jira server vulnerabilities to steal corporate data.

    Potential Impact

    Some of the leaked email addresses belong to former employees, contractors, and partners, with records dating back more than five years. Additionally, much of the exposed payment card information appears to have expired. However, the presence of customer and employee data still raises concerns over potential identity theft, phishing campaigns, and further cyberattacks.

    Ongoing Investigation

    Orange Group continues to investigate the breach, with its cybersecurity teams working to secure affected systems and prevent future attacks. The company has pledged to provide updates as more details emerge.

    This incident highlights the growing threat of cybercriminals exploiting vulnerabilities in enterprise software to gain unauthorized access to corporate networks. Organizations must remain vigilant in securing their systems, regularly updating software, and enforcing strong authentication measures to prevent similar attacks.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (2/24/2024)

    Netizen: Monday Security Brief (2/24/2024)

    Today’s Topics:

    • Google Cloud Introduces Quantum-Safe Digital Signatures to Strengthen Encryption
    • Microsoft’s Majorana 1 Chip and the Implications for Quantum Decryption
    • How can Netizen help?

    Google Cloud Introduces Quantum-Safe Digital Signatures to Strengthen Encryption

    Google Cloud has announced the introduction of quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS), marking a significant step toward post-quantum cryptographic security. Currently available in preview, this update aligns with the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards, addressing concerns over future quantum computing threats.

    Cloud KMS is a widely used encryption key management tool designed for securely generating, storing, and managing cryptographic keys for data encryption and digital signatures. Until now, it has relied on conventional public-key cryptography methods such as RSA and ECC, which remain vulnerable to potential quantum computing attacks.

    A growing concern in the cybersecurity world is the “harvest now, decrypt later” (HNDL) strategy, where attackers collect encrypted data today, anticipating future quantum computers capable of breaking classical encryption. With Microsoft’s recent breakthrough in Majorana qubits—a key development toward scalable quantum computing—organizations must begin adopting quantum-resistant security measures.

    To mitigate these risks, Google Cloud has now integrated two quantum-resistant digital signature algorithms into Cloud KMS and its Cloud HSM (Hardware Security Modules):

    • ML-DSA-65 (FIPS 204) – A lattice-based digital signature algorithm.
    • SLH-DSA-SHA2-128S (FIPS 205) – A stateless hash-based digital signature algorithm.

    These new cryptographic mechanisms are designed to future-proof digital security, allowing customers to sign and verify signatures with quantum-resistant algorithms in the same way they would with traditional cryptography.

    In addition, Google is ensuring transparency by making these cryptographic implementations open-source via the BoringCrypto and Tink libraries, allowing independent audits and security reviews.

    Google Cloud’s quantum-safe encryption initiative is particularly critical for industries handling sensitive data, including financial institutions, government agencies, and critical infrastructure operators. The introduction of PQC in Cloud KMS will help organizations prepare for the post-quantum era while maintaining secure data encryption and integrity.

    Google is inviting businesses and security teams to begin testing and integrating these algorithms into their existing security infrastructure and provide feedback to refine the technology before its full rollout. With quantum computing advancing rapidly, early adoption of PQC solutions is becoming an essential part of long-term cybersecurity strategies.

    Microsoft’s Majorana 1 Chip and the Implications for Quantum Decryption

    Post Quantum Cryptography and Quantum Resistant Cryptography – PQC – New Cryptographic Algorithms That Are Secure Against Quantum Computers – Conceptual Illustration

    Microsoft has unveiled the Majorana 1, the world’s first quantum processing unit utilizing topological qubits, which it claims can scale to one million qubits on a single chip. While this represents a significant technical breakthrough, security experts are now questioning whether it accelerates the timeline for quantum computing—bringing us closer to the moment when quantum machines will be powerful enough to break public-key encryption (PKE).

    Quantum computing has the potential to revolutionize industries by solving complex problems beyond the reach of classical computers. It could lead to breakthroughs in medicine, agriculture, material science, and artificial intelligence. However, before these innovations materialize, the first and most immediate concern for cybersecurity professionals is the threat to encryption.

    Current cryptographic standards rely on PKE, which is mathematically difficult to break using classical computers. Quantum computers, however, could use Shor’s algorithm to quickly factor large numbers and decrypt data that was once considered secure. This is why security researchers have been warning of a “harvest now, decrypt later” (HNDL) approach, where adversaries collect encrypted data today in anticipation of breaking it once a cryptanalytically relevant quantum computer (CRQC) becomes available.

    Most quantum computing research has focused on superconducting or trapped ion qubits, but these approaches suffer from high error rates due to environmental noise. Topological qubits, like those used in Majorana 1, offer a more stable and error-resistant alternative by encoding information in the topology of a physical system rather than in individual particles.

    This increased stability means fewer error-correcting qubits are required, potentially paving the way for more scalable quantum computers. Microsoft has described the Majorana 1 as a “topoconductor”, effectively a transistor for the quantum computing era, and claims that it can fit a million qubits on a single, palm-sized chip.

    The key question is whether this breakthrough accelerates the development of a cryptanalytically relevant quantum computer—one capable of breaking classical encryption.

    Troy Nelson, CTO at Lastwall, suggests that the technology could rival the silicon transistor, which transformed modern computing. However, he warns that scalability and economic viability remain significant challenges.

    Rebecca Krauthamer, CEO of QuSecure, acknowledges that error correction and infrastructure development still need to be addressed. However, she believes that if Microsoft can demonstrate a path to scalability, it could significantly shorten the timeline for quantum decryption.

    Carl Froggett, CISO at Deep Instinct, notes that Microsoft’s announcement accelerates the collision between quantum computing and AI, which could disrupt traditional cybersecurity practices.

    However, some experts remain skeptical. Scott Aaronson, a quantum computing researcher at the University of Texas, argues that topological qubits are only now reaching the stage where traditional qubits were 20–30 years ago. Unless they prove vastly superior in reliability, they may struggle to leapfrog existing approaches.

    While the timeline for quantum decryption remains uncertain, one thing is clear: organizations need to start migrating to quantum-resistant encryption now.

    Phil Venables, Google Cloud’s CISO, warns that even if quantum computing is still seven to ten years away, organizations should not delay migration to post-quantum cryptography (PQC). The transition will be complex, and waiting too long could leave critical data exposed.

    Marc Manzano, General Manager for Cybersecurity at SandboxAQ, echoes this urgency: “As we approach the ‘quantum cliff’, organizations must identify and secure cryptographic assets before scalable quantum machines break today’s encryption. The window for migration is shrinking, and a reactive approach is not an option.”

    Microsoft’s Majorana 1 chip represents a major technical milestone in quantum computing, but its direct impact on the timeline for quantum decryption remains uncertain. While the technology shows promise in stabilizing qubits, whether it will outpace existing quantum approaches is still unclear.

    However, one fact remains unchanged—the need for organizations to prepare for quantum threats today. The migration to quantum-safe cryptographic standards is already critical, and businesses that fail to act now risk being caught unprepared when quantum computing reaches a breakthrough.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • UK Government Forces Apple to Disable Advanced Data Protection

    UK Government Forces Apple to Disable Advanced Data Protection

    Apple has confirmed that it will no longer offer its Advanced Data Protection (ADP) feature for iCloud in the United Kingdom, following a secret government order demanding backdoor access to encrypted cloud data.

    ADP, an optional feature introduced in December 2022, provides end-to-end encryption for iCloud backups, ensuring that only the user can decrypt their data on trusted devices. However, as of today, new users in the UK will no longer be able to enable this security feature.

    Apple’s Response to the UK’s Encryption Request

    Apple expressed disappointment over the restriction, emphasizing the growing need for stronger data security amid rising cyber threats. In a statement to BleepingComputer, the company reaffirmed its stance against backdoors:

    “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

    Apple maintains that it has never provided governments with direct access to its servers or created master keys for encrypted data, and it has no intention of doing so. The company continues to advocate for user privacy and secure cloud storage.

    What This Means for UK iCloud Users

    Existing ADP users in the UK will still have access to the feature for now, but Apple has indicated that they will eventually need to disable it to continue using their iCloud accounts. The company plans to provide further guidance to affected users in the coming weeks.

    Despite this restriction, iMessage, FaceTime, Health data, and iCloud Keychain will remain end-to-end encrypted, even in the UK. Meanwhile, ADP will continue to be available in other countries where Apple users can enable it for additional data security.

    A Growing Battle Over Encryption

    Apple’s decision highlights the ongoing tensions between privacy advocates and government surveillance initiatives. The UK government has previously pushed for access to encrypted communications under laws like the Investigatory Powers Act, often referred to as the “Snooper’s Charter.”

    This move raises concerns about digital privacy, surveillance, and potential global implications, as other governments may follow suit in requesting similar access to encrypted data.

    For now, UK Apple users should stay informed about potential changes and consider alternative security measures to safeguard their data.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • SIPRNet and NIPRNet: Key Differences Explained

    SIPRNet and NIPRNet: Key Differences Explained

    The United States Department of Defense (DoD) relies on specialized communication networks to manage the flow of information across various security levels. Two primary networks in this infrastructure are the Secret Internet Protocol Router Network (SIPRNet) and the Non-classified Internet Protocol Router Network (NIPRNet). Each serves distinct purposes and operates under different security protocols.

    Overview of SIPRNet and NIPRNet

    Both SIPRNet and NIPRNet are integral to the DoD’s communication strategy, facilitating the exchange of information among military and defense entities. The key distinction lies in the classification levels of the data they handle and the security measures in place to protect that data.

    SIPRNet: Secure Communication for Classified Information

    SIPRNet is the DoD’s secure network designed for transmitting classified information up to the Secret level. Established in 1991, it connects various agencies, including the DoD, Department of Homeland Security (DHS), and Department of State (DoS), providing a secure channel for military operations and classified communications. Access to SIPRNet is highly restricted, requiring personnel to have appropriate security clearances and a validated need-to-know. This stringent access control ensures that sensitive information remains protected from unauthorized access.

    NIPRNet: Facilitating Unclassified Communication

    In contrast, NIPRNet is a global network that connects Non-Secure Internet Protocol Router Networks worldwide. It primarily supports the exchange of unclassified data, including emails, documents, and other non-sensitive information, among DoD agencies and related organizations. While NIPRNet is not classified, it is still protected through various security measures to prevent unauthorized access and cyber threats. Access to NIPRNet is less restrictive compared to SIPRNet, typically requiring a Common Access Card (CAC) for authentication.

    Key Differences Between SIPRNet and NIPRNet

    • Security Level: SIPRNet is designed for classified information up to the Secret level, employing robust security protocols to safeguard sensitive data. NIPRNet handles unclassified information, with security measures in place to protect against unauthorized access.
    • Data Types: SIPRNet transmits highly sensitive information such as classified military operations, intelligence reports, and diplomatic communications. NIPRNet supports the exchange of unclassified data, including routine emails and administrative documents.
    • Access Control: Access to SIPRNet is restricted to authorized personnel with the necessary security clearances and a validated need-to-know. NIPRNet access is generally available to all DoD users with a CAC, though certain areas may have additional access controls.
    • Infrastructure: SIPRNet operates on a separate and secure infrastructure to ensure the confidentiality of classified information. NIPRNet, while separate from the public internet, provides users with access to the internet, facilitating broader communication needs.

    Conclusion

    Understanding the distinctions between SIPRNet and NIPRNet is crucial for comprehending the DoD’s approach to secure communication. SIPRNet ensures the protection of classified information through stringent security measures and access controls, while NIPRNet facilitates the exchange of unclassified data with appropriate safeguards. Both networks are essential for maintaining operational security and effective communication within the Department of Defense.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • New FrigidStealer Campaign Targeting macOS Users: What SOC Teams Need to Know

    New FrigidStealer Campaign Targeting macOS Users: What SOC Teams Need to Know

    A newly discovered malware campaign is using fake browser update prompts to distribute FrigidStealer, an infostealer designed to target macOS users. The attack is part of a broader cybercriminal operation that also delivers malware to Windows and Android users. Cybersecurity researchers at Proofpoint have identified two threat groups—TA2726 and TA2727—working together to spread this malware through compromised websites.

    How the Attack Works

    The attackers inject malicious JavaScript into breached websites, which then display fake update alerts that mimic Google Chrome or Safari notifications. These pop-ups instruct users to download and install a required browser update, but instead of a legitimate update, the user unknowingly installs malware.

    Multi-Platform Targeting

    • macOS: Users receive a DMG file that installs FrigidStealer.
    • Windows: Victims download an MSI installer that loads Lumma Stealer or DeerStealer.
    • Android: Users are tricked into downloading an APK file that installs the Marcher banking trojan.

    Unlike traditional drive-by downloads, this attack requires user interaction. On macOS, the victim must right-click the downloaded file and select “Open”, followed by entering their password to bypass macOS Gatekeeper protections.

    What FrigidStealer Does

    FrigidStealer is built using the Go-based WailsIO framework, which enables the installer to closely mimic the look and feel of a legitimate browser update. Once installed, the malware operates covertly in the background. It is designed to extract sensitive information from the affected Mac, including saved cookies, login credentials, and various password files stored in browsers like Safari and Chrome. The malware also scans local directories for crypto wallet credentials and retrieves content from Apple Notes that may contain passwords, financial data, or other personal information. Additionally, FrigidStealer collects documents, spreadsheets, and text files from the user’s home directory.

    The stolen data is compressed into a hidden folder and transmitted to a command and control (C2) server at askforupdate[.]org.

    Why This Attack Is Significant

    Fake update campaigns are a growing trend in cybercrime. The use of JavaScript-based injects allows attackers to dynamically profile victims and tailor payloads based on operating system, browser type, and device location. While Windows and Android users have long been targeted by similar attacks, the emergence of advanced macOS-specific malware like FrigidStealer represents a concerning shift.

    What SOC Teams Need to Know

    Security Operations Centers (SOCs) must take proactive steps to detect and mitigate threats like FrigidStealer before they lead to data breaches. Here’s what security teams should focus on:

    Detection and Threat Intelligence

    • Monitor web traffic logs for connections to suspicious domains like askforupdate[.]org.
    • Analyze downloaded DMG files for unexpected permissions requests or credential access.
    • Track unusual browser update prompts appearing on legitimate corporate websites.

    Endpoint Protection

    • Ensure macOS security settings are configured to block unverified apps from executing.
    • Deploy endpoint detection and response (EDR) solutions to identify anomalies in application behavior.
    • Implement strong user access controls to prevent unauthorized software installations.

    User Awareness & Training

    • Educate employees on the dangers of fake update prompts.
    • Reinforce policies that restrict downloading software from untrusted sources.
    • Encourage users to manually check for browser updates via official vendor websites.

    How to Stay Protected

    To avoid falling victim to infostealers like FrigidStealer:

    • Never click on update prompts from websites. Always update browsers directly from their official settings menu.
    • Use trusted security software that can detect and block malicious downloads.
    • Regularly review account security and change passwords if suspicious activity is detected.

    Final Thoughts

    With multiple cybercrime groups leveraging fake browser updates as an infection vector, organizations must stay vigilant and implement layered security measures to mitigate these risks. By combining user awareness, strong endpoint security, and proactive threat monitoring, security teams can better defend against these evolving threats.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • OpenSSH Security Updates: What SOC Teams Need to Know

    OpenSSH Security Updates: What SOC Teams Need to Know

    OpenSSH has released security updates to address two newly discovered vulnerabilities, including a machine-in-the-middle (MiTM) attack and a pre-authentication denial-of-service (DoS) flaw. One of these vulnerabilities, CVE-2025-26465, had been present in OpenSSH for over a decade, exposing countless systems to potential exploitation.

    Two Critical Vulnerabilities in OpenSSH

    The MiTM vulnerability (CVE-2025-26465) affects OpenSSH clients when the VerifyHostKeyDNS option is enabled. This flaw allows attackers to intercept SSH connections and inject malicious keys, effectively hijacking sessions. An attacker can exploit improper error handling to trick a client into accepting a rogue server’s key by triggering an out-of-memory error during verification. Once compromised, the attacker can steal credentials, inject commands, and exfiltrate sensitive data.

    Although VerifyHostKeyDNS is disabled by default in OpenSSH, FreeBSD had it enabled by default from 2013 until 2023, leaving many systems unknowingly exposed.

    The second vulnerability, CVE-2025-26466, is a pre-authentication DoS flaw introduced in OpenSSH 9.5p1 (August 2023). The flaw allows attackers to send repeated small ping messages that force OpenSSH to buffer excessive responses, leading to uncontrolled memory allocation and potential system crashes. While not as severe as the MiTM flaw, this vulnerability still poses a high risk of service disruption, particularly for high-availability systems.

    OpenSSH Issues Security Fixes

    To mitigate these risks, OpenSSH has released version 9.9p2, which patches both vulnerabilities. Users and administrators are strongly urged to update their OpenSSH installations immediately to prevent potential exploitation.

    As an additional security measure, administrators should disable VerifyHostKeyDNS unless absolutely necessary and instead rely on manual SSH key fingerprint verification to ensure secure connections. For the DoS flaw, enforcing connection rate limits and monitoring SSH traffic for unusual patterns can help detect and prevent potential attacks before they cause serious disruption.

    Given OpenSSH’s widespread use across enterprise and cloud environments, delaying these updates leaves critical systems vulnerable to attacks that could compromise authentication, steal credentials, or disrupt operations.

    What SOC Teams Need to Know

    Here’s what SOC analysts and incident responders should focus on:

    • Prioritize Immediate Patching: OpenSSH 9.9p2 contains fixes for both CVE-2025-26465 and CVE-2025-26466. Ensure all affected systems are updated as soon as possible, particularly high-value assets and internet-facing SSH servers.
    • Audit SSH Configurations: Check for instances where VerifyHostKeyDNS is enabled. Since this setting can be exploited for MiTM attacks, disabling it across all systems is a necessary security measure unless there is a strict operational requirement.
    • Monitor for Exploitation Attempts: Deploy network monitoring rules to detect large SSH keys with excessive certificate extensions, which could indicate an attempt to exploit the MiTM flaw. Additionally, look for excessive SSH connection requests or unusually high memory usage on OpenSSH servers that could suggest an active DoS attack.
    • Apply Rate Limiting and Anomaly Detection: Implement SSH connection rate limits to mitigate potential DoS exploitation. Monitor logs for signs of resource exhaustion or unexpected service crashes that may indicate CVE-2025-26466 exploitation attempts.
    • Enhance Logging and Alerting: Ensure SSH authentication logs (/var/log/auth.log or /var/log/secure) are being forwarded to SIEM solutions for centralized monitoring. Set up alerts for anomalous SSH activity, such as repeated authentication failures, unexpected key exchanges, or changes to host keys.
    • Verify Key Integrity and Trust Models: Organizations relying on SSH for secure remote access should enforce strict key verification policies, such as manually validating SSH key fingerprints before accepting them, rather than relying on DNS-based verification.
    • Coordinate Incident Response Plans: If exploitation is detected, SOC teams should be prepared to isolate compromised hosts, rotate affected credentials, and conduct forensic analysis to determine if an attacker has gained persistence.

    With OpenSSH being a critical component in enterprise, cloud, and DevOps environments, SOC teams must take a proactive stance to prevent exploitation and ensure SSH connections remain secure.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Netizen: Monday Security Brief (2/17/2024)

    Netizen: Monday Security Brief (2/17/2024)

    Today’s Topics:

    • SonicWall Firewall Vulnerability Exploited Following PoC Release
    • Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn
    • How can Netizen help?

    SonicWall Firewall Vulnerability Exploited Following PoC Release

    Cybercriminals are actively exploiting a critical authentication bypass vulnerability in SonicWall firewalls (CVE-2024-53704) following the public release of proof-of-concept (PoC) exploit code. The flaw, which affects the SSLVPN authentication mechanism, enables remote attackers to hijack active VPN sessions and gain unauthorized access to corporate networks.

    The vulnerability impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are used across multiple SonicWall Gen 6 and Gen 7 firewall models, as well as SOHO series devices. If exploited, attackers can bypass multi-factor authentication (MFA), disclose sensitive information, and terminate active VPN sessions—posing a significant threat to enterprise security.

    SonicWall initially warned customers to update their firewall firmware before publicly disclosing the vulnerability on January 7. Despite this, cybersecurity firm Arctic Wolf has reported detecting exploitation attempts beginning shortly after the PoC exploit became available.

    According to Arctic Wolf, the exploit allows unauthenticated attackers to infiltrate corporate networks with minimal effort. “Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware to address this vulnerability,” the company stated.

    The PoC exploit was published by security researchers at Bishop Fox on February 10, approximately one month after SonicWall released security patches. Prior to the PoC’s release, internet scans conducted on February 7 revealed that nearly 4,500 unpatched SonicWall SSL VPN servers remained exposed online.

    Following the publication of the exploit code, SonicWall issued an urgent advisory reinforcing the importance of updating affected devices. “Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN,” SonicWall warned.

    This is not the first time SonicWall firewalls have been targeted by threat actors. Ransomware groups such as Akira and Fog have previously leveraged SonicWall VPN vulnerabilities to gain initial network access. In October 2024, Arctic Wolf reported at least 30 ransomware intrusions that began with compromised SonicWall VPN accounts.

    Given the increased risk following the release of the PoC, organizations using affected SonicWall devices are strongly urged to apply patches immediately or implement mitigation measures, such as restricting SSLVPN access, to prevent potential attacks.

    Chinese APT Exploits New Windows Zero-Day, Security Researchers Warn

    Israeli cybersecurity firm ClearSky has identified a previously unknown Windows zero-day vulnerability being actively exploited by the Chinese advanced persistent threat (APT) group Mustang Panda. The firm has yet to disclose full details but confirmed that the flaw remains unpatched and currently lacks a CVE identifier, suggesting it is an emerging security risk.

    ClearSky described the vulnerability as a user interface (UI) flaw that allows threat actors to manipulate file visibility when extracting compressed RAR files. According to their research, files extracted from a RAR archive may remain hidden from users when viewed in Windows Explorer, even though they are accessible via the command line.

    The attack operates as follows:

    • When a user extracts a RAR archive, the extracted files do not appear in Windows Explorer, making it seem as if the folder is empty.
    • However, these files remain accessible via the command prompt if their exact paths are known.
    • Attackers can execute these hidden files without the user realizing they exist.
    • Running the attrib -s -h command on system-protected files generates an ActiveX component classified as an “Unknown” file type, raising concerns about potential abuse in malware delivery.

    Microsoft has been informed of the issue but has reportedly classified it as low severity. Given that it enables stealthy file execution, security researchers warn that the vulnerability could be leveraged for espionage, persistence, and malware deployment.

    Mustang Panda, the China-linked APT, has a history of targeting government agencies, NGOs, and critical infrastructure worldwide. The group is known for using custom malware and spear-phishing campaigns to gain long-term access to victim networks.

    This latest discovery adds to the growing list of Windows vulnerabilities being leveraged by Chinese APTs for cyber espionage and covert operations. If the flaw remains unpatched, it could be used to execute malicious payloads without detection, making it an attractive tool for state-sponsored attacks.

    Microsoft’s February Patch Tuesday addressed over 50 vulnerabilities, including two other zero-day exploits:

    • CVE-2025-21391 – A Windows Storage privilege escalation flaw that allows attackers to delete system files.
    • CVE-2025-21418 – A Windows Ancillary Function driver flaw that permits privilege escalation to system-level access.

    While these vulnerabilities received immediate patches, the ClearSky-discovered zero-day remains unresolved, increasing the urgency for a fix.

    ClearSky has promised to release further details in an upcoming technical blog post. Meanwhile, security researchers and enterprises are urged to monitor Microsoft’s security advisories and implement workarounds where possible.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Understanding Sandworm: Cyber Attacks Beyond Borders

    Understanding Sandworm: Cyber Attacks Beyond Borders

    Microsoft has identified a sophisticated cyber espionage operation carried out by a subgroup within Sandworm, the notorious Russian state-sponsored hacking collective. The operation, codenamed BadPilot, has been active since at least 2021, targeting internet-facing infrastructure in over 15 countries. This marks a significant expansion beyond Sandworm’s previous focus on Eastern Europe, with attacks now observed in North America, South America, Asia, and Africa.

    Sandworm’s Expanding Reach

    While Sandworm has historically concentrated on Ukraine, its latest activities indicate a shift in strategy. Microsoft’s findings reveal that high-value targets include government agencies, energy and telecommunications providers, arms manufacturers, and logistics firms. Countries affected by this operation include the United States, Canada, the United Kingdom, Australia, India, China, Turkey, Argentina, and Nigeria.

    The scale of this campaign suggests that Russia is investing heavily in broadening its cyber capabilities, ensuring access to strategic infrastructure across multiple regions. Sandworm’s subgroup appears to be pursuing both opportunistic mass compromises and targeted intrusions, indicating a desire to maintain persistent access across various industries.

    Exploiting Vulnerabilities for Initial Access

    To gain a foothold in target environments, the hacking group exploits publicly known security vulnerabilities in widely used software. Microsoft has identified multiple flaws that have been actively leveraged in these attacks, including vulnerabilities in Microsoft Exchange Server, Fortinet FortiClient, Zimbra Collaboration, and JetBrains TeamCity.

    By taking advantage of unpatched systems, Sandworm secures initial access to corporate and government networks, allowing it to establish long-term persistence. From there, the attackers deploy tools for credential harvesting, privilege escalation, and lateral movement within compromised organizations.

    Maintaining Persistence and Avoiding Detection

    Once inside a network, the attackers use various tactics to ensure prolonged access. Microsoft has observed Sandworm deploying legitimate remote administration tools, such as Atera Agent and Splashtop Remote Services, which allow them to blend in with regular IT activity. Additionally, the group has been seen installing OpenSSH and a custom TOR-based backdoor called ShadowLink, which enables covert access via the TOR anonymity network.

    Another method involves modifying Outlook Web Access (OWA) login pages to inject JavaScript code that captures and exfiltrates credentials in real time. These alterations allow attackers to maintain access even if security teams attempt to lock them out.

    The use of web shells is another persistent tactic. The hacking group has deployed a custom shell known as LocalOlive, which serves as a hidden entry point for follow-up payloads, such as tunneling utilities and malware designed for deeper network penetration.

    Cybercrime as a State-Sponsored Tool

    One of the most concerning aspects of Sandworm’s operations is its increasing reliance on cybercriminal infrastructure. Microsoft and Google’s Threat Intelligence Groups have reported that the group frequently purchases access to compromised systems through underground forums, using tools originally designed for cybercriminals.

    By leveraging malware such as DarkCrystal RAT (DCRat), Warzone, and Rhadamanthys Stealer, Sandworm can rapidly scale its operations without relying solely on in-house tools. The group also utilizes bulletproof hosting services from known cybercriminal actors, allowing them to conduct attacks with minimal risk of attribution.

    Trojanized Software and Fake Windows Updates

    Recent research from cybersecurity firms EclecticIQ and Mandiant has revealed that Sandworm is now using fake software activators and trojanized Windows updates to spread malware. These methods are particularly effective in regions like Ukraine, where the use of pirated software is widespread.

    One example is the Kalambur backdoor, which masquerades as a legitimate Windows security update. Once installed, it enables remote access via the Remote Desktop Protocol (RDP) while routing connections through TOR, making it difficult to track.

    This technique aligns with Sandworm’s broader strategy of targeting industrial control systems (ICS) and critical infrastructure by embedding malware into widely used applications. By exploiting organizations’ reliance on untrusted software, the group gains access to key systems without having to rely on traditional hacking techniques.

    The Bigger Picture: A Shifting Cyber Warfare Landscape

    Microsoft’s report highlights the evolving nature of Russian cyber operations. Sandworm’s shift from regionally focused attacks to a global cyber espionage campaign reflects broader geopolitical ambitions. The group’s ability to combine state-backed hacking with cybercriminal tactics makes it an increasingly dangerous threat.

    With access to a growing number of compromised networks, Sandworm is positioned to conduct espionage, disrupt critical industries, and establish long-term footholds in strategic sectors. These activities are likely aligned with the Kremlin’s long-term geopolitical objectives, giving Russia the ability to engage in cyber warfare on a massive scale.

    How Organizations Can Defend Against Sandworm Attacks

    To mitigate the risk posed by Sandworm and similar state-sponsored threats, organizations must adopt a proactive cybersecurity strategy. Keeping software up to date is critical, as the group primarily exploits known vulnerabilities. Implementing network segmentation can limit attackers’ ability to move laterally within an environment, reducing the impact of a successful breach.

    Security teams should also invest in endpoint detection and response (EDR) solutions to monitor suspicious activity in real time. A zero-trust security model, which continuously verifies users and devices before granting access, can help prevent unauthorized lateral movement.

    Given the increasing sophistication of cyber threats, threat intelligence monitoring is essential. Organizations must stay informed about the latest APT tactics and adjust their defenses accordingly. As cyber warfare continues to evolve, maintaining a strong security posture will be crucial in defending against nation-state actors.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Urgent iOS Update: Fixing Exploited USB Vulnerability

    Urgent iOS Update: Fixing Exploited USB Vulnerability

    Apple has released an urgent security patch for iOS and iPadOS, addressing a serious vulnerability that was actively exploited in targeted cyberattacks. The flaw, tracked as CVE-2025-24200, allows an attacker with physical access to a locked iPhone or iPad to disable USB Restricted Mode, a security feature designed to prevent unauthorized data access through the device’s Lightning or USB-C port.

    According to Apple’s security team, the exploit was part of an “extremely sophisticated attack” aimed at specific high-value individuals. While details remain limited, the discovery of the flaw was credited to Bill Marczak of The Citizen Lab, a research group known for investigating spyware and nation-state surveillance operations.

    How the Exploit Works

    USB Restricted Mode, first introduced by Apple to prevent forensic tools from bypassing passcodes and extracting device data, automatically disables USB data connections one hour after a device is locked. This feature effectively renders the Lightning or USB-C port charge-only unless explicitly re-enabled by the user.

    However, the newly disclosed vulnerability bypassed this security mechanism, allowing attackers to re-enable data access without needing the device owner’s passcode. In practice, this means a stolen or seized iPhone could be connected to specialized hardware to extract data—potentially putting sensitive information at risk.

    Apple classified the flaw as an authorization issue in the operating system’s logic and addressed it through improved state management in iOS 18.3.1 and iPadOS 18.3.1.

    Limited Information and High-Risk Targets

    As is common with Apple’s security disclosures, the company has not released indicators of compromise (IOCs) or telemetry data that would allow security researchers and defenders to detect past exploitation. Given Citizen Lab’s involvement, the exploit was likely used in nation-state or law enforcement surveillance campaigns rather than widespread cybercrime.

    The lack of technical details suggests that Apple wants to limit additional exploitation by preventing further reverse engineering of the attack. However, users who are high-risk targets, such as journalists, activists, or government officials, are strongly advised to update their devices immediately to minimize the chance of compromise.

    Mitigation and Next Steps

    To protect against CVE-2025-24200, Apple users should:

    • Update to iOS 18.3.1 or iPadOS 18.3.1 as soon as possible.
    • Ensure USB Restricted Mode is enabled under Settings > Face ID & Passcode > “USB Accessories” (should remain toggled off).
    • Use a strong passcode to prevent unauthorized access if a device is physically stolen.
    • Enable Lockdown Mode for extra security if you suspect you are a high-risk target.

    As physical access attacks remain a concern for high-profile individuals, ensuring that security measures like USB Restricted Mode, encrypted backups, and remote wipe capabilities are properly configured remains crucial.

    While no reports suggest widespread exploitation, this latest attack highlights the importance of keeping devices updated and staying aware of emerging threats targeting mobile security.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • Time Bandit: A Security Bypass Vulnerability in ChatGPT-4o

    Time Bandit: A Security Bypass Vulnerability in ChatGPT-4o

    A newly disclosed security bypass vulnerability in OpenAI’s ChatGPT-4o, dubbed “Time Bandit,” allowed attackers to circumvent the platform’s built-in safety guardrails and generate illicit or dangerous content. By manipulating ChatGPT’s perception of time and leveraging historical context, malicious actors could instruct the AI to provide restricted information. This vulnerability, discovered by cybersecurity and AI researcher David Kuszmar, could have been exploited at scale by threat actors to generate harmful content such as weapon manufacturing instructions, drug synthesis guides, or phishing campaigns. Kuszmar, also credited for the Inception, 1899, Severance, and Kyber exploits, identified this flaw after conducting independent testing and recognizing the risks posed by the temporal confusion that ChatGPT experienced, which allowed him to bypass its safeguards.

    Understanding the Time Bandit Exploit

    The Time Bandit jailbreak takes advantage of timeline confusion and procedural ambiguity within ChatGPT-4o. The attack relies on guiding the AI into responding as if it were operating within a specific historical period, tricking it into ignoring modern-day safety protocols.

    There are two primary methods by which this exploit could be executed:

    1. Direct Prompt Manipulation
      • The attacker initiates a conversation with ChatGPT by asking about a specific historical time period or event.
      • The attacker progressively guides ChatGPT through procedural questions that maintain the historical context.
      • By keeping the AI within this historical setting, the attacker can pivot the conversation toward restricted topics.
      • ChatGPT, failing to recognize the shift due to the established historical frame, bypasses its safety filters and generates content it would typically block.
    2. Search Function Exploitation
      • The attacker prompts ChatGPT to search the web for a specific historical event or topic.
      • Subsequent queries continue within the established historical timeline while progressively shifting towards restricted topics.
      • By maintaining the time-bound narrative, the attacker tricks ChatGPT into providing information that would usually trigger content restrictions.

    During independent testing, security researchers at CERT/CC replicated the jailbreak and found that while ChatGPT would recognize and remove policy-violating prompts, it would still proceed to answer them. Notably, the exploit was more successful when using time frames from the 1800s and 1900s.

    Potential Impact of Time Bandit

    The Time Bandit vulnerability represented a significant security risk, as it effectively allowed ChatGPT-4o to be misused as a tool for generating harmful content at scale. Potential consequences included:

    • Weaponization of AI: Attackers could generate instructions on illicit activities, such as weapon or drug manufacturing.
    • Phishing and Social Engineering: ChatGPT could be exploited to generate convincing phishing emails, deepfake content, or fraudulent messages.
    • Malware Development: Hackers could manipulate ChatGPT into providing coding assistance for creating malicious scripts or exploits.
    • Bypassing OpenAI’s Security Filters: The ability to use ChatGPT as a proxy for malicious activity made tracking and attribution significantly more challenging.

    OpenAI’s Response and Mitigation

    OpenAI has since patched the vulnerability and reinforced ChatGPT-4o’s ability to detect and prevent similar jailbreaks. In response to the disclosure, an OpenAI spokesperson stated:

    “It is very important to us that we develop our models safely. We don’t want our models to be used for malicious purposes. We appreciate you for disclosing your findings. We’re constantly working to make our models safer and more robust against exploits, including jailbreaks, while also maintaining the models’ usefulness and task performance.”

    While Time Bandit has been mitigated, this exploit highlights the ongoing challenges in securing AI models against adversarial manipulation. Attackers will likely continue to develop new jailbreak techniques, emphasizing the need for continuous monitoring, ethical red-teaming, and improved security frameworks in AI development.

    Lessons Learned and Future Considerations

    The discovery of Time Bandit underscores the broader risks of AI safety and security:

    1. AI Jailbreaks Are Inevitable: Attackers will continue to develop novel methods to trick AI models into bypassing safety protocols through prompt engineering and contextual manipulation.
    2. History-Based Exploits Work: OpenAI and other AI providers must develop safeguards that recognize time-based deception techniques, ensuring the AI maintains modern ethical and legal standards regardless of conversational framing.
    3. Search Function Risks: AI models with real-time search capabilities introduce additional security risks, as attackers can use external data sources to strengthen jailbreak attempts.
    4. Security Audits Are Critical: Routine AI red-teaming and independent audits should be conducted to identify new vulnerabilities before they can be exploited at scale.

    As AI continues to evolve, so will adversarial tactics. Addressing vulnerabilities like Time Bandit is crucial to ensuring that AI remains a safe and responsible tool rather than a potential liability.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact